Printer Friendly Page
The internal audit network panel
The internal audit network panel.

Bev Cole FCCA
(Chair)
Bev is an independent consultant on internal audit and risk management.

Graeme Clarke FCCA
(Vice Chair)
Graeme was first attracted to internal audit by the opportunity to work with a varied and diverse range of organisations and making a difference by recommending ways for improvement. Upon graduating from university, he joined a specialist provider of internal audit and risk management services. Ten years on, he remains a specialist internal auditor and is currently a director of the governance, risk and internal control team at Mazars LLP. His internal audit experience covers the breadth of the public and not for profit sectors including central government, local government, education, housing and health and charities.

Helen England FCCA 
Helen has spent the majority of her career working as a key member of the team providing outsourced internal audit and risk management services to predominantly public sector clients. Her experience includes working with further and higher education, and the health sector along with local and national government bodies. Helen is the director of audit at Parkhill, who provide internal audit and risk management services to NHS bodies.

Sarah Pumfrett FCCA
Sarah is a senior internal auditor with Shell.

John Webb FCCA 
John is an independent consultant.

David Watton FCCA
David has worked as an internal auditor for the last 18 years and has experienced at first hand the major developments and convergence that have taken place in internal auditing, corporate governance and risk management in this time, including the impact of Sarbanes-Oxley.  His current position and extensive travels as consultant auditor with FTSE 10 global oil and gas company BG Group have given him an international insight to the internal audit profession.

To contact any of these Panel members, please email Pat Delbridge.

Anti-money laundering essentials: how internal audit can add value
In the current financial climate, how can internal auditors calculate and manage the risk of fraud and money laundering?

In the current financial climate, how can internal auditors calculate and manage the risk of fraud and money laundering?

 

The story seems incredible. Police at the scene of an explosion in a fireworks factory in 2006 smelled cannabis coming from a neighbouring property. After investigation they discovered a ‘sophisticated and extensive’ drugs operation but were unable to prosecute the property owner because he was living in Venezuela and refused to return to the UK to answer charges. Instead, the police pursued his father, who was tried and convicted of drugs-related offences. As a final twist, the property owner had £250,000 on deposit with the UK’s largest bank in an offshore account in Jersey!

 

This story is not made up or taken from the pages of a John Grisham thriller. Rather it is one in a series of revelations in the media in 2012 surrounding HSBC, the most notable being those accusing the bank of putting commercial interests before the prevention of money laundering by Mexican drugs cartels and Al-Qaeda terrorists following a report by the US Senate. The consistent theme is that failure of controls at HSBC has allowed criminals and terrorists to access the bank and make use of its account facilities for money laundering purposes around the world.

 

This article follows on from a piece in the September edition of Internal Audit giving 10 practical tips for internal auditors in the conduct of their anti-money laundering (‘AML’) work.

 

Here, the focus switches to how internal auditors should respond to the changed approach of authorities in the US and the UK to the AML systems and controls which now involve increasingly retrospective and aggressive measures. Firms need to demonstrate a robust controls framework that is capable of identifying problems and of acting on them promptly. Internal auditors have an important role to play in this and should step up by adopting a twin-track strategy based around traditional assurance and a modern risk-based approach. 

 

Regular independent reviews of systems and controls remain necessary and they must be extensive in scope. But they are no longer sufficient. Rather, internal auditors need to add an extra dimension to their AML work through an informed risk-based approach drawing on research, collaborative working with AML professionals and an assessment of culture. Before looking at this, it is important to understand the new regulatory approach.

   

A new regulatory approach
Regulators on both sides of the Atlantic were heavily criticised for the failings of supervision in the lead-up to the financial crisis. They have responded. The old concepts of ‘regulatory forbearance’ (US) and ‘light-touch regulation’ (UK) are things of the past. All firms need to be aware of a very different supervisory approach by the authorities, one that is increasingly rigorous and intrusive, where decisions made will be looked at retrospectively with the benefit of hindsight.

 

The huge fines levied on banks in 2012 for AML failings demonstrate well the new regulatory philosophy of credible deterrence. As examples, Coutts was fined £8.75m by the FSA in the UK, its highest ever AML-related fine, while in the US the Dutch bank ING was fined $619m. Standard Chartered agreed to pay $340m to settle allegations that it was involved in money laundering for Iranian clients. More striking still are the indications that HSBC will have to pay fines of $1.5bn following the controls failings highlighted in the Senate report.

 

The sheer size of these fines, together with the extremely negative publicity that accompanies them, means that the possibility of AML systems failure can no longer be seen as a ‘necessary cost of doing business’. Every firm must have a strong controls framework in place in order to mitigate the risk of financial loss and reputational damage. Internal audit has a key part to play in this framework.

 

Necessary assurance – auditing the AML process
It remains necessary (indeed essential) during a time of increased regulatory scrutiny that internal audit provides independent monitoring of the effectiveness of AML policies, procedures, systems and controls. To provide effective assurance, internal auditors must regularly test samples of client files for accuracy and consistency in terms of complying with customer identification and due diligence procedures. 

 

They must do much more than this, however. The key areas of an AML audit programme are extensive: 

  • look at the adequacy of governance arrangements and policies
  • ensure the regular screening of customer names against official proscribed lists
  • review to see whether a proportionate, risk-based approach is applied in practice, both at the strategic level in terms of a threat matrix and also at the individual business-relationship level too
  • check whether the transaction monitoring system is appropriate to the business and capable of flagging up suspicious-looking transactions
  • verify the working of both internal and external suspicion reporting mechanisms
  • assess the quality of staff training programmes
  • consider the adequacy of the record keeping and retrieval systems from third parties.

 

Two further components are necessary for an effective assurance process. First, internal auditors should carry out periodic quality self-assessment reviews to make sure they themselves are properly trained and prepared before each AML assignment. Second, the results of the internal audit work must be reported formally to senior management and the board via the audit committee.    

 

Understanding risk – how internal auditors add value to the AML process
Internal audit work as described above is necessary to provide senior management with assurance but it will not in itself be sufficient to lead to real improvement in the AML process. Reviewing evidence in client files may very well reveal errors or inconsistencies. By itself, this is of limited value – what senior management really needs to know are the causes of the errors and the underlying risks to the business. 

 

There is always a number of possible contributory factors: staff attrition rates, little or no infrastructure in place prior to ‘opening for business’ in new locations or with new products, lack of training and/or too low a level of staff involved in the due diligence process or rapid growth in customer numbers. Providing senior managers with an informed analysis of the root causes of any errors found must now be a critical component of AML-related internal audit work.

 

There are three essential extra ingredients to an AML audit programme to enable this informed analysis to take place: 

  • Professional pre-audit planning and research: the FSA’s thematic reviews of good and bad practice are essential reading, notably the two reports Financial crime: a guide for firms (December 2011) and Banks’ management of high money-laundering risk situations (June 2011). They highlight the types of controls weaknesses seen in the Coutts case. An understanding of the issues behind the regulatory fines in the US and the investigation into controls failings at HSBC is another part of being adequately prepared. Keeping up to date with the findings of the Financial Action Task Force is also required. It is vital that internal auditors are both current and credible around AML issues if they are to add value in this area
  • Work collaboratively with the Money Laundering Reporting Officer (MLRO) and other practitioners to agree the areas that require focus during the audit: this is a key part of risk-based internal auditing. Remember that AML risk is no longer customer-centric: what is sold (the products), how the firm is introduced to its customers (the delivery channels) and where in the world the customer and the related business are located (country risk) are crucial too. Good AML practitioners recognise that internal audit is an essential component of a strong controls framework and is needed for effective risk management. They also view the internal audit report as a useful way of flagging up key issues to senior management
  • Review the culture and controls-consciousness of the firm: this is a vital area of risk at the present time and begins with governance. The tone is always set at the top and it is essential that directors and senior managers take AML risk seriously if regulators’ expectations are to be satisfied. The following two questions provide a useful indicator of the level of senior management engagement: when was the last time the CEO and other board members received AML training; and what was the size of the MLRO’s pay increase when he/she was appointed to that office?   

    If the answers are ‘never’ and ‘none’ then there might well be a problem! Internal auditors should not be afraid to flag up these issues. Another area of concern is where there is a strong and dominant sales culture in the business. It is instructive to observe that the ‘systematic, widespread and unacceptable’ failures in the Coutts case largely concerned poor controls over high net worth individuals where it seems that the risk scores were unduly influenced by the potential profitability of the business relationships concerned.

 

Here is another story covered by the media in 2012: a couple living in a small house in Teignmouth, Devon, who were found in possession of over 300 firearms (including Uzi submachine guns and pump-action shotguns) leading to the conviction of the husband, had £85,000 deposited in an offshore bank account in Jersey with HSBC.

 

Such sensational-sounding stories will always attract media attention. So, although the ultimate objective of AML activities is to disrupt financial crime and to assist the authorities in prosecuting criminals, the key requirement for all firms is the management of reputational risk in an era of intrusive regulation. Internal auditors are crucial to this, first by providing assurance on AML systems and controls and secondly by adding value through an informed insight into risk.

 

Steve Giles is a partner in Highview Consultants and has recently published a book entitled Managing Fraud Risk – A Practical Guide for Directors and Managers. Each chapter of the book covers a vital aspect of fraud including corporate governance, detection controls, risk and business ethics. Read a sample chapter.

 

Why internal audit can be a springboard for your career
Michal Wolszczak talks to IA Bulletin about the valuable role internal audit has played in shaping his career and the importance of developing the right leadership skills.

Michal Wolszczak talks to IA Bulletin about the valuable role internal audit has played in shaping his career and the importance of developing the right leadership skills. 

IA Bulletin: When did you decide that you wanted to work in finance?

I grew up in Poland, and I can’t claim I always wanted to be an accountant. To give some context, around the time I was making decisions on my education, the country was in transition to the free market economy. This started in the early ‘90s, but in the first five years nothing much changed. 


I opted for business school through a process of elimination; I was no good at science or history, but I had a talent for languages and maths and that made business school an obvious choice. I chose a progressive university that had a number of foreign lecturers, used a Western style of teaching and conducted some lectures in English.  

My graduation with a Polish-focused academic education in economics coincided with the new millennium. I took a Masters degree in Denmark, where I realised that I wanted an international career. I knew that to achieve my goal, I needed to broaden my experience away from academia and obtain a strong grounding in relevant, internationally-focused, business subjects.  

By the late ‘90s several of the international consulting companies had a presence in Poland with the ‘Big 5’ among the most desirable for young professionals. Although I obtained a job with Arthur Andersen in June (scheduled to start in September), the company dissolved over the summer and was absorbed by Ernst and Young.  

Ernst and Young was in the process of changing the employee value proposition from offering ACCA to the Polish Certified Accountant but as part of the mandatory induction course, they still offered the ACCA modules. 

IA Bulletin: What attracted you to the ACCA qualification and what do you perceive to be the benefits of ACCA over other professional qualifications?
ACCA was very widely known in Poland. It had an excellent reputation and brand image. Almost every day I met people who had some connection with the qualifications or were studying for the exams. Many of my network peers had recently started roles where ACCA was offered as an incentive study benefit; or were seeking to move into roles where ACCA was a preferred qualification. 

 

Given my desire for an international career, I knew that ACCA was the best option for me because it had an international focus and taught modern, cutting edge techniques and theories as well as the practical aspects of accountancy which encouraged finance partnering with the business to provide deeper and wider insight. I wanted to progress towards becoming a CFO or vice president of a business as part of a long term international career, and therefore I felt I needed to understand drivers, be able to translate the information and explain the numbers back to the business to drive decision–making. This meant it was important for me to follow the international qualification path. 

 

IA Bulletin: What attracted you to internal audit?

I completed my ACCA qualification in my next role with PwC in The Netherlands and obtained membership while predominantly performing external audits. However, I didn’t see my career path being within the profession and resulting in partnership. I was more interested in working in a commercial business environment and internal audit was my bridge to the corporate world. 

 

Shell was just coming through the reserves scandal in 2006 and was seeking high quality professionals to supplement the internal audit function as part of a drive to professionalise the department. This was vital given the scrutiny of the company at that time. I was able to transfer my external audit skills to obtain a position within the finance team of Shell internal audit.

 

IA Bulletin: What was your focus/experience during your time in internal audit?

My primary focus was on upstream finance; I specialised in Treasury auditing but I also gained experience of other audits, including operations and health & safety.

 

I firmly believe that if you have good audit skills, judgement, an ability to ‘grok’ the issues from a vast amount of data, draw conclusions and use your communications skills you don’t have to limit yourself to a single area of audit. The focus needs to be on the risk management, not on how well the auditor knows the process. Good auditing is about identifying the right risks, prioritising them, and ensuring management has exercised good judgement in developing the right responses to manage risk. 

 

Audit’s role is not to sit on management’s seat. Management decides which risks to manage and the priority and response actions; auditors independently assess whether the decisions taken by management have created or destroyed company value. Audit should not advise the business by consulting, but the line is very thin. 

 

It doesn’t mean that during the audit when building the relationships with the auditee you cannot share your opinion and knowledge, as long as you do it in such a way that it cannot be seen as instructing the business. For example, you can challenge management on whether they have identified all the risks associated with their chosen course of action or share examples of good and bad practice and experience of what you have seen elsewhere; that is how you maintain independence. This is very powerful because you are not standing as an arrogant wise man, but are seen as someone who gathers information and shares it willingly with the business.

 

IA Bulletin: Do you have any suggestions on how the ACCA qualification could be developed to be more relevant for internal auditors?

When I studied the qualification, risk management was not that strong, but I’m pleased to see that this has changed and there is now a dedicated paper on this. This area should be emphasised and strengthened. 

 

Strategic planning and strategy implementation is another area where there is a dearth of skills. In particular, determining the right strategy and understanding that it is about what the company chooses to do and, as importantly, chooses not to do. This is what differentiates one company from its competitors. Accountants should help by providing the business with the right lenses to give it a measure of value for money, define the right path and identify the correct metrics to monitor progress towards its goal. It also needs to be ready to intervene and escalate to management when the metrics indicate that either the path is wrong or the goal needs to change. Accountants should bring rigorous structure to the discipline and performance appraisals; that adds huge value for any company.

 

Finally, soft skills are critical for accountants these days. It’s not just about the technical skills and calculations, it’s about how you talk about the numbers and explain them to people to obtain buy in for actions. Accuracy alone is insufficient. Accountants need to explain the risks in the way a business can understand, what the numbers mean in terms of achievements, and also understanding and identifying what to share versus what to withhold. 

 

Many accountants fail in this area and therefore are ignored even though they are correct in their view, purely because they are unable to effectively present the information. This is a skill that the internal audit process can help to develop. It starts with listening and understanding, absorbing information, making judgements on where to focus and which issues to pursue versus which to drop, and ends with conclusions and selling the message to management in such a way that they accept an issue that needs to be addressed and take effective actions. 

 

IA Bulletin: Do you believe both ACCA and a role within internal audit can be a springboard into a management role?

Audit helped me a lot in shaping my skills, but also in practical ways with allowing me to connect to the business and educate myself on how to develop my career. Everyone has to define for themselves what their career path will be, sometimes taking risks if required. For example, I moved out of audit in 2010 into a business role that was not perfect, but nine months later I was opportunistically promoted as a result of someone leaving the company. I then moved to a different part of the business when another opportunity was offered. You have to make the best of the roles you are given to create your own opportunities. 

 

Auditors frequently undersell their own skills and do not realise their value in transferable skills to the business. Fundamental core audit skills are in very short supply yet are vital to most areas of business.

 

I prefer to think of leadership rather than management roles. Management roles tend to be associated with staff reporting responsibilities whereas leadership roles are aligned with strategic progress. When I think about leaders, I think about either someone who people want to follow or someone who breathes fresh air. The former is very much personality based, you either have it or you don’t; whereas the latter can be developed through education and soft skills. 

 

If you surround yourself with energised people who are looking at new trends and you maintain professional education you are always in the forefront. It is like a second sight, based on a combination of experience, intuition and connection with peers in other organisations. You can see the big topics before those around you start talking about them, and you can anticipate things and use your judgement as a professional; you can be a forerunner that shapes the discussions. This gets noticed and pretty soon you become recognised as a leader.

 

IA Bulletin: Do you have any words of wisdom for those starting out on their audit career?

Don’t be too eager; be open and enthusiastic, but never over-promise and under-deliver.  Temper your enthusiasm with prudence and you will succeed.

 

Michal Wolszczak – senior portfolio and planning adviser, Shell Exploration and Production BV

Internal audit within charities and the NHS: a comparison
Khushboo Bajaria shares her experiences of being an internal auditor in both a charity and the NHS – and reveals which area she prefers.

Khushboo Bajaria shares her experiences of being an internal auditor in both a charity and the NHS – and reveals which area she prefers.


Having worked as an internal auditor for three years my experience is based largely in the National Health Service involving large acute trusts, specialist foundation trusts, strategic health authorities and primary care trusts and charities. It is increasingly important to have internal audit within NHS bodies and charities, especially with the changing landscape and responsibilities within the NHS.

 

In a charity, the trustees are responsible for management and general control. They can come from many backgrounds but have a united interest to create a change for the better. The decision to appoint internal auditors for a charity lies with the trustees and the audit committee. It is not required by statute but is part of good corporate governance.  

 

In a NHS organisation the board is responsible for overseeing internal controls. Internal audit reports to the audit committee. The audit committee will challenge internal audit’s work and hold NHS management to account where internal controls are not effective to meet organisational objectives. 

 

Both the NHS and charities have a number of regulatory bodies and various statutes/guidance as shown below (internal auditors should be familiar with these to ensure they can provide an effective service): 

Charities Commission
The Charities Commission is an independent regulator for charities based in England and Wales. A registered charity based in England and Wales must follow guidance published by the Charities Commission. There are currently about 180,000 charities registered with the Charities Commission. These range from small local community groups to larger charities such as Oxfam and Comic Relief. The Charities Commission uses a risk based framework to regulate the charities. Parliament has given the Commission five statutory objectives: 

  • to increase public trust and confidence in charities
  • to promote awareness and understanding of the operation of the public benefit requirement
  • to promote compliance by charity trustees with their legal obligations in exercising control and management of their charities
  • to promote the effective use of charitable resources
  • to enhance the accountability of charities to donors, beneficiaries and the general public. 

 

HMRC
For tax purposes a charity can be eligible for tax exemptions and reliefs on income and gains and in some cases profits. The charity must complete a tax return or self-assessment depending on whether the charity is set up as a trust or company. Tax exemptions and relief for charities include: 

  • income and corporation tax
  • capital gains tax
  • business rates relief
  • stamp duty land tax
  • generous relief against VATable purchases.

 

Charities Act 2011
The Charities Act 2011 came into effect in March 2012 and replaces Charities Acts 1993, 2002 and 2006 as well as the Recreational Charities Act 1958. It is an Act of Parliament which sets out how charities in England and Wales are registered and regulated. 

The NHS
The NHS was developed with three core principles in 1948 which guided the NHS for more than 60 years. The NHS Constitution, published in March 2011, highlighted seven key principles which are being used to change the structure of the NHS. Going forward the role of internal audit is uncertain but this should be clearer by April 2013.  

There are various governing bodies such as the Department of Health, Care Quality Commission, Monitor, NHS Litigation Authority (NHSLA) and so on. Each NHS organisation follows different rules and regulations. Regulatory bodies such as the NHSLA have a risk management standards framework. If criteria are not met the organisations could lose millions of pounds. There are also NHS Internal Audit Standards which were published by the Department of Health in July 2012.  

Internal audit
Audit plans for both charities and the NHS are risk-based and cover a wide range of financial and non-financial areas. An NHS body requires a board assurance framework (risk register) which covers the high level risks it faces. The audit plan is largely based upon this framework. A charity may or may not have such a document so plans can be developed on the basis of discussions with directors and management.

 

The audit plans for a charity range from one to two years and audits undertaken are performed on a rotational basis, eg finance audits such as accounts payable and accounts receivable may be undertaken every two years. Sector specific audits can cover areas such as Gift Aid, grants making and management and regulations compliance. Other general audits such as HR and payroll would be part of both the audit plan within a charity and an NHS organisation. The number of audit days in a charity is significantly lower than for an NHS organisation.

 

Audit plans for an NHS organisation usually range from one to three years and require approval from the audit committee. Internal audit should attend these audit committees which usually take place around five times a year to present the work they have undertaken. Audits covered can be the standard financial audits, governance, clinical areas and other key business systems.

 

From my experience, the NHS organisations have a robust governance structure with many groups and committees overseeing various arrangements. In a charity, there are fewer committees and managers take a laid back approach. For example, the finance team within an NHS body can be from 20-60 staff with documented policies/procedures for almost everything, whereas a charity may have only 5-10 staff and a lack of documented policies/procedures. A lower number of staff in charities also means that sometimes duties are not strictly segregated.

 

Of course, the risks facing a charity are based around its reputation as donations can be affected by personalities rather than operational or strategic risks. NHS organisations do have reputational risks but the majority are around patient care and quality of its services.

 

In terms of technology, the NHS appears to be adapting more slowly to new technology (non-medical) and is more paper-based therefore less green. The use of technology such as iPads rather than printing off reams of paper for meetings is growing in charities.

  

In my opinion it is much more interesting auditing a charity. They are easier to relate to with a greater amount of public awareness. They are also more approachable, friendly and responsive to audit recommendations.

 

Khushboo Bajaria – senior auditor, internal audit, Parkhill

Auditing carbon sustainability
Sarah Pumfrett discusses internal audit’s role when it comes to carbon sustainability.

Sarah Pumfrett discusses internal audit’s role when it comes to carbon sustainability.

 

‘The green economy’ and ‘renewable energy’ have become household topics of conversation around Europe over the past decade. The ‘throwaway society’ that has replaced the ‘make do and mend’ mentality of just a couple of generations ago contributes significantly to the rate of natural capital depletion, leaving accountants wondering what is meant by ‘sustainability reporting’ and auditors wondering how to provide assurance that risks to business objectives are effectively managed.

 

Planning the audit
When planning the audit, ask yourself ‘what assurance does the audit committee want from this report?’

 

Choosing which risks to assure will depend on the entity involved. Auditors for central government may be focused on policy decisions driving energy security, stability and sustainability (including low carbon consumerism over time); those involved in manufacturing may be concerned with a reduction in: 

  • natural capital depletion (recycled rather than virgin components)
  • product energy consumption (controlled shutdown where excessive time on standby, cycling of electricity according to automated control as is the case with a fridge in steady state operation).

 

Auditors also need to be aware of subtleties in terminology, which may obscure the fundamental points that underpin the objectives. A good example of such a subtlety is the difference between ‘sustainable’ and ‘renewable’ energy: 

  • sustainable energy: must permanently, and effectively, replace its legacy equivalent, while reducing the associated environmental harm (calculated using lifecycle accounting for both technologies). Hydro power is sustainable
  • renewable energy: is generated from an inexhaustible source (regeneration is at least equivalent to usage, or the source is not ‘used up’ during generation).  Wind provides renewable energy.

 

Lifecycle accounting takes cognisance of the full cost of the activity including: mining for components, transportation, processing and manufacture to final product; transportation and installation of product, operational maintenance, and full site decommissioning (to original state prior to installation) through to recycling or final disposal. It also encompasses all relevant components that form part of the activity (not only considering the generating plant, but also transportation of component parts to the plant – eg gas pipelines from the refinery to a gas generation unit – and pylons/underground cabling and sub-station infrastructure between the generation unit and consumer).

 

Consideration of objectives and risks
Whether differentiating between sustainable and renewable matters depends on assurance required. For example, if the objective is to generate all power through renewable energy, then moving exclusively to wind power could be the answer. Therefore, it would be possible for an auditor to confirm that moving exclusively to wind power would achieve the objective. However, this would ignore the facts that: 

  • power blackouts would be inevitable when the wind was too high or low for the operational design range of the turbines
  • grid-balancing issues could result in surges, potentially blowing end user equipment and excessive wear and tear through power fluctuations
  • environmental harm from rare earth mining, transmitted turbulence (eg soil compaction), ecological damage (barotraumas to bats and birds), and human health concerns (wind turbine syndrome) may outweigh the benefits of renewable energy generation.

 

It becomes critical to understand the subtleties of terminology at the audit preparation stage, when asking the questions: 

  • why should we generate energy from renewable sources?
  • is this the true objective?

 

In discussion with management, you may establish the real objective is not ‘to generate power from renewable sources’ but ‘to reduce carbon dioxide emissions, in a bid to halt global warming’. Another objective may be ‘to diversify from reliance on oligarch enterprises in politically unstable locations, thus eradicating oil price related fluctuations’. By understanding the true drivers, you are better prepared to provide the right assurance by looking at the correct risks. 

 

I have highlighted in bold the ‘real’ objectives although they are couched with ‘misleading’ secondary objectives (in italics), which may nonetheless be relevant where multiple strands are to be audited. For example, ‘halting global warming’ could involve: reducing the ruminant population (methane production); banning climate control (central heating, air conditioning etc) or geo-engineering (eg deployment of ‘space blankets’ or ‘asteroid dust clouds’).

 

In relation to decarbonising energy generation, risks would include: in utilising a technology that cannot operate in ‘base load’ mode (a fluctuating power generator that cannot be controlled, such as wind): 

  • back-up power generators would increase emissions due to operating on a compensating/ fluctuating, rather than steady-state, schedule
  • the manufacture, commissioning and decommissioning of additional infrastructure results in an increase in emissions above traditional generation
  • significantly greater maintenance required due to operating outside intended design, increasing secondary emissions through increased production, transportation and decommissioning of consumable components.

 

In relation to reducing exposure to price-fluctuations from market oligopoly, consider: 

  • the Chinese monopoly of rare earth mining, and potential for price fluctuations and material restrictions, for construction and lifecycle maintenance
  • whether the costs of duplicated infrastructure (to provide energy when wind generation fails) and subsidies (renewable obligation certificates and feed in tariffs) outweigh benefits.

 

In independently considering risks, you may generate ‘different’ risks than the risk register.  This is useful to facilitate discussion with management and get a better understanding of the identification, quantification, and appreciation of the risks, and ensure that the audit team understands the risk appetite (and perhaps blind spots) on the subject.

 

It is valid to challenge management to demonstrate identification and assessment of your risks with quantification in terms of velocity and impact. Note that ‘likelihood’ is not relevant for gross risk determination but is relevant in considering the control framework cost benefit analysis. If a low likelihood, high impact, high velocity risk exists, it should be recorded with the evidence of when it was last reviewed and accepted and this should be assessed with the knowledge that the risk environment changes over time. Review of the risk register seldom identifies ‘emerging risks’ (obsolescent technology in a rapid dynamic and innovative environment, perception changes of end users etc) therefore discussing ‘the elephant in the room’ adds value.

 

For example, the government may have concerns over legislative compliance; particularly in relation to the United Nations Economic Commission for Europe (UNECE) findings (ACCC/C/2008/23, ACCC/C/2008/27, ACCC/C/2008/33 and ACCC/C/2012/68) on non-compliance with the Aarhus Convention. According to Pat Swords, the chemical engineer and chartered environmentalist who brought the 2012 case and whose career spans designing industrial plants to implementing EU environmental legislation and training industry/regulators across central and eastern Europe, ‘the ruling says the ... EU Environmental Legislation was not complied with.  This has never happened before, that the implementation of an EU Directive, in this case Directive 2009/28/EC on renewable energy, has been declared to be unlawful.  To put it mildly, from a legal perspective this opens up a flood gate of further legal challenges.'

 

Local authorities, tasked with ensuring permitted developments are appropriate and justified, will need to consider the risks of inappropriate decisions based on inadequate environmental impact assessments, failure to apply the precautionary principle in relation to medical and scientific evidence, and the ability to process the volume of applications in accordance with prescribed timelines, without sacrificing quality etc. The consequence of wrong decisions may include blighting long-term residential amenity and property values (resulting in a lowering of council tax income), reducing income from tourism or other investment in the local economy, increasing medical, educational and social care costs, and increasing demands on environmental services staff (eg noise complaints to environmental health officers).

 

Developers’ risks may include: 

  • claims for damages for property devaluation, recent evidence indicates a detrimental impact of up to 40% on homes (and the Aarhus Convention ruling, which opens the door for legal challenges including injunctions and damages claims) resulting in profit reduction and reputational damage that could include bankruptcy in worst case scenario
  • HMRC investigations and tax avoidance penalties, where separate legal entities are used to segment liability and ensure the VAT registration threshold is not breached
  • retrospective subsidy reductions if/when government policy changes, undermining project economics
  • where insolvencies strike developers, landowners may face an abandoned, dangerous, and toxic structure over which they have no ownership, but which, for safety reasons, they may be forced to decommission in an environmentally responsible manner.

 

Auditors should also ensure management has explored upside gains - eg government-related carbon dioxide reduction initiatives could include: 

  • consumption reduction (lowering cost of living) perhaps by mandating ‘energy ratings’ record the full supply chain, lifecycle impact, to inform consumer purchasing
  • promoting long-term investment in sustainability over short-term investment in renewable (potentially relating to inappropriately derived and meaningless targets to generate enduring benefits rather than sunk costs).

 

Fieldwork and test planning
The test programme should cover both the design and the operational effectiveness of the controls that relate to the key risks for that entity. The control framework should manage the gross risks (those the entity carries with no controls in place), to the net risks (management’s risk appetite or the amount by which things ‘can go wrong’ while still achieving the entity’s objectives). It is critical to focus on the key risks rather than auditing compliance to management’s processes which tells you nothing about whether the processes are fit for purpose, only whether they are followed.

 

Every test programme should be specific to the entity because even similar organisations may have very different risk appetites and objectives, therefore template programmes do not form the basis of an effective internal audit function. Without generating a test plan, some well-documented risks that have manifested include: 

  • Denmark sells power to Sweden and Norway (who generate through hydro power) at below cost price while paying market rates to import when wind power is unavailable.
  • reputational exposure followed the ‘leaking’ to the internet of one Danish manufacturer’s lobbying of their government to suppress health related concerns and the associated protective legislation that was in process amid suggestions that GDP profits/exports must be prioritised over residents' health and safety
  • challenges to the Scottish government on the stated employment figures for the sector resulted in the embarrassing disclosure that the figures stated by the government had been provided by the industry promoter but had not been independently verified; and the quality as well as the quantity of jobs was questioned by campaigners
  • excepting hydro and nuclear, emission issues result from ramping up and down output from backup base load generators designed for steady production. No credible evidence has been provided to demonstrate that wind power positively contributes a sustainable reduction to environmental harm, with some evidence that it increases rather than decreases ‘greenhouse gas’ emissions when lifecycle rather than operational carbon accounting is applied (eg rare earth mining; concrete production; manufacture and installation of turbines; decommissioning and disposal/recycling of turbines, including removal of concrete bases and reinstatement of land)
  • the government has mandated that all power companies must diversify their generation thereby removing any option for consumers to ‘shop around’. Consumers are paying not only for the wind power, but also to replace base load generators such as Combined Cycle Gas Turbines (CCGT), nuclear plants etc. In other words, consumers are paying for double the capacity needed to ensure there is power. This inefficiency is likely to increase ‘fuel poverty’ where consumers cannot afford to use the power. Residents’ only alternative if they do not wish to fund this folly is to disconnect from the mains supply.

 

Closing the audit and reporting
In concluding the audit, consider the effectiveness of the control framework in managing the gross risks down to the net risks. It is also not too late to consider whether the net risk is appropriate as, by the end of the audit, the audit team will have a far greater understanding of the risks and rewards involved. If management is taking risks that do not appear to be aligned with the organisation’s normal risk appetite, or if the risks taken do not align with the communicated risk profile, then do not be afraid to make that clear in the executive summary of the report.  

 

Sarah Pumfrett commenced her internal audit career with a local authority in 1998 before switching to the oil and gas industry in 2002.

 

The author is writing in a personal capacity and the views expressed above do not necessarily reflect those held by ACCA or her employer.

Eight things you need to know as a new head of internal audit
How new heads of internal audit can make a successful start.

How new heads of internal audit can make a successful start.

 

Over the past two years the IIA heads of internal audit induction master class (HIAIMC) has provided an opportunity for new heads of internal audit (HIAs) to meet others in a similar position and to reflect on how to make their start a success. James C Paterson reviews some of the themes that have emerged.

 

1. It is a big job – make sure your role is clear.
Whether your team is large or small, expectations on the HIA and IA team are increasing as organisations strive to do more with less.

 

This means that it is important to pay attention to the organisation’s understanding of the IA role (eg the balance of IA time between assurance and advisory work, and the way that the time on the IA plan is allocated between financial, compliance, operational and other risks). In this way, any misalignments in relation to how IA should be spending its time can be spotted early.

 

One HIA I worked with identified the need to educate senior management and the audit committee on the ‘three lines of defence’ model of roles (between line management, other functions and internal and external audit), since there were indications of unrealistic expectations of what IA could achieve with its resources and not enough emphasis on what others needed to do. The education of the stakeholders was completed just before a large fraud came to light in the organisation.

 

The HIA reflected afterwards that, had they not clarified the roles, it would have been easy for IA to get the blame for not preventing/spotting the fraud, rather than recognising weaknesses within management, purchasing and finance.

 

2. Know which of your stakeholders really call the shots
It is becoming common for the HIA and IA to receive requests to do different sorts of work (eg support for projects in relation to new controls design).

 

To some extent this reflects the increased value of IA in an organisation, but some HIAs are recognising that there is a risk that IA is turning into one of the few remaining 'free resources' available to management.

 

New HIAs recognise their most critical stakeholders are senior management and the audit committee (which will make decisions with regard to the IA budget and whether or not the service might be outsourced). Therefore, ad hoc advisory work for line management must be carefully managed in order to allow time for proper engagement with key stakeholders and delivery of key priorities endorsed by them.

3. Look at the IA plan
Almost all HIAs in the HIAIMC are looking to enhance their approach to the IA plan. This typically involves adopting a greater understanding of other assurance processes and roles, particularly to build the case to rely on other lines of defence for financial controls and compliance areas, in order to reduce the Hotel California effect in relation to the extent of IA testing of basic compliance areas: ‘You can check out any time you like, but you can never leave’.

 

In addition, improving the IA plan normally involves looking at the way the audit universe is constructed. This usually extends from a process/location/systems approach to explicitly include other areas such as: key risks, top business objectives, major projects, significant external disclosures and other regulatory returns – often revealing a range of high-value-added areas that may have been blind spots in the previous plan.

 

Two other areas also emerge: the extent to which key stakeholders understand the breadth and depth of the proposed IA plan assignments and the clarity of understanding in relation to what IA is not going to be auditing in the year.

 

Both of these points are important with regard to IA resource discussions, as well as heading off the commonly reported difficulty that when something does go wrong in the organisation, key stakeholders will say either: ‘Why didn’t you audit that area?’ or, if IA did look at the area: ‘Why didn’t you find the issue when you were last there?’

 

4. Recognise that most risk management processes have room for improvement
In the HIAIMC only a minority of HIAs are fully satisfied with the effectiveness of the risk management processes in their organisations. Concerns range from the extent to which it is a separate and tick-box exercise (rather than being actively used by management) to an over-emphasis on ‘feeding the (risk management) system’. Recently, one head of audit and risk realised that moving from a monthly to a quarterly update of the top risks was likely to increase its acceptance in the organisation, free up time in the risk and audit team and enhance the quality of the debate on the most critical risks.

 

Other reflections include a recognition that there may be blind spots in the risk register – typically: a reluctance to log black-swan risks (with managers often saying: ‘What’s the point of recording such risks? What could we do about them anyway?’); and risks that become accepted as part of the culture (‘They don’t want a formal process for that risk area; it would be seen to be bureaucratic’, or: ‘We’ve had some problems for years, but nothing major has gone wrong’. Up to now).

 

5. Articulate a clear vision of where the IA function is and where it is going – ensure that it is part of a broader conversation about risk and governance in the organisation
It is not unusual to find that a new HIA has particular ideas about strengths and areas of improvement for their function. However, it’s rarer for these ideas to have been clearly summarised in a simple ‘dashboard’ format that can engage IA staff and key stakeholders. Such a dashboard can also play a useful role when preparing for an external quality assessment (now required every five years, but a prudent thing to do in the first year or two of taking over a function).

 

Many HIAs also develop a vision and strategy for the IA function without articulating how this fits within the wider governance, risk and assurance picture for the organisation. This is a common trap, since many stakeholders are attracted by the idea that IA will address all of the key governance, risk and assurance issues in the organisation, whereas this is – in reality – something that the whole organisation needs to play a role in. The role of others needs to be clearly spelled out in any IA strategy.

 

6. Pay close attention to the understanding and efficient delivery of value-adding activities in the IA team, including the question of ‘dissatisfiers’
In the HIAIMC we review a number of lean principles and techniques. Many new HIAs recognise that, while one of their key priorities will be for the IA team to ‘add value’, there is usually a relatively informal understanding in the team of what adding value actually means in practice.

 

The lean Kano model emphasises the importance of understanding that things are valued differently; ranging from ‘delighters’ to ‘satisfiers’ to ‘dissatisfiers’.


Common insights from this work include opportunities to 'delight' through the streamlining of IA reports (which are actually likely to take less time to write and finalise) to the identification and communication of risk and control trends, emerging risks and lessons learned.

 

A common dissatisfier is the extent to which IA takes up management time, especially on routine updates or data gathering (which can be addressed through IA getting more direct access to key systems and information). Another is the many ways that management can get upset because of a perceived ‘surprise’ from IA (which often requires a revised approach to assignment supervision and review, paying more attention to the likely influencing challenges IA may have – eg where IA work has been requested in the hope it will ‘prove’ a particular point, but that is not what IA finds).

 

7. Take stakeholders and peers with you on the improvement journey
The temptation for the new HIA to want to make an impact in the first 12 months can lead to another risk: not keeping key stakeholders and other colleagues on board with what is being changed.

 

One HIA was feeling frustrated that their CFO was not being as supportive as had appeared at the time they were interviewed for the role. On reflection, we agreed that it was inevitable that the CFO would be on their ‘best behaviour’ when the HIA was being courted to join. In addition, we agreed that increasing cost pressures were going to make it difficult to give the HIA the additional staff they had originally been promised. We also recognised that some of the improvement areas identified by the new HIA would raise the question of whether the CFO could have done earlier.

 

As a result, the HIA worked with the CFO and other key stakeholders to make changes in line with the realities of the current business environment (and recognising some of the good aspects of what had been done in the past), leading to a more productive working relationship.

 

8. Focus on delivering a few key things in the first year
Many new HIAs identify a range of areas where the governance and risk processes in their organisation can be enhanced, as well as a number of areas where the impact and efficiency of the IA team can be improved.

 

However, with such a wide range of potential areas in which to work, it is important that the new HIA should carefully weigh up the areas that should be prioritised. This will depend on a number of factors, including the organisational context, culture and stakeholder expectations, as well as more pragmatic factors such as the amount and calibre of resource available.

 

I would then encourage the new HIA to focus on a selection of priority areas over the course of the first year, demonstrating ‘quick wins’ and not over-extending themselves with the risk of under-delivering.


James Paterson is director of Risk & Assurance Insights. He was HIA for AstraZeneca for seven years.

 

This feature was originally published in Audit & Risk, the web magazine of the Chartered Institute of Internal Auditors (IIA) in the UK and Ireland.

 

Find out more about the IIA.

 

In conversation with a ‘thought leader’
Bev Cole, chair of ACCA UK’s Internal Audit Members' Network Panel, talks to Jonathan Ledwidge – one of the leading thinkers on diversity of thinking.

Bev Cole, chair of ACCA UK’s Internal Audit Members' Network Panel, talks to Jonathan Ledwidge – one of the leading thinkers on diversity of thinking.

 

Jonathan was born in London in 1959 but grew up in Jamaica. He studied physics and chemistry at the University of the West Indies before joining PW and becoming a chartered accountant. He returned to London in 1986, earned an MBA from Cass Business School and has worked for a number of banks in the City, including Continental, CIBC and ABN AMRO. His roles have included internal audit, product control, risk management, business manager, people development and cultural change. He is the author of three books including Clearing The Bull: The Financial Crisis and Why Banks Need a Human Transformation.

 

Bev: Later today you’re going to talk about whether diversity of thinking could help predict financial crises; does that mean you believe there was a lack of diversity of thinking in the mid noughties as we didn’t predict the financial meltdown?

Jonathan: It wasn’t just a lack of diversity of thinking – there was what I call a ‘fiendish orthodoxy’ where everyone (government, regulators, central bankers, business schools and banks) all thought the same thing, all acted in the same way and there was no independence of thought. At the end when it the crash came, they all turned to the bankers and said ‘you messed up’.

 

However, the reality is that this was a collective failure of many pillars of society, not just banks. Why?

 

Because there was a lot of money involved. Bankers were making money, governments were talking about a Goldilocks economy, central bankers were saying that inflation is down and everyone else was happy with their lot.

 

It was somewhat like after the fall of the Berlin Wall when some even opined that this was the end of history – only to later invade Iraq and mess everything up.

 

Another interesting point is that this lack of diversity in thinking and total commonality of thought is absolutely incredible given the amount of information and knowledge available in the modern era.

 

Bev: You talked about commonality of thought: how does this manifest itself, specifically in the boardroom?

Jonathan: What happens is – and I’ve worked in the banking industry for many, many years – when money is being made, people stop thinking. So when anybody asks the question why is this happening this way, have you thought about this, the answer is usually well we are making money – why are you questioning it?

 

Profits often mean that banks do not think objectively and when individual employees are given incentives not to think objectively on top of that, then it means that independent critical thinking goes out the window.

 

At the same time, if governments are benefiting – if they’re seeing that revenues are up and the next election is looming on the horizon and the economy is moving positively in their favour – then it means that they are not going to be thinking critically either.

 

Bev: Is diversity of thinking the biggest reason behind that or is it just one of the many factors? I’m thinking of things like hubris and hindsight bias.

Jonathan: Those are the by-products but really and truly if bankers, politicians and others had only stopped to look back at what had happened before, what was about to happen would have been immediately obvious.

 

Someone once said that you can tell that there’s a crash coming by how much champagne there is flowing in the City. Basically what we’re talking about here is an inability to think because all the players had their own incentives not to think.

 

Bev: When you are talking about diversity of thinking, what elements do you believe make up diversity of thinking, and which have the biggest impact and why?

Jonathan: I think the first element has to be strong independent thinking – it has to be about being able to break out of the bubble and seeing things for what they are. The second thing has to be to remove the incentives that ensure that people only think one way eg the trading room is making a profit therefore they must be right, therefore we must give them more latitude and so on and so forth until the elastic bank snaps.

 

Rewards and incentives are very important to encouraging the right behaviours.

 

Another thing that I think is important is how different elements of society, that is governments, central bankers, economists and regulators, all get drawn into thinking in exactly the same way.

 

There is a need for each of those players to effectively revert back to thinking and acting independently about their specific roles rather than just going with the flow. You could say that part of the problem is that enough people were brave enough to stand up and take an alternative view.

 

In effect all they had to do was look at history. History repeats itself all the time – all you have to do is to look at the patterns. For example with the 2008 financial crisis, people started talking about what happened in 1929 but they did not even have to look back that far. If they looked at what happened in the past 30-40 years - the LDC debt crisis, the junk bond crisis, the Japanese asset bubble, the dotcom bubble – they would have seen that the behaviour patterns were the same each and every time.

 

Ultimately what banks, finance and risk professionals have to do is look at diverse sources of information – not just VAR models or economic models like Modigliani-Miller – but the specific circumstances surrounding previous crises. It is amazing the story each of these tell and how, if properly studied they can induce the right sort of thinking.

 

What is important is that for every institution – not just banks – they revert to looking honestly at themselves and taking time for reflection.

 

Bev: Is the financial services industry particularly prone to falling into this trap (of lack of diversity of thinking)?

Jonathan: I would say that it is particularly prone to failing because of incentives and the reward structures. I remember sitting on a trading floor next to the economists. Economists are often there to provide advice to sales on what they should tell customers when certain market numbers come out.

 

So for example, economists will say that we expect the numbers in the labour market to show higher employment and therefore on the back of this, our customers should be buying these securities. The number comes out and it is the opposite of what the economists predicted, and I’ve sat there and witnessed this, the economist then turns the argument around and says ‘well, they should buy anyway because…’ and they just make up another argument as to why customers should be buying the securities from the bank.

 

Bev: That’s a clear example of confirmation bias where you take whatever information that backs up your view of the world.

Jonathan: It really is.

 

Bev: From my experience, one of the challenges we get in this field is that if you are in that bias situation, you’re in a nice cosy club. Everyone thinks the same, they come from the same background, they have the same social network, they probably socialise together – everything is supportive of that view. How do you get that to change?

Jonathan: It’s worse than that actually. I’m an outspoken person but what tends to happen in banks and larger organisations is that independent thinking gets squeezed out. The people who get promoted are the people that the manager wants to hear. Independent voices are not really welcome and you hear things like ‘that person isn’t a team player’ quite often and what that means is that person actually has some amount of critical thinking!

 

In some organisation, by the time you get to the top all you have is a bunch of yes men. I’m not saying that these people are stupid – all I’m saying is that squeezing out critical thinking is bad.

 

Bev: How do we get people to value that diversity of thinking?

Jonathan: There’s another aspect to that and it is all about watching what other firms are doing. Some of the firms that got into trouble wanted to ape something that Goldman Sachs was doing – they saw that Goldman Sachs was making a lot of money with sub-prime mortgages so they wanted to jump into the same market.

 

In reality, what you need are executives who have an ability to actually stand back and say 'this is the type of organization that we want to create'. Once they have decided that then they can start building the types of mission and values that will move organisations into a different path.

 

Bev: As auditors, if we could audit things like culture….

Jonathan: I’m glad you raised that. I recently wrote an article on the subject of ‘can you trust your auditor?’ and it wasn’t so much a question that auditors are dishonest but more a question that in all of these crises, how relevant is the audit of numbers and systems of governance and control today?

 

The reality is that values trump valuations and therefore we should really be thinking about how we evaluate an organisation’s values. Having worked in banks for so many years I can tell you that they have enough internal controls and procedures such that if you were to put them together they would go all the way to the moon and back. Yet these were not enough to stop the financial crisis.

 

One of the things I noticed about banks was their lack of diversity in respect of their mission, values and purpose. For example, if you take a company like Google, it says that its mission is to take all the information in the world and make it accessible. When I was writing Clearing the Bull, I looked at a number of banks and for the most part I was unable to tell one from the other. They all more or less had the same banal statements about hiring the best people, being nice to clients and caring about the community. None clearly stated the reason for their existence.

 

For me, having a mission is really, really important because when you have no mission that sets you apart, then that means that all you do is play ‘follow the leader’. It is therefore no wonder that so many banks ended up in the same situation and fell off the same cliff – they all thought in the same way.

 

That is how important having diversity of thinking is.

 

Elsewhere within this issue of the Internal Audit eBulletin our survey asks 'Is diversity of thinking encouraged in your organisation?’ Why not have your say now by returning to the cover page and entering your vote?

 

Watch Jonathan in clips of a speech from Clearing the Bull on YouTube:

 

Part 1 – Ending 30 years of banking failure

Part 2 – Why banks are still in trouble 

Part 3 – How banks must change  

Save the date! 2013 Internal Audit Conference
Join us at the 2013 Internal Audit Conference.

ACCA UK’s 2013 annual Internal Audit Conference will take place on Thursday 16 May in London.

If you would like to register your interest then please send an email to professionalcourses@uk.accaglobal.com.

Managing fraud risk / Internal audit needs and capabilities survey
Keep up to date with further reading after this ezine.

Managing Fraud Risk: A Practical Guide for Directors and Managers

Author: Steve Giles, partner, Highview Consultants

 

The risks have never been higher. Fraud can severely damage an organisation’s profitability and reputation, yet many organisations continue to take a reactive approach, thinking about fraud only once it has occurred. As a result they are forced to deal with the consequences.

 

Peppered with captivating anecdotes, this book is the modern, strategic approach to detecting and investigating fraud, while developing an anti-fraud framework in a cost-effective manner.

 

Clear, logical and accessible with each chapter covering a vital aspect of fraud including corporate governance, detection controls, risks and business ethics.

 

As a former forensic accountant for Deloitte, Steve Giles was involved in headline investigations such as the Polly Peck affair. Now an international consultant in the areas of governance, risk and compliance, he specialises in how to manage financial crime risk and business ethics.

Read a sample chapter and get further information.    


Protiviti Annual Internal Audit Capabilities and Needs Survey
See a report on the results of the 2012 survey.

 

Internal audit practitioner guides
ACCA has produced a series of Internal Audit Practitioner Guides which can be found in its Internal Audit Virtual Learning Centre.

ACCA has produced a series of Internal Audit Practitioner Guides which can be found in its Internal Audit Virtual Learning Centre. These guides are easy to read and outline what internal auditing is like in practice and the pitfalls that are often encountered.

 

The last IA Bulletin included a guide covering assignment planning. In this issue, we include the guide for assessing risks and controls.

For access to ACCA UK’s Virtual Learning Centre: 

  • login in to your myACCA account 
  • select the ‘Virtual Learning Centre’ link (in the ‘Learning Opportunities’ box)
  • click on the ‘Log in Now’ button and accept the conditions of use and you will be taken to a menu page
  • scroll down the menu page to select ‘Internal Audit’ and that will take you into the virtual learning centre.

 

The guides can be found in the ‘Audit Basics’ part of the ‘Learning about Internal Audit’ section. This resource is only available to ACCA members and is free of charge.