Technical and Insight
Auditing culture and behaviour

CPD article: James Paterson considers what you should focus on when you're auditing the 'soft stuff'.

Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.                           




For the past 6 years I have been running the IIA UK training on auditing culture; I also helped write the IIA UK guidance on auditing culture. My background is worth explaining: I’m a finance professional, but did a master’s degree in management (focusing on organisational behaviour). I then left finance to work in HR (in leadership development and managing culture change). Then I became head of Internal Audit for AstraZeneca for 7 years, and since 2010 I have been combining my passion for people and the soft stuff with my love of Internal Audit, doing training and webinars across Europe and further afield.


I am really happy that GRC professionals, regulators and Internal Audit have started to recognise the importance of the soft stuff when it comes to the effective management of risk and maintaining ethical conduct. This was caused, in large part, by the recognition that many aspects of the financial crisis of 2007-2008 were caused by shortcomings in the “bonus culture” and underestimation of the latent risks building up. In addition, there were mis-selling scandals highlighting poor conduct in sales, which did not put the customer first.


In the UK, the importance of culture and conduct in relation to Internal Audit was formally recognised in a code of practice for Internal Audit in financial services, published in 2013, which said that Internal Audit should consider, when making audit plans, “the risk and control culture” and “the setting of, and adherence to, risk appetite” amongst other areas. In January 2020, the same points were included in the IIA UK Code of Practice for Internal Audit, applying to all sectors and not just financial services.




James Paterson, Risk & Assurance Insights Limited




Third line lessons from the front line of the pandemic

All of us have a role to play in helping create better processes and specifically, better internal audit practices.



Coronavirus and lockdown


The Covid-19 lockdown has dramatically re-ordered our professional, as well as private, lives in all sorts of ways. Four months ago, headlines included 'US stocks fall 12% in worst day since 1987', and the VIX index, the market's 'fear gauge', jumped to a record high on 16th March 2020. Just one of the risks in financial services is that, given that returns can increase significantly for fast movers during periods of heightened volatility, artificial intelligence trading algorithms could make a rational, though unintended, choice to engage in market manipulation for the benefit of their investing clients but at the expense of other investors. Similar trends may be discerned in other sectors, and the Office for National Statistics report [1] soberly paints a dramatic picture of an entire economy in crisis.


April 2020 showed even sharper falls than March, as the negative impacts of social distancing and lockdown led to falls in consumer demand, business and factory closures and supply chain disruptions. GDP fell by 20% in the month, the largest fall since monthly records began in 1997, reflecting record widespread falls in services, production and construction output. The construction industry experienced a decline in output of 40% during April. Turning to just one example from the public sector, the volume of educational activities declined by approximately 35% in April. On average, charities report that they are expecting a 24% reduction in total income for the year. Services comprise 80% of the UK economy, while production and construction comprise 14% and 6% respectively, so falls on this scale in services are felt across the whole economy. I will come on to the significantly heightened risk of fraud and of control circumvention later in this article.


Risk Registers need to be re-written, freshly scored and stress tested with rigour.


The question arises for us: how can this shape the future of Internal Audit? As we have all heard and said, things will not return to normal and new norms are to be expected. All of us have a role to play in helping create better processes and specifically, better internal audit practices. One can ponder how exactly we might be more effective auditors and participants in the overall assurance process. Also, what risks might we all pose not only by changing too much but also by changing too little?


Immediate changes


As occurred in the financial crisis, precipitated by the banking failures of 2007-2008 and by the build-up of leveraged debt instruments which preceded them, Internal Audit must come out of the current pandemic stronger as a result of the learning opportunities that crises afford us. In these still early days, these may be seen as:

  1. Greater use of remote auditing, with the efficiencies and benefits that this can bring.
  2. An accelerated adoption of agile audit techniques and much quicker reporting of control weaknesses, recommendations and opinions.
  3. Data analysis extensions going beyond those of the previous twenty years.

These will require risk mitigation by audit departments themselves, because of the change in working patterns and audit coverage. This change is not driven by failure of the audit processes (the “comfortable irrelevance” enjoyed by Internal Audit was a phrase coined during the credit crisis a decade earlier) but rather by the unrequested opportunity afforded by prolonged remote working, and by the need to audit work that our auditee colleagues are themselves now doing remotely.


Never before has the role of Internal Audit in reviewing and reporting on adverse events been so pertinent. Reflection on the lessons learned and analysis of what went right and wrong are likely to be key drivers and inputs into identifying priorities and setting a forward-looking internal audit plan.


Remote auditing


Based on experience during the Covid-19 lockdown that commenced on 23rd March, it is extremely likely that internal auditors will work from home more in the future and will be expected to undertake less business travel by auditing remote locations, analysing their data and reporting audit results, without having to visit them.


The plan to increase remote working has many advantages: better work-life balance for staff, reduced travel time and greater dedication to the task in hand. However, there are risks, which include:

  1. Reduced contact with colleagues, albeit mitigated slightly by online interaction and video conferencing.
  2. Work life and home life melding into one, possibly dealt with to some extent by having a dedicated desk which can be left when working time ends each day or by powering down the “work” computer.
  3. Reduced opportunities to work alongside auditees and to get under the skin of the activity being audited.
  4. Less chance to observe body language clues in auditees.

Further consideration is given to the latter two because controlling them will need greater input from internal audit management. One of the benefits of colleagues in different departments working in the same building is that it has always been relatively easy for the auditors and their laptops to relocate to the trading desk or office area subject to audit, and to work on audit tests there whilst normal activity continues. The auditor, whilst remaining productive, hears about any frequent problems as they occur and picks up on how they are resolved and errors are corrected. Sometimes people bounce ideas off the visible auditor, so the process is both interactive and educational. It is informative and likely to assist in the drafting of reports and the formulation of recommendations.


If an auditor is working remotely and out of sight, this drip feeding of knowledge and observation of culture is harder or impossible, and audit management may have to request minutes of team meetings that discuss recurring problems as a substitute, in the hope that such matters are covered and fully documented.


Turning to feedback from auditees, this takes the form, like other communications, of a combination of the spoken word, the tone in which it is delivered and the body language (facial expressions and eye contact, head movements, hand gestures, posture) of the speaker and of the colleagues hearing the words spoken. Dissonance between these channels, and unintended leakage, may cast doubt on part of what is being said or hint at important omissions. This is far harder for internal auditors to detect when working remotely, even if the speaker can be seen and heard in a small box on screen. Heightened attention to tone of voice and a little more scepticism may be justified in controversial and risky areas, without being overly cynical, and verification of responses needs to be rigorous. Furthermore, audit management will need to consider carefully the degree of assurance that may be forgone, and caveat any material gaps in the consistency of assurance.


Audit technology


Auditing can be done effectively using cloud-based applications for collaborative working, video conferencing and remote access infrastructure, provided adequate security measures are applied both to the conferencing itself and to the access, transfer and storage of audit data: meetings restricted to authenticated participants, evidence files encrypted in transit and at rest, and access to them limited to the audit team and logged. The increased adoption of technological and digital tools may also require better internal audit file management, workflow systems, data analysis and artificial intelligence. Furthermore, internal audit functions should take the opportunity to introduce strengthened continuous auditing, automating the monitoring of key risks and the operation of key controls so that time is freed to concentrate on complex areas of risk.

There is an opportunity to improve audit effectiveness by building stronger internal audit teams. When auditing is done remotely, the location of auditors does not matter and audit teams can be built to ensure the most suitable auditors are assigned to each audit, irrespective of where they are based.


Fraud auditing


The risk of fraud increases now because criminals thrive on chaos, uncertainty and disruption, and Covid-19 responses have provided these in abundance. During a paradigm shift, where everything has changed rapidly, unusual activity that could be a red flag for fraud may go unnoticed. What has been noticed is that financial institutions have seen spikes in false positive alerts generated by their monitoring software, reflecting the fact that customer behaviour has changed suddenly but for good reason.


With many employees now working remotely, criminals who use sophisticated analysis to seek out weak links will take advantage of any weaknesses in controls and in IT security. External fraudsters have sought to exploit people working from home by impersonating managers in order to issue payment instructions; the standard countermeasure is to confirm any new or changed payment instruction by calling the requester back on a known number, independent of the email or messaging channel on which the instruction arrived.


Supply chains have been broken and employees are under increased pressure, so it is easier for normal supplier controls to be circumvented and due diligence diluted.


Auditing for fraud events is harder when not done face to face, and supplementary data analysis techniques may be needed, some of which have been available for some time. For example, Benford’s Law analysis may be used to search for anomalies and unnatural data patterns that may indicate suspicious activity: in many naturally occurring populations of financial amounts the leading digit 1 appears about 30% of the time and 9 less than 5%, so a set of invoices or expense claims whose leading digits depart markedly from that pattern merits closer inspection. Run over a whole population rather than a sample, this can be more efficient and also more reliable than traditional control compliance testing based upon relatively small samples. Not only can this analysis be very effective and insightful, it has been recommended by the Association of Certified Fraud Examiners for twenty-five years.
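The leading-digit test described above, as an added worked example (it is not code from the article or from the ACFE). It screens two constructed ledgers: one whose amounts are spread evenly across four orders of magnitude and so follow Benford by construction, and a tampered copy padded with fabricated invoices priced just under an approval limit. The 5,000 approval threshold, the 150-invoice count and all amounts are assumptions chosen for illustration; the chi-square critical value (15.507 for 8 degrees of freedom at the 5% level) is the standard one.

```python
"""Benford's Law screening of transaction amounts (added example; constructed data)."""
from collections import Counter
from math import log10

# Expected share of each leading digit under Benford's law: P(d) = log10(1 + 1/d)
BENFORD = {d: log10(1 + 1 / d) for d in range(1, 10)}

# Pearson chi-square critical value for 8 degrees of freedom at the 5% level
CHI2_CRITICAL_8DF = 15.507


def leading_digit(amount):
    """First significant digit of a non-zero amount, sign and magnitude ignored.
    Scientific notation gives the mantissa's first digit directly ('4.95e+03' -> 4)."""
    if not amount:
        return None
    return int(f"{abs(amount):.12e}"[0])


def digit_counts(amounts):
    """Observed count of each leading digit 1..9 (zero amounts are skipped)."""
    counts = Counter(leading_digit(a) for a in amounts if a)
    return {d: counts.get(d, 0) for d in range(1, 10)}


def benford_test(amounts):
    """Chi-square goodness of fit of observed leading digits against Benford.
    Returns the statistic, whether it exceeds the critical value, and a
    per-digit table of (observed share, expected share) for the audit report."""
    obs = digit_counts(amounts)
    n = sum(obs.values())
    stat = sum((obs[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))
    table = {d: (obs[d] / n, BENFORD[d]) for d in range(1, 10)}
    return {"n": n, "chi_square": stat, "flagged": stat > CHI2_CRITICAL_8DF, "table": table}


def below_threshold_share(amounts, threshold, band=0.05):
    """Share of amounts sitting just under an approval limit, e.g. in [4,750, 5,000)
    for a 5,000 limit; payments split to dodge a sign-off limit cluster here."""
    low = threshold * (1 - band)
    return sum(1 for a in amounts if low <= a < threshold) / len(amounts)


# --- Constructed sample data (not a real ledger) ---------------------------

def clean_ledger(n=1000):
    """Amounts spread log-uniformly from 100 to just under 1,000,000: four full
    decades, the regime in which Benford's law holds almost exactly."""
    return [round(10 ** (2 + 4 * i / n), 2) for i in range(n)]


def tampered_ledger(threshold=5000.0, fabricated=150):
    """The clean ledger plus fabricated invoices priced 1..97 below the
    (assumed) 5,000 approval threshold, so every fake has leading digit 4."""
    fakes = [round(threshold - 1 - (i % 97), 2) for i in range(fabricated)]
    return clean_ledger() + fakes


if __name__ == "__main__":
    for name, ledger in (("clean", clean_ledger()), ("tampered", tampered_ledger())):
        result = benford_test(ledger)
        print(f"{name}: n={result['n']} chi2={result['chi_square']:.1f} "
              f"flagged={result['flagged']} "
              f"just-under-5000={below_threshold_share(ledger, 5000.0):.1%}")
        for d, (seen, expected) in result["table"].items():
            print(f"  digit {d}: observed {seen:6.1%}  expected {expected:6.1%}")
```

The clean ledger passes comfortably while the tampered one fails on both tests: the excess of leading 4s drives the chi-square statistic far above the critical value, and over a tenth of all amounts sit in the band just below the approval limit. Two caveats before applying this to a real ledger: Benford's law only holds for amounts that span several orders of magnitude and are not assigned or capped (invoice numbers, fixed-price items and amounts bounded by a price list do not conform), and a failed test is a prompt for follow-up on the offending digit or band, not evidence of fraud by itself.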


The Association of Certified Fraud Examiners’ 2020 Report to the Nations [2] included amongst its Key Findings that the use of targeted anti-fraud controls has increased over the last decade and that a lack of internal controls contributed to nearly one-third of frauds. The presence of anti-fraud controls is associated with lower fraud losses and quicker detection and these include:

  1. An anti-fraud policy
  2. Fraud training for employees
  3. Fraud training for managers/executives
  4. A whistle-blowing hotline

Clearly these are essential elements of strong corporate governance. The fraud training should be structured around the anti-fraud policy and decisions can then be taken on whether the whistle-blowing hotline is run in-house or contracted out.


Control circumvention


Past crises and watershed moments for the profession supplied internal audit with important lessons on where controls fail, which remain relevant:

  • that the override of good controls (perhaps only 1% of the time, more likely 0.1%) may be a greater risk than inadequate or ineffective controls, because the latter can be identified, understood and mitigated in practice
  • whenever controls fail the auditors must keep digging until they get to the root of the problem.

If, as the Association of Certified Fraud Examiners has found, the absence of internal controls contributed to one-third of frauds, it is implicit that control circumvention is a major component of the other two-thirds of fraud. Dealing with it must be a major priority of control system design and corporate governance.


In the June 2020 quarter and because of the pandemic, management has concentrated on employee and customer safety, business continuity and financial resilience. The shift to telecommuting across the board and slowdown in activity has changed the risk levels and business operating practices. Some controls may no longer function as intended. It is necessary to evaluate how management has adjusted financial and operational procedures to cope with remote work arrangements and offices being unavailable.

This evaluation should include the:

  • Re-evaluation of separation of duties when many employees are ill, away from the office or furloughed.
  • Adjustment of credit risk and payment terms to reflect changes in customers’ risk profiles.
  • Review, approval, and documentation protocols for changing static data and making accounting entries.
  • Re-alignment of IT security controls to deter social engineering attacks and mitigate the lack of employee experience with remote working and using internet communication methods.

The review should extend beyond the company to cover the continuity of services and controls from third-party vendors, including large business process outsourcing providers operating overseas.


Agile auditing is a good solution


The main difference between agile and traditional auditing is that inflexible, early stage planning is replaced by iterative planning and a series of sprints, incorporating short bursts of activity covering planning and testing. Continuous communication and collaboration both among the internal audit team and with management, are delivered. Typically the eight weeks or so spent on planning, fieldwork and reporting are replaced with, say, three agile phases totalling six weeks.


Agile auditing is built around a flattened structure, with empowered job roles. Teams can decide to continue on a project track or change directions based upon experience gained during sprints. Re-alignment can be made by more junior auditors, as senior auditors will have set appropriate guidelines during planning phases. A more responsive internal audit approach can deliver the value that senior management needs.


Within sprints, auditors can monitor and revise their priorities every two weeks or so and are not constrained by a traditional internal audit cycle. Fieldwork and review are quicker and reporting is too.


Agile internal audit planning involves a continuously updated backlog of audits and projects, prioritised on risks. Communication is both very frequent and more informal, with reporting via dashboards and update memos, rather than formal, long form audit reports.


Testing priorities are reassessed and redirected as priorities evolve; every two weeks or so (depending on the length of sprints) audit teams review priorities, testing and goals. Major weaknesses are surfaced as they arise, so that action can be scheduled quickly. Audit teams can be more adaptive.


Thus agile assurance is given in real time over risks that are currently, rather than historically, critical or important. Other matters that can be sharpened by agile methods include:

  1. Very prompt feedback to Management.
  2. Independent assurance over risks assessed and related controls, with an eye to the future.
  3. Closer involvement in assessing continuity planning and stress testing.
  4. Demonstration that current technology supports the audit process, whether or not it is mainly done remotely.
  5. Understanding the control implications of remote working across the company, including data security and process integrity.
  6. Sticking to Internal Audit’s existing change agenda for agile auditing, data mining and analytics.
  7. Expectations that Internal Audit can demonstrate its independence and objectivity, as it increasingly adopts agile practices.
  8. Emphasis on the susceptibility of certain controls to circumvention in difficult circumstances. This has fraud risk implications and may need enhanced expertise in fraud auditing and investigation in some departments. Fraud investigation in particular, will still need higher levels of face to face discussion, interviews and challenge. Management’s detective controls over fraud prevention may be rendered less effective as their operation becomes more remote.
  9. Reduction in the human element of auditing will reduce the ease of spotting certain red flags of fraud, weak culture and ethics.

Not all internal audits are suitable for an agile approach and companies may need a hybrid system rather than forcing agile audits on every element of the audit universe.


Future Opportunities


In future, internal auditors need to give:

  1. Stronger assurance on high risk activity, at the risk of attending less to relatively low risk matters. The confidence to do this can be built on greater concentration on evolving risks and monitoring changing risk patterns. Cyclical assurance plans are yesterday's solution.
  2. Clearer documentation of their modus operandi to allow strong challenge and review for those working remotely.
  3. Improved early confirmation of findings with management to ensure auditors who cannot see body language have properly understood the written word.
  4. Promotion of Internal Audit’s value based on the observed benefits during the pandemic of earlier internal audit findings and insights.
  5. Greater consideration of more extreme stress scenarios.
  6. Assurance on control resilience to circumvention and fraud.
  7. Better use of the reduced time that can be spent with auditees.
  8. Re-assessment of how companies operate and have changed so that control effectiveness can be tested in this light.

Auditors need to be wary of looking like Generals who seek to re-fight the previous war, oblivious of new forms of attack, technology and techniques.


The entirety of what has been set out may be a significant change agenda and greater for some departments than others, so it is best to get the audit team involved, individually and collectively. As with any change, people who are actively involved in it, rather than simply subject to it, will be more content and effective in development and implementation. They can then assist it to be resilient and are more likely to surface weaknesses and resultant errors than if they had not been involved from the start.


I would emphasise the importance of Internal Audit and Audit Committees re-evaluating previous audit actions. Work priorities have changed and the implementation of previously agreed audit actions may no longer be a main priority. Internal Audit should consider:

  • Reviewing and re-prioritising the action tracker with the audit committee.
  • Talking to auditees about high priority internal audit actions to confirm their status and whether their deadlines remain achievable.

Internal Audit’s role after the crisis should reflect the main lessons covering the:

  • Heightened fraud risk and greater opportunities for control circumvention, at the same time as the motivation of nervous, or even desperate, staff to commit fraud increases.
  • Ability of management to make appropriate decisions during times of stress.
  • Any cultural concerns arising from employees’ ability to adapt and respond to the crisis.
  • Financial resilience and liquidity.
  • Dependencies on suppliers and third parties.
  • Disadvantaged customers.
  • Effectiveness of business continuity plans.
  • Adequacy of IT systems.


John Webb, FCCA & Certified Fraud Examiner

Copyright: © 2020



[1] Office for National Statistics: Coronavirus and the impact on output in the UK economy: April 2020.

[2] Association of Certified Fraud Examiners, Inc. 2020 Report to the Nations.



Revisions to the FRC's Ethical Standard

The majority of the new requirements have now been in force since March 2020 - find out how it impacts on Internal Audit.

Revisions to the FRC's Ethical Standard have introduced some additional prohibitions for all auditors, writes James Ferris.


The FRC’s Ethical Standard (ES) sets fundamental principles, supporting ethical provisions, and general requirements for the conduct of audits and other public interest assurance engagements. In 2016 the ES was revised to implement more robust requirements for the auditors of Public Interest Entities (PIEs) as a result of the 2016 EU Audit Regulation, and to merge the previously separate ethical rules for auditors and reporting accountants. The 2019 version of the standard is a product of our post implementation review (PIR) of the 2016 changes.


The context for our 2018/19 review was one of significantly increased public and political concern about audit, and increased scrutiny of the non-audit related fees auditors earn from the companies they audit. During the course of our review several firms made voluntary public commitments to the BEIS Select Committee to limit the provision of non-audit services other than those that were ‘essential’ to the FTSE 350 companies they audit in order to address perceptions of conflicts of interest. Responses to our consultations and wider stakeholder outreach in 2018 and 2019 were generally supportive of further restricting the types of non-audit services which external auditors can provide, alongside the existing fee cap for PIE auditors. Given the experience of corporate and audit failures outside the world of PIEs, there was also strong support for stronger independence rules for the auditors of other types of entity, which although not PIEs themselves, are of significant public interest.


As a result, our revision of the Ethical Standard focussed on:

  • Enhancing the role and status of Ethics Partners within the firms, as well as the requirement to report to the FRC where there have been ethical breaches
  • Strengthening the Objective, Reasonable and Informed Third Party (ORTIP) test, where auditors are required to consider possible external perception of threats to independence
  • For PIE auditors, moving from a list of prohibited non-audit services to a more narrowly defined list of permissible services that are audit related or required by law and regulation
  • The development of a new defined term of Other Entity of Public Interest (OEPI) to be applied to entities which do not meet the PIE definition, but where the level of public interest is heightened. Auditors of those entities will only be able to provide non-audit services from the permitted services list
  • Introducing additional prohibitions applying to non-audit services to all audited entities. These were informed, in part, by stricter rules introduced into the IESBA Code (for example in respect of recruitment services and playing a ‘management role’ in an entity).

Our final overarching aim was to try to simplify the text, remove some perceived ambiguities and make the standard easier to use – at least relative to the complexity of the underlying subject matter.


The measures to enhance the role and status of Ethics Partners are central to our overall objective, which is to encourage the firms to deal with ethical matters in a more holistic way, and to provide a focal point for the practical application of the ethical principles. It is the day-to-day application of principles by those firms that is critical to the achievement of ethical outcomes in the public interest. Since it would be impossible to anticipate every possible set of circumstances, and therefore to write an Ethical Standard with a complete set of ‘rules’ covering every possible situation, a deep commitment to and understanding of the fundamental principles of Integrity, Objectivity and Independence is of paramount importance.

This is underpinned by changes to the ORTIP test, which previously required practitioners to take account of the perspective of an ‘objective, reasonable and informed third party’ and whether such a person would probably conclude that a given course of action would compromise the ethical outcomes required by the standard. We strengthened the focus of this test on key stakeholders who are not practitioners, with reference to s172 of the Companies Act and the stakeholders to whom company directors have specific obligations. We have also extended the use of the ORTIP test to a broader range of scenarios.


The more narrowly drawn list of permissible services which can be provided by PIE auditors means that those auditors will only be allowed to provide services which an objective, reasonable and informed third party would consider appropriate and related to their role as auditor, or where there is a legal or regulatory requirement. No other services can be provided. The permissible services list also applies to our new category of OEPIs, although the 70% fee cap does not. OEPIs are entities where we believe there is a legitimate wider public interest, and where a more stringent set of auditor independence rules should apply. As a proportionate regulator we have defined OEPIs as larger AIM listed companies, large pension schemes and large private companies, as well as Lloyd’s Syndicates. Whilst we do not doubt that there will be challenges associated with this change, we believe the objective of enhancing confidence in auditor independence for these larger entities is paramount. In order to allow audit firms and audited entities time to prepare we delayed the effective date for OEPIs to periods commencing on or after 15 December 2020. The 10 year tendering or 20 year rotation requirements do not however apply to OEPI auditors.  


Finally, we introduced some additional prohibitions for all auditors. These were areas of the previous version of the Ethical Standard where we felt that more robust rules were appropriate. They included the use of contingent fees for non-audit services, where the service provider effectively has an interest in the successful outcome of the transaction on which they are reporting. In respect of recruitment services, we felt that the old rules, which allowed some short-term junior staff secondments from audit firms to audited entities, were no longer defensible and should be simplified to an outright ban. Similarly, we do not feel it is appropriate that an external auditor should simultaneously provide internal audit services to an entity, and have introduced an absolute ban.


The majority of the new requirements have now been in force since March 2020. This has, of course, coincided with the COVID-19 pandemic. We have been very mindful of the significant challenges facing the UK economy, and have been flexible and responsive with the guidance we have produced on the new non-audit services rules. We made it clear, for example, that where auditors were helping companies with applications for government support schemes that we considered those as part of the list of permissible services.


More generally, we welcome the positive and constructive engagement we have had with audit firms, including regular discussions with Ethics Partners. We are always open to dialogue with any stakeholders to help them understand our ethical requirements better and how they may be affected by them.


We also constantly monitor the impact our Ethical Standard has on auditors and the entities they audit, as well as on wider perceptions of and confidence in the profession. Looking forward, we will also need to consider the impact of the government’s proposals for audit reform in response to the three independent reviews. In the meantime, we believe that our revised Ethical Standard provides an enhanced set of ethical principles and requirements.


James Ferris is Acting Head of UK Auditing Standards at the FRC. He joined the FRC as a Project Director in 2015, and has been involved in a variety of projects relevant to UK auditing and assurance standards including, most recently, revisions to the Standards for Investment Reporting and the FRC’s Ethical Standard. Immediately prior to joining the FRC James was a Financial Audit Director at the National Audit Office, where he also trained as a chartered accountant.



What's expected of Senior Managers during Covid-19?

Senior Manager Functions need to be clear about their individual accountability in relation to the COVID-19 response.

As businesses adapt to the new norm, how are your senior managers discharging their individual responsibilities?


COVID-19 has changed the way businesses work and put significant pressure on organisations across the globe. Not only is it unpredictable in nature, but it also brings new challenges relating to the workforce, customers, outsourced partners and technology infrastructure. New responsibilities and workload pressures are being placed on individuals to maintain operational continuity. Regulators continue to actively review how the financial sector responds to COVID-19 and provide guidance on managing the disruption effectively. As businesses adapt to the new norm, how are your senior managers discharging their individual responsibilities under the Senior Managers and Certification Regime (SM&CR)?


The role of Senior Manager Functions (SMFs)


SMFs need to be clear about their individual accountability in relation to the COVID-19 response. Most firms will already have a response plan for this pandemic in place, and this needs to be agile, to reflect the uncertainty of the current situation. This may mean changing day to day activities in order to take (and evidence) reasonable steps to manage the impact of the pandemic. These steps may include:

  • Assessing if they have adequate resources available to discharge SMF responsibilities.
  • Adjusting business practices, including working from home. Regulators expect SMFs to identify employees that are unable to perform jobs from home and support them accordingly.
  • Reviewing end-to-end activities of essential services to make sure SMFs are aligned in terms of the firm’s response plan.
  • Considering fit and proper assessments for SMFs to make sure they’re healthy and able to focus on business as usual and crisis management.
  • Making contingency plans in case a significant portion of the SMF’s team is unable to work.
  • Assessing current processes to make sure there is adequate segregation of duties and robust reviews. Management information needed should be reviewed and made available to enable SMFs to review anomalies.

The role of the CEO


The Chief Executive Function has a pivotal role to play in how the firm responds to COVID-19. During this time, firms need to focus on the activities, services, operations and outsource providers that, if disrupted, would impact the real economy or financial stability. The CEO is responsible for making sure there are proper processes in place to identify the essential individuals needed during this time.


Effective and regular direct communication from the CEO and other SMFs is essential for staff, customers, regulators and third parties, including outsourced business partners.


The role of the CFO


The Chief Finance Function needs to actively manage the firm’s financial resilience and review the working capital requirements under various scenarios. The regulator expects SMFs to implement processes to obtain up-to-date liquidity positions, and to have mechanisms in place to notify the regulator if they believe they will be in difficulty.


The role of the COO


The Chief Operations Function is critical to keeping key business operations and essential services running during the pandemic. Key considerations should include:

  • Assessing the firm’s operational risks and making sure the capabilities needed to support essential services and promote operational resilience are in place during the pandemic.
  • Making sure the technological infrastructure is in place to support remote working.
  • Identifying and mitigating the technology risks that may emerge under remote working, such as data protection (GDPR) breaches, loss of data and cyber security incidents.
  • Reviewing systems and controls to make sure the firm can continue to comply with regulatory obligations.
  • Revising impact tolerance levels under operational resilience and making sure processes are in place to manage them on an ongoing basis.
  • Continuously re-assessing the operational resilience of outsource providers and suppliers who support important services. Regular contact with these third parties is key.

Managing handover documentation processes


Handover documentation is an important element of SM&CR, and more so with the potential for widespread absence due to illness. This should be up-to-date, and firms may want to re-assess how frequently these are updated.


The role of certified staff


Most certified persons will fall under key essential staff, as assessed by the regulator. As firms identify these workers within their own business, it may be a good time to reassess the individuals who should be certified. This will include people who make key decisions and are integral to essential activities, services and operations.


The role of the board


The board and other key governance committees should be leading good governance throughout this period of uncertainty. Relevant and timely management information is critical for making informed decisions, and it should be available at a higher frequency than under business as usual. Firms may also rethink practical elements of how they operate. Non-Executives should have the systems and capacity to work remotely and to enable effective challenge of the Executive. The corporate secretariat will need to be agile and rapid in its response as it ensures that adequate records of all key decisions, together with the associated challenge, are properly recorded in order to stand up to inevitable future scrutiny.


What to do now


Good oversight and governance are critical during periods of uncertainty, and SM&CR application needs to be agile to respond effectively. As a starting point, firms should assess their essential services and associated activities to determine the key personnel required. Building on this, systems and controls should be assessed to make sure they are able to mitigate emerging risks or the increased likelihood of existing risks occurring. Policies and procedures should be reassessed to include alternative and/or additional controls to mitigate new and emerging risks. Key documentation should be reviewed, including management responsibility maps, statements of responsibilities, policies and procedures, and management information, as well as third party contracts.


While protecting customers is the end goal, firms need to maintain financial and operational resilience. Firms should also take the lessons learned from their COVID-19 response to ensure SMFs continue to be able to manage in the future.


Sonia Shah - Grant Thornton Financial Services Group





The use of social media by employees

What is best practice when it comes to the use of social media by employees and what should internal auditors be mindful of in this area?



Before we look in detail at social media use by employees, we need to establish that social media covers a range of channels and these channels may be owned by the employer or the employee. For each channel there may also be a range of user profiles created with different promotional responsibilities.


The number of social media channels is growing, and the popularity of individual channels ebbs and wanes over time. Facebook and Twitter are recent examples of how the mismanagement of posts that are viewed as offensive, and the unfortunate placement of advertisements alongside them, has had a potentially damaging impact on brands. Organisations have recognised that reputation by association can be negative as well as positive, and some have boycotted channels that do not have adequate controls in place.


If we consider the channels that are owned by the organisation the objective of using these channels is ultimately to promote and maintain the brand.


Employers should be able to control the narrative of these channels. They can ensure that only approved content is put out and they can ensure that their use of social media is governed by a strategy that is capable of being monitored.


The Strategy

Successful corporate use of social media relies on developing a social media strategy. The strategy defines the objective, purpose and identifies the channels to be used.


The paradox for many organisations is balancing control with empowerment. Some of the best ideas can come from employees who are not central to sales and marketing; for example, some of the organisation’s best salespeople may be the service engineers who go out to clients’ sites. Centralising the function makes it easier to manage the profiles and control the narrative, but this can come at the expense of limiting ideas.




There are two audit areas to consider: measuring efficiency and effectiveness (value for money), and control. In the digital age companies are focusing more of their advertising budgets on social media channels, so we as auditors need to consider value for money as well as compliance.


Because of how the use of social media has evolved in business, one of the issues faced by many larger organisations is housekeeping. Over time, various departments may have built up numerous social media profiles that are no longer maintained, and that may even have been forgotten about because the employee who managed the profile has moved on.


In one medium-sized public body, a recent audit identified over 200 different user profiles covering numerous channels. The issue for the organisation’s management was that many of the profiles had not been used for several years and, as they had been created and maintained by employees who were no longer with the organisation, they could not be accessed.


As a result, an auditor’s first task is often to undertake a discovery exercise. If the IT department is not able to assist, there are numerous “eDiscovery” and “Social Listening” tools available, and these are an effective method of identifying both profiles linked to the organisation and references to the organisation.
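The housekeeping problem described above (dormant profiles, and profiles whose only custodian has left) is the same orphaned-account problem auditors meet in any system, and the check can be scripted once the discovery exercise has produced an inventory. The following is an added example written for this article, not code from the author or from any of the tools mentioned: it takes an inventory of profiles and the current HR roster and flags profiles with no recorded owner, profiles whose owner is no longer employed, profiles dormant for more than a set period, and individuals who are the sole custodian of more than one profile. The inventory, the roster, the handles, the review date and the two-year dormancy threshold are all constructed assumptions for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed inventory of profiles turned up by a discovery exercise.
# Channels, handles, owners and dates are hypothetical sample data.
PROFILES = [
    {"channel": "twitter",   "handle": "@acme_press",      "owner": "a.khan",  "last_post": "2020-03-02"},
    {"channel": "facebook",  "handle": "AcmeRecruitment",  "owner": "j.smith", "last_post": "2015-11-20"},
    {"channel": "linkedin",  "handle": "acme-engineering", "owner": None,      "last_post": "2018-04-15"},
    {"channel": "instagram", "handle": "acme_events",      "owner": "m.jones", "last_post": "2019-12-12"},
    {"channel": "twitter",   "handle": "@acme_helpdesk",   "owner": "j.smith", "last_post": "2020-04-01"},
]

# Constructed HR roster: staff still employed on the review date.
# j.smith has left, so two profiles now have no one who can log in.
CURRENT_STAFF = {"a.khan", "m.jones"}

REVIEW_DATE = date(2020, 6, 1)          # assumed date of the audit
STALE_AFTER = timedelta(days=365 * 2)   # assumed dormancy threshold


def review_profiles(profiles, current_staff, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return {handle: [issue, ...]} for every profile needing attention.

    Issues raised:
      "no recorded owner" - nobody is accountable for the profile
      "owner has left"    - the named owner is not on the current roster,
                            so the credentials may have gone with them
      "stale"             - no post within `stale_after`; the profile still
                            carries the brand but nobody is watching it
    A profile with a current owner and recent activity raises nothing.
    """
    findings = {}
    for p in profiles:
        issues = []
        if not p["owner"]:
            issues.append("no recorded owner")
        elif p["owner"] not in current_staff:
            issues.append("owner has left")
        last_post = date.fromisoformat(p["last_post"])
        if today - last_post > stale_after:   # strictly beyond the threshold
            issues.append("stale")
        if issues:
            findings[p["handle"]] = issues
    return findings


def summarise(findings):
    """Count how many profiles raise each issue, for the audit report."""
    return Counter(issue for issues in findings.values() for issue in issues)


def single_owner_concentration(profiles):
    """Owners who are sole custodian of more than one profile: a key-person
    risk, since their absence or departure orphans several profiles at once."""
    counts = Counter(p["owner"] for p in profiles if p["owner"])
    return {owner: n for owner, n in counts.items() if n > 1}


if __name__ == "__main__":
    findings = review_profiles(PROFILES, CURRENT_STAFF)
    for handle, issues in findings.items():
        print(f"{handle}: {', '.join(issues)}")
    print("summary:", dict(summarise(findings)))
    print("key-person risk:", single_owner_concentration(PROFILES))
```

In practice the inventory would be exported from whichever discovery tool was used and the roster from HR, and the dormancy threshold set to whatever the organisation's policy defines; the point of the check is that the "owner has left" and "no recorded owner" findings are the ones that cannot wait, because those are the profiles the organisation can neither post from nor take down.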


But as auditors we want to focus on how well the organisation manages its risks, which can typically be grouped as follows:


  1. The organisation fails to suitably manage its Social Media presence generated internally (or by associated third parties), impacting upon its reputation;
  2. The organisation fails to harvest ideas from its wider employee base; and
  3. The organisation fails to suitably monitor and, where appropriate, respond to externally generated Social Media activity, including:
    • that from which it can benefit and therefore should contribute to; and
    • that which may cause harm and therefore needs a response.


Value for Money


Just a reminder that in this context value for money is about achieving the right balance between economy, efficiency and effectiveness, the 3Es – spending less, spending well and spending wisely:

  • Economy – Acquisition of resources in appropriate quality and quantity, at minimum cost.
  • Efficiency – Maximum output for any given set of inputs or the minimum inputs for any given quantity and quality of goods and services provided.
  • Effectiveness – Extent to which any activity achieves the intended results, which can be either quantitative or qualitative.

We should be focusing on how management are planning and monitoring the use of social media to achieve this balance.


Typically, we would expect that the team responsible for social media is compiling metrics to help management assess performance, including as a minimum:

  • Analysis of each social media profile
  • Identification of the top performing social media posts
  • Identification of the site’s most shared content

Fortunately, most of the well-known platforms are able to generate analytics; for example, Facebook’s include:

  • Page likes
  • Post likes
  • Followers
  • Engagements
  • Most engaging posts
  • Clicks
  • Shares
  • Follower demographics

As auditors we should be looking at the governance and reporting arrangements around this information to ensure that the metrics are accurate and appropriate, and are provided to management in a format that informs decisions in line with the 3Es.


Personal Social Media Use


This is the area that can cause the most issues for management, it is a balancing act between empowerment and control set against privacy.


Take for a moment the scenario where a company’s management team is looking at options for restructuring. There will be scenarios, papers, other documents and discussions, all of which are highly confidential. Someone who is not part of the senior management team becomes aware of them and, using their personal social media accounts, divulges something of the plans, albeit without naming the organisation.


The consequences:

  1. Confidential information is leaked, with potential damage to the brand
  2. A breakdown in trust between employee and employer


The organisation’s response:

  1. The company goes into a damage limitation exercise
  2. The company considers action against the employee – but can it?

Many organisations will have a confidentiality clause in the contract of employment, but is it always reasonable to assume the employee understood the clause and its intent?


Does the company have in place a Data Classification scheme and employ protective marking?


Has the company implemented a Social Media Policy and instructed staff on its interpretation?


This particular incident occurred about 5 years ago and despite the fact that the organisation was a public body it did not have in place a Social Media policy, nor had it adequately covered confidentiality in its terms and conditions of employment, the Employee Handbook or at Induction.


As a result, the organisation took no further action above and beyond a formal interview but what it did was to:

  1. Amend the contract of employment and employee handbook;
  2. Include data privacy and security as part its induction course;
  3. Set up a project to look at Data Classification; and
  4. Draw up a Social Media policy

Social Media Policy


The purpose of a policy is to give clear guidelines on how employees should and should not communicate using social media channels with regard to the organisation. The number and variety of social media channels is changing with increased regularity so the policy should not seek to identify channels nor be too prescriptive.


Encouragement, trust and empowerment can have a very positive impact on the way employees talk about the organisation on social media, but there need to be rules, guidance and, above all, clarity on where the line is that should not be crossed.


Use of social media is in the end a balancing act and it is probably easier to get it wrong than it is to get it right.


The following are some common ways for that to happen.

  • Often, it can be difficult to distinguish personal opinions from those of the company.
  • Employees may talk about the company and its practices on social media, which can lead to a breakdown in trust.
  • As in the example above, information that employees share about a company may damage its brand; and
  • Excessive use of social media in the workplace can lead to loss of productivity.

By its very nature the social media environment is dynamic, so activity and policy should be kept under continual review. Earlier in the article I referred to “Social Listening” tools; these are crucial to protecting the brand and refining the approach, but be mindful that focusing on an individual rather than conducting a general sweep could be construed as an infringement of employee privacy rights.


When developing and auditing a social media policy for personal social media use, it should be a statement of principles supported by guidance that may be updated as frequently as required. Some of the better guidance I have reviewed consists of the following three sections: Do, Don’t and Helpful Links.


There are a few basics to consider:

  • It is not possible to exercise control over personal social media profiles.
  • It is possible to have employees and contractors sign an agreement stating that they won't divulge confidential information or maliciously seek to damage the brand through their social media activity.
  • Remind employees that not only are their posts open to public scrutiny, but comments they leave on others’ posts are too. As such, they should be careful not to post anything that could be detrimental.
  • Ensure you communicate to employees and contractors what is considered inappropriate activity that may result in disciplinary action. For example, racist and sexist posts, hate speech against anyone (not only their employer), inappropriate behaviour and images, as well as any other actions that are restricted from social media itself should all be mentioned on this list.
  • Ensure that the work environment is one where employees don’t feel the need to air their grievances online and can approach management to solve any issues related to the workplace.


Steven Connors - Director, HWCA




Effective communications with NEDs - accountability

In the second of a series of articles on how internal auditors can better communicate with NEDs, Sara I James looks at accountability.





This is the second of a series of articles on how internal auditors (IAs) can better communicate with non-executive directors (NEDs) – NEDucation, if you will! The first article addressed conversations with NEDs, and how better understanding their backgrounds and expectations can improve the relationship.


We also touched on the fact that NEDs face increasing responsibilities, which IAs can help them meet. We can best do this through encouraging and persuading NEDs to ask the first (and second) line searching questions that require credible answers.


However, this raises further questions about accountability. In any organisation, good governance is based upon clear roles, responsibilities and accountability. NEDs play a key role in establishing the governance framework, and IAs see first hand how well the organisation puts it into practice.


In this piece, we will cover:

  • What role does internal audit play in assessing (and improving) accountability?
  • Do Internal Audit’s reports and other communications make individual managers or other audit clients accountable?
  • How clearly do IAs make the link between controls and the people establishing or operating them?
  • How can IAs work with NEDs to enhance governance?

Internal audit and accountability


Internal audit functions play an important, sometimes complex, role in an organisation’s governance structure. Any Internal Audit charter should describe and reflect this clearly, setting out the function’s purpose, authority and responsibility.


The main purpose of Internal Audit is to provide independent, objective assurance about the organisation’s risk and control framework. This means – following the three lines of defence model – that IAs assess and provide opinions, but do not directly create, put in place, manage or otherwise take responsibility for an area’s risk assessment or controls. Those are tasks for the first line’s managers.


Describing roles and responsibilities within an area is standard when conducting an assurance engagement, leading to IA’s assessment of it as an adequate and hopefully effective control. If Internal Audit finds to the contrary, then recommendations are common – but it must be clear that Internal Audit is simply stating what the first line should aim for in resolving the matter. It is not down to Internal Audit to create an action plan.


Sometimes things become more complicated. It could be complicated for a good reason – Internal Audit is working with an area in an advisory or consultancy capacity, for instance. In this case, it would be normal for Internal Audit to collaborate with first-line managers on an action plan, while making clear Internal Audit is not responsible for owning and implementing it.


Then there’s complicated – for a bad reason. This can take the form of senior managers disputing roles and responsibilities. Perhaps there’s been a recent restructure, with resulting gaps and duplication. Perhaps the senior managers know a particular control or project is dysfunctional or thankless, and don’t want to be associated with it. It’s even possible that those responsible and accountable aren’t actually competent.


In these circumstances, IAs must use all their insight and personal skills to get to the root cause. If indeed certain managers are unable or unwilling to carry out their assigned controls, Internal Audit needs to report this. But how to do so without creating unnecessary conflict?


Who is accountable?


This is a difficult point for many people – especially in the second and third lines. It is necessary to be clear about who is responsible for what, but also important to maintain relationships. This section will give you practical tips on how to discover and articulate accountability.


First, using the active voice more will make your writing easier to understand. Even more importantly, it will help avoid any confusion or ambiguity about accountability. To put it simply, in an active sentence, you must say who is doing what.


Again, IAs often feel uncomfortable about reporting in the active voice – they fear it is finger-pointing, especially to individuals. However, we rarely mention individuals in reports, especially when communicating with NEDs; we talk about divisions, business areas or teams.


So why does it matter so much? Here’s an example, taken from a real Internal Audit report.


Version 1: The IT Services Team does not adhere to Control A. Controls B and C are not adhered to, either.


In this version, most reasonable people will assume that the IT Services Team is not adhering to any of the three controls mentioned. The reason the second sentence is passive is to avoid too direct a message.


However, that’s a big assumption. When asked, the IAs who had written this version stated that another team – unnamed – was responsible for Control B. This second team was also responsible – with support from yet another team, also unnamed, for Control C. So it should have read:


Version 2: The IT Services Team does not adhere to Control A. Mystery Team 1 does not adhere to Control B or C (which requires support from Mystery Team 2).


Here’s a writing tip that will help your fieldwork and analysis. Using the active voice not only makes your sentences clearer; it also helps you, throughout your audit engagement, spot gaps or inconsistencies. If material you receive from the first line – whether policy and process documents, reports, or information in interviews – is mostly in the passive voice, be alert. It could be corporate habit – most organisations, after all, usually use the passive, wrongly thinking it sounds more professional or stately.


However, it could be a sign that whoever has written the document, or answered your question in person, doesn’t actually know how a process works, or what happened at a certain point. When you hear someone use the passive voice, unless it’s 100% clear who’s doing what, ask them to tell you more. If they can, then you may want to suggest they revise process documents using the active, so everyone can understand. If they can’t, then it may be they don’t know!


Why does this matter? Because unless you know exactly where controls (and any problems related to them) sit, you cannot begin to understand root cause. One team’s failure to adhere to multiple controls implies a problem with the team. Several teams’ failures to adhere to controls imply a wider organisational problem – exactly the kind of thing IAs should be reporting. It’s this kind of information – about accountability – that helps organisations target problems, fix them, and improve.


Governance: communicating it to its creators


Who do you want to inform and influence with your high-level reports? Board members, including NEDs – which means the very people who establish the organisation’s governance framework, including accountability. Remember, according to ACCA,


NEDs are now looked to to provide special input to the process of governance. The fact that NEDs are not involved with their company on an executive, day-to-day basis means that they can offer, and are today expected to offer, a more detached, objective and comprehensive view of how the company’s affairs ought to be directed than might be possible if the company’s board consisted solely of executive directors.[1]


This ‘detached, objective and comprehensive view’ should equip them to see clearly where conflicts of interest and gaps in accountability lie. Their legal obligations should further prompt them to be aware of the pitfalls of absent or flawed accountability. However, what if this isn’t the case?


As mentioned in the first piece, you may work with a NED who comes from a different country, culture, sector or organisation. His or her view of accountability could be out of date, misaligned to regulatory and legal requirements, or otherwise inappropriate.


Even within the same country, region, sector and business, a NED may come from an organisation where accountability sits in one of two extremes. When accountability is concentrated in the hands of a very few at the top, there will be bottlenecks and groupthink – neither is good for a healthy organisation. On the other hand, when accountability is always assigned to the most junior staff, they can become scapegoats for managers’ poor decisions. Poor morale, high turnover and even fraud are all risks in this situation.


Reporting clearly and factually about accountability will help NEDs and therefore the organisation as a whole.




Just as IAs must provide assurance regarding the organisation’s risk and control framework, NEDs must take business-critical decisions. How we communicate directly affects their ability to discharge their regulatory duties.


It can be difficult to agree on accountability with the first line, who may wish others – even Internal Audit – to be responsible. Persuading a NED to change his or her view of accountability within the organisation may be even more sensitive – but it’s necessary.


This is the second in a series of three articles about IAs and NEDs. The third will address reports and the reporting process. Please send your feedback about this article, and points you’d like addressed in the future, to




Sara I. James, PhD, CIA, is the owner of Getting Words to Work and a member of the Chartered Institute of Internal Auditors.



[1] ACCA Global, A guide to directors’ responsibilities under the Companies Act 2006, p. 11.

The CIA Challenge Exam for the CIA qualification

Registration opens on 1 August 2020.

Back by popular demand - The CIA Challenge Exam from the Institute of Internal Auditors (IIA)

We're pleased to announce that from 1st August to 30th September,  ACCA members can register and start preparing for the exam that is the quickest, most convenient and economical route to the CIA qualification.

Fees and package details
The CIA Challenge Exam bundle is $1,195 USD for IIA members and $1,545 USD for non-IIA members. The bundle includes:

  • CIA Challenge Exam application fee
  • CIA Challenge Exam registration fee
  • Customised electronic version of The IIA’s CIA Learning System®
  • Access to the International Professional Practices Framework and Standards to help you prepare for the exam.


Eligibility

  • Candidates must be current ACCA members in good standing (i.e. no membership fees or CPD outstanding)
  • Former ACCA members, affiliates and students are NOT eligible*

*IMPORTANT: All fees are non-refundable and non-transferable.

How the exam works

  • The CIA Challenge Exam is delivered via online proctoring or at a testing centre
  • Comprised of 150 multiple choice questions based on the syllabi
  • Based on the International Professional Practices Framework and Standards
  • Expected to take three hours to complete
  • Offered in English only.

Timeline and key dates

  • Application and registration: 1 August to 30 September 2020
  • Schedule window: 1 August to 29 November 2020
  • Testing window: 1–30 November 2020
  • Retake registration: 1 November 2020 to 31 January 2021
  • Retake schedule window: 1 November 2020 to 27 February 2021
  • Retake testing window: 1–28 February 2021

Find out more
Visit the IIA website, which contains full information and registration instructions.


Risk management comes of age in pandemic

Alastair Goddin, head of risk at Asta Capital, considers the importance of risk management teams.

Alastair Goddin, head of risk at Asta Capital, considers the importance of risk management teams, the need to understand developing scenarios and to expect the unexpected in this ACCA article.

An unexpected boost for robotic process automation

Robotic process automation is helping employees to adapt in the transition from the workplace to home during the Covid-19 pandemic.

Robotic process automation (RPA) is just one example of how technology is being adopted to help overcome the health, business and social disruption caused by the virus says Chris Davis in this ACCA article.

News on ACCA UK's Internal Audit Conference

Due to Covid-19, ACCA UK’s Internal Audit Conference will not take place this year but find out about our free autumn webinar series.

Free webinars for members working in Internal Audit

Due to Covid-19, ACCA UK’s annual Internal Audit Conference will not take place this year but we will be providing a series of free webinars for internal auditors this autumn covering:

  • climate change
  • business resilience
  • mental health and wellbeing
  • auditing agile.

The webinars will be available on demand by 30 September and you can register for them here.







ACCA UK Internal Audit webinars available on demand now

ACCA UK has two new webinars available on demand for its members working in Internal Audit.

ACCA UK’s Internal Audit Network ran two webinars recently that are now available on demand: 


Internal Audit and technology - managing common problems and barriers


Dr Andrew Davidson of Johnston Carmichael covers the following issues for Internal Audit with technology and for each area, he looks at the concern for Internal Audit and the solution:


  • Expectation gap - management thinks that new software will do everything, solve all problems and give 100% reliable answers
  • Training and change - staff can be reluctant to change to a new way of doing things
  • Ongoing monitoring - it is rare that new technologies are implemented flawlessly and work exactly as anticipated
  • Data management - for software technologies, the data required (or produced) may be more or less than that required by the business
  • Techno-joy - people may use software despite it not being relevant and try to force it to do the job.


The Next Generation of Internal Auditing

In this webinar, the team at Protiviti explain how they are using Active Assurance as a strategy to remain relevant in a very dynamic environment. The session includes a demonstration of their tool for process mining and showcases other next generation tools that they are currently leveraging when supporting their clients with their assurance agenda.

Protiviti can offer further support on Active Assurance during this time of uncertainty.


Each webinar will provide one unit of verifiable CPD where it is relevant to your work. 

ACCA resources for internal auditors

ACCA's Internal Audit hub is a great resource for those working in Internal Audit or thinking of moving into Internal Audit.

ACCA’s Internal Audit hub provides support to our members working in governance, risk, assurance, control and efficiency (GRACE). The latest addition to the hub is a resource for those moving into Internal Audit. Resources already available include:


  • making the move from external audit to internal audit
  • what is internal audit and what does it do?
  • core skills such as interviewing, designing the test plan, sampling, executing testing, evidence recording and report writing

The content is a mixture of bite-size webinars, brief guides, articles and presentations. We will be adding to the resource over time.


Other sections in the hub:


Learn about internal audit

This section explores what internal auditing is like in practice and the many pitfalls to avoid. A series of guides covers internal audit for beginners, the management team, the audit committee and Heads of Internal Audit. New to this part of the hub is a section on evidencing compliance with professional standards.


Our webinars and other resources

ACCA UK’s Internal Audit Network regularly runs free webinars for its members working in internal audit. Search here for past webinar series on blockchain and crypto currencies for internal auditors, cyber security, de-mystifying IT audit and GDPR.


This section also has a new Resources by theme area that collates material produced by ACCA in the past few years by the themes of ethics, audit management, IT and regulation/legislation.


Our publications and other research

Here you'll find a link to the most recent edition of this e-bulletin and you can also search for CPD articles for internal auditors. 


Internal Audit blog

If you would like to gain some insight into the life of an internal auditor then look at our blog series “A day in the life of the invisible auditor” where a different internal auditor provided some thoughts every week in 2019.

NAO guide for Audit & Risk Committees

The National Audit Office has issued a guide for Audit & Risk Committees on financial reporting and management during Covid-19.

Audit and risk committees are integral to the scrutiny and challenge process. They advise boards and accounting officers on matters of financial accountability, assurance and governance, and can support organisations, providing expert challenge, helping organisations focus on what is important, and how best to manage risk.

Each organisation will have existing risk management processes in place, but risk appetite may have changed as a result of COVID-19, for the organisation to operate effectively and respond in a timely manner. This may result in a weakening of controls in some areas, increasing the likelihood of other risks occurring. Organisations will need to consider how long this change in risk appetite is sustainable for.


This guide aims to help audit and risk committee members discharge their responsibilities in several different areas, and to examine the impacts on their organisations of the COVID-19 outbreak, including on:

  • annual reports
  • financial reporting
  • the control environment
  • regularity of expenditure.

In each section of the guide we have set out some questions to help audit and risk committee members understand and challenge activities. Each section can be used on its own, although we would recommend that audit and risk committee members consider the whole guide, as the questions in other sections may be interrelated.

The guide may also be used as organisations and audit and risk committees consider reporting in the 2020-21 period when more specific and detailed reporting on the outbreak will be required.

Safe working guidance from the BSI

The British Standards Institute has developed a Safe Working Guidance document to help organisations adjust the way they work.


Building on formal guidance issued by UK Government, BSI has developed a new Safe Working Guidance document to assist organizations as they adjust the way they work, and protect workers and other people in their workplace from the ongoing risks related to Covid-19.

This document is not a formal standard, but a set of guidelines, developed at pace and reviewed by an expert Advisory Group. This document will be revised frequently to reflect the dynamic situation, considering comments from users, government guidance, the level of risk and emerging knowledge.

For over a hundred years, BSI has been bringing expertise and knowledge together, to build trust and a more resilient future.