Technical and Insight
A question of timing

CPD article: Smart ledgers for internal audit purposes

Smart ledgers for internal audit purposes


Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units. 


Prior smarts


A smart ledger is 'a distributed multi-organisational data structure with a superb audit trail and some embedded computer code'. The immutable data structure provides a solid foundation for a history of data shared among the organisations. Adding new records allows the organisations to share more data or ‘message’ each other. The embedded computer code provides more sophisticated ways of sharing data, for example not-before-or-after certain times, or only with a selected people from the organisations.


Smart ledgers, distributed ledger technology, and blockchain are trendy phrases for old programming techniques. The techniques date back to at least a US patent application of 1976, though there are signs of earlier use. The techniques became trendy with the excessive attention paid to their use in cryptocurrencies, particularly since the launch of Bitcoin in 2009. Cryptocurrency hype has led to people seeking to apply smart ledgers in a wide range of applications. Numerous ‘use cases’ have been postulated ranging from trading of all forms, to identity systems, documentation sharing, and exchanges.  ‘Blockchain’ is going to save the planet by recording carbon emissions, solving refugee crises through secure identification, and curing cancer through sharing medical records. 


Controlling central third parties


In truth, smart ledgers may well aid some ambitious projects to save the world, but the technology will do none of those things on its own. In economic terms smart ledgers’ principal benefit is helping to reduce the ‘central third party’ problem. The traditional solution to many forms of data sharing, from trade on exchanges to university degree information, has been to create a central third party who holds the master ledger or master records. Central third parties and central registries are a feature of many audit controls. But central third parties have the opportunity to either extract excessive ‘rents’, ie charge too much, or cheat. Charges can be levied on extracting and verifying old records, or making adjustments to new ledger entries such as new members, new assets, or new transactions. ‘Cheating’ is as a simple as taking a bribe to falsify records. 


The advantage of smart ledgers lies not in being cheaper or faster. The advantage is that they allow organisations to work together without giving central third parties a strong natural monopoly.  Smart ledgers reduce central third parties’ opportunities to charge excessive rents because the data is distributed, and reduce their opportunities to cheat because the historic ledger cannot be changed. When switching to a new central third party, organisations are not hostage to a monopoly on historic data.


Smart ledgers have grown in popularity, in large part due to increasing confidence based on their use in cryptocurrencies. While the ‘jury is out’ on cryptocurrencies, not least because of economic theory predictions and energy consumption, commercial users have shown great interest in identity, documentation, and agreement exchange using smart ledgers. So far, the greatest value has been in providing an independent, authoritative record of a document with an associated timestamp, while reducing central third party power.


Perhaps just external, independent timestamping is sufficient benefit?


Some quick examples of external timestamping already in action include:

  • Fishface – is a project to provide fully-documented fisheries' capabilities to small inshore fisheries based on GPS and HD video. Fishface records vessel logs and videos dynamically on a smart ledger external to the fisheries’ records
  • FireDoor Guardian – is a company providing inspection tools for fire door examiners. Their software uses a smart ledger to timestamp the mobile app entries that examiners make about a fire door, in order to prove to government inspectors that each door has been properly examined
  • Youthinmind – is a global study of mental health that continuously records individual assessments on a smart ledger to provide incontrovertible proof of what were the results, when, and where (geostamping). Health regulators pushed for such a system to avoid challenges of record tampering in clinical trials.

There are a number of audit issues, both internal and external, for users of smart ledgers. A basic first question is how can you ‘prove’ that all copies of the data are exactly alike on the ledger. The quick response is ‘the software works that way’. However, this answer is not as robust as it appears. For example, the Bitcoin blockchain keeps no record of transactions that have been rejected by its consensus algorithm. With tens of thousand of ‘nodes’ holding copies of master ledgers, it is clear that there is no simple proof of complete congruence. There are many other ‘ledger’ issues worthy of discussion, some covered in Auditing Mutual Distributed Ledgers (aka Blockchains): A Foray Into Distributed Governance & Forensics.[1] There are even more issues to do with the legality of tokens or initial coin offerings, acceptability of blockchains for legal purposes, and validating smart contract code.


However, internal auditors increasingly recognise the potential to apply smart ledgers to internal audit. Perhaps the most basic thinking is to use these ledgers to increase confidence through timestamping. These ledgers can provide independent timestamping for a host of organisational ledgers that need to be part of the system of internal controls. Ledgers of ledgers if you will. For any transactions of substance, an internal auditor can specify that a copy of the transaction must also be timestamped on an external smart ledger. This provides verification in future of the completeness and accuracy of internal records. In addition to timestamping and regulatory reporting, here are some internal audit ideas:

  • recording the use of identity information in anti-money-laundering and know-your-customer processes
  • archiving ‘deal rooms’ or ‘property data rooms’ authoritatively for future reference
  • tracing consolidation processes through externally timestamped records of general ledger statements
  • requiring the external recording of any high-risk internal process to be recorded on a smart ledger.

Some high-performance systems for timestamping are extremely cost-effective, with costs being minuscule on a per-transaction basis. In a 2017 experiment, researchers from the National Physical Laboratory, the Toronto Stock Exchange (TMX), Strathclyde University, and Z/Yen timestamped financial stock trades with Co-ordinated Universal Time (UTC) generated from atomic clocks and recorded the trades directly on a smart ledger. The 'Atomic Ledger' project recorded over 20 million transactions from three hours of trading to the ChainZy smart ledger system. The National Physical Laboratory concluded that this system was capable of recording up to one trillion transactions per day. This experiment foreshadows the idea that any regulatory reporting, not just trade reporting, could be independently and inexpensively timestamped. Regulators, such as the UK Financial Conduct Authority, have been speculating on ‘pull’ reporting (getting what they want when they need it). Independently timestamped records could reside as a base set of smart ledger information for them to ‘pull’ from when required.


Even smarter?


Independent, external timestamping can be a simple and inexpensive control. More complex situations can be accommodated with embedded snippets of computer code, ‘sprites’ to some people, ‘smart contracts’ to others. These computer programs can be set to release data at certain times, verify release of data, record when and to whom data is released, in fact anything that can controlled by a program is possible. Much of the focus and hype surrounding ‘smart contracts’ is on forcing payments to complete. For a variety of reasons, such as liquidity, this is problematic. But the idea that dumb code can provide some basic controls seems solid. Looking ahead, two trends are worthy of mention: increasing technology regulation and increasing data stewardship.


Many new application areas will generate huge amounts of data. Take drones or autonomous vehicles. An autonomous vehicle might have several radars, a lidar, and comms with the road bed, nearby vehicles, meteorological centres, lighting, or signage. All of this is likely to be required to be authoritatively recorded. Likewise, with drones sending and recording their positions, visuals, or commands. A society that is constantly trying to reduce risk is one that will insist on increasingly authoritative recording. Regulators will demand it.


Equally, data stewardship is crucial. Legislation, such as the EU’s General Data Protection Regulation, requires organisations to demonstrate solid stewardship of any data that might identify an individual. Yet, the idea of independent external timestamping would mean that this data is being shipped outside in large volumes. Sure, it can, and should be encrypted, but it also needs to be shared. The answer to this problem lies in the ‘smarts’. Embedded snippets of code can control future data usage. A number of data markets are emerging, using techniques such as anonymisation, partial interrogation, or zero-knowledge proofs. Others are exploring how theories, such as deontic logic, might glue all this complexity together. All these techniques are aiding the use of code to enforce rules dictating how data can be shared, when, with whom, for what purpose, for how long. Such ‘permissioning’ structures[2] may create a wealth of new controls for internal auditors.


What’s a poor internal auditor to do?


In the 1970s, groups of computer programmers were thrilled about the ‘internet of communication’. Some mused on how they could prove communication? Could they demonstrate simply that A had sent B a communication C some time after the event? The answer was straightforward then, ie store a ‘hash’ or long ‘checksum’ of A, B, and C. At the time, the economics of an ‘internet of record’ made little sense. One 256 bit hash consumed a significant fraction of any contemporary computer’s memory. Today, Bitcoin talks of substantial trillions of hashes per second.


Today, the computing economics are substantially different. Society demands more records for forensics and risk reduction. Smart ledgers are likely to provide many multi-organisational ways of storing shared data and transactions. Internal audit must not just oversee smart ledgers, but also use them to achieve internal audit goals.


Professor Michael Mainelli FCCA FCSI FBCS, Executive Chairman, Z/Yen Group


Webinar series - unblocking the Crypto Chain

ACCA UK’s Internal Audit Network ran a series of four webinars on crypto currencies and blockchain for internal auditors in April which are now available on demand. You can register for any or all of these on demand webinars here.


[1] Michael Mainelli and Matthew Leitch, Auditing Mutual Distributed Ledgers (aka Blockchains): A Foray Into Distributed Governance & Forensics, Long Finance (November 2017), 37 pages -

[2] Maury Shenk and Michael Mainelli,  Information Rules: Smart Ledger Architectures & Distributed Permissions, Long Finance (November 2018), 62 pages -

The crypto control toolbox

CPD article: A succinct, accessible introduction to the computer security mechanisms essential for today's digital business systems – the ‘crypto control toolbox’.

A succinct, accessible introduction to the computer security mechanisms essential for today's digital business systems – the ‘crypto control toolbox’.


Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.


A little while ago I presented a webinar for ACCA on cryptocurrencies that explained the technology involved in very simple but literal terms, and why leading cryptocurrencies are not efficient enough to compete with widely used payment systems such as Visa and Mastercard. But, while cryptocurrencies seem to be struggling, the computer security mechanisms they are built from remain critical for today’s digital business systems. They are particularly useful when you need secrecy and proof. This article provides a succinct, accessible introduction to those mechanisms – the ‘crypto control toolbox’.


Encryption is making a message unreadable by replacing each of its characters with something else. (A secret code replaces whole words or larger units of the message.) Encryption is what the World War II Enigma machine did.

Digital encryption today involves (1) an algorithm that does the encryption and (2) a character string known as a ‘key’ that is used in the encryption algorithm so that the same algorithm can encrypt differently depending on the key used. A key and algorithm are also needed to decrypt the message and these days the two keys are not the same (unlike a real-world key for a door).


Data can be stored in encrypted form so that, if a hacker gets access to a file, they still cannot use it. This includes stored CCTV files, for example.


Public and private keys
A problem with encryption of messages to other people is that the person you send your encrypted message to needs to have a key to decrypt it. If the key for encryption is the same as the key for decryption then that person will be able to decrypt messages you send to other people as well. You end up having to send secret keys to people and how do you do that securely?

The modern approach is to use two keys, one that you keep private and the other that everyone knows. Anyone who wants to send you a message encrypts it using your public key – the one everyone knows. But nobody can decrypt it without the private key, which is the one you keep secret, and working out that private key is all but impossible for mathematical reasons, even if you know the public key.


Companies now provide services to generate pairs of public and private keys and do other useful things with them. This is the Public Key Infrastructure (PKI) that provides certificates linking public keys with the real world identities of their owners.

In addition to sending secret messages, combinations of public and private keys let you do other useful things:

  • Data can be encrypted more than once so that to read a file two people have to use their private keys in succession. For example, this might allow stored CCTV files to be readable only if two people give their consent (eg the householder and a judge).
  • In cryptocurrencies, your public key lets people pay money into your account while only your private key can be used to pay money out.

There is also a way to provide a Zero Knowledge Proof:  a better way to do password control that involves proving you have the password without actually giving it. In a crude password system the user’s password has to be known to the system and the user has to divulge the password to get access. Not very secure. Asking for ‘the third, fifth and sixth characters of your password’ is only a little better.

But suppose the system creates a mathematical problem and encrypts it with your public key. You then decrypt it with your private key, solve the problem, and send back the answer. Only someone who has your private key could reasonably hope to do that, so the system knows you have the private key and that it’s you. Other forms of Zero Knowledge Proof have also been devised.

Hash functions
These are an old idea in computing. The function (an algorithm) goes through a file and calculates a ‘hash’, which is a short string or number sensitive to the details of the file. Change one bit in the file and the hash changes. Although hashes are not unique to each file it is extremely difficult to make changes to the file without changing the hash. (That is one of the properties of a good hash function.)

Hashes are a good way to check that a message/file did not get changed while moving from one place to another, or check that a file has not changed from one time to another. Hashes have also been stored on computer systems instead of user passwords because it is insecure to store passwords. The password system just hashes the user’s password and checks the resulting hash against the one stored on file for that user.

But that is just the start of the uses of hashes.

Digital signatures
These are, in many respects, much more secure than a manual signature on the last page of a document. They are made by combining hashes with public-private keys. An algorithm calculates a hash of the document to be signed along with the time and date, then encrypts the hash using the signer’s private key. Anyone who knows the signer’s public key can decode and check the hash against the document and so verify who signed it.


This is, in a way, the reverse of the situation with encryption. With encryption the private key is used for decryption. With digital signatures the private key is used for encryption.

A blockchain is a sequence of ‘blocks’ (files perhaps) where each one contains a hash of the one before it. This means that all but the last hash is itself protected by being hashed. By checking that the hashes agree all the way down it is possible to check that the whole blockchain remains intact and unchanged. A blockchain is a ‘super audit trail’, as Professor Michael Mainelli likes to say.


This alone makes them useful for some important applications. For example, if you write something and want to do more than just put your name on it to secure your copyright, you can upload your document to Metrognomo and it will record a time-stamped hash of your file, with your name, so that in future you can prove to anyone who cares that you had that document on that day. (Other similar services are available.)

The complicated history of the first publications on natural selection might have been simpler if Charles Darwin had been able to submit more of his papers to a time-stamping service. Some academic journals now ask if you have done this and publish the identifier you get as part of the process. Scientific studies that have to be pre-registered can also be time-stamped in this way.


Mutual distributed ledgers
A development of the blockchain technique allows multiple trading partners to work together without using a central third party (eg an electronic exchange). Each partner holds a complete copy of a blockchain that holds all the ledger entries for the whole collective. Crypto-wizardry keeps those copies of the blockchain in step, rather than relying on book-keepers to carry out reconciliations.

A so-called ‘consensus algorithm’ is used so that every partner has a complete copy of the blockchain and new blocks are copied around quickly and without prolonged confusion as to which block goes on next.

This is much like the inefficient duplication used in cryptocurrencies but, provided the number of trading partners is not too large, the computing inefficiency may be offset by the advantages of not being at the mercy of a central third party on which all trading partners find themselves increasingly dependent.


Smart contracts
A mutual distributed ledger based on copies of a blockchain is a reliable record that is almost impossible to tamper with. The idea behind smart contracts is to store executable code on the blockchain so that, once it is in place, it cannot be changed and the system will execute the code when its conditions are met. For example, when two people have digitally signed something, money has been paid, and a particular date has been reached then the ledger might transfer ownership of an asset to another party.

The code is not really a legal contract but is written to execute the terms of a legal contract and more than one piece of code may be needed to represent the terms of a single legal contract. (Though perhaps we will also see people negotiating a deal in terms of source code rather than traditional legalese.)

The crypto control toolbox is full of interesting techniques and more are being developed and defined all the time. But the most interesting thing is to find new ways to put the basic controls together in to make new applications with new and useful properties.


Matthew Leitch is an independent consultant and researcher


Webinar series - unblocking the Crypto Chain

ACCA UK’s Internal Audit Network ran a series of four webinars on crypto currencies and blockchain for internal auditors in April which are now available on demand. You can register for any or all of these on demand webinars here.


Auditing culture

Where do internal audit functions start with the seemingly intangible and knotty topic of auditing culture?

Where do internal audit functions start with the seemingly intangible and knotty topic of auditing culture?


Internal audit functions the world over are being challenged to audit culture, or at least consider doing so and the new corporate governance code asks boards to ensure they assess culture. But where do internal audit functions start with this seemingly intangible and knotty topic? Can it really be done, and how do you undertake a risk assessment of this area? This article will cover how you can structure such an audit, and how you can ensure it fits YOUR organisation and helps it achieve its business goals as well as its reporting obligations.


Structured risk assessments really help us in understanding risk across the audit universe and in planning across an audit cycle. However, the historic focus on hard data and specific processes has potentially led to things being missed. If we look at the financial services sector over the last 10 years, a focus on specific conduct processes meant behavioural risks were not typically included in the audit universe, or the risk management framework or indeed the compliance plan. The regulatory focus on ‘conduct’ post 2007 and the identification of tangible conduct measures was an important step; however, it was not enough, and the subsequent focus on risk culture broadened the scope of audits in this area considerably. Internal audit now knows it can go further than this and really understand the enterprise level behavioural risks within a business and be able to form an opinion on them, adding value and understanding to both first and second line. Internal audit really can audit organisational culture.


Building a ‘corporate culture’, like many a construction project, needs building blocks. But what do we mean by ‘culture’? In other walks of life, ‘culture’ is a concept all of us are familiar with. Yet the business community has been playing catch-up in defining corporate culture and the elements that create it.


One definition of corporate culture is ‘the combination of values, attitudes and behaviours that a company exhibits in its operations and relations with those affected by its conduct, eg: employees, customers, suppliers and wider society’. Wijnand Nuijts of the Department of Governance, Culture and Organisation Behaviour at the Dutch National Bank drew two conclusions:

  1. ‘Culture is not a monolithic, but a multifaceted construct that includes numerous components. These components are not tied together through hierarchy, nor through a linear causal relationship. Rather, they constantly mutually influence each other in a continuous cyclical process.’ 
  2. ‘Culture is not static and does not exist in isolation. In fact, culture is (the product of) an adaptive response to environmental influences (at a certain point in time) and develops in order to address the challenges that are created by the internal and external environment. This evolutionary aspect of culture has implications for the manner in which supervisors can, or perhaps even should, supervise culture.’

The survey results contained in Grant Thornton’s recent report Beyond Compliance - The building blocks of strong corporate culture showed that 50% of businesses worldwide have culture as a standing item on their board agenda, while 71% have established internal controls that address culture and employee behaviour.


Boards are heading in the right direction when it comes to culture. But more can be done. After all, regulators – and auditors - cannot develop or embed corporate culture. Culture can only be authentic – and sustainable – if it comes from the leadership of the organisation and is important enough to feature as a key part of its strategy.


So having said all of that, what role can internal audit play in this? Well, the start point of auditing culture is your organisation's own business strategy. There is no such thing as a ‘good’ culture that we can pull off the shelf and audit. Every firm has a culture, and that culture will be defined by its history, location, size, whether it is in a single location, its leadership and the environment in which it is operating. The question is – is it the right culture?


The right culture for an organisation is one that helps it achieve its business goals, it strategy, its vision. It has to be right for your particular business. Not only that but it then has to be embedded across every area of the business with a relentless focus from the top.


So how do leaders implement and embed a culture? Well, there are leadership and management interventions across the organisation at multiple points every single day. Employees subconsciously look for alignment and consistency to the messages and stated culture from the top of the organisation.


These interventions form the drivers of culture, the enablers to having a culture that is aligned and consistent with the business goals. If we know what leaders need to focus on across these drivers in order to embed the culture, then as auditors we know what to test in order to successfully audit culture. We need to cover each of the drivers in our audit, and we need test both design effectiveness and operational effectiveness, testing whether it is actually working on the ground across the organisation, and across each of the drivers.


So what are these drivers of culture? Well, we have already seen that strategy is a key driver, it is the critical start point for culture with the purpose of playing a key role in the achievement of business goals. Leadership is also key, with leaders across the business, and at different levels of leadership, needing to actively and personally engage in the culture going way beyond the traditional ‘tone from the top’. People management is a further driver affecting employees and promoting and encouraging the right behaviours across the organisation. However, the culture drivers do not stop here – the management of other resources, the processes and measures across the organisation, and how change is designed and delivered are also key, as is supply chain management, web presence, external reputation and communication.


An audit of culture does encompass huge swathes of the organisation and can initially be daunting; however, a structured focus on the design and operational effectiveness of each driver can quickly show areas that are misaligned, that are inconsistent, and that mean that the overall culture is not embedded and enabling the achievement of business goals.


The drivers of culture and what we are looking to audit within each is represented by the diagram below and is summarised as follows:




The strategy of an organisation should include both ‘what’ the organisation is looking to achieve and ‘how’ it is going to do it. Strategy should include values, behaviours and ethics. These are the key parts of how the organisation is going to achieve its business goals – and should make it just as important a part of the overall strategy as what the organisation is aiming to achieve.



Leaders must be able to reflect the strategy, articulate it, but more than that: to role model it, and live it out every day for their teams. They need to recognise it in others, to bring their example to the fore and to reward it, either financially, through simple recognition or promotion. Every single day, every single conversation, presentation and action will be observed and noted – it can be challenging but it can also be exhilarating when it works and takes on a life of its own.


Culture change will not be achieved overnight but it is a myth to think that a change in culture can only be achieved over an extended period of time. A relentless focus on culture can see change achieved by large organisations with many thousands of employees over the medium term. Leaders need to design and implement measures so that the organisation knows that the leaders are paying attention to cultural issues and that the ‘how’ matters.


People management

Right across the employee lifecycle there are opportunities to nudge, shape or reinforce the culture. From ensuring that new joiners are not only informed of the company's values, but that interviews, tests and references seek out information about an individual's way of working, ensuring that individuals are recruited not just for their technical capabilities but for what they will bring to the culture, and for their soft skills. This should then be reinforced through the performance management cycle, through objective setting, through talent identification, through promotions and through every learning intervention.


There are many touch points where culture can be reinforced or enhanced, and a company that puts real energy into this and makes every intervention count really will find that the culture is not at all an accident of who happens to work there.



There are many messages conveyed by the organisation that employees pick up on in terms of how organisations deal with their customers, with their supply chains, with regulators, with potential prospects, with the way they manage the office space and the intranet and internet offerings. All of these messages need to be aligned and consistent, otherwise stakeholders such as employees and customers or clients will receive confused messages around the organisation's culture


Process and change

Some processes in particular are ‘critical to culture’ - for an insurance company this could be the sign-on process or the claims process. For many companies it can include the direct customer contact via web or via a call centre. It is all the individual moments of truth where customers, or employees, touch the organisation and the experience they have is really important.


It is also where the organisation is undergoing change, often with project management and new systems. Much attention is put into whether projects are on time and on budget but very little on the impact of projects or transformation on the organisation's culture - and yet these are critical times in terms of reinforcing culture and behaviour and the direction of both the what and the how of strategy.


Corporate responsibility and reputation

How an organisation portrays itself externally has a key part to play in the culture. Employees are a part of this audience. They see the impact and the position externally - they see positive and negative press, positive or negative impacts on the environment, positive impacts on charities or local neighbours. It forms part of the holistic view of the organisation that they carry with them and it is again vital that it is aligned, consistent and the impact on culture is positive.


Let’s look at just one of these drivers, people management, in more detail.


So what do the HR team need to do in order to ruthlessly embed the culture across the organisation? Well, if we follow the employee lifecycle then the employer brand should be designed to include the values and behaviours so that it is clear to potential employees what the culture of the organisation is, or should be. Then the interview process should include questions to test it. This is not about recruiting clones, and not about a lack of diversity – there are many ways to fit into a culture and many skills and talents to bring to it, but a fit with values is important.


Once recruited, objectives need to be set that not only include what an individual needs to do, but also include ‘how’: how they behave with colleagues, what conduct is expected etc.


Then at each performance assessment the ‘how’ can be discussed and assessed. This does need managers with the capability to have honest conversations, and to have evidenced examples of aligned and non-aligned behaviour. But what it does do is make the culture matter, right across the business and enable great examples to be gathered and communicated more widely. Use of storytelling in this way can further illustrate what the organisation values, what it is looking for in terms of behaviour, and give others the confidence both to reflect the desired behaviours and also to speak up when the values and behaviours are not aligned.


Once the culture is built into the performance review cycle, it can then be used to inform promotion discussions. Promotion interviews and capability frameworks should both include behaviours and values. It will be vital to the organisation to have the leaders and managers of the future able to achieve its business goals over the long term. It can be used in talent assessment – either directly as a measure, or as included in the performance measurement. Then from the talent pool, succession plans can be drawn for senior role succession that will ensure the culture endures over the life of the business strategy and beyond.


Through all of this, learning programmes can be developed that reflect the values and behaviours needed. Then right from induction through to senior manager training, values and behaviours can be reflected in the content, or added as specific modules depending on the need and the degree of change needed.


Whilst looking at the topic of people management, one of the real pitfalls with auditing culture is the ease with which the auditor can slip back into a functional or topic based audit, and with people management in particular, it is really easy to slip into an HR audit – looking at risk and controls across the function - but this is not your purpose here.


An HR audit looks at the risks and controls, looks for a well governed function – looks at whether the function is doing things right.


The people management element of a culture audit looks at whether the function is doing the right things.


But how can audit be the judge of whether they are doing the right things? Surely that is not the role of audit? Our answer lies in going back to the business strategy, in looking at the defined culture and looking at whether the people strategy really enables the delivery of that, and then the whole programme of activity across the function – and into the business – is consistently aligned. If it is, then they are doing the right things.


It is this level of detail that we as internal auditors need to go into for each of the drivers of culture, and then test for the unique desired culture of the organisation so we are actively exploring the design effectiveness, and the extent of deployment – or operational effectiveness across the business. In this way we can spot sub-cultures and find areas where misalignment between culture drivers occurs, providing audit reports that are insightful to both executive and boards.


Sue Jex is a Director at Grant Thornton leading on People and Culture risk and the author of the IA Foundation recent publication A Journey into Auditing Culture.

Where angels fear ... internal audit and board effectiveness

How should internal audit review board effectiveness?

How should internal audit review board effectiveness?




My firm is a rare beast in that we are one of the UK’s leading firms of board effectiveness review, but also look at internal audit functions for those that want something different from the usual suspects’ offering. So we sometimes get asked by internal audit for advice on the 'interesting' question of how internal audit should review board effectiveness.


Yes, that’s 'interesting' in the Chinese curse sense …  and at its simplest, the best advice to any head of internal audit is to stay well away from it. There are three exceptions to this general rule.


The first is when the head of internal audit is only a year or two from retirement, with a secure pension, and combines great sensitivity with a thick skin. With these qualifications, you are admirably placed to undertake a rigorous review of the board’s effectiveness. 


You need freedom from career anxiety because a good review of your board’s effectiveness might require you to tell directors that they aren’t pulling their weight, or that they need to talk less and listen more, or give more attention to the discussion than to their iPad, or that their mannerisms are really annoying everyone else. Now imagine yourself having that conversation with the CEO, or the CFO, or the Chairman, or the Audit Committee Chairman… 


The second pair of qualifications to this first exception is more subtle. You need great sensitivity because a board is, more than anything else, a social system. Structures and processes can help or hinder its effectiveness, but, more than anything else, what will make it work well or badly is its people and their relationships. 


Consequently, board effectiveness doesn’t lend itself to anything resembling a conventional audit approach. When so much of the evaluation is qualitative, standard approaches to evidence aren’t much use. You can audit compliance with the corporate governance code but that is at best remotely connected to effectiveness. Effectiveness means achieving good outcomes – but how do you define those for a board? Good decision-making, perhaps. Risk oversight that contributes to the success of the business. Challenge that stimulates management to do better than they would otherwise do… and so on. All very situation-specific and difficult to measure, and what good looks like will vary from day to day and person to person. 


So looking at a board’s effectiveness means looking at what it’s doing – and how its people are behaving – in its own circumstances, and thinking about how they might do better. That takes a high degree of sensitivity, and even more sensitivity to frame any suggestions for improvement in a way that will land well. Hence the need for a thick skin, to enable you to take it in your stride when your bright ideas are dismissed on the grounds that you haven’t had the experience of boards to know how they really work.


You should by now have got the point, that looking at boards is tricky and that being a good auditor isn’t necessarily the most appropriate qualification for it. But we said there were three exceptions to the general rule of staying well away from it, and so far we’ve only looked at the first. The others have a bit more mileage in them for internal audit. These are audits of the processes that support board effectiveness – most importantly, the board information – and the special case of subsidiary boards.


Good information is an absolutely vital enabler of board effectiveness. Heads of internal audit have a special role as informal providers of insight into the organisation, quite apart from the formal reporting. A good audit committee will value the private sessions just for this, so don’t be coy about it. Just make sure the audit committee understands when you move from evidence-based to intuition, and knows to respect your confidences.


And make sure the audit plan includes board information. No, not just once every five years. If the board is dependent on it, how can you define it as low risk?  Are you really saying that a misinformed board would be low impact? If that were the case, then you’d be better off moving your job and your pension to a company whose board actually helps it to succeed, rather than joining an ineffective lot in going through the motions. 


But it’s more likely that internal audit’s – very common – assessment of board information as low risk reflects an assumption that, because of its sensitivity, there will be a high level of management control, so the probability of error is low.


Wrong. If you think that, you’re using the wrong definition of error. Don’t ask 'can this information be reconciled to the source data?' or other such audity questions. Instead, ask 'does this information equip the non-executive directors to contribute well?' Does it help them understand the risks and opportunities, judge the performance of management and provide good challenge? Is it balanced, particularly in its assessment of pros/cons and risks?


And when answering this question, remember who you’re asking it on behalf of. One of the most common failings of board information is that it’s actually management information. (If everyone calls it MI, that’s a clue.) But management information is for management, who live in the business every day and need a high level of detailed knowledge to enable them to be making a never-ending stream of large and small decisions. 


Non-executive directors, by contrast, dip in and out, typically between four and eight times a year. In the long intervals between board meetings they will be off attending board meetings at other companies, usually several other companies. So they have neither the time nor the mental bandwidth to handle information at the level of detail that is useful for the management of a single company. 


Even if NEDs did have the capacity to absorb and understand management information at that level of detail, it’s not what they should be doing. Only the most hopeless CEO benefits from having an array of ex-CEOs second-guessing him or her (and if things were really that bad then there is a better solution than relying on the NEDs to prop up management). NEDs need to operate at a strategic level, ensuring that everything – including quality management – is in place to give the company the best chance of success. So they need information to be distilled and presented in a way that makes it easy for them to see what the really important things are. And they need it to be set in context – the story so far – to remind them of the board’s previous work on the topic and of what management has done since then.


The most common failing we see in board information is not that the data is suspect but that it simply hasn’t been put together with any thought to the particular needs of non-executives. If internal audit can help address this it will make a real and lasting difference to board effectiveness.


And finally – the special case of subsidiary boards. This situation arises most often in financial services firms, and increasingly in other regulated industries too, where the regulator requires locally incorporated businesses to have 'real' boards (as opposed to the rubber-stamping variety found in most unregulated corporate subsidiaries).


Just because they are subsidiaries doesn’t mean they’re straightforward. On the contrary, these reviews can be particularly tricky. There is always a tension between the regulator’s desire for an independent board that is solely responsible for the business and the parent’s desire to control its subsidiary and ensure its strategy and risk-taking conform to group policy and meet the group’s goals. That’s another topic in its own right – for now, the point is that it’s not uncommon for group audit to be asked to look at the effectiveness of subsidiary governance, including the subsidiary boards and committees.


Group audit is probably responsible – often directly, sometimes indirectly – for the quality and extent of audit that local boards rely on, so there’s a bit of a conflict. But that can be managed by having a subsidiary board review done by auditors from another part of the business. And the fact that their reporting lines are independent of the subsidiary means they are protected from the career-limiting risks of criticising the board.


More important, and more difficult, is to ensure that the audit team has the necessary capability. As described above, understanding the effectiveness of a board is more of an art than a science. While there are aspects, such as board information, that lend themselves to audit experience and approach, there are others that don’t. So the old advice of 'Know thyself' applies in spades here. Know your strengths and limitations, and plan to make the most of the former while bringing in outside expertise to make up for the latter. If you get that right, you can add real value.


Jonathan Hayward is a director of Independent Audit Limited


Independent collaboration

Striking a balance between being  independent scrutineers and trusted advisers

The challenges internal auditors face to strike a balance between being  independent scrutineers and trusted advisers were explored at ACCA UK’s Internal Audit Conference in May.


Standards exist to provide a reliable basis for people to share the same expectations about a product or service. For internal auditors, the most important of these are independence and objectivity.


The Institute of Internal Auditors defines these as ‘freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner’ and ‘an unbiased mental attitude’ that allows them to believe in their work product and ensure ‘no quality compromises are made’.


So can those standards be met? Generally speaking, the answer is yes, according to portfolio non-executive director, Geraint Davies CBE, who spoke at this year’s ACCA UK Internal Audit Conference. However, he observes that doing so ‘can be less of a Holy Grail’ and ‘more of an unholy alliance’.


For organisational independence, there has to be in place an internal audit charter, risk-based audit plans, and an audit budget and resource plan, he says. Line management has to be clearly defined and there should be ‘no no-go areas’, as these threaten independence. ‘Once you have to manage something, your independence is impaired,’ he says.


Davies challenges auditors to consider being invited into all areas of the business, and all meetings and strategy days. ‘If it’s not happening, ask yourself why not? And then push for it.’


The person to look to for support is the company secretary, because they are big enough, connected into the system and they can’t be ‘got at’ by the CEO and FD. ‘The company secretary should have a primary role in ensuring the Head of Internal Audit can go where the risks dictate and not be influenced by those in the executive,’ says Davies.


Trusted adviser

Paul Mills, Head of Financial Risk and Governance at the Financial Ombudsman Service, also speaking at the conference, was clear that alongside independent assurance, the insights, experience and recommendations that internal auditors can offer a business are both wanted and needed. ‘Of course, you can take an absolutist viewpoint and say that you provide independent assurance and that’s it,’ he says. ‘But the insights you get from other clients, backed by evidence, is something businesses want to tap into.’


He emphasises that it is vital to engage with the people being audited and work out what they’re trying to do and how, as is the rigour and objectivity that internal auditors can bring to this process. ‘Give an honest view of what you think is really going on and avoid being sucked into being too emphatic,’ Mills adds. ‘There are definitely pitfalls to avoid – group think and blind-spot biases among others – so ask yourself the hard questions if you think you’re getting too involved.’


Mills acknowledges that there will always be times when internal auditors must stand back and say to others in the business: ‘I really want to help you, but I’m not going to be able to because it’s not my role.’ In these cases, hopefully the internal auditor can point them in the right direction to get help.


Derek Anderson, Head of Internal Audit and Assurance at the Northern Ireland Education Authority, and a fellow speaker, agrees. When the going gets tough and businesses get in trouble, he says, organisations want more than compliance monitoring from their internal audit service. ‘They want an understanding of the business and the provision of advice and guidance. If they are up to their middle in the sticky stuff, it’s not very effective if I cite independence and objectivity as a reason that I can’t help. That’s not really assisting the organisation, and it’s the

argument for riding a coach and horses through the independence argument.’


However, Anderson does feel it’s his job to put in controls and processes that stop businesses getting into the ‘sticky stuff’ again, and then stand aside. ‘I can’t be permanently doing that – it’s not my job. But I don’t think I could just let the organisation go down,’ he says.


It’s generally agreed that if internal audit is to add value to an organisation, there needs to be an investment in relationships with the board, audit committee, senior management and business stakeholders. For Anna Newcome, presentation and communication coach, CTS Presentations, who also spoke at the conference, getting the most out of these relationships is about listening.


‘Failing to listen carefully means you can’t know how to respond,’ she says. ‘It immediately creates frustration and sets up a negative relationship. On the other hand, if someone feels they’ve really been heard, they will be much more inclined to comply with any suggestions that you make. Giving solutions, jumping to conclusions, judging and interrupting are all barriers to good listening, and create a wall between two people.’


Newcome also draws attention to good communication: for someone trying to create an impact and ensure the listener is clear about the message being communicated, an awareness of body language and tone of voice are more crucial than what’s being said.


So, given that getting close to businesses and the people in them is part of the role of most internal auditors, is independence really possible? Davies sums it up: ‘Yes, it is – the private sector is getting there, but the public sector is a way behind. Is it easy? No, it’s not. It’s a journey, not a destination.’ 


Jill Wyatt, journalist



Auditing your firm’s EWRA

Are you sure you know what the risks are when auditing your firm's Enterprise-Wide Risk Assessments?

Are you sure you know what the risks are when auditing your firm's Enterprise-Wide Risk Assessments (EWRA)?


The risk of money laundering within financial services is indisputable, and the industry is increasingly committing significant effort and expense in carrying out Anti-Money Laundering (AML) specific Enterprise-Wide Risk Assessments (EWRA) to better understand and mitigate potential AML risks.


Typically, the output of such an AML EWRA is intended to enable institutions to prioritise their resources and mitigate the risks of money laundering faced by them. It is particularly important where institutions face changes to their traditional business model and the regulatory environment in which they operate.


To be effective, an EWRA must be a dynamic and accurate reflection of an institution’s risk profile. With more regulatory guidance on the subject, we are seeing a growth in EWRA capabilities. Mature and advanced institutions are moving to a blended approach of qualitative and quantitative EWRAs that provide a much more holistic and sustainable view of risk across the enterprise.


The EWRA is often not subjected to internal audit review and testing, as a ‘key control’. Yet it should be, especially given the important role that an EWRA plays in helping an organisation articulate its AML risk profile.


In this article, we discuss how internal audit can play a vital role in testing an organisation’s EWRA methodology and process to determine if it is fit for purpose, by testing for common challenges and preventing a much needed risk assessment tool from degrading into an unwanted annual exercise.

The EWRA as a ‘key control’

While typically not understood as an organisational ‘key control’, the EWRA functions exactly as that. Within the context of AML, it plays a key role in identifying and defining the inherent risks within an institution and setting out the specific controls required to mitigate them. The existence and performance of the EWRA helps to articulate  all controls within a risk and compliance framework, and therefore must be subjected to the same level of scrutiny for it to be effective. This is even more important for jurisdictions where the completion of a risk assessment is set out as a legislative requirement.[1]


For internal audit teams trying to provide a holistic coverage of an institution's AML systems and controls, it is advisable to consider the EWRA as an auditable topic in its own right.

What auditors should look for in an EWRA

When auditing an EWRA, audit teams should consider using the following list as some of the key factors that an effective EWRA should be able to demonstrate. An EWRA should:  

  1. Maintain consistency of scope: an EWRA has to be a repeatable exercise that is performed at least on an annual basis. As such, consistency in scoping is essential to producing an EWRA that is of comparative value and provides key stakeholders (including regulators) with a clear view of year on year increase or decrease of the residual risk of an institution. When testing an EWRA, auditors should query if all lines of business, products and services, and the full geographic footprint of the organisation are being consistently covered from one assessment period to the next.   
  2. Be aligned to the institution's AML risk appetite: whether a Risk Appetite Statement (RAS) is set at a business unit level or at the enterprise level, an EWRA without a RAS will be unable to provide measurable actions to address identified gaps. It will also be unable to highlight areas where the institution might be edging towards unacceptable risks. Auditors should query whether the conclusions of an EWRA report are aligned to an institution’s RAS and the extent to which the RAS has been integrated into the EWRA.
  3. Be based on hard data that is available and accessible: as regulators are increasingly leaning towards EWRAs that reflect hard data - (this includes data in relation to customer, products, services, transactions and geographical coverage or delivery channels) - an institution's ability to make this data continuously available and accessible for the purposes of critical analysis is crucial. An auditor must query the extent to which an EWRA is the product of quantitative data analysis and whether this analysis is supported by ‘quality’ data. Where there are data limitations, the nature of the limitation and the impact that it has on the EWRA must be clearly reflected in the EWRA report or EWRA methodology. 
  4. Provide accurate assessment of sub-risk categories: an institution's sub-risk categories (such as Customer Risk, Products and Services Risk, and Geography Risk) are keystones of the EWRA. Auditors must assess whether the assessment of these sub-risk categories have been performed reliably and uniformly across the whole institution.
  5. Be supported by a defined and documented methodology: as they say, methodology is King - if they don’t, they should. A sustainable and repeatable EWRA is impossible to produce where the methodology lacks transparency and is not supported by well-defined artefacts (eg a well-defined risk assessment questionnaire). Auditors must test the methodology of an EWRA and get comfort on its currency, sustainability and consistency. 
  6. Be informed by a multi-dimensional assessment of the control environment: while the evaluation of a control from the perspective of its ‘design’ and ‘operational’ efficiency will not be new to an auditor, it is worth paying attention to the fact that EWRAs may unduly focus more on the design of a control and less on its operational efficiency. This can lead to a skewed control rating thus impacting the overall results of the EWRA. Another dimension of assessing the control environment, for the purposes of an EWRA, is the distinction between centralised and decentralised controls. Where a control is centralised, it is important for that control to be assessed centrally and to apply that assessment uniformly across all affected units to avoid inconsistency, eg where a centralised on-boarding or transaction monitoring team performs controls for multiple branches of an institution, the relevant controls should be tested at the central base level, rather than picking and choosing isolated branches to test. This will help to ensure that no one branch is being subjected to a different standard and that any issues identified in relation to one is uniformly addressed across all.       
  7. Be communicated appropriately to all key institutional stakeholders: a successful EWRA report should result in actionable tasks that are owned, delivered in time and measured through subsequent EWRA cycles. Therefore, the communication channels used to report and track progress against actionable items should be reviewed when auditing an EWRA.
  8. Be upgraded to automated systems/processes (where possible): this last factor is dependent on the institution's technological maturity. Often EWRAs are very manual and are retrospective in nature. This means that the EWRA is often reduced to a tick-box exercise and doesn’t necessarily provide a ‘current’ view. Auditors are advised to question the extent to which aspects (or even the totality) of an EWRA process can be automated. In an age where regulatory technology is at the forefront of most institutions' considerations, it would be a missed opportunity not to automate something as fundamental as an EWRA. 

For more on EWRAs please read the Protiviti thought leadership document – Building Blocks for an Effective AML Enterprise Wide Risk Assessment.


Tasnoova Zaki - Senior Manager in Risk & Compliance at Protiviti UK


About Protiviti

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 80 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.

Named in the 2019 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 per cent of Fortune 1000® and 35 per cent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

[1] Please see as an example in UK Regulation 18 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Moving GDPR preparation into operations

Being prepared for GDPR is different to having GDPR as part of operations. Read more in this article.

While people may think that they have done everything needed to prepare for GDPR, they may have missed things and they may not have thought about how they get assurance over GDPR. They may not be ready any  more as needing to be prepared for GDPR is different to having GDPR as part of operations.


GDPR has now been in force for over a year so would it be correct to assume that all organisations have taken the necessary steps to ensure compliance? Based on our work and feedback from others it appears that this is not the case, far from it, but the big question is whether the magnitude of the recent fines imposed on British Airways (£186m) and Marriott (£99m) will make stakeholders think again.


What does the Information Commissioners Office (ICO) expect of an organisation? That’s quite simple, the ICO expects that all organisations, no matter their size, are taking the protection of personal data seriously, that they are looking after the interests of the data subject. The ICO would expect all organisations to have compliance with the legislation at the core of operational activities. This means that in respect of personal data they are:

  • doing the right things
  • doing them in the right way
  • doing them well.

Both British Airways and Marriott failed to convince the Information Commissioner that they were doing the right things, etc., and had done all they could to protect the personal data of their customers, but why are the fines so big? Is it because the ICO is making an example sending out a message to those organisations who approached GDPR as a burden, another compliance headache, those that did the bare minimum or worse ignored it completely?


Possibly, but equally, it could be because both companies failed at a fundamental level – they failed to safeguard their digital estate. But it could have been much higher: BA’s fine was 1.5% of global turnover, it could have been up to 4%! It is also worthy of note that Marriott incurred the £99 million fine because they acquired another hotel chain in 2016 - and it was this hotel group, Starwoods, that had lost customers' data through a cyber breach.


While many organisations have invested a great deal of time and energy in being compliant with the regulation, many have failed to recognise the business value. Instead of viewing GDPR as another regulation you need to comply with, you should be considering the potential business benefits. Why wouldn’t you want to ensure that your data is:

  • obtained fairly and lawfully
  • recorded accurately and reliably
  • one version of the truth       
  • held securely and confidentially       
  • used effectively and ethically           
  • shared appropriately and legally
  • delivering business value?

Comply with GDPR


GDPR is also about value and trust in data, a central element of information governance. Information governance encompasses among other things information security or, at a digital level, cybersecurity.


Many organisations were taken in with checklists and companies offering one-stop technological solutions without taking the necessary steps to understand how personal data flows through the organisation, as opposed to designing and implementing a framework that will fit with the culture and ways of working of your organisation.


Then there are those organisations that complained: 'it's not fair' and placed it on the 'too difficult' pile. On many occasions, senior stakeholders have told me that they could not see how GDPR affected them as they did not collect, store or process personal data – in all cases, they had failed to grasp that employment data was personal data.


Absorbing GDPR into business, as usual, requires a holistic approach to information governance. People processes and technology – the guidance issued by Working Party 29 who were responsible for developing the Regulation and the ICO in their 12 steps spelled it out: raise awareness, train, develop processes and procedures, tighten up on IT security.


How can doing the above build business value? It can be a differentiator, especially if you buy into the view that we are moving from the information age to where reputation is paramount.


In the marketplace competition is fierce and the choice is not restricted by geography. We no longer just rely on the shops on the high street or local businesses to fulfil our needs. Could it be that in the not-too-distant we will be looking at a ‘data trust index’ when making our decisions over which internet business we want to interact with? So, will a business whose reputation is damaged because they cannot be trusted with our data be overlooked the next time we go shopping?


In GDPR terms even those organisations that embraced the challenge are only at the beginning of their journey.


Organisations collect data, for a whole host of purposes and from a range of sources. The simple question is why we spend time and resources collecting, processing and storing this data? This simple answer should always be because it is necessary to assist in achieving business objectives. If this is the case then the data collected must have value - and something that has value, we safeguard. If something has no value, why do would we acquire it?


For the last year or two, the focus has been on GDPR but in reality, many progressive organisations have been using GDPR as a way to improve their overall approach to information governance.


Looking forward it is how we incorporate GDPR into information governance that will lead to a certain level of maturity in how we deal with GDPR. There is also a real prospect that protecting personal data may fall as part of annual audit requirements.


But it’s not just about our organisation, it’s also about organisations that we share our data with. If we do not manage our third-party data-processing relationships appropriately, our reputation could be impacted by their negligence. Even if there is a breach in a third party's data security, we are still accountable, therefore it is our responsibility to make sure that the third parties we work with are looking after the data we share.


GDPR does not reflect a whole new philosophy about personal data; rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might be accustomed to.


Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise:

  • GDPR centres on the quality and accuracy of the data collected - a core tenet of information governance is the reliability of the information.
  • GDPR focuses on the security of data in information governance - we also consider security data and look at the processes we’ve got in place for data loss management. We don’t want to lose data but if we do, we need systems in place to inform us that a breach happened
  • in GDPR we need to ensure that personal data is accessible - under information governance, we also need to be able to access data. This is the way we leverage value out of information.

  What can you do to reduce your risk of a fine?


If the following statements are true of your organisation then you will have reduced your risk of a fine:

  • we have completed a data audit, developed a Record of Processing Activities and have conducted a risk assessment of the data collected, processed, stored and shared
  • we know who all our third-party suppliers are, and any of their suppliers who handle our personal data, and we have satisfied ourselves that they have the appropriate processes in place and they are working effectively
  • we have privacy notices drawn up and readily available - we do not have to get the data subject to sign them, we just need to ensure that we make them aware where the notice can be found
  • we have cookie statements on our websites
  • we have developed processes and template letters that underpin the way we deal with addressing an individual's rights when they make a subject access request
  • we have raised awareness across the organisation and trained our staff on how to deal with personal data and assessed their understanding
  • we have reviewed our contracts with our suppliers and customers and where appropriate put Data Processing Agreements in place
  • we have reviewed our information security arrangements to ensure that all sensitive and personal data we store and process is appropriately protected both at rest and in transit
  • we also have to consider something we have not before - that is providing data subjects with their personal data in electronic form which facilitates portability
  • where we make changes to the systems we use to collect, store and process data, we have developed a process to undertake a data privacy impact assessment to ensure that we fully understand how our actions and activities may impact on the rights and freedoms of the data subject
  • we have reviewed all our business processes that touch on personal data to ensure GDPR compliance is embedding into ‘business as usual’ and becoming an integral part of daily operations
  • we can demonstrate that our GDPR related processes are operating effectively and consistently.

 Don’t panic, help is at hand


There are several sources of information to help including:


ICO’s 12 Steps


Seer-i GDPR Readiness Assessment


NCSC’s Cyber Essentials


NCSC’s 10 Steps to Cyber Security


NCSC Board Tool Kit


Don’t let your organisation be the next to hit the headlines saying that you have received a large fine from the ICO. The fine is only the start of your worries - reputational and brand damage could cost much more!


Steven Connors, Partner, Haines Watts

IIA review and survey on Three Lines of Defense

Complete the survey before 19 September 2019

IIA review and survey on Three Lines of Defense


The IIA is asking internal auditors and stakeholders around the world to weigh in on proposed updates to the Three Lines of Defense model. After 20 years in use, it could be time to refresh the model to better reflect current practices and the ever-evolving global landscape.


You can be part of the evolution of the Three Lines of Defense model to reflect current practices and the global landscape to help guide organisational success. Read the review and complete the survey to ensure your stand is understood.


The deadline to participate is 19 September 2019.


Access the IIA’s review and survey now.

Payment services authentication

Is your business preparing for an extra layer of authentication for online payments?

Is your business preparing for an extra layer of authentication for online payments?


Payment services authentication is one of those 'horizon scanning' issues that internal audit should at least be asking questions of the business in relation to:

  • what preparations are being made
  • whether or not new policies and procedures are required
  • if any change management or training is needed and if so whether the business has scheduled it
  • what contingencies are in place if new procedures do not operate as intended in the early days – particularly if the services provided are considered critical/essential or time dependent.

In September, Strong Customer Authentication (or SCA) will have significant implications on how all businesses handle online transactions in the European Economic Area (EEA), where both payer and payee are in the region.


SCA, part of the PSD2 changes, requires an extra layer of authentication for online payments. It requires the use of two independent sources of validation by selecting a combination of two out of the three categories (two-factor authentication):

  • something you know (eg PIN)
  • something you have (eg card/phone)
  • something you are (eg fingerprint).

Many businesses will need to consider how they operate and advisers will need to consider how the change could impact their clients. The good news is that a number of exemptions exist, as outlined in this useful summary.


These exemptions includes that ‘when the transaction is initiated by a legal person (eg a business) rather than a consumer, and it is processed through a secured dedicated payment protocol, the Commission is satisfied that it does not require separate authentication, provided alternative controls are sufficiently secure'.


Certain transactions are also exempted, such as recurring payments and purchases under €30. But even some of the low-value transactions may be challenged, for example if the combined value of several unchallenged transactions goes above €100. Businesses may also need to consider if they should point out to customers that they can ‘whitelist’ businesses with their card issuer. This will mean that they would not need to authenticate themselves for future purchases.


However, much depends on how card providers set up their systems and the options available.

Webinar series - unblocking the crypto chain

Register for our on-demand webinar series on crypto currencies and blockchain for internal auditors

Webinar series - Unblocking the Crypto Chain

ACCA UK’s Internal Audit Network ran a series of four webinars on crypto currencies and blockchain for internal auditors in April which are now available on demand. Speakers included Professor Michael Mainelli of Z/Yen Group, Rodney Prescott of PwC and independent consultant Matthew Leitch and they cover these topics:

  • Introduction to blockchain
  • Smart ledgers and security
  • Immutability – a key blockchain and crypto feature
  • The reality of cryptocurrencies and their audit implications.

Each webinar provides one unit of verifiable CPD where it is relevant to your work. You can register for any or all of these on-demand webinars here.


Other blockchain and crypto resources


There are two CPD articles on blockchain in this e-bulletin:

ACCA also has a report on the professional accountant’s guide to distributed ledgers and blockchain: Divided we fall, distributed we stand.

New ACCA resources for internal auditors

ACCA's Internal Audit hub has been revamped and updated. Take a look now

ACCA’s Internal Audit hub provides support to our members working in governance, risk, assurance, control and efficiency (GRACE). The hub has been revamped and updated and now includes sections on:


Learn about internal audit

This section explores what internal auditing is like in practice and the many pitfalls to avoid. A series of guides covers internal audit for beginners, the management team, and the audit committee. These guides have recently been updated and guidance for heads of internal audit added.


Our webinars and other resources

ACCA UK’s Internal Audit Network regularly runs free webinars for its members working in internal audit. Search here for our upcoming webinar series on blockchain and crypto currencies for internal auditors, as well as webinars available on demand on cyber security, de-mystifying IT audit and GDPR.


This section also has a new Resources by theme area that collates material produced by ACCA in the past few year by the themes of ethics, audit management, IT and regulation/legislation.


Our publications and other research

Here you'll find a link to the most recent edition of this e-bulletin and you can also search for CPD articles for internal auditors. 


Internal audit blog

If you would like to gain some insight into the life of an internal auditor then look at our blog series 'A day in the life of the invisible auditor' where a different internal auditor will provide some thoughts every week in 2019. If you would be interested in providing a blog then please contact