Technical and Insight
Checklists – an alternative approach

Understand the advantages and disadvantages of checklists, before looking at an alternative approach.



 

My position is that checklists as commonly conceived are useful but could be more so if conceived differently. I recommend a checklist consisting of a model of what the organisation is seeking to achieve and so needs to do and employ. The current state of the organisation can then be checked against the model.

 

Internal auditors are the obvious candidates to assure the quality of the model and to compare the organisation’s current state with the model. Such a role would enhance the status, efficacy and employability of internal auditors.

 

What is a checklist?

A checklist is simply ‘a list of items required, things to be done, or points to be considered, used as a reminder’ (Oxford Dictionaries). On this definition, standards are checklists.

 

What does an internal audit checklist look like?

The prime example is the Chartered Institute of Internal Auditors (CIIA)’s International Professional Practices Framework of principles and standards[1]. There’s also an ISO 9001 version of an internal audit checklist[2] and a free version by John F Smith[3].

 

Advantages of checklists

  • everyone forgets things and makes mistakes. Checklists help us to remember what we need to do
  • you can follow a checklist serially, which helps you complete what needs to be done
  • you can adapt the list to your own circumstances and psychology
  • a checklist helps you to be specific
  • checklists make it easy to delegate tasks.

 

Disadvantages of checklists

  • checklists are produced by people or maybe only one person and so are likely to be incomplete
  • some people find long checklists demotivating or distracting
  • a checklist can lull you into a false sense of security, and prevent you seeing the big picture, asking why, or thinking about the causes of problems
  • checklists have headings but otherwise do not specify the dependencies between the items on the list, so failing to define the order in which the items need to be carried out and risking things being done out of order
  • checklists are a prime target for artificial intelligence, so reliance on them exposes you to the risk of redundancy
  • checklists don't tell you whether the organisation will achieve its goals.

 

The value of internal audit

The CIIA article What is internal audit?[4] offers the following definition of internal audit’s value to the organisation: ‘Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organisation. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organisation's reputation, growth, its impact on the environment and the way it treats its employees.’

 

Will a checklist or standards deliver this value?

Checking a list of actions or following standards will not deliver the strategic value of internal audit. Even if all the standards are being followed and all the recommended actions are being carried out, the organisation won’t know whether it is likely to survive and prosper.

 

To determine whether the organisation will survive and prosper, the internal auditor needs a model which defines the relationships between its intended outcomes, how they should be measured, what risks will prevent their delivery, and what activities and resources are required to deliver them. Knowing the relationships between these data is essential to knowing whether the organisation will deliver its outcomes because broken or unknown relationships will prevent delivery. The model will enable the internal auditor to audit the current state of the organisation against the model in a way that isn’t possible with generic standards and checklists.

 

Information technology

Prose is an ineffective way of linking information because it can’t analyse relationships and communicate them clearly and concisely. Greater assurance would be provided through a cause- and outcome-driven system instead of the current prosaic approach. Information technology is the only way of recording and communicating relationships and linkages.

 

There are so many relationships – between outcomes, risks, performance measures, activities, facilities, finance, customers, producers, society at large and the environment – that information technology is needed to manage them.

 

Governance, reporting and audit platform

In IT terminology, a platform is a generic unprescriptive system applicable to any sort of organisation.

 

A governance, reporting and audit platform collects and connects every outcome, activity and resource required to realise an organisation’s outcomes, encouraging collaboration across disciplinary and organisational boundaries. It lets anyone contribute to the outcomes the organisation needs, increasing participation and diversity. It encourages ethical behaviour and facilitates audit by showing what everyone’s doing and what's likely to happen. It motivates people to challenge current deliverables, ways of working and resourcing, stimulating innovation and reducing cost.

 

Benefits of the platform

By linking and integrating all the causes of success, a governance, reporting and audit platform automatically and objectively determines whether a risk or KPI is relevant, whether a fact or circumstance would affect the ability of the entity to generate or preserve value in the long term, and the relative importance of the matter to the entity’s development, performance, position or future prospects and the impact of its activity. The platform sets performance measures which measure the outcomes the organisation is seeking to achieve rather than selecting them from a checklist. It explicitly links remuneration to the delivery of outcomes, and integrates non-financial with financial information.

 

Remaining useful

In time, standards and checklists will probably be replaced by artificial intelligence. Therefore I agree that it is worth considering what internal auditors can do to avoid being replaced by artificial intelligence. I suggest that internal auditors should adopt artificial intelligence before it adopts them.

 

Tim Leech wrote a two-part article for this Bulletin entitled Is internal audit the next BlackBerry?, which provides reasons why it is time to reinvent the profession.[5]

 

A governance, reporting and audit platform would replace checklists and standards. It would reinvent internal audit. It would give internal auditors artificial intelligence and a means of remaining useful. It would enhance their status and increase their effectiveness and productivity. By providing an integrated, transparent and predictive business model, it:

 

  • predicts delivery; allocates accountability; mitigates risk; encourages responsible behaviour; regains trust; and creates sustainable business
  • makes reporting automatic; immediate; continuous; complete; concise; clear; balanced; open; objective; and proactive.

 

As stated earlier, internal auditors are the obvious candidates to assure the quality of the model on the platform, to audit the organisation’s current state against the model, and to draw the board’s attention to any discrepancies which have been overlooked.

 

Getting from checklists to artificial intelligence

A change as fundamental as this will take years – all the more reason to start now and get ahead of the game.

 

I will gladly demonstrate an example of a governance, reporting and audit platform to anyone who asks me to do so at peter.bebb@perendie.com

 
Peter Bebb, Director, Perendie
Making the move from external to internal audit

CPD article: Outcomes-based auditing is the next step change for the profession, believes Sarah Pumfrett.



 

Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units. 

 

Early in 2017, ACCA UK ran a number of focus groups around the country for members working in internal audit. One of the issues identified was that when external auditors move into internal audit, they do not necessarily realise that they need a different approach and some new skill sets to perform what is a very different role. This article aims to highlight some of those differences and can be used to help members moving from external audit into internal audit.

 

‘Surely an auditor is an auditor?’ is a phrase I’ve heard more than once during my career. I often find myself explaining that I don’t give opinions on financial statements and while I’m sure the turnover and ratios are really important, the numbers don’t actually interest me that much.

 

Instead, my fascination lies with effective enterprise risk management and the assurance that goes with it – a discipline I call ‘outcomes-based auditing’. I believe this is the next step change the internal audit profession is making following on from ‘risk based auditing’.

 

While the different disciplines within auditing – internal, external/statutory, quality, HSE etc – have overlaps in skill sets, each has a distinct focus that changes how and what they are auditing. Let’s keep it simple and consider those involved in financial audits for a moment. 

 

Traditionally:

  • internal auditors had no interest in what the numbers were, providing they were calculated correctly according to the specified process. Their focus was on whether or not management consistently followed logical processes to generate the results. They reported to the chair of the audit committee and had no power to affect the sign off of the financial statements
  • external/statutory auditors had no interest in risks and controls; they didn’t care how the numbers got into the financial statement providing that those numbers were ‘ball-park correct within a specified tolerance’. After all, their role was to provide assurance that the financial statements were not materially wrong. Statutory auditors have to hold a practising certificate and professional indemnity insurance in case they get their opinion wrong.

 

Individually, there was little overlap, but there was a benefit from knowing the numbers had been accurately calculated. Theoretically, had these two disciplines performed impeccably and cooperated, businesses (and their wider stakeholders) were broadly protected from fraud, mismanagement, error and omission.

 

Unfortunately, the theory didn’t hold up in practice and with financial crashes and suggestions that auditors on both sides were less effective than they should have been, statutory auditors are now required to pay more attention to the control framework and their understanding of the key controls behind the numbers. 

 

This is a threat to both internal and external auditors as the external auditors haven’t traditionally been trained to understand the risk management controls (and may therefore struggle with the new skills they’re expected to have) and the internal auditors may well be challenged on what value they add if the statutory auditors are now covering the traditionally split roles.

 

Compounding the problem, historically many job adverts for internal audit positions specified an accountancy qualification and experience associated with statutory auditing. This indicated that many organisations did not fully understand or appreciate the different skill sets involved. This may well have been a root cause for the perceived failures that resulted in the situations mentioned earlier. 

 

So let’s start with the basics and build up from there. 

 

Internal audit is about much more than the financials! You have to be in a position to audit whatever the key risks are, at that point in time, for the organisation. 

 

These risks cover the full Political, Economic, Social, Technical, Legal and Environmental (PESTLE) spectrum so mere financial expertise is insufficient to perform an internal audit to a technically competent level. 

 

Furthermore, two organisations doing exactly the same thing in adjacent premises may have entirely different risk profiles and therefore a one size fits all approach to what their risks are is totally inappropriate. As an example, let’s take three high street shops, all selling an assortment of clothes, china, toys, calendars and cards. You’d think if they were alongside one another they’d have the same profile, right?  Wrong! 

 

One of these shops is:

  • a multi-national corporation: it’s a ‘pile it high and price it low’ store – all about the profit it can take out for shareholders; it pays minimum wage, has a high proportion of part time staff (students, women fitting in work around school hours and semi-retired individuals)
  • an independent retailer: it focuses on locally sourced and ethically traded, high quality produce – the shopkeeper knows most of their loyal customers by name and can tell you specifically which home-based tailor with small children created the unique dress/blouse, which local artist set up a pottery to provide the tableware, which community enterprise carved the wooden toys, and which local charities make the cards and calendars it stocks. Profit margins are low and the owner hasn’t had a day off in the past two years, but for this business it’s more about community spirit and putting something back
  • a charity shop staffed by volunteers, selling a mix of new and second hand items: a lot of their customers are on low incomes and any profit they make goes to the cause they’re supporting.

 

Each has a very different risk appetite and reason for existing; therefore they should have very different audits. The first probably has a far higher risk of loss through theft than the latter two; the middle is highly dependent on a small number of artisan producers, and therefore stock-out and cash-flow are likely to be key risks; the latter is reliant on donations of both goods and time... if a volunteer fails to turn up the store may be unexpectedly closed, while in times of austerity the quality of donated goods may fall to a point where the shop has nothing saleable coming through the doors, probably at a time when demand is at its highest.

 

So how do you start to convert the skills of the financial statutory auditor to those of an internal auditor? The first step is to recognise that they already have skills you can use:

 

  • they understand a logical approach and professional due diligence 
  • they probably also have a good idea about commerciality so can ask insightful questions around the financial side of the business
  • they will already understand how to interview people in order to get relevant answers
  • they will understand financial statement assertions (completeness, accuracy, validity etc).

 

These are all key skills. The trick is to then train them to think outside of the financial statement box and apply these skills in a wider context. 

 

Let’s start with the easiest form: ‘systems-based auditing’, which is still endemic and possibly the most likely to be recruiting statutory auditors to the role. Systems-based audits tend to be quite compliance-focused and will involve documenting the system either through narrative or flowchart, walking through the system to confirm that what has been documented is true to actual process and then assessing the process map for design gaps and material efficiency savings. The auditors will need:

 

  • research skills (to understand the PESTLE and translate it into the terms of reference and scope the work effectively – this may include use of questionnaires such as a system appraisal questionnaire and/or key control identifiers as well as risk appetite assessments)
  • interviewing skills (to quiz management on how they think the system operates in order to document the system)
  • flowcharting skills (to translate the interview notes to a process map)
  • logical analysis (to identify redundancy, duplication, omission and mistimed activities in relation to the control of risk)
  • walk-through skills (the key here is not to lead the person performing the work but to identify discrepancies subtly as they go through the process, and make pertinent enquiries to establish if there’s a reason for the exception or if that’s how it always works).

 

Once the analysis has been performed, the auditors need to fact check their issues with management to ensure there is no error or omission in understanding and to agree areas that require improvement. It may be that an interim report or management letter is required at this stage depending on how you’ve agreed to structure the audit.

 

For controls that are confirmed to be effectively designed and implemented, the next stage is to assess if they are operating effectively and for this a test plan is required.  The plan needs to consider:

 

  • Direction of testing. For example, if confirming that all invoices have associated purchase orders, selecting a sample from the invoice list is the correct starting point. If you select from the purchase order listing then you have erroneously biased the testing and will not find exceptions... all purchase orders will have associated invoices (timing dependent), but not all invoices will necessarily have purchase orders.
  • Method of testing. For example, if three people are raising 1000 orders a month, you won’t have time to test all of them so how will you sample to give assurance that, regardless of who processes the order, the controls are effective?
    • Should you randomly sample from the population? What if one of them processes significantly more than the other two and you therefore end up with your entire sample coming from one individual?
    • Should you stratify your sample across the three? What if one of them only processes orders for very low value items such as stationery; should that get equivalent attention to the person who is raising high value orders? 
    • Should you interval sample (in which case, how do you first order the population to ensure the interval is not biased)?
    • Is judgemental sampling the right option? Perhaps you want to focus on the high value items... but what if the process for high value items is slightly different and has to be separately authorised? Are you in danger of picking the ones that are more likely to be correct because someone else has already approved them?
  • Sample size in relation to the assurance required. According to normal distribution, the greater the accuracy required from the opinion, the larger the sample needs to be in order to avoid sampling error. However, in this day and age of big data and analytics, it’s not impossible to test up to 100% of the transactions in a system and identify those that are most likely to have findings, and then to sample from those to establish if there is a control gap or control failure. 
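
The first two test-plan points can be seen on a small data set. This is an added illustration, not part of the original article: the ledgers are constructed, and the split of the 1,000 orders between three people (A, B, C) and the 12 invoices without a purchase order are assumptions chosen to make the effect visible.

```python
import random
from collections import Counter


def build_ledgers():
    """Constructed sample data: 1,000 purchase orders raised by three
    people, and the invoices received in the same month."""
    volumes = {"A": 800, "B": 150, "C": 50}  # assumed split of order volume
    orders, n = [], 0
    for person, count in volumes.items():
        for _ in range(count):
            n += 1
            orders.append({"po_id": f"PO{n:04d}", "raised_by": person})
    # Every purchase order has been invoiced ...
    invoices = [{"inv_id": f"INV{i:04d}", "po_id": o["po_id"]}
                for i, o in enumerate(orders, start=1)]
    # ... and 12 further invoices arrived with no purchase order behind them.
    invoices += [{"inv_id": f"INV{i:04d}", "po_id": None}
                 for i in range(1001, 1013)]
    return orders, invoices


def exceptions_from_invoices(invoice_sample, orders):
    """Correct direction: start from the invoice, look for its order."""
    po_ids = {o["po_id"] for o in orders}
    return [inv["inv_id"] for inv in invoice_sample
            if inv["po_id"] not in po_ids]


def exceptions_from_orders(order_sample, invoices):
    """Wrong direction: start from the order, look for its invoice.
    An invoice with no order can never be selected this way, so the
    control failure being tested for is invisible."""
    invoiced = {inv["po_id"] for inv in invoices}
    return [o["po_id"] for o in order_sample if o["po_id"] not in invoiced]


def random_sample(orders, size, rng):
    """Simple random sample: tends to mirror who raises the most orders."""
    return rng.sample(orders, size)


def stratified_sample(orders, per_person, rng):
    """Stratified sample: the same number of items from each person."""
    by_person = {}
    for o in orders:
        by_person.setdefault(o["raised_by"], []).append(o)
    picked = []
    for person in sorted(by_person):
        picked += rng.sample(by_person[person], per_person)
    return picked


def spread(sample):
    """How many sampled orders came from each person."""
    return dict(Counter(o["raised_by"] for o in sample))


if __name__ == "__main__":
    rng = random.Random(2017)  # fixed seed so the run is repeatable
    orders, invoices = build_ledgers()
    print("exceptions, testing from invoices:",
          len(exceptions_from_invoices(invoices, orders)))
    print("exceptions, testing from orders:  ",
          len(exceptions_from_orders(orders, invoices)))
    print("random sample of 30:   ", spread(random_sample(orders, 30, rng)))
    print("stratified, 10 each:   ", spread(stratified_sample(orders, 10, rng)))
```

Stratifying guarantees coverage of every person but gives C's 50 orders the same weight as A's 800, which is the trade-off the stationery question above is asking about.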

 

‘Risk-based audits’ are still promoted by the profession as the standard. These audits are focused on the key risks to the business, and how those risks are being managed. Rather than auditing the entire system, specific risks to business objectives are targeted and controls relating to how management prevents those risks from manifesting or detects that they have manifested are the focus of the audit. 

 

While this enables the auditors to focus on the key issues of concern to management, it also means the wider context of the system is lost, and if management has missed a key risk, the auditors are also more likely to bypass coverage of that area if they haven’t performed an independent assessment of the key risks to the entity and its stakeholders.

 

Increasingly, thought leaders within the profession are advocating a move to outcomes-based auditing. Key audit techniques include understanding:

 

  • what the objectives of the business are (this involves interviewing management and challenging your (and their) understanding of what success looks like)
  • why they have a particular strategy and how that strategy aligns with their ultimate goal
  • who owns the objectives (is management aligned or do key individuals have different viewpoints which can undermine the objective)
  • when were the objectives set, communicated, and strategies implemented to achieve them and due to be delivered
  • where does management perceive the constraints, parameters of operation, risks and threats are to achieving the objectives
  • how is management treating the interim risks between where they are and where they want to be?

 

Outcomes-based auditing focuses on what must go right for an entity to thrive rather than attempting to control everything that could go wrong. It takes internal audit from the compliance-focused ticking the box exercise to the strategic assurance and trusted adviser role the board and c-suite need to effectively deliver for everyone.

 

Sarah Pumfrett, vice-chair, ACCA UK Internal Audit Network Panel

 

If you would be interested in a conversion course for statutory auditors looking to move into internal audit then please email pat.delbridge@accaglobal.com

 

Recommendations to agreed solutions

Should internal auditors be making recommendations?



 

ACCA’s Internal Audit Network Panel was recently discussing the outcomes of a series of consultative meetings held earlier this year. One point in particular was a recurring theme – ‘should internal auditors be making recommendations?’. 

 

Unanimously, the panel believes that internal auditors should be making recommendations. Here, I will explain why.

 

As an internal auditor with 20 years’ experience, who works to high professional standards and is an experienced chair of audit committees, I started to examine the argument of raising recommendations in my own mind. Some key points were screaming out to me:

 

  1. Why would we just point out the problems? The image of internal audit has suffered enough over the years; thankfully I believe we have made great strides in abolishing the old ‘policeman of the organisation’ type image - let us not now become the grumbling pot of negativity which springs into action, tries to point fault at management and generally casts doom and gloom wherever we go.
  2. The IIA definition: ‘internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes’; the key words here for me are ‘help’, ‘improve’ and ‘add value’. Surely, recommendations are a key element of the process to achieve this.
  3. As an audit committee chair, I look to my internal auditors to add value, which must come from their wider experience, fresh eyes and independence. I know from my personal experience this is a view shared by my fellow board members and our executive team; flip to my professional career as an internal auditor and I believe my clients rightly expect this of me and my teams when delivering services.
  4. Do we not have the skills, experience or confidence in our own ability to assist? Is it the fear of getting it wrong? No one expects us to know everything! I think this is the pivotal point. It’s not the making of recommendations, but individuals having reservations about whether the recommendation is right, therefore whether they should be making it and whether if they do their independence is impaired?

 

My conclusion at this point is that internal audit must not just point out problems; we must be seen as a critical friend and force for improvement. 

 

I believe it is the way in which we reach those recommendations which is important and that I’d now like to explore. 

 

I believe that as a profession internal audit has moved on considerably over the years and many of us are doing our very best to dispel the old image of the policeman of the organisation and bayoneting the wounded. However, the terminology we use is not doing us any favours. I do not personally like to use the term ‘recommendation’; it creates a somewhat imposing state for management: ‘internal audit is saying we should do this’. Can you hear those police sirens howling away in the background? 

 

I hope we all recognise that the internal auditor who plods around an organisation just pointing out problems, thinking they know it all or taking credit for management actions is likely to be met with short shrift. 

 

Over recent years I have placed preference on the term ‘agreed solutions’; ultimately one can argue that an agreed solution is simply a recommendation, by another name, but importantly I believe the subtle difference lies in how you arrive at it. 

 

We just need to remember two very important life lessons that I’m sure almost everyone’s parents will have shared with them; however, for which they cannot take credit.

 

The first I believe is credited to Epictetus – a Greek Stoic philosopher who lived approximately 50-150 AD – or is at least inspired by his words ‘we have two ears and one mouth so that we can listen twice as much as we speak’.

 

The second has its origins in the Bible, Ecclesiastes, 4:9: ‘Therefore two are better than one, because they have a good return for their labour’; translated to the modern proverb ‘two heads are better than one’.

 

For the purpose of illustration I’m skipping the fieldwork; as the internal auditor, we have identified an issue within the control environment which leaves the system exposed to a level of risk which is beyond that of the organisation’s risk appetite. 

 

We have discussed this with management, the finding is factually correct and valid, so what’s important now? a) Communicating the issue succinctly to management and audit committee, but more importantly b) the solution: how are we going to help our client reduce risk to an acceptable position?

 

I refer you back to point 4 above; no one expects us to know everything. It is how we use our tool bag of skills that enables us to do this; think of yourself as an enabler or catalyst for action.

 

This is where we put the ‘two ears and one mouth’ proverb into practice; if we speak less, listen more and engage better with our clients it benefits our relationship exponentially. 

 

This approach rests on the premise that management should know their organisation and systems much better than you; use this to your advantage. 

 

When presenting your finding, discuss the risk exposure it presents to the organisation and then move to openly discussing methods by which the risk could be reduced. 

 

This is the time to introduce and volunteer your own thoughts in respect of potential solutions based upon understanding of the client’s policies and procedures, regulatory requirements, professional experience or good practice that you have gained from auditing elsewhere and that which you have harvested from your fellow audit colleagues; but do not attempt to enforce your ideas - open the discussion up and invite the auditee to volunteer their thoughts. 

 

Talk the issue through, listen to their ideas and steer the conversation towards reaching a consensus or rather the ‘agreed solution’ which draws on the respective experience of both parties and therefore reflects the ‘two heads are better than one’ proverb.

 

Don’t be afraid to openly admit that as management they will know systems and processes better than you do; recognition and indeed a little professional flattery will pay dividends. You are there for a short defined period to deliver the audit assignment; they on the other hand are likely to live and breathe it daily. Remember, no one expects us to know everything.

 

This approach enables internal audit to present the full story in its audit report to senior management and audit committee; we have identified the finding, risk exposure and arrived at an agreed solution through an engaging and consultative process to address the exposure. Management replies are simplified to acceptance, allocation of responsibility and the target timeframe for implementation.

 

It is this process of acceptance that ensures management recognises it is their responsibility to implement the agreed solution and protects our independence – ultimately it is their decision.

 

An engaging approach where management views are heard, respected and included to deliver the right outcomes for the business will strengthen relationships, embed internal audit and create a culture of co-operation and working together for the same aim. 

 

Likewise, it improves the relationship upwards within the business and importantly with audit committee; what they really want to see is solutions not problems, agreement not disagreement, acceptance not conflict. Implementing an agreed solutions approach can help achieve this.

 

In a world characterised by swift, electronic and impersonal communication it does the internal audit process good to recognise these old proverbs and revert to old fashioned methods; many will remember the old British Telecom advert ‘it’s good to talk’ - most definitely it is, but remember to add a splash of Epictetus’ wisdom here and listen twice as hard.

 

As internal auditors, our most valuable tool is the ability to converse successfully with our clients.

 

Lee Glover FCCA – director of internal audit, Haines Watts

 

Making the transition from internal audit to a NED

Rosemary Hilary FCCA talks about life as a Non-Executive Director (NED).



 

Journey to becoming a NED

During the course of my executive career I spent a number of years as a senior supervisor at the Bank of England and then the Financial Services Authority (FSA).  I also ran the department that was responsible for authorising all new financial services firms and approving the people who would run them.

 

This all led to a strong interest on my part in strategy and business model analysis; what makes organisations tick; why some boards work better than others. My role involved interviewing prospective and current NEDs and the idea formed in my mind that one day I might become a NED myself.

 

Making the transition

As the FSA transitioned into the Financial Conduct Authority I decided to explore other executive opportunities and moved to TSB Bank – it was an ExCo role and that further rounded my profile. In the summer of 2015 I suddenly received a flurry of calls from headhunters about interesting NED roles. I realised that my skills were very much in demand, particularly as a qualified accountant and with my risk background, where there is a key role to play in chairing audit and risk committees. What helped a lot was that I had been on the board of Shelter, the national homelessness charity, for six years. Nevertheless it was a very tough decision to signal the end of my executive life by resigning from TSB.

 

My portfolio

By the time I had worked my six months’ notice at TSB, I had four NED roles lined up. In fact my last day at TSB was 31 March 2016 and on 1 April I was at the Pension Protection Fund (PPF) on a day’s induction!  As well as the PPF, I am on the boards of Vitality Life and Vitality Health, Willis (the global insurance broker) and Record plc which manages foreign currency solutions.  In each case I chair either the risk or audit committee (in two cases these are combined).

 

Adapting to NED life

One of the questions I was asked in interviews for my NED roles was, having had a very busy executive life, whether I would be able to step back enough and resist any temptation to become involved in decisions that are the executives’ responsibility. But I was very confident on this point. I felt and continue to feel that I have earned my stripes as an executive and have no desire to cross that line. What interests me far more is ensuring there is a sound strategy and an appropriate risk framework with all that that entails.

 

The financial services senior management regime

Following the financial crisis, the regulators have introduced a new regime for senior managers to make their personal responsibility more clear. This applies to certain board members – most relevant for me personally is that it includes the chairs of the audit and risk committees. Certain other NED roles are not covered. I know this has created a lot of nervousness among NEDs. For my own part I have always considered that the role of a company director carried great responsibility. 

 

What the new rules have impressed upon me though is the need to be even more careful in doing my own due diligence on any organisation I might join. In a sense you are lending your personal brand to that firm so it is important to ensure it is one that shares the same values and culture as yourself. I have heard it said that these new rules blur the distinction between the NED roles and those of the executives but I don’t see that at all. Neither do I see that, if something goes wrong in the organisation, there would be any more of a tendency to ‘blame’ the NEDs in particular.

 

Relationships with the executives

A lot is written about the role of NEDs to ‘challenge’ the executives and of course that is an important part of the role. But that makes it sound as if all meetings need to be combative and that is certainly not the case. It’s important to realise that being a NED is not just about turning up for board meetings. I see it more as the NEDs being on a journey with the executives and that journey takes place outside the board room as well as inside it. By building relationships and truly understanding the strategic backdrop and the strengths and challenges of the organisation, it becomes possible to temper that challenge with support. At the end of the day, the NEDs want the company to succeed as much as the executives do.

 

One of the benefits of chairing the audit or risk committees is that you get to see through to the heart of the business and to ‘follow the money’. And those roles also entail a close relationship with the risk and audit teams: one of the changes brought about by the crisis was a move to strengthen the independence of the chief risk officer and chief audit officer by giving them a primary reporting line to the chair of the risk committee and chair of audit committee. This gives me another opportunity to understand what’s going on. And I also see my role as supporting and to an extent mentoring those colleagues.

 

Information flows to the board and board committees

This is always an area of discussion - how much is enough? Of course there is no right or wrong answer. In an ideal world there would be a perfect pyramid of management information (MI) with just the right amount flowing up to the ExCo, the board committees and then the board itself. 

 

The quantity and quality – and also the timeliness – of MI and other material to the board is very much something the NEDs should challenge. Too much information is very difficult to process and will not lead to a good board or committee discussion. Too little has its own risks. Investing the time to understand the business and build relationships helps NEDs validate the information they receive.

 

Overall

I find being a NED is great fun and rewarding. I enjoy the variety of the work and meeting a wide range of new people. But I finish on one word of caution: it is crucial to be extremely well organised as, unless you choose to employ one privately, there is no PA nor is there an IT department!

 

Rosemary Hilary FCCA

 

Interested in becoming a NED? Check out these resources on ACCA’s website.

 

Rosemary is an independent non-executive director on the boards of Vitality Life and Vitality Health;  Willis - the global wholesale insurance broker;  Record plc – a currency manager;  and the Pension Protection Fund.  For Willis she chairs the Audit Committee and for Vitality the Risk Committee.  The PPF and Record have combined Risk and Audit Committees which Rosemary chairs.  She is also a member of the MBA Advisory Board at Cass Business School and a 30% Club mentor.  She was a trustee of the national homelessness charity Shelter for six years until 2016.

 

Rosemary’s last executive role was at TSB Bank where she was the Chief Audit Officer. Prior to that she was at the Financial Services Authority and before that the Bank of England.  She held a number of senior supervisory roles and worked closely with the FSA board.

 

Rosemary qualified as a certified accountant and has a first class honours degree from Manchester University, where she studied Pure Mathematics and European Studies.

 

I don’t need this pressure…

How frequently do internal auditors face serious ethical challenges – and how can they mitigate these risks?



 

Where do you, as an internal auditor, stand on ethics? This might be considered a straightforward question to answer, given the importance of the highest standards of conduct expected of you, which are ingrained within your professional studies and development.

 

A more challenging follow-up question would be: but what about when the pressure is on you or your team? A survey of members prior to ACCA’s 2017 annual Internal Audit conference delved into the ethical pressures faced, the actions taken in those circumstances and, crucially, when and where those pressures presented themselves.

 

Firm truthfulness

The survey’s questions followed the themes of the conference itself. As a starting point, we should consider the words of conference speaker Derek Anderson, head of internal audit, Northern Ireland Department of Justice, who spoke of ‘not merely honesty but firm truthfulness’.

 

He spoke of the pressures faced in certain situations, where sugar-coated information is provided to make it more palatable. ‘Nevertheless, there are real dangers in not being truly honest.’

 

In terms of further setting the scene, the survey kicked off by asking 34 members about the internal audit team’s private access to the audit committee. Nearly half (13) said their head of audit has private access, while other members of the team can speak to the committee with the audit head also in attendance. Ten said the whole internal audit team could contact the audit committee. But four said not even the head of audit can meet the committee without a representative of company management present.

 

The vast majority (30 of 34) rated the audit committee’s understanding of the important role internal audit plays. Again, four said they weren’t up to scratch.

 

Ethical pressures

The central question asked of the members was whether they had left a role due to ethical pressures they had faced. Nearly half the respondents (15) said they hadn’t left a role – and had also not experienced ethical pressures.

 

However, eight members said they had witnessed pressures on other staff. Four stated they had felt ethical pressure upon them from within internal audit itself, while six had been pressured by operational management that made them uncomfortable professionally. One member said they’d witnessed ‘false assurance’ given to the audit committee as a result of ethical pressure. These respondents remained in their roles.

 

Five of the 34 members have resigned from a role due to the ethical pressure being placed upon them – of whom one stated this as their reason for leaving during their departure process. One member said they’d seen two colleagues leave due to ethical pressures.

 

Serious issues

While the research investigates a modest number of members, it flags up a number of serious points. Though members are generally content with access to senior management and its appreciation of internal auditors’ importance and role, it is not all rosy. There are isolated concerns over audit committees’ understanding of internal audit’s role, and a small but significant number of occasions where ethical pressures have impacted on their role and that of colleagues.

 

Again, a small but significant number have quit jobs or witnessed unethical behaviour due to pressures placed upon them and colleagues.

 

And finally, what impact has this all had on the attractiveness of internal audit as a career, or at least one in which people want to continue?

 

A third (12) have served as an internal auditor for more than five years and see it as their ‘niche’. However, 11 long-serving internal auditors are unsure about whether they will remain in this role. A further five long-servers wish to change career path.

 

Of the remaining six respondents, four wish to continue in internal audit, while the other two raise doubts about their future.

 

ACCA’s new Ethics and Professional Skills module

Given these findings, the launch of ACCA’s new Ethics and Professional Skills Module on 31 October seems well timed. It is another world first for ACCA – no other professional body offers a module like it.  

 

It focuses on developing the complete range of ethical and professional skills employers told ACCA they need. The module:

  • is made up of seven units and ends with a self-reflection assessment, to be completed online
  • incorporates real business scenarios that a professional accountant is likely to face
  • is one of three components which make up the ACCA Qualification (the others being exams and experience)
  • costs £60 to complete – while this charge is new, the total price of the ACCA Qualification remains the same for students. ACCA members can sit the module for free.

What the module covers

Comprising seven interactive units, the module covers: 

  1. Ethics and professionalism – an introduction to the broad ethical and professional values which underpin all the other professional skills and behaviours which are explored in the module. These values provide a framework for you, the professional accountant, to guide your behaviours in demonstrating the more specific professional skills you’ll cover.
  2. Personal effectiveness – ways to maximise the quantity and quality of your work output and how you communicate and interact with others. And ensuring you make the most of the resources available to you.
  3. Innovation and scepticism – understanding how to encourage open mindedness and innovative thinking to create or suggest imaginative solutions to problems. All within the context of suitability, feasibility and acceptability – and at the same time recognising the limitations of solutions and any problems with their implementation.
  4. Commercial awareness, analysis, evaluation and problem solving – improving your ability to view situations from a commercial or business perspective, considering factors that influence the success of a business. And an understanding of the business processes, relationships, risks and costs.
  5. Leadership and team-working – getting to know more about different types of leadership approaches and traits which can be adopted or adapted at any level of the organisation. And how effective leadership involves inspiring, motivating and supporting teams to work effectively and efficiently, delivering value for their organisations.
  6. Communication skills – understanding more about how to communicate effectively with others in a business environment, including clients, customers, colleagues and external authorities. And how effective these are in different contexts and recognising the appropriate methods and skills involved in advising, supporting, motivating and influencing others.

 

The seventh unit is a comprehensive and interactive assessment where you are presented with a series of video clips or other media about a situation based on the learning from units 1-6. You’ll take on the role of a professional accountant and face challenges which you have to identify and explore. And then you’ll be asked to provide solutions and effective ways of delivering these to ensure the best possible outcome for the business.

 

It takes 20 hours to complete the module and you are awarded a certificate on completion.

 

As with the previous Professional Ethics Module, ACCA members are able to access the new module as part of their membership benefits with ACCA. Members can self-assess how many units of CPD are appropriate for their learning, up to a maximum of seven units.

 

While ACCA members have already completed the ethics requirements of membership, this is a good opportunity for you to refresh your knowledge and understanding. Members do not need to complete the entire module, but must complete the first unit to be able to access the following five units and the assessment.

 

The module is accessible via your myACCA account.

 

Kevin Reed is a freelance journalist and former editor of both Accountancy Age and Financial Director

 

Presenting a report to achieve the best outcome

How language can really change the impact of an audit report.



 

The audit report is the outcome of weeks or months of detailed and painstaking work, often following years of training to develop the vital technical skills required to understand the critical elements of internal auditing. It’s our final product, and as such, it’s the thing on which we’re judged. 

 

Get it right and the organisation will take the required steps to address control gaps and failures, adjust risk appetite and streamline operations. Get it wrong and in the next cycle, if you’re lucky, you’ll find the same control gaps, the same control failures, and the same discussions with management; if not, one of those issues you’ve detected this time around will catastrophically affect the entity and its going concern status.

 

Many auditors approach a report from one of two standpoints: 

  • that no matter how well presented, the client won’t be interested in, or won’t understand, the issues; or
  • that what influences the writer will influence the reader and they will get our point.

 

I work in the technical world of language, where we speak of ‘meeting the other person at their bus stop’. That is, thinking about how the client(s) will understand the report and how our writing will motivate them to take action.

 

Ahead of drafting your report, you need to get key influencers ‘on board’ with the message you will present.  

 

Remember our reader is an individual and will have inherent motivation and thought patterns that are context dependent and may affect their rational acceptance of the facts. Context dependent because how individuals react can differ by context (such as work/private life) or time of life. These motivations and thought patterns are well researched and documented in the Language and Behaviour (LAB) Profile® (Words that Change Minds[1]).

 

Most people will want to make their own mind up by gathering information from the outside and judging it based on their own internally held standards. I’m sure we’ve all had one person in the room who, no matter the facts, sticks to the completely unfounded belief that nothing needs to change. You have to turn that ‘faith’ into objective and logical acceptance of the evidence, coupled with motivation to change. Try to agree the facts, as this gives you a starting point from which to leverage cooperation for change.

 

Once the facts are agreed, you can turn to solutions. They know the business better than you do, so you want their assistance in defining the ‘fix’.  Once you’ve agreed there’s a control gap or failure ask for their ideas and if none is forthcoming, use phrases such as: ‘a suggestion for you to think about’, or ‘something like this would work but only you can decide’.

 

Many people are motivated by solving a problem – moving away from something that is happening. To have them understand and implement your point of view use phrases such as: ‘here’s how this can help you avoid this problem’, ‘if fixed now it won’t deteriorate’, ‘the company can avoid this by …..’, ‘this will prevent’.  Others will respond better when hearing of the ‘advantages’, what you are proposing ‘will enable them to do’.

 

Here is a tried and tested formula from the LAB® Profile giving a concrete example.

 

The scenario: project management controls are in place. The monthly RAG (red amber green) report shows: green, green, green, red, green. The auditors query the reporting as to why there were no amber warnings and the response from management is: ‘We knew we were a bit over budget and behind but we thought we could catch up and didn’t want to alarm anyone so we stayed green until we realised we couldn’t meet the deadline’.

 

Auditor: ‘Why did it then go from red back to green?’

 

Management: ‘Because the project authority extended our timeline by three months and increased our budget.’ 

 

Auditor: ‘Can you deliver within the new budget and timeline?’

 

Management: ‘We hope so, if we work enough overtime we should be able to meet the deadline.’

 

Auditor: ‘How will the overtime affect the new budget?’

 

Management: ‘It’s not budgeted...’

 

A tried and tested formula for vastly improving stakeholder engagement is:

 

Fact > Problem > Solution > Benefit > As you know ….

 

Fact: Start with the root-cause analysis you have to present. Avoid judging this information and make sure it is purely factual.

 

Problem: What problem(s) does this fact cause (for the company)?
‘Given you’ve indicated that it’s highly likely that either the new timeline or the new budget will not be met, reporting green will mislead the Project Authority as to the status of the project.’

 

Solution:  What is the proposed solution?

‘I suggest (rather than command language such as ‘you should’) the status remains amber and remedial actions are carried out until the ‘return to green’ plan is on track. You can highlight to the Project Authority the challenges and ask for their support during the critical phase you’re now working on.’


Benefit: State the positive result that your client can expect from the solution.
‘This will ensure that the Project Authority is fully aware of the tight timelines and budget and will not be surprised if one or other needs to slip again.’


As you know…. triggers the start of the process which leads to the end result – buying in.

‘As you know, when you are reporting on the remedial actions being carried out they can have confidence in your transparency and will be more likely to support you should the budget or timeline prove impossible.’

 

Once you’ve got their buy-in, you’re ready to start developing the report.  Write the main body of the report first, and then create the executive summary. In this, we need to concentrate on providing a balanced summary of the facts in plain language, avoiding technical terms, jargon, ambiguity and emotion. If done well, the opinion included at the end should be obvious without even being recorded.

 

Remember that this is aimed at the audit committee, who will not have the same depth of process knowledge that the audit team or management has, but who need to understand what they should be concerned about and who needs to take what actions to allay those concerns.

 

You can include significantly more detail, including technical jargon and acronyms (providing they’re explained in context), in the main body of the report. While reporting styles will vary by organisation, best practices suggest that the main body of the report should be ‘by exception’ in order to focus the executives on the issues that need to be addressed. Additional detail, examples and even reports of exceptions can all be included as appendices as required. 

 

Do not make recommendations; instead include agreed SMART (Specific, Measurable, Attainable, Relevant and Time-bound) actions. Avoid words such as ‘consider’, ‘should’ or ‘might’ and ensure the action owner is named by position.

 

Take away! (How to use this information right away in your work)

You can prepare your next meetings/reports the easy way — and reduce the time it takes to get ready and increase the likelihood of getting buy in.

 

FACT What information do you have to give your clients that they don’t already know (or are not being realistic about)?

 

PROBLEM What is the negative consequence of this information that they will want to prevent?

 

SOLUTION What is the solution you have to state (no ‘shoulds’ allowed)?

 

BENEFIT What is the positive consequence of this solution that they will want to go towards?

 

AS YOU KNOW What do they believe to be true that proves the problem exists?

 

Rosie O’Hara, Master Consultant of the Language and Behaviour (LAB) Profile® (Words that Change Minds) www.developingworks.com

 



[1] Charvet, 1995

NEWS
Ethics and trust in a digital age

ACCA launches new Ethics and Professional Skills module.


ACCA’s new Ethics and Professional Skills module

The launch of ACCA’s new Ethics and Professional Skills Module is another world first for ACCA – no other professional body offers a module like it. It focuses on developing the complete range of ethical and professional skills employers told ACCA they need. The module:

  • is made up of seven units and ends with a self-reflection assessment, to be completed online
  • incorporates real business scenarios that a professional accountant is likely to face
  • is one of three components which make up the ACCA Qualification (the others being exams and experience)
  • costs £60 to complete – while this charge is new, the total price of the ACCA Qualification remains the same for students. ACCA members can sit the module for free.

 

What the module covers

Comprising seven interactive units, the module covers:

 

  1. Ethics and professionalism – an introduction to the broad ethical and professional values which underpin all the other professional skills and behaviours which are explored in the module. These values provide a framework for you, the professional accountant, to guide your behaviours in demonstrating the more specific professional skills you’ll cover.
  2. Personal effectiveness – ways to maximise the quantity and quality of your work output and how you communicate and interact with others. And ensuring you make the most of the resources available to you.
  3. Innovation and scepticism – understanding how to encourage open mindedness and innovative thinking to create or suggest imaginative solutions to problems. All within the context of suitability, feasibility and acceptability – and at the same time recognising the limitations of solutions and any problems with their implementation.
  4. Commercial awareness, analysis, evaluation and problem solving – improving your ability to view situations from a commercial or business perspective, considering factors that influence the success of a business. And an understanding of the business processes, relationships, risks and costs.
  5. Leadership and team-working – getting to know more about different types of leadership approaches and traits which can be adopted or adapted at any level of the organisation. And how effective leadership involves inspiring, motivating and supporting teams to work effectively and efficiently, delivering value for their organisations.
  6. Communication skills – understanding more about how to communicate effectively with others in a business environment, including clients, customers, colleagues and external authorities. And how effective these are in different contexts and recognising the appropriate methods and skills involved in advising, supporting, motivating and influencing others.

 

The seventh unit is a comprehensive and interactive assessment where you are presented with a series of video clips or other media about a situation based on the learnings from units 1-6. You’ll take on the role of a professional accountant and face challenges which you have to identify and explore. And then you’ll be asked to provide solutions and effective ways of delivering these to ensure the best possible outcome for the business.

 

It takes 20 hours to complete the module and you are awarded a certificate on completion.

 

As with the previous Professional Ethics Module, ACCA members are able to access the new module as part of their membership benefits with ACCA. Members can self-assess how many units of CPD are appropriate for their learning, up to a maximum of seven units.

 

While ACCA members have already completed the ethics requirements of membership, this is a good opportunity for you to refresh your knowledge and understanding. Members do not need to complete the entire module, but must complete the first unit to be able to access the following five units and the assessment.

 

The module is accessible via your myACCA account.

Business forms and company law

What's the future for business forms and company law?


The future is decentralised and autonomous? ACCA's Jason Piper blogs on the future of business forms and company law.

CPD
How to use big data

Register for our series of webinars on Big Data and How to Use It in 2018.


ACCA UK's Internal Audit Network is running a series of five webinars on Big Data and How to Use It in 2018.

 

The series will run from March to May and will feature different speakers for each webinar.

 

The first webinar will take place on 27 March from 12.30-13.30 and will feature Richard Kusnierz MIPI. You can register for this webinar here.

 

This introductory webinar will consider the question ‘What is Big Data?’ It means different things in different organisations and while it is a problem area, it is not as big a problem area as many people think. There is a lot of data that can be collected and analysed but much of it is irrelevant.

 

The most important decision is what data requires analysis – what is business critical? This webinar will help to dispel the ‘myths and misconceptions’ about big data and consider practical applications.

 

Richard has over 24 years’ experience of using data analytics to prevent, detect and investigate corporate fraud. He successfully formed two boutique companies which provided investigative consultancy and bespoke data analytics. His areas of expertise include fraud investigations, risk assessment, data analytics, system development and evidence handling. He has spoken at numerous conferences and delivered counter fraud and risk management training courses for a number of professional bodies and training institutions. He has also contributed to several technical books on data analytics techniques for fraud detection, published specialist articles in trade publications, and appeared on the BBC as a fraud expert for a factual programme on Benford’s Law and fraud profiling.

 

He has worked with private and public sector clients to investigate frauds and prepare evidence used in successful criminal prosecutions resulting in custodial sentences and asset recovery orders. His evidence in three separate criminal trials at Southwark Crown Court has been accepted without cross-examination, attesting to the accuracy and robustness of the evidence handling procedures.

 


 

The rest of the series will cover: 

  • the legislation around big data including the GDPR
  • how internal audit can use data to provide assurance
  • assurance from an audit perspective
  • a case study on analytics.

 

Keep an eye out for booking details in the near future.  

 

Get seven units of CPD with our IA webinars

Watch our series of webinars on de-mystifying IT audit for business auditors.


De-mystifying IT audit for business auditors – stop being afraid of the black box.  

 

ACCA UK's Internal Audit Network held a series of seven webinars on de-mystifying IT audit for business auditors earlier this year. The series started in May and concluded in November with a webinar about the General Data Protection Regulation (GDPR). It featured three main presenters - Vincent Mulligan FCCA (IT Audit Consultant at Eisteoir Consulting Ltd), Mike Hughes CISA, SGEIT, CRISC and Steve Connors CISM, FIPA, FFA (both partners at Haines Watts).

 

Watch any of these webinars now by registering here.

 

Introductory session
As accountants and auditors, we recognise the importance of information technology (IT) for organisations and that the examination of the management controls over IT and the management of information are an essential part of a review of those organisations. In this introductory session, we will consider some of the ways we organise ourselves and the approaches we adopt to conduct these reviews. 

IT General Controls 
ITGC or General Computer Controls (GCC) relate to the environment that supports our IT applications and are therefore applicable to all applications. In this session, we will consider the nature of these ITGC, the challenges we face reviewing them and the approaches we can use to audit them.

Application audit review 
Application controls are controls that we have implemented over our application systems to ensure they operate as intended and ensure the accuracy and completeness of the data, calculations and records. In this session, we will consider the types of these controls and the approaches we can use to audit them.

Infrastructure audit review
IT infrastructure consists of the hardware, software, network resources and IT management services that we leverage to deliver the IT environment that supports our organisations. As the complexity of our IT environment increases and our dependence on IT grows, providing assurance on the effectiveness of the controls over these assets and services is critical to management and other key stakeholders. In this session, we will consider how we can effectively review IT infrastructure and the organisations and processes we have put in place to manage it. 

Integrating IT audit into the business audit
We use our information technology to support our business processes; it is therefore logical that we consider the key controls we have implemented to manage the financial, operational, organisational, IT and other key risks that impact on that business process or function. Integrated reviews which leverage the skills and experience of multi-discipline teams allow us to provide assurance across these key risks. In this session, we will consider how we can effectively organise and implement integrated audits.

How to audit cyber security
As our organisations take advantage of the opportunities of the internet and digital technologies and implement ever-greater connectivity with our customers, vendors and other stakeholders, our exposure to a wide range of cyber threats grows. The expectations of our key stakeholders, including our boards, management and regulators, for assurance over the effectiveness of the controls managing these risks are also growing. In this session, we will consider how we can deliver cyber security audits.

General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and will become effective on 25 May 2018 after a two-year transition period. This will replace the current 1995 directive and will affect all organisations that process EU citizens' data. As the deadline for compliance approaches, we will consider how you can understand the impact of this regulation on your organisation and assess your organisation’s compliance readiness.

 

Watch any of these webinars now by registering here

RESOURCES
ACCA’s culture governance tool

How to nurture a positive company culture.


How can you nurture a company culture that promotes behaviours consistent with organisational objectives? 

Corporate culture encourages behaviours that support or impede the achievement of organisational objectives. The challenge is to understand how to nurture a culture that promotes behaviours consistent with organisational objectives. The ACCA culture governance tool seeks to support organisations with their culture goals.

ACCA developed this tool on the basis of research conducted since 2012 under a global initiative called Culture and channelling corporate behaviour. ACCA held a series of roundtables in London, New York, Dubai and Bengaluru alongside a survey of ACCA’s global membership, which drew close to 2,000 responses. 

Subsequent research inspired by the findings – called Effective speak-up arrangements for whistle-blowers – also informed the development of the tool. 

The ACCA culture governance tool helps organisations review culture and determine the course of change. 

There was an overarching agreement that corporate culture is decisive in determining whether an organisation will do the right thing. Furthermore, culture is often driven from the top – corporate leadership has the responsibility for ensuring that an organisation lives and breathes its organisational values. 

The research findings also highlight the importance of interaction within the organisation. Everyone, including senior leadership, experiences peer pressure, formal and informal norms and mirroring of behaviour. The tool captures both aspects of culture. 

Using the tool

This tool helps you design your own organisation’s culture change, based on what you set out to do. It can help you to understand alignment between organisational objectives and corporate culture and:  

  • identify where significant inconsistencies exist between culture and organisational goals and plan actions 
  • help you to review periodically the alignment between culture and organisational goals to promote behaviours that support organisational goals. 


Furthermore, the tool can be used when organisations are going through rapid changes such as fast growth, ownership and capital structure change, or developing a succession plan. It can give a structure for narratives on culture when communicating internally and externally or speaking with interested stakeholders such as investors.

Download the tool now

Internal audit hub

A resource for members working in internal audit.



ACCA has dedicated part of its website to ACCA members working in internal audit, providing resources for those wishing to learn about internal audit, improve their technique or undertake CPD, and resources that can help with internal audit trainees.

It contains a section called ‘Guides to Internal Audit’, which aims to supplement the International Standards for the Professional Practice of Internal Auditing with articles and guides that are easy to read and outline what internal auditing is like in practice and the pitfalls that often occur. This resource – which is broken down further into sections for beginners, the management team, and the audit committee – can help you learn about internal audit or improve your technique, provide you with CPD, or assist in the training of a staff member on internal audit.

The internal audit hub also has links to free webinars suitable for internal auditors.