Technical and Insight
Internal audit in a changing world

In a fast-changing landscape, what does internal audit need to do to demonstrate its value to stakeholders?



In a fast-changing landscape, internal audit needs to demonstrate the agility, integration, transparency and prognostic approach that together prove its continuing value to stakeholders. Speakers at this year’s annual ACCA internal audit conference – Internal Audit in a changing world – explored the challenges this presents.


What keeps CEOs up at night? Stuart Wooldridge, a partner in KPMG's insurance investment management sector, told his Birmingham audience that the firm’s UK 2017 CEO Outlook report reveals that reputational risk is high on the list with CEOs believing that reputational damage will have the second biggest impact on their organisation’s growth in the next three years.


A changing geopolitical climate and a ‘notable dip’ in confidence in the global economic outlook since last year are also on their minds. To meet the challenge of remaining relevant and forward-looking, 65% of CEOs see disruption as an opportunity rather than a threat, with 74% saying their business is aiming to be the disruptor in its sector.


As CEOs grapple with these new challenges and uncertainties, findings from KPMG’s 2017 Global Audit Committee Pulse Survey pinpoint risk management as a top concern for audit committees. This creates opportunities for internal audit to maximise its value to organisations by focusing on key areas of risk and the adequacy of its risk management processes.


Stuart noted a migration of the internal audit function from hindsight, through insight to foresight. Foresight requires a focus on strategy and the market, he said, which in turn means understanding the global megatrends, the resulting disrupting forces on the industry sector and how they will affect the way the market looks in the future.


‘To do this, audit functions will need to free up some time and space. Automation of control testing, the use of data analytics and having the right skillset can increase efficiency of standard internal audit work but, more importantly, we need to move our audit plans from a focus on traditional risks to focus more on the drivers of strategy – the mega-trends that are affecting our economies and businesses now.’


Stuart suggested that if internal audit is agile and flexible enough in facilitating management to predict what major external and uncontrollable factors might be crystallising to affect the organisation’s performance and outcome delivery, it can influence management’s decision-making and support its ability to take advantage of, or protect itself from, upside and downside risk.


However, he concluded with a warning: ‘Audit functions are going to have to audit the things that scare them – strategy and business models.’


What should a CEO look for from IA?

Internal auditors know that they must pay close attention to what organisations’ boards and executive management look for from them and whether these expectations are being met.


One of the big questions that needs to be asked in conversations with the CEO and chair of the board is whether they actually want assurance, according to Robin Pritchard, chief executive at Gateway Assure. ‘Where does the board get that assurance from? Is internal audit the appropriate assurance provider? Is there a board assurance framework that is effectively embedded? There should be.’


Communication challenges centre on the profile of internal audit and how it is sold. Are the board and senior management interested in what it has to say? ‘There are too many internal auditors that never actually get near a board and, if they do, are frightened to tell it what they’ve been looking at,’ Robin said.


‘One of the problems, particularly with the outsourcing of internal audit, is that you’re only on site a couple of times a year. In the past you’d knock on a door and have a conversation about what matters. Emails changed that. Sometimes you are not saying things you want to because you are committing yourself in writing.’


Robin emphasised that good communication and engagement with the audit committee are critical. ‘We are a partner in the assurance process,’ he said. ‘You can’t dodge that.


‘I think if we can have communication throughout the organisation with the people that matter and come to a common understanding of what could bring the organisation down and then provide assurance in those areas, it would be to the benefit of all our organisations.’


CEOs can be very different characters, ranging from those who like to ‘throw a pebble in the water and see what happens’, through the ‘growlers’ who always bite back and are determined that whatever is in an internal audit report isn’t going to go any further, to the busy bees who are too busy to spare internal auditors any time.


So, what makes an effective head of internal audit? According to the IAA (2006), it is a person of integrity, committed to the highest ethical and professional standards, who is dynamic and inspirational, capable of leading the function and being an ambassador for it, and a flexible pragmatist who understands the organisation and can therefore translate its needs into a cohesive internal audit plan.


The key features a CEO/chair might expect to see from internal audit are summed up in the three ‘Ps’, which Robin said he wanted to be the ‘take home’ of his presentation:

  • Perception (do clients understand what the International Professional Practices Framework (IPPF) says)
  • People (are the right people engaged with internal audit on both sides of the fence)
  • Professionalism.


‘I’d been working for many years before I realised there is a fourth “P”’, he said. ‘Passion. When they open me up at the post mortem, they’ll find internal audit and risk management running through my blood!’


Exploring the nature of relationships and the link to the status of internal audit in an organisation, Robin pinpointed the signs that it is trusted: reports are accepted at audit committee unchallenged; the audit committee discusses the whole of the report; and business unit managers act on recommendations made by internal audit. If it is valued, internal audit is seen to be using its expertise to the benefit of its client through an open and collaborative approach; reports provoke directed discussion by the executive team and audit committee; and there is continuous service delivery.


He left his audience to ponder a 2003 quote from Donald Rumsfeld, then US Defence Secretary: ‘There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.’


Jill Wyatt, business journalist


This is the first of three articles covering the highlights from ACCA’s recent internal audit conference – Internal Audit in a Changing World. Look out for two in-depth articles in the next issue.

GDPR – what are you doing now?

CPD article: If your organisation missed the implementation deadline for the Regulation, what are you doing now?

Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units. 


ACCA is running a series of webinars on GDPR for internal auditors from September onwards.


In a recent General Data Protection Regulation (GDPR) survey, many large organisations and almost 80% of small and medium-sized organisations admitted they were not ready for, or did not understand, GDPR.


GDPR looks at all data from the perspective of the data subject or ‘Natural Persons’ per the terminology of the regulation. This puts the needs of the data subject first.


The Regulation forces us to change our approach to how we treat personal data and, until there are court rulings, we will not have complete clarity on the set of validation rules.


In the intervening period, we should consider looking at GDPR in the way that Working Party 29* of the European Commission intended – as a holistic approach to protecting personal data with the interests of the individual at its core. In the Regulation, there is a concept of ownership and bestowing rights and responsibilities on those we share our data with.


In the longer term whether the concept of ownership is compatible with the growth in the digital economy is questionable and will undoubtedly be the subject of much discussion.


Complying with GDPR is about managing information risk and needs to consider the following trio of risks across all facets of an organisation:

  • people
  • processes
  • technology.


One of the major issues organisations and their auditors have had with the previous Data Protection Act was that it was primarily viewed as an IT problem to be solved with technology.


The articles that make up the GDPR make it clear that it is a people and processes problem, and that by raising awareness, providing adequate training and developing robust processes the requirements of the GDPR can be adequately satisfied. There will be technology solutions that help with storage, processing, retrieval, transmission and security, but their primary role is to facilitate business operations in a secure and efficient manner, not to guarantee compliance.


While some organisations are well on the way with their compliance journeys, others think they can fly under the regulation radar. The truth is that organisations of every size – not just corporations – must be GDPR ready. 


This is because the new Data Protection Act 2018 – the legislation that brings GDPR into UK law – is not simply a rebranding of the existing Data Protection Act, but a major overhaul.


The old laws were well past their sell-by date. GDPR aims to make sure we are all protecting the personal data we collect, so ignoring this legislation represents a very real risk to your business. 


GDPR ready – an opportunity to get ahead?

All businesses are likely to collect and share information about citizens and residents of the EEA. They can be part of other, larger companies’ supply chains and are expected to comply with their customers’ standards of information management.


An investment in being GDPR ready and meeting the higher standards of data management brings benefits for every business. When you help your client to protect their customers’ data, this builds greater levels of trust. In the long run, if you make compliance part of your everyday ‘business as usual’, you will be at a distinct advantage over businesses which cannot adapt to meeting GDPR standards – or the evolving standards of their customers.


Companies which understand and accommodate these new rules will also enjoy more accurate data, better data security and other competitive advantages.


What’s in your data?

All companies, regardless of size, store and handle personal data, and are subject to GDPR rules.


The GDPR requires organisations to clearly inform the data subject of the information they collect from them and on what legal basis. The first principle under Article 5 states: 

  • Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.


Organisations need to ensure any data they collect is protected from unlawful access and use, as defined by Article 32:

  • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


Organisations also need to understand and record exactly what individual pieces of personal data they collect, process, store and share. In simple terms this means that all organisations are required to create what is known as ‘records of processing’, referred to in Article 30:

  • Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.


Records of processing must include:¹

  1. Name and contact details of the organisation
  2. Purpose and description of processing: an overview of the types of processing that take place, with a description of the types of personal data processed
  3. Categories of data and retention schedules: an overview of the types of personal data processed e.g. sensitive, protected characteristics etc. and the retention periods for each type of data
  4. Third party transfers: a register of any third party transfers that take place, including binding corporate rules and transfers to third parties outside of the EU
  5. Technical and organisational measures: organisations may refer to control frameworks such as ISO 27001 to demonstrate a baseline level of security compliance.


In compiling your ‘records of processing’, it is important to consider that GDPR differentiates between ‘personal data’ required to enter into a contract, which will be freely given and is necessary for the performance of that contract, and data provided under consent given for a specific purpose, such as receiving marketing material or accessing information on a website.


There is also ‘sensitive personal data’ – which is often collected, but not actually required by a business as it fulfils its contract with the customer. Sensitive personal data poses more risks under GDPR and includes political affiliations, sexual orientation, medical history and family details.


Organisations outside sectors such as government or health must have specific, justifiable reasons to collect and process sensitive personal data. These may relate to a record of criminal convictions when working with children, or the employment of individuals with specific medical needs. The GDPR lists ten specific conditions; to justify processing sensitive data, at least one must be met.


Six steps to be GDPR ready


  1. Get your people up to speed. Ensure everyone in your organisation understands the principles of GDPR, how it affects the data they handle and the policy and procedures you have in place. Following the implementation of the GDPR in May, anyone can now call your organisation and ask for specific information you might hold on them. Make sure you have a process in place and your employees know what to do.

  2. Review your contracts. Do you outsource payroll, marketing or computer systems? It’s time to check that your external partners are taking GDPR seriously.

  3. Do a data audit. Look at what data you hold – and why. Record the steps you take to be compliant, including installing data security and refreshing information to maintain accuracy. Only collect and store the minimum amount of personal information necessary for your intended purpose (and if your legal basis is customer consent this must be recorded).

  4. Put processes in place to ensure that you retain the personal data no longer than is necessary for the performance of the contract, activity or to comply with existing legislation or sector regulations.

  5. Be transparent. Explain why you collect data and where you’re sharing it – as well as how people can contact you if they have requests or concerns. This will help inspire confidence and trust with your customers.

  6. And when something goes wrong… know what you will do in the event of a data breach or information request and make sure your people are fully trained. Having a plan in place will ensure you can comply with the 72-hour notification timescale and save your business time and reputational damage.


If, as an organisation, you have systems and processes in place, or a coherent plan for putting them in place, then in the event of a breach the ICO may look kindly on you; if you have done nothing, a significant fine is likely.


GDPR and audit

Auditors' concerns relate to two primary areas:

  1. How do we conduct a GDPR audit?
    We consider the seven GDPR principles as laid out in Article 5 and adjust our audit plans to ensure that through a range of audits we consider the GDPR impact. We can obviously undertake a GDPR readiness review in line with the principles of a programme and project management audit.

  2. How does the GDPR affect our record keeping?
    This is more complex and depends on our relationship with our auditee; if we are an internal function then our role should be governed by the organisation’s GDPR Framework.

    If on the other hand, we are an outside body then we will need to ensure that our letters of engagement/contracts with our clients include a data processing addendum, and ensure our audit process includes a ‘records of processing’.

    This is relevant for two key reasons:
  • working with our clients to ensure compliance with individuals' rights in respect of their personal data
  • the ability to work with our clients in the event of a data breach. If the auditors suffer a data breach then we need to be able to inform our clients within 72 hours of discovering the breach where there is an impact.


As a rule, auditors should not collect personal data in the normal course of an audit and any data that is collected should be afforded adequate protection. 




Steven Connors – partner, HW Controls & Assurance


Steve is a GRC specialist working with clients across a range of sectors to help them deliver value from their information systems while at the same time ensuring that the data remains secure. Steve has been assisting organisations to take a pragmatic approach to compliance with GDPR by challenging them to consider how compliance can drive business value. Steve joined Haines Watts in 1995 and through roles in industry and consultancy, he has gained extensive experience of information security, risk management, corporate and IT governance, business process re-engineering and business intelligence.


* The Article 29 Working Party was the advisory body made up of representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board under the EU General Data Protection Regulation.


¹ Organisations with fewer than 250 staff do not need to maintain records of processing activities for all activities, only those considered to be of risk to the individual or where sensitive categories of data are processed.


More effective IT general controls

The challenges internal auditors face when reviewing ITGCs and approaches you can use to audit them.



ACCA UK's Internal Audit Network held a series of seven webinars on de-mystifying IT audit for business auditors last year.


The series started in May and concluded in November with a webinar about the General Data Protection Regulation (GDPR). It featured three main presenters: Vincent Mulligan FCCA (IT Audit Consultant at Eisteoir Consulting Ltd), Mike Hughes CISA, CGEIT, CRISC and Steve Connors CISM, FIPA, FFA (both partners at Haines Watts). All of the webinars in this completed series are available to watch on registration.


This article shares some of the highlights of the second webinar in the series on IT general controls. In this session, the speakers considered the nature of ITGC, the challenges internal auditors face reviewing them and the approaches that you can use to audit them.





Internal audit’s important role in combating modern slavery

The role internal audit has in helping businesses implement their anti-trafficking and human slavery statements.



Back in April 2017 I wrote an article which set out the reporting requirements of businesses with respect to the Modern Slavery Act 2015 and the role that internal audit can play in both an assurance and advisory capacity.


September 2018 will see the first tranche of organisations publish their second ‘anti-trafficking and human slavery’ statements. But how successful have these statements been to date and what more is required to drive real, tangible change when it comes to awareness and behaviours?



To recap, the introduction of the Modern Slavery Act 2015 was a key initiative of Theresa May during her time at the Home Office and has received continued focus during her time as Prime Minister.


The Act requires organisations conducting business in the UK, with a global turnover greater than £36m, to produce a report annually detailing the steps they have taken to ensure that slavery and human trafficking does not exist within their organisation and their supply chain.


While its impact remains a work in progress, the Act has helped to raise awareness of these terrible and harrowing crimes. Police in England and Wales recorded 2,255 modern slavery crimes in 2016/17, up from 870 cases in 2015/16, according to Kevin Hyland, Britain's anti-slavery commissioner.


This heightened awareness is slowly starting to influence customers, suppliers, investors and stakeholders more broadly when engaging with businesses. This in turn is forcing organisations to be more proactive in taking steps to mitigate potential slavery and human trafficking risks. However, there is also increasingly a recognition of the value generated beyond simply complying with legislation.


From a reporting perspective, companies such as Marks and Spencer and Unilever have sought to lead the way with respect to the level of detail and transparency within their Anti-Slavery and Human Trafficking statements.


Unfortunately, in a significant number of cases progress is more limited. In April 2018 TISCreport (Transparency in Supply Chain) reported that 50.8% of organisations (9,627 out of 18,939) required to report annually still have no locatable statements on modern slavery. This suggests there remains a lack of awareness of the legislation or that the potential implications are not sufficient to ensure this is a priority. This has not been helped by the government reiterating that it will not proactively monitor compliance; it has been left to NGOs, charities and the voluntary sector to fill this void.


Tick box templates

Having reviewed a number of the published statements, I found that a significant number do not comprehensively cover the required information as detailed within the Home Office guidance. Many statements are bland, templated documents, which suggests that many businesses still view the reporting element as a tick-box exercise. These conclusions are further supported by a report from the UK Business and Human Rights Resource Centre in October 2017, which identified similar issues when looking at statements published by the FTSE 100.


There appear to be a multitude of reasons for this: the resource and cost implications, a lack of expertise or knowledge as to what is required within these reports, or other avenues being used to promote efforts in this area without effective referencing within the statement. Irrespective, this appears to be a lost opportunity to communicate proactively with stakeholders on those positive actions which have quite often taken place behind the scenes.



The lack of understanding around modern slavery reporting requirements has also created a number of misconceptions. One of the most common is that a business’s obligations to take steps to prevent modern slavery are limited to its own organisation. The reporting requirements are clear that businesses must also take steps to ensure that modern slavery is not occurring throughout their supply chain.


For specific sectors the risks are clear, present and generally understood. The construction, travel and leisure and hospitality sectors, for example, often rely on migrant labour, some of whom may not be able to communicate effectively in English. Slavery and human trafficking risks within these sectors are, therefore, inherently higher. Likewise, manufacturers of a range of products often have to source materials or engage with suppliers who operate in countries where modern slavery (as defined within the Act) is commonplace or even legal.


For other businesses, modern slavery risks are less obvious. This has created a degree of complacency with regards to supply chain risk – particularly among those organisations which tend to be single-sited and UK-based with a predominantly local supplier base.


In these instances it is commonplace for modern slavery risks to be dismissed as irrelevant. However, cleaning firms, catering companies, temporary staffing agencies, office suppliers, providers of outsourced or managed services (eg IT) all represent the supply chain, and therefore slavery risks should at least be considered by businesses, yet are often overlooked.


Additionally, many organisations have raised concerns over how they can assure themselves over modern slavery risks where their supply chain is broad, complex or has multiple layers.


It is important to remember that businesses are not required to ‘guarantee’ that modern slavery does not exist within their supply chain; simply to report what (if any) action has been taken to assure themselves that it does not.


In order to achieve this, a risk-based approach is recommended allowing a level of enquiry and validation which is reasonable and proportionate to the nature of a business’s activities and those of its supply chain.


Possible approach

An approach taken by many organisations applies a variety of factors and weightings to determine those areas of the supply chain which are considered to be riskier. Factors may include the value of trade, the location of the supplier (UK vs. international), the nature of the products or services provided, or a reliance on human labour.


The outcomes can then be used to drive the action required to obtain the desired level of assurance. For example, those suppliers considered to be low risk may be required to sign a declaration annually that they have taken appropriate steps to ensure modern slavery does not exist. As the perceived risk increases suppliers may be asked to provide policies, procedures or evidence of action they have taken through to announced or unannounced supplier audits, specifically focused on slavery and human trafficking risks.


Leverage what exists

It’s also important not to reinvent the wheel. Leverage what already exists. There are likely to be processes already in place which can easily be enhanced to help mitigate modern slavery risks within a supply chain. For example:

  • what information can be obtained or provided to suppliers as part of the supplier due diligence or on-boarding processes regarding modern slavery and how is this information used to inform the supplier selection criteria?
  • do formal contracts with suppliers and subcontractors include obligations to comply with modern slavery rules or other related policies?
  • do performance targets and reward structures incentivise suppliers and subcontractors to comply with ethical policies and requirements?
  • are accounts payable staff aware of modern slavery risks which could be identified through the invoicing and payment processes?
  • do buyers or management visit supplier sites and are slavery and human trafficking risks considered as part of any walk around or interaction with supplier staff?


This risk-based approach enables effort in this area to be much more focused and makes the most of those activities which already take place within an organisation.


The Modern Slavery Act is clearly an incredibly important piece of legislation which is having a positive impact. However, the level and quality of the reporting around this remains below what would be expected from businesses of all shapes and sizes.


Given the absence of proactive monitoring by government it will require greater pressure from customers and investors to push the desire for improved modern slavery reporting up the board agenda. However, with the increased focus on corporate culture, ethics and sustainability more broadly I remain hopeful that businesses will rise to the challenge and play an ever increasing role in the fight against modern slavery and human trafficking risks.


Daniel Maycock – director of risk and assurance, Pennon Group plc and a member of ACCA UK’s Internal Audit Network Panel

Auditing culture in the fourth sector

In light of events in the charity sector, good audits can encourage and maintain behaviour change in companies.



It was the collapse of high profile young people’s advocate Carmen Batmanghelidjh’s Kids Company which set the red lights blinking on the charity sector dashboard.


Kids Company was founded in 1996 to provide support for inner city youngsters. Batmanghelidjh had claimed fantastic results in turning round the lives of children who were being sucked into gangs, drugs and crime. And its charismatic founder in her colourful costumes and headdresses was a fixture on TV talk shows – and the corridors of power. Former Prime Minister David Cameron was a supporter.


But in 2015, a journalist uncovered serious financial irregularities, including lumps of cash being handed out to troubled children with few if any controls. The exposé was published just days after Cameron’s government had approved the injection of £3m into the charity. It took just weeks for the entire organisation to collapse.


In the fallout, questions were asked about the Charity Commission’s regulation of not just Kids Company but the fourth sector as a whole. The fiasco prompted soul-searching among the donors – including the government. It also prompted a new focus on the strength of governance at charities, with law firms and accountancy bodies drawn to think hard about whether the correct standards of audit were being applied.


But there was another factor with Kids Company. Even as a winding-up petition was going through the High Court in August 2015, new allegations about the organisation were emerging: sexual abuse of youngsters, drug-dealing and the unaccountable handing over of wads of cash to children.


In these revelations the seeds of a new crisis can be found.


A senior lawyer, formerly of a magic circle firm in London, who has advised charities for 20 years and sat as trustee on numerous philanthropic organisations, says: ‘At the time, Kids Company was perhaps seen as isolated. Certainly, when I was asked to be a trustee, I was more concerned about smaller and not so small bodies such as family foundations. I would be concerned about how family charities were used for tax benefits and the reputational risk there.’


‘At the same time as Kids Company, there was also a focus on the cost of fund raising – and the amount of money raised going to good works compared to salaries and payments to fund raising firms,’ he adds, ‘but these are largely transparent problems and the risk or issue can be seen and managed.’


So a high profile collapse such as Kids Company might not trigger wider questions of ethical behaviour in major fourth sector organisations.



But a far larger scandal was quietly brewing. In February 2018, The Times splashed a story about Oxfam. Aid workers for Oxfam – one of the world’s largest charities – had been buying sex in Haiti in the aftermath of the earthquake which brought the country to its knees in 2010.


If Kids Company’s £3m government injection was big news, the scandal at Oxfam was massive. The charity employs 90,000 people around the world and last year received £176m from government and public bodies out of a total income of £406m.


The initial scandal soon snowballed. The charity had been aware of accusations but had failed to properly inform the Charity Commission and had quietly let ringleaders and perpetrators go – often not raising any issue as they moved to other charities in similar roles.


It emerged that Oxfam’s investigation in 2011 led to four members of staff being dismissed yet three more – including a senior figure – were allowed to quietly resign.


More and more similar allegations emerged, not only about Oxfam but about other charities. Médecins Sans Frontières was drawn into the scandal.


More recently allegations of sexual harassment by a top executive at Save the Children emerged, leading it to cease funding bids from government until it had put its house in order.


Blind spot

Simon Watkins, a former City journalist who now works as a freelance journalist and consultant, says the flood of accusations highlights a blind spot.


‘These kinds of allegations have shocked people more than if they had been made about executives at commercial companies, because there is a tacit assumption that people working at charitable organisations are on a different moral plane. But just because the ultimate cause is noble, it does not follow that every action carried out by every individual is automatically beyond reproach.


‘Clearly what is needed is that the claims of the fourth sector be treated with the same questioning eye that would apply in the corporate world.’


Jos Simson, chief executive of City PR Tavistock, agrees – and says charities should draw a lesson from an unexpected direction – mining and resource extraction companies.


‘Mining companies working in frontier economies across Africa and other tough regions and jurisdictions historically have been challenged on their records. You don’t need to dig far for allegations of bribery and corruption,’ he says.


‘But CSR reporting, especially since the 2006 Companies Act, has produced a sea change. Perhaps once it was a box-ticking exercise, then an annoying but necessary job. Now, the best companies wholeheartedly embrace robust, audited CSR reports.’


It is not so much that hard-bitten geologists have discovered their softer side, Simson explains. ‘A good CSR report is vital for modern investors. You can quite clearly see a flight to quality. When a company reveals a failing in its CSR, of course there is a focus on putting things right – but credit is given for self-reporting. Investors believe that if a company can be honest about uncomfortable social issues, it is more likely to be financially transparent and more likely to execute well on the ground.’


Robust audits

The lesson, according to Watkins and Simson, is that charities will find it hard to examine themselves with clear eyes, and that the solution lies in conducting robust audits of both finances and behaviours.


‘If you bring in an unflinching auditor to assess and test what you are doing, it may initially be painful – but only in the way ripping an old plaster off is. Sunlight is the best antiseptic,’ says Watkins.


Good audits also encourage and maintain behaviour change in companies. The process of examining any organisation's culture increases the chances of workers holding themselves to account.


But the process clearly has to start with audit: the outcomes that get measured are the outcomes that receive attention.


Simon Fluendy – Researcher and writer

IA LinkedIn group goes global!

Connect with internal auditors around the world.

ACCA UK’s Internal Audit network has an official ACCA UK LinkedIn group which is only open to members.


Previously restricted to UK members, the group is now open to ACCA members around the world to facilitate networking and discussion of the global internal audit profession. ACCA hopes that this group will:

  • stimulate discussion and debate by providing a forum to share ideas and discuss issues amongst members working in internal audit and associated fields
  • highlight current issues of interest to members working in internal audit
  • encourage discussion of policy and consultation documents.

If you have not already done so, joining the group is easy!


For members with an existing LinkedIn account, access the group here and click the ‘Join’ button in the top right-hand corner of the page. An email will then be sent to your registered LinkedIn account email address asking you to verify your membership details. Follow these instructions and, once your membership has been validated, you will be admitted to the group.

If you do not currently have a LinkedIn profile, you can register for a free account here.

Webinar series - GDPR for internal auditors

Register now for free autumn webinars.

ACCA UK's Internal Audit Network is running a series of five webinars on GDPR for internal auditors.

The series will run from September to November and will feature two main presenters – Mike Hughes and Steve Connors (partners at Haines Watts):

14 September – 12.30-13.30

Beyond GDPR

The 25 May enforcement of GDPR by the Information Commissioner’s Office (ICO) has occurred – what do we need to do now, and how do we build this into the overall approach to an information governance framework?


26 September – 12.30-13.30

Big Data vs GDPR

Explore the issues faced by businesses looking to leverage value from the emerging digital economy while staying compliant with GDPR. This session will consider the impact of GDPR on a business's marketing strategy and introduce the concept of data rights versus data ownership.


9 October – 12.30-13.30

Managing your cyber risk

Increasingly, we are becoming a very connected society. Learn about the vulnerabilities and threats the cyber world brings, the increase in business risk, and what we can do to manage this risk. We will look at some of the tools that are available to help organisations manage cyber risk.


6 November – 12.30-13.30

Third party/supply chain assurance

How do you identify and manage your critical third party suppliers through your entire supply-chain - from the selection of the third party, through due diligence and then onto ongoing contract and service management? This webinar will consider these areas and also include tips on supplier relationship management and the use of metrics and key indicators to flag when issues may be around the corner.


21 November – 12.30-13.30

Protecting IP and your business reputation in the digital age

This webinar will look at moving away from the traditional reactive approach to cyber security towards a proactive approach to monitoring. It will consider some of the latest thinking and products, and assess how far these enterprise-level products and services scale down to help an SME protect its intellectual property and reputation.


Book any of these webinars now and watch live or on demand at a time that suits you.



Webinar series - Big data and how to use it

Catch up on these four essential webinars on Big Data and how to use it.

ACCA UK's Internal Audit Network ran a series of four webinars on Big Data and how to use it from March to May this year featuring different speakers on the following topics:

  • What is Big Data?
  • The legislation around Big Data
  • Data analytics – assurance from an audit perspective
  • How Internal Audit can use data to provide assurance.


Each webinar lasts approximately one hour and provides one unit of verifiable CPD where it is relevant to your work. You can register for the on demand version of these webinars at any time.




Fast-track to CIA designation

Demonstrate your audit expertise and fast-track to the certified internal auditor designation.


Are you an ACCA member working in internal audit or interested in exploring the profession?


ACCA has partnered with The Institute of Internal Auditors (IIA) – the leading body for internal audit – to provide a simple route to the Certified Internal Auditor® (CIA®) designation.


Just one exam

ACCA members can get the designation by passing just one exam.


Why get the CIA® designation?

  • demonstrate your internal audit expertise
  • gain IIA membership
  • gain CPD.


Find out more now


What’s included

  • 12-month membership of your local Institute or IIA Global (if there is no local institute in your country of residence)
  • CIA exam application fee
  • CIA exam registration fee
  • customised electronic version of The IIA’s CIA Learning System®


Save now

  • IIA member saves $260
  • Non-member saves $620


The CIA challenge exam offers significant savings to you. The all-inclusive fee is just $1,095 for existing IIA members and $1,295 for non-members.


How do I apply?


You must apply for this offer between 4 June and 31 August ONLY.


Once you’ve been accepted you’ll be prompted to:

  • Register to take the exam by 30 September
  • Book your exam session by 15 October
  • Take your exam by 31 October.


You can sit the exam at any Pearson VUE test centre around the world.


Please note candidates will have only ONE opportunity to pass.


For more information about this exclusive offer, please visit the ACCA website.