Technical and Insight
Assurance through the looking glass
Is integrated assurance a good thing or not? Is it a pipe dream or is it the way forward? Speakers at this year’s ACCA Internal Audit Conference shared their thoughts.

The topic of integrated assurance continues to interest internal auditors from all backgrounds, but according to Graeme Clarke, director – governance, risk and internal control, Mazars LLP, raising the subject with clients within the public sector often elicits the response: ‘Integrated what?’ 

‘Building assurance frameworks started in the NHS many years ago, but largely failed to ripple out to other public sector organisations,’ he said. ‘This was despite the 2012 HM Treasury guidance on the subject, which simply never seemed to land.’ 

Graeme took his audience through a journey of key markers in the history of assurance in the public and not-for-profit sectors before arriving at the present day – a time, he said, when storm clouds were gathering. 

‘We have yet to see evidence of internal audit working in practice,’ he said. ‘Risk frameworks exist but whether they are truly embedded is altogether another question. However, having them in place is a halfway marker – it’s just the assurance that’s missing now.’ 

When boards and their directors are asked whether they have thought about integrated assurance, Graeme said that it is clear that the whole idea has passed them by. But when the process and what it can achieve is explained, he believed that winning some ‘buy-in’ is possible. 

‘There is no doubt that some pain will be involved in getting started but the green shoots are there,’ he concluded. ‘The foundations are in place with the increasing adoption and sophistication of frameworks and with awareness of risk becoming heightened. So…start talking, build on existing assurance links and give key stakeholders some training on the basics. To begin with, focus on key risks/processes because if you try to do more than that you will be setting yourself up to fail. Above all, keep it simple. It’s a journey.’ 

Selling in integration
Integrated assurance may currently defy a universal definition, but Vicky Kubitscheck, chief risk officer and compliance director, Police Mutual Group, pointed out that there are six familiar ‘labels’ – GRC, ERM, total assurance, combined assurance, coordinated assurance and integrated reporting – which all involve some form of integration. 

‘However, they all have slightly different aims, features and users,’ she said, ‘but they share some common characteristics and aim to create a much more joined up picture, although some are more risk-based than others.’

The financial crisis had exposed weaknesses in the quality of assurance and offered a strong case for rethinking boardroom assurance. ‘Firms are recovering from the crisis but market conditions are still tough,’ Vicky said. ‘Organisations are not just having to reinvent themselves in the face of challenges such as technology and cybercrime but the whole environment has changed with the degree and depth of regulation.’ 

The selling point of an integrated assurance framework is that its structured approach can give an organisation a holistic picture of its principal risks and help it determine the residual exposure it faces. It joins up risk management and assurance across all lines of defence, aligning and optimising the organisation’s assurance with the board’s risk appetite and promoting accountability and shared risk intelligence.

The four key components of the framework are:  

  • specifying methodology, policies and procedure
  • defining ownership, roles and responsibilities
  • integrated assurance mapping (which identifies gaps and overlaps in the contribution of risk assurance across all lines of defence but is not an end in itself)
  • integrated assurance reporting

all of which require communication and sharing of intelligence.

Vicky has also identified three levels of application. The first is to inform risk assurance planning, the second is to enhance risk assurance and the third is for those organisations looking to harness shared and collective intelligence to gain a holistic risk and assurance picture and improve the effectiveness of risk management. 

Among the key implementation challenges are not having a universally defined framework, which makes it difficult to sell the concept or get buy-in, the maturity of risk management, and turf wars which hamper coordination and collaboration. 

In summary, Vicky said that an integrated assurance framework is about rethinking assurance in order to promote a much more sustainable business. ‘It’s about promoting accountability so that we can work across boundaries to gain synergetic benefits and inspire confidence in our stakeholders,’ she concluded. 

Vicky Kubitscheck’s session is also available to listen to as a webcast.

Too late to integrate?
Siebe Postuma, senior partner, Risk Advisory, Deloitte, was keen to stress the importance of applying an external perspective on why it is so difficult to integrate assurance and implement it in an organisation. ‘As assurance providers, it is important to have the widest possible lens,’ he said. 

Over recent years, he said, most assurance providers have been putting their efforts into trying to be relevant and provide added value. However, in this ‘new world of big data, disruptions and digital tsunamis’ it is much more important to focus on real time. ‘Instead, we should be asking: are we timely enough, are we agile enough, or do we spend too much time integrating all those assurance functions?’ Siebe said.

There are many examples pointing to a ‘struggle’ in large companies to bring assurance integration alive despite their having mature assurance frameworks, control frameworks, anti-bribery activities, effective codes of conduct and mature internal audit functions.

‘For me one of the most frustrating things is that everyone is looking at risk management and internal audit and asking what we’ve done wrong,’ Siebe said. ‘Nobody is asking the question: where was the business? Why was the business not providing enough budget to do proper assurance or to build that integrated assurance that we really need?’

One of the factors behind compliance failures is that technology is changing businesses disruptively and exponentially. The world’s largest taxi company owns no vehicles, the world’s largest accommodation provider owns no real estate and the world’s most popular media owner owns no content.

‘Technology is changing the nature and volatility (speed) of risk and we should follow that with the same speed in adapting our ways of “doing controls and integrating assurance”,’ Siebe insisted. ‘In this “new world” doing controls or doing compliance every month or every quarter is far too late - real time control and continuous control monitoring is the new mantra.’

Future risk
The wider lens Siebe advocated needs to be used to anticipate future risk and respond with greater agility. Techniques like 24/7 risk sensing and monitoring and even predicting risk events are at the frontline of changing companies’ internal governance risk and control environments. Deloitte forecasts that the future risks presented by cyber attacks, climate change, geopolitical risks, terrorism and business disruption will lead organisations to adopt new and broader risk transfer instruments, such as insurance and more sophisticated supplier contracts, to protect themselves. They will also be proactively managing the accelerated and amplified reputational risks that the new hyper-connected world presents, it anticipates. 

‘We also believe that the big names will deploy persuasive controls as a part of their products, services and business models to monitor and manage risks in real time,’ Siebe said.  

He questioned whether internal audit is ready for the new digital disruption. ‘Are we ready to advise management on how the three lines of defence model will have to change as a consequence?’ he asked. ‘There is no time to lose. We have to become more agile and decide how and where to innovate as an IA function. In five to ten years data scientists will be running internal audit.’

The internal audit role has to move from passive to more assertive, predictive, proactive and insightful, he insisted, adding new skills, tools and techniques to improve focus and effectiveness. It needs to evolve rapidly to offer deeper and broader insights by expanding the scope of its work and including assurance on market-moving information.

Automating labour-intensive processes in order to focus resources and expertise on high impact areas will also need to be part of the future. So too will changing the way internal audit aligns with its stakeholders in the company (board, audit committee and auditees), which should include new ways of communicating, marketing the brand and value of IA within the company, and the art of storytelling key messages to those stakeholders.

‘It is time to come up with our own future-proof GRC and IA strategy and engage with our business stakeholders early in the process to send them the right signals,’ Siebe concluded. ‘It’s too late to integrate. And the new word is “innovate”.’

Jill Wyatt, freelance business journalist

Integrated assurance – can internal audit really place reliance on others?
Effective collaboration across all key stakeholders is vital to the success of integrated assurance but raises many practical considerations.

Integrated assurance is complicated. The lack of a universally agreed definition of what it is, alongside different views on its applications at various organisational levels, leads Lisa Nowell, Global Director, quality assurance and professional practices, Barclays internal audit, to pose the question: ‘If we don’t know what it is or how to do it, why do we in internal audit even bother?’ 

‘Implementation of integrated assurance is made difficult by different interpretations of its applications,’ she told attendees at ACCA’s annual internal audit conference in London. ‘For some, it is about working with second line defence, while others think it’s all about having more relationship meetings to discuss what’s going on. Still others believe it is about placing reliance on other people in the business so that audit doesn’t have to do as much work in that area and can focus on the highest risk. 

‘There are also different terms used to describe the activity, including coordinated assurance, combined assurance and governance risks and controls. All these different definitions are confusing for the profession. However, I think the common characteristic is the coordination between the assurance functions, including internal and external audit.’ 

The financial crisis revealed that boards did not challenge their executives properly, did not understand the key risks within an organisation and therefore couldn’t understand the level of assurance that they needed in order to discharge their responsibilities. 

‘This wasn’t – and isn’t – just true of the financial industry,’ Lisa pointed out. ‘Other industries share similar problems, such as the food industry with its horse meat scandal and the slave labour in Bangladesh’s clothing industry, so I think it makes it really clear that we do need to try and progress integrated assurance at least at some level.’

An integrated view of risk
While everyone thinks they know what assurance is, Lisa said it is important to question whether this is true. She didn't think it was. ‘I don’t believe organisations know the level of assurance they are getting for the amount of money they're investing and I also don’t think people understand how best to get an integrated view of risks,’ she said. 

From Barclays’ perspective, some of the key characteristics of integrated assurance are that it promotes risk management and assurance as an integrated process across functional boundaries. ‘It means we talk to each other,’ Lisa explained. ‘We talk across the boundaries, so it’s not just “them and us”. By combining forces we provide a holistic view of what risk we think is still left in the business and what needs to be addressed.’ 

More widely, integrated assurance does ‘try to believe in one version of the truth’, she added. ‘It helps organisations move towards a more common language and that’s important because you have to try to talk in a similar language. If you don’t, you will be endlessly debating the nuances of various points with other parts of the business. In Barclays it took four years to get to a common language just in risk perspective. 

‘The baseline for integrated assurance has to be a methodical process which identifies key risks and business activities and maps the level of assurance, understands what the board’s risk appetite and tolerance is and determines how you're going to meet that.’ 

In 2012 Barclays set up a programme designed to create common definitions of its risks and how it rated its control environment, as well as a way to define the company’s culture. The work on these led to an assurance map, which Lisa was keen to emphasise was not the same as co-ordinated assurance. ‘This map is just determining that assurance should take place and planning where to go next,’ she said. ‘It has taken nine months in one area of Barclays to do that, but it has created much better relationships within the business.’ 

The assurance ‘maturity model’, which Lisa then outlined, begins with communication and coordination, which at its most basic level might just be different parts of the business sending each other their plans. Increasing ‘maturity’ of the model would lead to coordinating planned work, which Barclays has started to do, and integrated reporting to the audit committee and board, which the company aspires to.

A coordinated assurance plan would begin to join up the three lines of defence so that they report to senior management and the board, creating a fully co-ordinated assurance plan and achieving controls testing efficiency through streamlining and automation. The aspiration in banking, Lisa said, is to automate as much of assurance as possible.

Practical considerations
To successfully realise this model, which Lisa emphasised was not a ‘one size fits all’ solution, a number of practical implications and problems need to be addressed. 

‘There needs to be a mandate from the top otherwise you end up having fuzziness in the middle, which is not going to buy into the programme of reform,' she said. ‘If you don't get that, it’s going to make your job an awful lot harder.’ 

There also needs to be trust in the process. As Lisa pointed out, for the first time people now can go to jail if things go wrong. ‘That’s a big risk,’ she said. ‘Why should people place reliance on people they have no control over? Why would a head of risk or head of assurance place reliance on the first line of the business when they could go to jail if it all goes wrong? I really do think there is more communication required with regulators as to whether you can really place reliance on somebody else in the banking industry when there is a personal risk of going to jail.’ 

Lack of a single methodology also poses a barrier to integrated assurance in Lisa’s view. ‘Internal audit has its own methodology but I wouldn't want risk management compliance or the business setting up their own audit teams,’ she said. ‘The assurance that risk management provides is different in terms of the level and view of risk and what you're looking for is different views of the same risk from different angles. To move on, there needs to be a focus on finding a consistent methodology.’ 

Different levels of skills and experience across a firm are also a key consideration. In a company such as Barclays, which has a staff of 140,000, finding the right skills is relatively easy. A smaller organisation might have 40 staff or fewer, so the question of where the required skills to achieve integrated assurance can be found has to be asked, alongside whether it is even really necessary.

Lisa concluded by suggesting that at the current time management places much higher reliance and importance on the work of internal audit compared to the other assurance providers. ‘That isn’t easy in terms of demands on our time,’ she observed. ‘And working towards integrated assurance is very time-consuming.’ 

Jill Wyatt, freelance business journalist

The trials and tribulations of integrated assurance

Lessons from Transport for London’s efforts to revitalise its integrated assurance development programme.

What can we learn from Transport for London’s efforts to revitalise its integrated assurance development programme? 

Lack of understanding about what integrated assurance is meant to achieve and who should be involved in making it a reality was commonly acknowledged by speakers at this year’s ACCA Internal Audit Conference, ‘Assurance through the looking glass’. 

Roy Millard, senior audit manager, commercial and HSE&T, internal audit, Transport for London (TfL) was no exception. Even if delegates could define the concept of integrated assurance, he suggested that conversations with other professionals would quickly reveal there is little commonality in their understanding of either what it is or who provides it.  

Roy identified many other barriers to making integrated assurance work, including a lack of commitment from the top, the strength of focus on different areas of assurance, and the disputed value of the chosen methods of delivering assurance. A reluctance to abandon or challenge customary practices is often a further challenge, as are organisational structures – reporting lines in particular. 

‘In TfL, internal audit reports into the audit committee, safety reports into the London Underground managing director and the product assurance function reports into the finance director,’ Roy explained. ‘How do you get those people working together? Are they losing some control over assurance if they become integrated? There is, almost inevitably, some resistance to that.’ 

A question of ownership 
So who owns the task of getting people to work together better to integrate assurance? Roy was clear on this. ‘My view is that it’s internal audit because ultimately all assurance should flow to the audit committee,’ he said. ‘Unfortunately, internal audit doesn’t necessarily have the loudest voice or the most influence in this area, so everything comes back to tone at the top.’ 

The need to make integrated assurance work, he argued, is becoming increasingly important in the light of organisational complexity, joint sponsorship of major projects and the development of long and complex supply chains. A notably less tolerant view of failure from both local and central government is a further incentive. 

The opportunities and benefits of success include closing gaps and creating greater efficiency, drawing out root causes of systemic issues and, importantly, amplifying the impact and improving the credibility of assurance. Creating a coordinated picture of assurance output can also provide collective knowledge about the culture of an organisation, which can then be fed back to the board, as well as helping them learn lessons from both project or business successes and failures.  

‘I don't think any assurance provider is in a particularly good position to do that,’ Roy said. ‘But bringing together knowledge from various sources creates a much stronger ability to gather corporate knowledge, as well as a framework for propagating it out to the rest of the organisation.’ 

The expectations of stakeholders – both providers and receivers – are an important consideration when deciding how an integrated assurance framework can be defined within an organisation. When do they need assurance and what are the relationships that already exist between those stakeholders?

Roy also stressed the importance of understanding the governance hierarchy. How many levels are there? What are the inter-relationships between the different governance panels and organisations and how well do they work together?

Six key principles
However an assurance framework is set up, it needs to adhere to the six principles of integrated assurance spelt out in the 2014 APM Guide to Integrated Assurance:  

  • independence
  • accountability
  • planning and coordination
  • proportionate
  • risk-based
  • impact, follow up and escalation.

‘If you follow these principles, you will be better able to successfully integrate a framework,’ Roy told his audience. ‘Applying them can be a way of improving some areas of assurance by bringing them up to common standards, building on what’s already there and avoiding duplication.’ 

For Crossrail, the new high frequency, high capacity railway for London and the south east, this had proved vital. When the project was just getting off the ground, the then chief executive identified the amount of assurance that would be done as representing one of the biggest risks to its success. 

‘It became clear that there would be so many people wanting to interfere, working out how much money was being spent and what was being delivered, and so many different political and financial interests that an integrated approach to assurance was essential,’ Roy explained. 

Equal weight should be given to each of the principles, with someone clearly owning the task of integration. In TfL, an integrated assessment framework sets the policy for the organisation; it is overseen by the assurance delivery group, chaired by the general counsel, which is in turn accountable to TfL’s executive committee.

Roy highlighted the need for people’s roles and responsibilities to have an assurance element to them, suggesting that any project manager’s job description, for example, should include the need to fulfil an assurance role.

Recapping on the barriers to successful integrated assurance, Roy listed the top contenders as lack of corporate will, self-interest, culture and associated lack of trust, and inadequate risk management. 

The strength of the audit committee, whose belief in the importance of achieving integration could serve as a useful lever in conversations across the organisation, numbered among the key factors in achieving success. Others include creating a strong link between risk and assurance, building in a culture of risk and assurance ownership, linking assurance and approvals, embedding assurance within activity plans and having well-defined assurance processes. 

The way forward
‘Assurance mapping is one of the most powerful tools available in moving the integration agenda forward,’ Roy said. ‘However, this is fiendishly difficult to do in a large organisation. TfL put its first maps together three years ago but there is clearly a long way to go before we realise the benefits of this technique.’ 

Nevertheless, assurance mapping plays an important role in TfL’s current efforts to revitalise its integrated assurance development programme. There is also a focus on ensuring that all auditors, wherever they are in the organisation, follow common processes, a common competence framework and common templates. Complementary work streams are concentrating on self-assurance, trying to discover ways that assurance maps can help generate assurance itself, rather than all being review based, and on corporate learning. 

Supporting this work is the introduction of an assurance database where all assurance plans and assurance outputs are stored and accessible to everyone in the organisation. 

Roy Millard’s session is available to listen to as a webcast.

Jill Wyatt, freelance business journalist

CPD article: Data Protection Act and the new EU directive
Dr Stephen Hill examines what internal auditors need to know ahead of new EU data protection rules.

Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.

Setting the scene
PwC reported in its 2015 Information Security Breaches Survey that 90% of large companies have suffered a data breach over the last year with 74% of SMEs suffering the same fate. In addition IBM and Ponemon Institute recorded in their 2015 Cost of Data Breach Study that the average loss of a data breach was $3.79m. The Online Trust Alliance discovered that 90% of data breaches could have been prevented using critical security best practices and 29% were the result of employee error (intentional or accidental) due to a deficiency in internal controls. 

The rapid pace of technological change and globalisation has profoundly transformed the scale of personal data collection and the way personal data is collected, accessed, used and transferred. Social networks, data sharing websites, cloud computing and new portable devices (including tablets and smart phones) pose new challenges not only for data controllers but also for internal auditors, as we leave digital traces with every move we make. With more and more individuals worrying about their own personal data in light of recent data breach headlines, there has never been a better time to introduce new controls and procedures to protect our data.

Reform is coming: after more than three years the EU data protection framework has finally been agreed, with May 2018 being quoted as the implementation date. Despite being two years away, there is no time for complacency, as there are so many areas an organisation should start thinking about, including a review of its obligations under the current DPA.

Overview of DPA
The Data Protection Act 1998 (DPA) defines UK law on the processing of data on identifiable living people and brought the UK into line with the EU Data Protection Directive of 1995. 

The purpose of the DPA is to protect an individual's right to privacy with respect to the processing of personal data and includes the legal right for individuals to control information about themselves. The DPA applies to firms holding information about individuals in electronic format and on paper and requires that they follow the eight DPA principles of good information handling as follows: 

  1. fairly and lawfully processed
  2. processed for specified purposes
  3. adequate, relevant and not excessive
  4. accurate and, where necessary, kept up to date
  5. not kept for longer than is necessary
  6. processed in line with the rights of the individual
  7. kept secure
  8. not transferred to countries outside the European Economic Area unless the information is adequately protected.

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. 

Anyone holding personal data for other than domestic use is legally obliged to notify the ICO, unless they are exempt. Failure to notify is a criminal offence and the ICO can issue fines of up to £500,000 for serious breaches of the DPA. For full details of the DPA principles refer to the ICO’s website.

Future changes – the GDPR
‘The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades.’
(Christopher Graham, ICO)

Viviane Reding, vice-president of the European Commission, introduced a Draft General Data Protection Regulation (the ‘Draft Regulation’) on 25 January 2012 which will now replace Directive 95/46/EC (the ‘Data Protection Directive’). Political agreement has now been reached via the trialogue discussions between representatives of the European Commission, Council and Parliament, with a date of May 2018 having been set. The GDPR will apply to any organisation that holds or uses personal data of EU citizens. Companies are now directly responsible for data protection compliance wherever they are based (and not just their EU based offices) if they are processing EU citizens’ personal data.

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR. However, there are new elements that need to be addressed, and many have commented on how best to prepare for the new GDPR. The following observations come from the ICO, which recently produced a comprehensive guide called Preparing for the General Data Protection Regulation (GDPR) that looks at key steps organisations should take now.

What internal auditors need to know
Information held – document what personal data is held by the organisation, where it came from and who you share it with. The ICO suggests that you may need to organise an information audit across the organisation, or within particular business areas. This will assist in compliance and the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.

Privacy of information – review current privacy notices and ensure you are transparent with the data subjects. The new regulation will require you to additionally explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the regulator (ICO) if they think there is a problem with the way their data is being handled. The GDPR requires the information to be provided in concise, easy to understand and clear language.

Consent – data subjects must give consent (freely given, specific, informed and unambiguous) to allow for the processing of their personal data. Consent must be ‘explicit’ for sensitive data, thus requiring the data controller to be able to demonstrate that consent was given. Internal auditors should review the systems the organisation has for recording consent to ensure they have an effective audit trail. In addition, the GDPR will require systems to be in place to verify individuals’ ages and to gather parental or guardian consent before processing the data of anyone under the age of 16.

Accountability and privacy by design – the GDPR places accountability obligations on the data controller to demonstrate compliance. Internal auditors should therefore ensure that the necessary documentation is maintained, that a Privacy Impact Assessment is conducted (ensuring that lists are kept of what is caught) and that privacy by design continues to be applied (minimising the risks).

Data breach notification – data controllers will be required to report data breaches to the ICO (note not all breaches need to be reported). This must be done without delay and where feasible within 72 hours. The threshold for notification to data subjects is that ‘there is likely to be high risk’ to their rights and freedoms. Internal auditors should start now to make sure they have the right procedures in place to detect, report and investigate a personal data breach.

Subject access requests – the GDPR has forced a change to the current SAR. Existing principles permitting access to personal data are largely retained but the time period for dealing with subject access requests has (from a UK perspective) been reduced to one month from 40 days and there is no longer the ability to charge a fee. Internal auditors should therefore review and update current procedures and plan how data controllers will handle requests within the new timescales and provide any additional information.

Data protection officers – in certain circumstances there will be the requirement to appoint a data protection officer or a person responsible for data protection compliance. The data protection officer should have sufficient knowledge, support and authority to carry out this role.

The above points provide some of the key areas that need to be addressed by those responsible. In addition attention should be given to areas including: the legal basis for processing data, the rights of the data subject (including the ‘right to be forgotten’), training and awareness and the international transfer of data. 

To conclude, it is fair to say that the changes centre on the fundamental principles of data protection applied to a more technologically advanced world, and for most organisations those principles are already embedded in existing systems and controls. While 2018 seems a way off, organisations need to take action now and review or implement the changes required to ensure compliance. Acting now, carrying out an audit of current practices and reviewing policies will keep you on the right track and ensure you don’t panic come 2018. 

The new sanctions – in the worst case the regulator could impose a penalty of up to €20m or 4% of annual worldwide turnover, whichever is higher – will certainly attract the attention of board level executives and ensure they support and promote good data protection governance within the organisation. 

Dr Stephen Hill – director, Snowdrop Consulting Ltd (now part of Absolute Partnership)

Additional information to assist internal audit
Principle 7 - Kept Secure (Internal Audit Focus)
The DPA requires that ‘appropriate technical and organisational measures’ are taken against unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. The ICO considers that the level of security should be appropriate to the level of damage which would be caused by any misuse or loss of the data. Failures to keep personal data secure are well publicised and have an adverse effect upon an organisation’s reputation. Some examples of high profile incidents and ICO penalties are: 

As can be seen, the failure to keep personal data safe primarily arises as a result of human error combined with: 

  1. poor physical security
  2. social engineering and web 2.0 exploitation (social networks)
  3. loss or theft of laptops, tablets, USB, portable hard drive, DVD/CD
  4. hardware or password abuse (internet and email)
  5. remote access (wireless) or cloud exposure
  6. poor internal controls.

When considering the measures that can be put in place to prevent security breaches or limit the damage, it is important first to establish what level of security is right for your business and to understand all of the processes involved as you collect, store, use and dispose of personal data. While no single product can provide a 100% guarantee, the most effective security is created through a layered approach, combining a number of different tools and techniques so that the failure of any one of them does not on its own expose the data. 

In an office environment we can take measures to protect personal data such as ensuring computer screens are not visible to visitors, closing down unattended computer systems, securing paper records out of hours and placing waste paper in secure bins prior to secure disposal. When working remotely and/or undertaking site inspections there is a need to take greater care by: not leaving papers on view (either at home, in a vehicle or on public transport), working in a dedicated (and if possible secure) area and shredding all documentation prior to secure disposal. Be vigilant about protecting any portable devices, do not allow access to other people and adhere to IT security policies. 

You can reduce the impact of loss or theft by transferring personal data to mobile devices only when you actually need it and removing it when you have finished. Encryption ensures that the data can be read only by someone holding the decryption key, which is normally unlocked with a password or passphrase, so the protection is only as strong as that password and the recovery keys must themselves be stored safely: 

  • full disk encryption means that everything on the drive is encrypted; it protects the data while the device is switched off or the drive is removed, but not once a user has unlocked the machine, so it is no defence against malware or against someone using an unattended, logged-in session
  • file encryption means that individual files are encrypted; they stay protected when copied to removable media or sent by email, but anything else on the device is left in the clear.

Internal auditors should look for evidence that encryption is actually switched on and enforced (a policy alone is not a control), for example a central report of the encryption status of every laptop and portable drive.

Anti-virus or anti-malware products scan endpoints and servers (and, where deployed at the gateway, network traffic) to prevent or detect known threats; make sure their engines and signatures are kept up to date and do not rely on them alone, since they miss new or targeted malware. Restrict access to your systems to users and sources you trust, and give each user their own username and password so that every action can be attributed to an individual; shared accounts destroy the audit trail. Brute force password guessing is a common attack against any exposed login, wi-fi included, so require strong (long) passwords, limit or throttle the number of failed login attempts, and use two-factor authentication where it is available. Forcing regular password changes, once standard advice, is no longer recommended by the NCSC because it pushes users towards weak and predictable passwords; change a password promptly when compromise is suspected instead.
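To make the ‘limit the number of failed login attempts’ control concrete, here is an added worked example; it is not code from the article or from any product mentioned on this page. It replays a constructed authentication log (the line format, the user names, the RFC 5737 documentation addresses and the thresholds are all assumptions made for the illustration) through a sliding-window throttle that locks an account after five failures in ten minutes and, separately, flags a source address that fails against many different accounts, the ‘password spray’ pattern that a per-account lockout on its own never catches.

```python
"""Sliding-window login throttling and brute-force detection, replayed over a
constructed authentication log. Added example; not code from the article.
Everything below (log format, names, addresses, thresholds) is an assumption
made for the illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative policy values, not figures from the article.
ACCOUNT_MAX_FAILS = 5            # failures per account inside WINDOW before lockout
SOURCE_MAX_FAILS = 20            # failures per source inside WINDOW before it is flagged
WINDOW = timedelta(minutes=10)   # sliding window, also used as the lockout duration


def parse_line(line):
    """Parse one constructed line: '<ISO time> <LOGIN_OK|LOGIN_FAIL> user=<u> src=<ip>'."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


class LoginThrottle:
    """Keeps recent failure timestamps per account and per source address."""

    def __init__(self):
        self.account_fails = defaultdict(deque)   # user -> recent failure times
        self.source_fails = defaultdict(deque)    # src  -> recent failure times
        self.locked_since = {}                    # user -> when its lockout began
        self.flagged_sources = set()              # sources over SOURCE_MAX_FAILS

    @staticmethod
    def _prune(times, now):
        """Drop failures that have fallen out of the sliding window."""
        while times and now - times[0] > WINDOW:
            times.popleft()

    def record(self, ts, result, user, src):
        """Apply one event in time order; return 'ALLOW', 'FAIL' or 'LOCKED'."""
        # A locked account refuses every attempt until the lockout expires,
        # including one that carries the correct password.
        if user in self.locked_since:
            if ts - self.locked_since[user] <= WINDOW:
                return "LOCKED"
            del self.locked_since[user]
        acct, source = self.account_fails[user], self.source_fails[src]
        self._prune(acct, ts)
        self._prune(source, ts)
        if result == "LOGIN_OK":
            acct.clear()            # a genuine login resets the account counter
            return "ALLOW"
        acct.append(ts)
        source.append(ts)
        if len(source) >= SOURCE_MAX_FAILS:
            # Many failures from one place spread over many accounts: a spray,
            # which the per-account rule below never trips.
            self.flagged_sources.add(src)
        if len(acct) >= ACCOUNT_MAX_FAILS:
            self.locked_since[user] = ts
            return "LOCKED"
        return "FAIL"


def replay(lines):
    """Replay log lines in order; return [(user, decision), ...] and the throttle."""
    throttle = LoginThrottle()
    decisions = [(user, throttle.record(ts, result, user, src))
                 for ts, result, user, src in map(parse_line, lines)]
    return decisions, throttle


# Constructed sample log (not real data; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2024-03-01T09:00:00 LOGIN_FAIL user=alice src=203.0.113.5",
    "2024-03-01T09:00:30 LOGIN_FAIL user=alice src=203.0.113.5",
    "2024-03-01T09:01:00 LOGIN_FAIL user=alice src=203.0.113.5",
    "2024-03-01T09:01:30 LOGIN_FAIL user=alice src=203.0.113.5",
    "2024-03-01T09:02:00 LOGIN_FAIL user=alice src=203.0.113.5",  # fifth: lockout
    "2024-03-01T09:02:30 LOGIN_FAIL user=alice src=203.0.113.5",
    "2024-03-01T09:05:00 LOGIN_OK user=alice src=192.0.2.10",     # right password, refused
    "2024-03-01T09:06:00 LOGIN_FAIL user=bob src=192.0.2.11",
    "2024-03-01T09:06:20 LOGIN_OK user=bob src=192.0.2.11",
] + [
    # Password spray: one failure against each of 20 accounts from one source.
    f"2024-03-01T09:30:{i:02d} LOGIN_FAIL user=user{i:02d} src=198.51.100.7"
    for i in range(20)
]

if __name__ == "__main__":
    decisions, throttle = replay(SAMPLE_LOG)
    for user, decision in decisions:
        print(f"{user:8} {decision}")
    print("locked accounts:", sorted(throttle.locked_since))
    print("flagged sources:", sorted(throttle.flagged_sources))
```

Running the replay shows alice locked on her fifth failure and refused even when she later presents the correct password. That is the deliberate trade-off of lockout: anyone who knows a username can lock its owner out, so lockout should be paired with throttling (increasing delays) and alerting rather than relied on alone. The spray from 198.51.100.7 leaves every account below its threshold and is visible only through the per-source counter, which is the kind of monitoring an internal auditor should ask to see evidence of.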

How to successfully launch an outcome and risk based internal audit service
Outcome and risk based internal audit  is a novel approach to effective assurance being used by a number of private and public sector organisations to achieve the holy grail of assuring business success, writes Neville de Spretter.

An outcome is defined as the result and benefit of achieving an objective, a desired future state – what an organisation wants to achieve. Outcomes are permanent, long-term and independent of organisational structure; objectives are temporary, short-term and specific to a particular organisational structure. 

A CEO with whom I worked in the late 1990s frequently quoted ‘make certain to apply the “7 Ps” – proper planning and preparation prevents very poor performance’ in encouraging the business to deliver projects effectively. It has lodged in my mind ever since…!  

In my role as an independent consultant I’m frequently asked to facilitate and lead on building, revitalising or modernising internal audit services. Over a number of years ACCA’s technical activities and advice, research and insights, together with the IIA’s standards and guidance, have effectively guided and supported the projects. 

Recently I’ve been asked by boards and senior management to establish internal audit that is aligned with – and integral to – strategic and operational outcomes, is collaborative, pragmatic, and predictive in assuring outcome delivery. They want to know that outcome risk connectivity and interdependencies, both vertically and horizontally, at all levels, are understood, visible and transparent, and that the risks are being robustly managed. They want internal audit that is forward looking, solutions based, agile, adaptive, enabling and commercially focused. 

It means an internal audit focus on outcomes (and their measures and targets), risk and controls, in contrast to the conventional internal control, retrospective, binary reporting focused approach. Accordingly, once outcomes are clarified, mapped, measured and targeted, I’ve been working with organisations to identify the risk to each outcome, aligning risks with outcomes, and giving clarity and transparency to the activities that manage and mitigate each risk – and thereby establishing the audit universe.  

Assurance is then provided in a non-adversarial, business-enabling way: the activities are effective to manage or mitigate each risk to a level of residual risk that’s acceptable to the business, or they’re not. If they’re not, it is relatively simple to facilitate the actions needed to do so, or directors can agree to leave the level of risk where it is, and this is visible to all stakeholders. It provides a clear and holistic picture of what’s important to the organisation with the benefits of: 

  • Integration – everything the organisation needs to do and employ to deliver its required outcomes is linked at all levels across the whole value chain from customers through staff to suppliers.
  • Predictability – the probability of the required outcomes being delivered is objectively forecast, enabling risk mitigation, and providing assurance that outcomes remain on target to be delivered.
  • Transparency – any stakeholder is able to see what the business intends to employ, do and deliver, and the progress being made and expected.

So, while keeping in mind the ‘7 Ps’, the following summarises how planning for successful implementation has been approached, utilising ACCA’s and the IIA’s guidance.



The basis and authority of the service.

To begin, IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) provide a comprehensive blueprint. Their Establishing Authority presentation is useful to assist in discussions with management and the audit committee.


Ascertain senior management, board and audit committee expectations.

Clarify expectations and establish rapport; use, as appropriate, surveys, board minutes, group and individual meetings to help shape the service. What are board and executive strategic outcomes, the risks to their achievement, opportunities they present, and where can internal audit best help assure delivery?


Governance framework.

Policies and procedures should define management's responsibility for governance and therefore help inform Phase 4. Include a review of the audit committee charter to ensure that it dovetails with the internal audit charter.


The internal audit charter.

There are plentiful examples, including IIA’s model charter; ensure that your charter meets the audit committee's needs and any industry requirements, and is discussed, reviewed  and agreed with senior management and audit committee.


The audit universe, processes, systems and operations.

Partner with managers and teams to start to define and map their contributory outcomes (to corporate strategic outcomes), risks against those outcomes, and the activities (controls) to manage and mitigate them. 

It’s a complex picture so use the right IT to support it. Get the logic sorted and it’s relatively straightforward to use open source and agile development to create a user-friendly system.


External auditors and regulators.

Build rapport, ensure outcome, risk, control and action matters are shared and ensure activities are co-ordinated.



Begin to fill gaps in the audit universe (eg if managers and teams identify a risk, facilitate their defining the outcome it relates to, and vice versa).


Priorities for review.

Partner with managers and teams to start to define priorities at the macro level for review, agreed with senior management.


Construct the budget.

Base the budget on your review priorities for the year, taking into account direct and indirect costs, eg staffing, support, travel and subsistence, training.


Develop the detailed internal audit plan.

The risk based plan will depend on the review priorities agreed and the internal audit resources and staff, but once started should continue and flex with redefined outcome / risk priorities.


Form the team.

Information obtained during Phase 6 can aid shaping the structure and team member specifications and competencies, for what (eg specialist assignments), and where to source them (eg co-sourced, outsourced, internally resourced, a mix). IIA's Position Paper Role of Internal Audit in Resourcing the Internal Audit Activity may be useful.

The team will need to cover the range of expertise required based on the outcome / risk assessment.


Plan for team training.

Ensure that the team understand and can put into practice the risk based approach. The best plans have been created and delivered with HR and specialist training and development support and guidance.


Promote a quality assured internal audit service throughout the organisation.

Ensure buy-in to the approach: the ‘message from the top’ needs to be clear and unequivocal. (The IIA has complimentary brochures, such as All in a Day's Work, Adding Value Across the Board, and Guidance for the Profession.)

Partner with managers to establish constructive and enabling reporting relationships, and develop the means to follow up on actions.

Obtain feedback on performance as part of a quality assurance programme.

Neville de Spretter FCCA 

Neville is a member of ACCA UK’s Internal Audit Network Panel, an independent specialist in governance, risk management and control, principal at AdLibero2 Ltd, an associate of Perendie, a non-executive director of StyleSeeker Ltd, a steering committee member for the CRSA Forum, and a committee and drafting panel member for the British Standards Institution. 

Outcome and risk based internal audit has been, and continues to be, implemented in both private and public sector organisations, in the UK and overseas. 

Auditing business continuity capabilities
Continuity is an essential requirement for any business today. What are the priority aspects to planning such an audit, asks Dan Swanson?

As I’ve indicated many times, ensuring that an organisation can recover from disaster is a basic business requirement the board should explore regularly with management. Nowadays, leading organisations are taking this requirement and turning it into a strategic advantage: namely, investments in operational resiliency are assisting organisations to become more responsive to client needs as well as improving operational reliability, quality, and efficiency. It’s an effort you should consider. 

As organisations face increasingly complex business and operational environments, functions such as information security and business continuity keep evolving: indeed, they need to keep evolving. Today, successful information security and business continuity programmes (BCP) both address the technical issues involved and strive to support the organisation’s efforts to improve and sustain an adequate level of operational resiliency. Cybersecurity is the latest such improvement effort, and one that practically every organisation needs to invest in. 

Internal auditing’s contribution
Regular internal audits of information security, cybersecurity, BCP and DR programmes are highly recommended. The board and management need assurance regarding the effectiveness of those preparedness efforts, and they also need assurance that the company is building a more efficient and effective operation on an on-going basis. 

The following priorities are generally worth considering when scoping an audit of business continuity capabilities:


  • Overall programme governance. How is operational resiliency being encouraged? Is the programme given appropriate strategic direction and investment? (for example, does the organisation place sufficient emphasis on operational improvement?) Are suitable sponsors and stakeholders involved, representing all critical aspects of the organisation? Do they take sufficient interest in the programme, demonstrating their support through involvement and action? And most important of all, who is accountable for the programme's adequacy?
  • Ongoing programme management. A critical success factor in every BCP and DR effort is the way in which the programmes are planned and driven, ensuring that they meet objectives despite the company’s inevitable competing priorities. Does programme management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once-a-year exercise anymore; being prepared is an ongoing, day-in and day-out effort. More frequent testing is becoming a necessity.
  • Management of significant system or process changes. The evaluation of operational resiliency inevitably results in system and process improvement. Is release management handled effectively to provide the best assurance that the improvements deliver their intended benefit and that operational reliability is maintained?

An independent assessment of the BCP and DR programmes by internal audit can provide objective feedback that helps ensure the programmes are adequate to prevent a business failure. Think about it: have your DR and BCP efforts kept pace with today’s new challenges and expanding requirements, as well as the significant investment in technology that most organisations have completed or are working on? 

Exactly how internal audit departments should interact with BCP and DR programmes varies widely among companies. With the right approach, audit can deliver tremendous value to the board and executive management by objectively assessing whether the programme provides effective coverage to protect the organisation from harm when a significant disaster occurs. With the very significant time pressures many managers are facing, an independent and objective evaluation can actually be just what the doctor ordered. 

An audit of the BCP and DR programme can take many forms. At its simplest, auditors can conduct a quick ‘BCP/DR health check’, reviewing the plans and interviewing key stakeholders. At its most complex, the audit team can analyse almost every aspect of the programme, evaluate the risk-based planning, observe BCP/DR testing, assess the completeness of the business impact analysis (BIA), and so forth. 

The type and the extent of auditing performed depends on the risks involved, management’s assurance requirements, and the availability of appropriate audit resources. External specialist resources may be useful on different occasions. The auditors might participate as formal observers in mock drills or review the programme’s documentation and assess its comprehensiveness and completeness. Your audit options are quite broad; adjusting your audit plans over time is also recommended. 

Internal auditors will normally review what has been planned and achieved against management’s expectations and in comparison to generally accepted best practices in the field. This is where audit objectivity comes to the fore; the auditors have a legitimate purpose to assess whether management’s expectations are reasonable and sufficient, given the level of risk to the organisation and in relation to other similar organisations.  

The following advice covers the main phases of any audit: scoping, planning, fieldwork, analysis, and reporting. BCP and DR programmes, however, come in many shapes and sizes, so clearly the specific details of any given audit will vary according to the specific situation. 


The BCP and DR programme should be able to meet the recovery window objectives of mission critical services in the event of an emergency or unusual event, by covering:

  • critical services, information assets, and dependencies documented in the business-impact analysis;
  • approved and organised recovery strategies;
  • measures to deal with the impacts and effects of disruptions;
  • response and recovery teams including the membership, contact information, and activation procedures;
  • roles, responsibilities, and tasks of the teams including internal and external stakeholders and covering planning, testing, and actual disaster efforts;
  • resources and procedures for recovery;
  • coordination mechanisms and procedures; and
  • communications strategies.

Audit-scoping phase
As with any audit, defining the goals and objectives for a review of the BCP and DR programmes is the auditor’s first task. Providing an objective and comprehensive assessment of the organisation’s BCP and DR programmes, to management and the board, is likely the overriding audit goal that should be worked towards. Scoping is best conducted on the basis of a rational assessment of the associated risks. The following aspects are generally worth considering when scoping a BCP and DR audit:


  • Overall programme governance. How are the programmes managed? Are they given appropriate strategic direction and investment? (That is, does the organisation place sufficient emphasis on BCP and DR?) Are suitable sponsors and stakeholders involved, representing all critical parts of the organisation? Do they take sufficient interest in the programmes, demonstrating their support through involvement and action? And most importantly, who is accountable for the success or failure? Periodically revisiting overall programme governance can be very productive; things change over time, particularly as businesses are acquired or aspects of the company are discontinued. 
  • Ongoing programme management. A critical success factor in every BCP and DR effort is the way in which the programmes are planned and driven to ensure that they meet objectives despite the organisation’s inevitable competing priorities. Does programme management balance consideration of the many conflicting priorities managers face with the critical need that corporate resiliency efforts be appropriate? This is not a once a year exercise anymore; being prepared is an ongoing, day in and day out effort. Is the level of testing completed annually appropriate to the programme’s complexity and importance? (Finding out how well we’ll do during an actual disaster is an extremely poor strategy.)
  • Definition and accuracy of the BCP and DR objectives. Have the programme's requirements been clearly and fully defined by management? Has a comprehensive business-impact analysis been completed? Is it regularly updated?
  • Coverage of the BCP and DR plans. Have all the critical business processes been identified and suitable plans prepared? Do the plans take sufficient account of the need to maintain or recover the supporting infrastructure (IT servers and networks, for example)? Are the plans reasonably 'concise' or are they cluttered with non-essential processes, systems, and activities? Are significant outsourced activities adequately covered? Do they need validation as well?  Are plans current with respect to all the current hardware and software the organisation has in place?

    The governance structure for the BCP and DR programme should establish the authorities and responsibilities for the development, approval, and testing of contingency plans, which involves:

    • providing strategic direction and communication;
    • approving departmental contingency plans and governance;
    • committing financial and other resources;
    • reviewing and approving identified critical services and associated assets;
    • resolving conflicting interests and priorities;
    • approving contingency plans and activities;
    • ensuring that regular training, reviewing, testing, and auditing occur;
    • ensuring that contingency-planning activities are supported by IM, IT, and other continuity plans and arrangements, as required; and
    • setting the risk appetite and statement of risk at the enterprise level.

  • Management of any major system or process changes. Inevitably, changes will be required to implement BCP and DR arrangements. Is change management handled effectively to provide the best assurance that changes are tracked and addressed in both the live and DR environments? In addition, the frequency of change to an organisation’s technologies continues to increase, so changes to the BCP and DR programmes are ongoing.  
  • Robustness of the BCP and DR testing processes. Programme managers need to demonstrate the organisation’s preparedness, build management confidence and, most importantly, strengthen the organisation’s BCP and DR capabilities. Is ‘people participation’ identified, approved, and tracked to provide the best assurance that the drills and tests are actually attended, and that the results meet your BCP and DR objectives? Remember, today it is not a matter of ‘if’ but of ‘when’, and perhaps of how large a scope is involved.
  • Plan maintenance. How is the change management process that keeps the plans up to date governed, even as the organisation changes? Are roles and responsibilities allocated within the organisation for developing, testing, and maintaining BCP and DR plans? Organisations MUST design DR and BCP capabilities ‘into’ their new solutions and technologies - it cannot be added on just before production implementation.
  • BCP and DR procedures. Consider the procedures and associated training, guidelines, and so forth to make managers and staff familiar with the process to follow in a disaster.

In addition to defining what aspects fall within the audit’s scope, it is equally important that management and the board clarify any aspects that are out of scope, particularly any important considerations that, for one reason or another, are not going to be covered at this time (perhaps because they will be audited separately).  

In closing, many people ask what audit tests could be performed? An audit of a BCP and DR programme could include some or even all of the following (and likely more): 

    • interviewing key stakeholders and participants in the programme
    • reviewing business case, planning, and IT related documents
    • reviewing individual BCP and DR plans in more or less detail, checking that they are complete, accurate, and up-to-date; for example, testing a sample of the contact details for key players to confirm that their phone numbers are correct
    • looking for defined recovery times and whether there is evidence that they can be met
    • examining training materials, procedures, guidelines, and so forth, plus any management communications regarding BCP and DR situations that might occur and what employees should do
    • reviewing testing plans and the results of any tests already conducted
    • evaluating relevant employee preparedness and familiarity with procedures
    • reviewing impact of new regulations on plans
    • reviewing contractor and service provider ‘readiness’ efforts.

A long term investment
Companies that want to implement a culture of continuous improvement should focus on improving the operational resiliency of their key systems and processes. Internal audit should help reinforce this goal by periodically evaluating both the whole enterprise’s and the individual business units’ efforts to address operational risk by enhancing operational processes and systems. 

Building a highly resilient organisation takes a long-term view and a persistent investment of management’s time and resources, and leading organisations are now doing this.

What is your organisation doing to improve, and audit, your business continuity efforts?

In closing, do make sure the organisation’s crisis management protocols are well defined as executive management and the board need to have crisis communications organised prior to any significant incident.

About the author
Dan Swanson has more than 26 years’ experience as an internal auditor. He was formerly the Director of Professional Practices at the Institute of Internal Auditors. 

Dan has completed audit projects for over 30 different organisations, spending almost 10 years in government auditing (federal, provincial and municipal levels), and the rest in the private sector, mainly in the financial services, transportation and health sectors. 

Further information
Extensive research on this important activity is available from CERT (a part of Carnegie Mellon University). 

Resilience Management
Since 2001, the CERT® Program has been working in the areas of security process improvement and operational resilience management and engineering. Beginning with the introduction of the OCTAVE® Method, the programme has been researching and developing tools, techniques, and methods that help organisations manage operational risk and improve operational resilience. CERT Resilience Management research and development is currently focused on the CERT ® Resilience Management Model, critical infrastructure protection, and resilience measurement and analysis. 

GTAG 10: Business Continuity Management (by the IIA)
This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organisation could encounter in the case of a natural or man-made disruptive event that affects the extended operability of the organisation. 

Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the programme as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM programme.

The guide includes: 

  • disaster recovery planning for continuity of critical information technology infrastructure
  • business application systems.

The value of mentoring
Mentoring is a really valuable form of support, believes Samantha Brown. Find out why, and learn how it can benefit your career.

We’ve all been there... questioning ourselves about what to do, which way to turn, which career path to take, and we’ve all mulled over the endless possibilities without really getting to an outcome that we are certain and positive about. So what’s the solution? 

Ever thought about a mentor? Ever thought what mentoring is all about? 

  • A mentor is someone who allows you to see the hope inside yourself. Oprah Winfrey

Statistics suggest that ‘80% of CEOs polled have stated they have had mentors’. That’s not to say, however, that you have to be an aspiring CEO to want or need a mentor.  Furthermore, ‘Employees who received mentoring were promoted FIVE times more often than people who didn’t have mentors’. 

I’ve been lucky enough to have (and still have) a number of mentors throughout my career. People I have a huge amount of faith and confidence in to talk through my thoughts, hopes and fears and in return, receive challenge, advice and further questioning which have enabled me to make a decision and stop my mind circling round in an endless loop of unanswered questions. 

I’ve also been on the other side and mentored graduates and colleagues from other teams which I’ve found hugely rewarding. 

So...what is mentoring?
It’s a relationship between two people where one (the mentor) provides guidance and advice by discussing and understanding what the other (the mentee) is going through.  This relationship is based on trust and confidentiality to help improve skills, self-reliance and balance the pros and cons of career choices. 

It’s imperative that conversations are confidential and the relationship is seen as a partnership to gain most value as, ultimately, the process must be developmental and value adding for both parties. 

What mentoring isn’t
It’s not a process driven by the mentor to discuss and fix the mentee's problems. It has to be driven by the mentee to work out the right outcome for themselves, while utilising the experience and views of the mentor. 

The process should in no way be secretive or undermine the mentee's line manager, and it is certainly not a promise of career development or progression, although it should aid this. 

Additionally, the mentor is not there to counsel or listen to the mentee’s work or personal grumbles or instil their own thinking and viewpoint. 

  • The delicate balance of mentoring someone is not creating them in your own image, but giving them the opportunity to create themselves. Steven Spielberg

What makes a good mentor?
You don’t need to be a high flier or big talker to be a mentor. In fact, you just need to be a good listener, be able to facilitate discussions through constructive questioning and demonstrate empathy. You also have to be comfortable helping your mentee achieve their goals without pushing or forcing them in a specific direction. Above all, the mentor needs to be non-judgemental and act as an enabler for the mentee. 

Depending on the situation, you can take one or more of the following roles:

  • Role model. This is about leading by example and using your knowledge and insight into the organisation or situation to explore the issues and options for possible future actions.
  • Critical friend. This is all about tough love. Sometimes you need to challenge your mentee to get them to really think about what they’re doing and what the right course of action is.
  • Advocate. This is all about assisting your mentee with networking opportunities and providing exposure internally and externally to others who may be able to assist with promotions or other developmental opportunities.

What value can you get out of being a mentee?
You can gain fresh insights and a different perspective from an individual who has exposure to different experiences, and take ownership of your career and future by discussing opportunities in a safe environment. 

It provides an opportunity to obtain help with difficult relationships at work, or to overcome a specific challenge or issue faced in the workplace, from someone who is not directly involved in your immediate environment. 

Through this relationship you open yourself up to new networks by exposing yourself to new areas of the organisation and create wider networks that you can rely on. 

Ultimately, you should come out of the process with increased confidence and a fresh perspective. 

What value can you get out of being a mentor?
Becoming a mentor gives you the opportunity to demonstrate and develop your leadership skills by helping others to develop and fulfil their potential. 

Using and sharing your own skills and experience is a good way to assess and recognise what you have achieved during your own career, so it is a useful reminder when drafting your CV, as well as adding to it. 

You gain a great deal of personal satisfaction by helping someone else and also gain a better understanding of how people perceive you when you see yourself through the eyes of your mentee.   

What is needed to get the most value from mentoring?
Both parties need to set their own goals and communicate these at the start, so that the objectives and possible end game are known and understood by each side. This will make it easier to make the most of the time you have together. 

The mentor has to be prepared to challenge the mentee and the mentee has to be prepared to listen and take on board what the mentor says. If the mentee is defensive or is not open to hearing sometimes difficult messages, they are not going to achieve anything. 

Both the mentor and mentee need to dedicate time and effort to the process. This won’t work if either side does not prepare or does not give their attention to the relationship. Both parties need to be open, honest and enthusiastic. If you are not able to have candid conversations and you’re not addressing the real issues, the process is a waste of time. 

Furthermore, the relationship needs to be built on confidentiality. Both parties need to ensure they are both comfortable to speak the truth and provide examples of similar experiences or issues faced to bring them to life. 

Both parties need to feel comfortable with each other and be able to discuss if either party feels the ‘fit’ is not right.  If you don’t think you can work with the other party, don’t be afraid to say something as it is important you gel and feel that you can work together to achieve the best outcome. 

Both parties should continuously review how the relationship is working. It is important that the mentee does not become dependent on the mentor and maintains autonomy over their own decisions.

  • ‘We make a living by what we get, we make a life by what we give.’ – Winston Churchill

I think mentoring another person is one of the greatest achievements you can experience... that of helping someone who is a little lost to flourish and achieve their own dreams, some of which they may never have thought to be possible! 

The principles of mentoring
It is important to clarify and agree on the basic principles that will underpin any mentoring scheme. These may include the following:

  • a shared understanding of, and agreement with, the purposes of any mentoring scheme
  • the process needs to be clearly understood by all concerned
  • mentoring is designed to be a constructive, developmental form of support – of mutual benefit to mentor and mentee
  • there should be access to adequate preparation – including training – for those involved in a mentoring scheme
  • there should be clear understanding of and agreement on the level of confidentiality required within the mentoring relationship
  • the purpose and destiny of any information collected or produced needs to be clearly understood by all parties involved. Any written record produced should be appropriate to the needs of the mentor and mentee. Records should be agreed by and be accessible to the mentee
  • any mentoring scheme should reflect and promote a commitment to equal opportunities
  • the mentoring scheme should be actively supported and valued by the organisation or service and its management
  • open communication and adequate consultation should occur at all times during the implementation and management of the scheme
  • any scheme should receive adequate resources to achieve its desired objectives.

(IIA South & East – Mentor Guidance) 

Samantha Brown FCCA

Would you register for an ACCA mentoring scheme for internal auditors? Take our short survey now

Writing the right report
Learn how to craft an audit report which is clear, concise and useful, with advice from Sara James.

Any internal audit, risk or compliance specialist will sympathise with the struggle to produce a good report – one that is above all clear, concise and useful. But what do these terms mean, and how can we achieve them in our different roles and organisations? Some basic principles cut across all writing in English, whatever the setting, whatever the sector. 

Clear means no vagueness, euphemism or jargon. This requires writers to have a clear idea of what they have done, how and why. Obvious, perhaps, but many gaps in fieldwork and documentation become apparent only at review stage – when it’s too late. Be clear in your own mind about your message and its importance. Only then can you choose the fewest, best words to prompt your readers to action. 

Clear writing is honest, credible writing. It requires skill and, above all, courage. Much of what we produce in reports is unwelcome news: inadequate or ineffective controls, cultural problems, regulatory headaches, poorly managed IT systems and the like. However, stating clearly what you found and why your reader should care is an essential, if possibly uncomfortable, step to improvement.

Consider the following example. I’ve often seen reports say things such as ‘there is a perception of issues around resource’. That probably sounds familiar to you, and so it should – it is typical corporate waffle, woolly and clichéd.

But what does it mean? I can think of three possibilities: 

1) There aren’t enough people to do the work
2) There are enough people, but they haven’t received training
3) There are enough people, and they’ve been trained, but they’re still incapable of doing the work.

Each interpretation requires a different response from managers: hire more people; train the ones you have; or possibly replace the existing, trained, yet incompetent people with better staff. The original version (‘issues around resource’) leaves the reader no wiser as to what the root cause of the problem actually is.

One example of confusion caused by unclear or evasive language was in the Treasury Select Committee report about LIBOR. Certain organisations involved spoke of ‘issues’, others of ‘concerns’.

Different corporate cultures create their own vocabularies of euphemism – to some, an issue is more serious than a concern; to others, it is the opposite. And, as the report itself made clear, ‘Barclays appears to have regarded the points raised by Mr Sants as “issues” rather than “concerns”. On the basis of the evidence it is unclear whether Barclays “got the message”.’[1] 

Resisting corporate habit is hard. (Notice I don’t say ‘challenging’.) It’s hard because it requires a greater degree of research, attention to detail and persistence from the internal auditor in uncovering the problem. It’s also hard because some people fear that clear messages are rude. 

Re-frame the ‘rudeness’ problem. A clear message actually saves your reader time and puts him or her in a better position to address gaps and failures. It also makes the organisation’s governance stronger, more transparent. 

Culture matters. Countries, regions and people perceive clear communication differently. What is polite in one culture may seem unclear in another, and frankly evasive in a third. Conversely, what is open and honest in one culture may come across as direct in another, and openly rude in a third. Consider your audience, adapt your style – but remember that people the world over appreciate a concise, useful report. 

Concise means only what is needed. Many organisations’ senior management and board receive three- to four-hundred-page reports monthly and quarterly. This volume of paperwork undermines good governance, as the human brain is simply not equal to ploughing through so much under pressure – much less taking critical decisions based on such reports. If you want to contribute to making your organisation better run, better informed and more successful, cut the verbiage. It impresses no one and actively hinders understanding. 

One carefully chosen, precise word is better than masses of words shimmering coyly around the message. Your readers’ time is limited, their attention spans overloaded. Keeping your words few and judicious increases the chance people will read and act on your reports. 

Concise writing is part of clear writing – each needs the other. Both lead, happily, to useful. 

Useful means relevant. Make clear how your findings and recommendations link to the organisation’s objectives. Reports should not look like wordy compliance checklists – or worse, an exhaustive, detail-sodden narrative of everything you observed, thought, felt or dreamed during fieldwork. 

It’s hard, after a lengthy internal audit engagement, to whittle down all you know to what your readers need to know. However, taking the time to do this means presenting something insightful. It also shows respect for the readers' time constraints and other pressures of work – always helpful in building and maintaining good relationships.  

The report format should be one that readers will find accessible and meaningful. This may mean using graphics – traffic lights, pie charts, tables – or even photographs. Don’t be constrained by what reports have always looked like in your organisation. Coupled with clear, concise writing that puts the data in context, fresh visual presentation can make your report stand out. 

You could consider presenting your findings on a few well-chosen, uncrowded slides, then handing out a written report at the end. The very act of preparing your slides will force you to hone your message to the essentials. Again – clear, concise, useful. 

If you are providing ‘integrated assurance’, discuss the importance of these criteria with the other assurance providers. You may be surprised – not only will the final report be better, but your working relations may well proceed more openly and efficiently. 

Whatever the specific style in your team, function or organisation, the principles of good writing don’t change. Regardless of reviewer, line manager or company preference, a credible, sound organisation will always promote clear, concise, useful communications.

Sara I. James is the owner of Getting Words to Work and a member of the Chartered Institute of Internal Auditors.


[1] Fixing LIBOR: some preliminary findings (2012), p. 70.

Webinar – ask ACCA
Register now for a free webinar where you can ask ACCA’s leaders any questions, learn about where the Association is going and the latest benefits for members.

Register now for a free webinar where you can ask ACCA’s leaders any questions you have, learn about where the Association is going and the latest developments to benefit members. 

Ask ACCA webinar
Thursday 11 August – 12.00
Hosted by Brian McEnery – ACCA Deputy President and Alan Hatfield – Executive Director, ACCA 

Register for this webinar now

AGM 2016
Voting in ACCA's annual general meeting opened this week. Take a few minutes to cast your vote.

ACCA's annual general meeting (AGM) will be held on Thursday 15 September.

Voting opened this week to elect new members to ACCA's governing Council, as well as on a number of other resolutions.

ACCA is a membership organisation; play your part by participating, casting your vote and contributing to a successful body for the future.

You will have received a separate email from Electoral Reform Services with details of how to vote. Online voting opened on 27 July and closes on 8 September.

More about the AGM

Building your employability
Achieve your next career goal with the help of a structured learning experience.

Building your employability and growing you as a professional

We know that the role of the professional accountant is changing and that you will need to do more to ‘stand out from the crowd’. ACCA learning pathways help you achieve your next career goal by providing a structured learning experience to really develop the core skills that employers value. Book now and take advantage of our early-bird discount.

Microsoft Office Specialist
Half price offer to help you master the Microsoft Office suite.

Microsoft Office Specialist gives you the tools to build a brighter future

As a professional accountant, mastering the Microsoft Office suite is vital to your professional success. Now you can stand out from the crowd by becoming a Microsoft Office Specialist for half the price from now until 31 August 2016. With expert instructor-led online video training guiding you step-by-step through the basics to more advanced features of Microsoft Office, and the chance to gain official certification for your CV, Microsoft Office Specialist is a fantastic way to gain verifiable CPD and boost your professional credibility.

CIA: 'no application fee' special offer
We have partnered with the IIA to offer an easier application process and no application fee throughout August.

The IIA is offering no application fee throughout August 2016 for the CIA

We have partnered with The Institute of Internal Auditors (IIA) to offer an easier application process and no application fee throughout August 2016. ACCA members won’t need to show evidence of previous education and qualifications, because we verify your membership status for you. Apply to become the trusted expert in your organisation and gain an internationally recognised qualification today. 

Cybersecurity webinars for internal auditors
Really get to grips with cybersecurity with our series of expert webinars.

ACCA UK's Internal Audit Network has been running a series of seven webinars on cybersecurity since March. 

Jay Abbott – managing director of Advanced Security Consulting (part of the Falanx Group of Companies) – is presenting the series with co-hosts for specialist topics.

Jay has over 20 years’ industry experience in technology and security. He is a respected keynote speaker who is regularly quoted in the press and a trusted industry expert.

Each webinar lasts for an hour and constitutes one unit of CPD where the content is relevant to your current or future role.

The next two in the series will cover Outsourcing (24 August) and The latest techniques and attacks (21 September). Click on the title to register now and either watch live or on demand afterwards at a time which suits you.

Five of the seven webinars have now taken place and are available on demand – to register to view the webinar, click on the title: 

  • An introduction to cybersecurity for internal auditors
  • Cybersecurity and data security for internal auditors
  • Cybersecurity and social engineering for internal auditors
  • Cybersecurity and process network control for internal auditors
  • Cybersecurity for internal auditors – how you should react when you are under attack