Technical and Insight
Internal Audit's role in whistleblowing



Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.                           

 

Whistleblowing has been a highly controversial area, with individuals blowing the whistle often subjected to retribution. So, when Time magazine named three whistleblowers as its “persons of the year” in 2002 it was making an important statement. They were: Colleen Rowley, FBI agent who wrote to the Director of the FBI in 2002 setting out failures of US intelligence agencies prior to the terrorist attacks on 11 September 2001; Sherron Watkins, the Enron executive who alerted Enron’s chairman to concerns about accounting tricks that the company was using to boost its share price; and Cynthia Cooper, the Head of Internal Audit at WorldCom who uncovered and reported to the Audit Committee one of the largest senior management accounting frauds in history.

 

Introduction

 

In an era when blowing the whistle attracted much controversy, Time magazine presented the three women as heroes. That decision was notable: it helped to change attitudes. In many countries, whistleblowers are now protected by law. With lessons learned from the Financial Crisis, governance standards are more robust today - there is a sharper focus on corporate culture, personal behaviour and business ethics. In 2019, effective whistleblowing arrangements are widely regarded as an important feature of good corporate governance.

 

This article considers the role of Internal Audit in whistleblowing and examines the different approaches that it can adopt. Its independence from management means that it has the potential to be directly involved in whistleblowing arrangements, whether in a triage role or as investigators.  Alternatively, Internal Audit’s role around improving controls makes it ideally placed to provide assurance to the board on the effectiveness of the whistleblowing processes. It cannot do both, however.     

 

Why whistleblowing is increasingly important

 

Whistleblowing is the raising of a concern, either by an employee or a third party, about suspected wrongdoing at work, using confidential reporting mechanisms rather than normal line-manager channels. Most mechanisms involve a dedicated telephone number (or “hotline”) but can include a web-based reporting system or traditional reporting by mail to a specified address. Confidential reporting can be achieved using internal processes established by the organization (internal whistleblowing) or to an external body such as a regulator (external whistleblowing).   

 

Today, whistleblowing is an important feature of good governance. It can uncover organizational failures that may culminate in serious harm better and faster than other mechanisms and it is relatively cost-effective. Such failures include: criminal activity (e.g. fraud or bribery and corruption); health and safety shortfalls; environmental damage; negligence (in a school, hospital or care home for example); and the mis-selling of financial products.

 

In 2018, the UK Corporate Governance Code was significantly revised. Whistleblowing was included in one of the Code's principles - Principle E: “The workforce should be able to raise any matters of concern”. Provision 6 expands on this:

 

“There should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation. It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.”

 

This highlights the importance of establishing and maintaining an effective whistleblower programme. The Code applies to companies listed on the London Stock Exchange, but it provides a signpost of best governance practices and any organisation may benefit from its guidance.   

 

Ultimate responsibility for the whistleblower programme lies with the board. The detailed operational arrangements are the responsibility of managers. Whistleblowing disclosures are sensitive, with conflict of interest situations highly likely. Internal Audit plays an important role in supporting the board and management in ensuring that whistleblowing arrangements are fully effective as part of a healthy organisational culture. This support can either be direct or by way of assurance services.     

 

Direct involvement

 

Blowing the whistle carries professional and personal risk. There are two important barriers to people coming forward with their suspicions: first, fears that the organisation’s assurances of confidentiality will not be respected; and secondly concerns that the reports will not be properly investigated, so that the underlying issues remain unresolved.

 

Trust in the process is required for effective whistleblowing. Internal auditors can help here. If they are seen to be an integral part of the day to day arrangements, their independence and objectivity will help to promote trust in the whistleblowing process.

 

Internal Audit can act as a communications channel for the whistleblowing hotline, coordinating responses. There are two specific areas of internal audit work to consider: at triage and during investigations.

 

Internal auditors acting in a triage role

Established and trusted whistleblowing hotlines are likely to experience an increasing number of calls and tip-offs. In these circumstances, it is important to have a process for evaluating and prioritising reports. Medical triage programmes provide a good model. Used by modern emergency departments, paramedics and first responders, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. Internal auditors should take a risk-based approach, with the following recommendations:

  • The initial capture of the tip-offs is crucial - all reports should be acknowledged and responded to as quickly as possible
  • Prioritise action on the reports according to risk. Whilst allegations of fraud or corruption are almost always serious, tip-offs concerning health and safety, or environmental breaches may be critical depending on the risk profile of the organisation
  • Delegate reports that reflect misunderstandings, personal grievances or minor errors to a support group such as HR which can handle them efficiently (complaints and grievances should be subject to a separate procedure - often in practice they are not).

 

Internal auditors as investigators

It is crucial for the credibility of the whistleblowing programme that all disclosures are responded to quickly and are properly investigated. Internal auditors often perform investigations, especially those involving fraud (or where other teams are conflicted). Key recommendations for internal auditors are:

  • Commit to investigating all matters fully, fairly, quickly and confidentially
  • Make recommendations for further action (disciplinary and/or reporting to the police) and liaise with the police where criminality is suspected
  • Maintain a feedback loop to whistleblowers – where their identity is known, the whistleblower should be kept informed of progress and outcomes, not ignored following interview.

 

It is crucial that Internal Audit is properly resourced to carry out this work in terms of staffing and skills. For example, investigators require training in the rules of evidence and conducting interviews, especially those under conditions of stress.

 

The board has an important role to play here. It must ensure that Internal Audit’s main functions and wider assurance role are not compromised by its direct involvement in the whistleblowing process. Also, the board must ensure that there is a separate, independent mechanism to provide it with the required assurance on the effectiveness of the whistleblowing process.

 

Assurance services

 

In situations where it is not directly involved, Internal Audit should provide the board with assurance on the effectiveness of the whistleblowing system. Whistleblowing is a key governance control and an important component of an open corporate culture that encourages concerns to be raised. To be effective it depends on the right culture being in place.

 

Internal Audit’s assurance role includes: promoting whistleblowing best practice; testing case files; monitoring policy and procedures; and recommending improvements where needed. Here are three key areas:

 

Review the whistleblowing policy, in particular:

    • Scope – in addition to all workers, best practice supports expanding the scope to include suppliers, customers and other stakeholders
    • Reporting lines – providing different alternatives facilitates disclosure; these might include line managers, senior management, and an external service provider such as Protect (formerly Public Concern at Work)

Consider basic functionality – is the hotline adequately supported, including funding and staffing by individuals with training and expertise to handle different types of cases?

Carry out surveys to assess how the workforce views the whistleblowing arrangements: are employees aware of the programme; do they feel safe from retaliation, trust their organisation’s commitment to confidentiality and/or anonymity; do they understand their reporting obligations?

 

Many organisations outsource their hotlines. Benefits include access to experience and expertise, together with the appearance of independence. Hotline providers often allow 24/7 access and provide services in many languages. Internal Audit has an important part to play in reviewing the supplier selection process prior to and during its application. On implementation, Internal Audit should examine the performance management arrangements used by the service team that owns the relationship with the outsourced provider – typically HR for hotline services. It should include a report from the outsourced provider on annual activity in its report to the board.

 

Of course, ultimate operational responsibility for whistleblowing procedures lies not with Internal Audit but with senior management reporting to the board.    

 

Epilogue

 

Despite being honoured by Time magazine, it is ironic that Cynthia Cooper was not really a whistleblower. She communicated information to the board, which is normal internal audit activity – it was the circumstances that made her actions extraordinary.

 

Sometimes, internal audit concerns are not taken seriously or are overridden. Then an internal auditor may face the prospect of communicating the information outside of the organisation, either by external whistleblowing to a regulator or by public disclosure. This is never an easy situation. Ultimately, it comes down to a professional decision by the internal auditor about their obligations to their employer.

 

Steve Giles (MA Oxon. ACA), Independent Consultant, Lecturer and Author

 


 

Future trends in Internal Audit

ACCA UK’s Internal Audit Network is running a series of three free webinars on future trends in Internal Audit in November and December.



 

Adding value with agile auditing 18 November 12.30pm

Speaker: Chris Spedding, Chief of Staff, Barclays Internal Audit

 

Can Internal Auditors really be independent? 27 November 12.30pm

Speaker: Geraint Davies CBE, portfolio non-executive director

 

Robotic Process Automation for internal auditors 2 December 12.30pm

Speaker: Michelle Holmes, Managing Director – Protiviti and Harrison Jardine, Senior RPA Consultant – Protiviti

 

 

Each webinar will provide one unit of verifiable CPD where it is relevant to your work. You can register for any or all of these webinars here.

 

It's the people thing

Following on the heels of the collapse of the FTSE100 multinational facilities management and construction company Carillion plc, the IIA has published a draft Internal Audit Code of Practice. Neville de Spretter, FCCA, CPFA, chair of ACCA UK’s Internal Audit Network Panel, comments.



 

The draft Code contains commendable objectives. It seeks to “strengthen corporate governance and help reduce the risk of major corporate collapses by boosting the status, standards, scope and skills of internal audit”. IIA’s focus on a principles-based approach, covering what for many Chief Audit Executives (CAEs) are major challenges, should be encouraging.

 

The Internal Audit Code of Practice Steering Committee Chair, Brendan Nelson, explains it like so: “One of the best ways to help organisations better protect their assets and manage risk is to boost the status, standards, scope and skills of internal audit. The draft…Code…contains 30 recommendations to strengthen corporate governance, key among them being unrestricted access for internal audit, full access for internal audit to senior meetings and full access for internal audit to key management information. The draft Code offers invaluable guidance about raising internal audit performance to help businesses and other organisations protect their assets, reputation and sustainability.”

 

But, will it meet those objectives? From the standpoint of someone who’s been both a CAE and an executive, it appears that the real heart of the matter is being missed once again – it’s not about more or different guidance or regulation, it’s fundamentally about people, and that’s because it’s bad behaviour that results in poor corporate practice and collapse, and if there’s one thing I’ve seen repeated it’s that “money usurps morality”. Looking back over decades of corporate failures, there’s nearly always been the reaction of adding more regulation and more guidance. Regulation and guidance are conjectural, but with the authors’ confidence that they’re also logical. But people are not logical, and therein lies the real problem. Furthermore, while audit has improved since the financial crisis, it remains retrospective, dependent on people behaving properly, subjective, and un-systemic. It examines what has happened, and the past is an unreliable guide to the future. It can’t provide assurance.

 

Regarding people’s behaviour, the draft Code looks to tackle the challenge of independence. Section 17 outlines that “The primary reporting line for the chief internal auditor should be to the chair of the audit committee” and “The reporting line must avoid any impairment to internal audit’s independence and objectivity”. But question 5 (Should the secondary executive reporting line be to the CEO, or should we adopt a more flexible approach in the new Code?) appears to dilute the critical issue adding that, “However, whilst a secondary reporting line to the CEO is now common practice in the financial services sector, for other organisations it is often the case that they will have a secondary reporting line to another member of the executive management team such as the CFO.”

 

Several commentators and thought leaders in the internal audit arena have voiced concerns in recent years about CAE independence. Among them, Norman Marks, commenting in his 2012 article in the IIA, Time to Face Facts About CAE Independence, calls into question the mythology around independence in general, and how, in particular, there’s “the dismal record of CAEs being pushed out the door after reporting significant issues.”

 

Another commentator, president and CEO of The IIA Richard Chambers, in his 2015 article, Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit, explains “creating a new internal audit department…that reports to an independent director outside the company” and  with “the appropriate…independence to carry out its work”, “will be the better for it and possibly serve as that shining example that other…corporations should emulate. In the meantime, there are lessons in the Toshiba scandal for all of us who seek to modernize internal audit functions.”

 

Tim Leech, another vocal critic of regulation and guidance, wrote in 2011, “A sample of macro-level risks at the root of some of the most significant accounting mis-statements in history…include:

 

  1. CEO and CFO have significant financial incentives to falsify or inappropriately manage financial results.
  2. Senior management has major financial incentives to direct backdating of stock options.
  3. Senior management directs fraudulent post-close journal entries to manage profits and hit earning targets disclosed to the market.
  4. Management overrides controls to hit bonus targets or prevent loss of positions.
  5. Audit committees have financial incentives not to ask management tough questions ...”

 

ACCA has also examined the matter. A survey of members before the 2017 annual Internal Audit conference examined the pressure on the CAE and reported in its Internal Audit e-bulletin that “serious issues” were raised: the survey highlighted that there was pessimism, including concerns over audit committees' understanding of internal audit’s role; and a small but significant number of occasions where ethical pressures impacted on internal auditors. A small but significant number quit jobs or witnessed unethical behaviour due to pressures placed upon them and colleagues. Careers have been negatively impacted - long-serving internal auditors were unsure about whether they would remain in role; five long-servers wanted to change career; and two respondents raised doubts about their future.

 

It’s also hugely telling when the Chief Executive of ICAEW observed about both external and internal audit that “The latest joint hearing into Carillion by the Work and Pensions and the Business Select Committees produced some damning verdicts on the limitations of audit and the role it plays in corporate governance. Frank Field MP called the auditors ‘mere spectators’ to the company’s collapse; if anything, Rachel Reeves MP was even more scathing, commenting that ‘audits appear to be a colossal waste of time and money, fit only to provide false assurance’.”

 

Of course, a self-regulating body can publish a Code of Practice for its members to follow. Members generally undertake to comply with the code as a condition of membership. But, organisational codes of practice don’t have legal authority. And, critically, audit can’t be effective because internal (and external) auditors are paid by the organisations they’re auditing and risk losing their jobs if they’re completely honest about the state of the organisation.

 

Are there any answers? In short, Internal Audit will be useful and meaningful in corporate governance when it is a mandated requirement, reporting to shareholders and investors. In particular, internal auditors should be more activist and have a beneficial whistleblowing role, liberated from company management, to provide a framework that facilitates company managers to demonstrate that they’re doing the right things.

 

As both a GRC professional and an investor (aren’t we all through our pensions, ISAs etc?) I want Internal Audit that is agile, transparent, integrated and predictive – I want to see that the organisation has a specific and measurable picture of its future outcomes, and the activities and resources required to deliver them, its causes of success are identified, the risks against achieving the outcomes are clearly shown, and internal audit is using a platform to assure the quality of the model and that the outcomes are being delivered. This needs to be continual, not point-in-time, covering all connectivity and inter-dependencies, not the small percentage of business activity covered in an annual audit plan, and be direct, not encumbered through a chain of command and reporting.

 

Unless this is mandated by the regulators the concerns will remain.  It’s the people thing, not the logic.

 

Neville de Spretter, FCCA, CPFA, chair of ACCA UK’s Internal Audit Network Panel

 


Re-positioning Internal Audit

In the first of two articles looking back at ACCA UK’s Internal Audit Conference, we look at how Internal Audit can be positioned as a trusted, valued and strategic advisor.



 

Transformation programmes are always challenging to manage and demanding on everyone affected by them. Derek Anderson, Head of Internal Audit and Assurance, Northern Ireland Education Authority, describes leading the authority’s internal audit service towards a position of “trusted key player” in an ambitious programme of change.

 

“Don’t go there, it’s a basket case”, Derek Anderson was warned when he was offered the post of Head of Internal Audit and Assurance for the Northern Ireland Education Authority in September 2017. Choosing to ignore this advice, he took up the formidable task of re-positioning the organisation’s internal audit service during an ambitious programme of change.

 

“All assurance was down to me - what a challenge!” he told delegates to this year’s ACCA UK Internal Audit Conference, “Collaborative Independence”, held in May in Birmingham. It certainly was. The Northern Ireland Education Authority had gone from five separate organisations to one, responsible for over 1,000 schools across the country.

 

“But while five organisations had merged, it was almost as if no-one had told them,” Derek said. “They were behaving as if they were still separate: there was no communication between the five teams, no single processes or systems, no consistency in the way they were working and they were auditing the wrong things in the wrong way. Did it amount to assurance? No, it didn’t.

 

“In the first year, I don’t even know how I provided assurance or what I based it on – other than a wing and a prayer. We were ridiculously inefficient. The Department of Education, the body that sponsors and monitors us, had lost faith in us and the NI Audit Office couldn’t place any faith in our audit reports. I was barely able to justify providing annual assurance. All I could do was promise that it would get better.”

 

A blank sheet of paper

The only sensible strategy was to start from scratch, which meant carrying out an audit needs assessment, establishing a key risks map, defining to the organisation what every audit was and what it would be looking at.

 

Activities that Derek deemed were not Internal Audit’s job were stopped. These included visiting every school to check that the annual school census they supplied was correct. Another, which proved unpopular, was ceasing to do a financial audit of private school funds, a responsibility which he said lies with the school board of governors.

 

Fraud investigations, which the authority’s internal audit service is responsible for, were among many other eye-openers. “I thought there wouldn’t be many but boy was I wrong,” Derek admitted. “Wherever you have cash in an organisation you have huge risk. If I had one wish now it would be to take all cash out of Northern Ireland schools, and so we are trying to move to cash-free systems.”

 

Across the five teams, a range of job titles, descriptions and pay grades also needed sorting out. There were members of the teams who possessed no audit qualifications, so a programme of training was put in place. Around 50% of the auditing team passed all their exams.

 

Derek encountered a lot of resistance to the changes he made, having genuinely believed that if he explained why they were needed they would be accepted. Nearly two years on, methods and process protocols have all changed and audits are far better. “We are getting there but the journey has been tortuous,” Derek said.

 

Maintaining independence?

The authority has brought in a new management team and Derek’s understanding of the business has placed him in a unique position. “I am sought after for interview panels, which is a huge demand on my time, but means I get a hand in appointing the right people with the right skills,” he said. “We are becoming digital by default, moving away from paper-based systems and introducing digital applications for jobs. We’re on our way to realising my vision: a future role for Internal Audit as a trusted, valued and strategic advisor.”

 

This vision raises the question of how, as an adviser, it is possible to retain the independence demanded of Internal Audit.

 

“I know what the standards say about independence and objectivity and I know there are a whole list of things that Internal Audit should not be doing,” Derek said. “Well, it’s really difficult. In my previous job, I was so far across that line I’m not sure I could find my way back again. I felt I was being involved in every decision.”

 

Acknowledging that this was going too far, he admitted that he sometimes wondered if his opinion and advice was really wanted or whether he was put in that position so he could be blamed when something went wrong. “That’s a big risk, isn’t it?” he observed. “How do you square that circle? If I’m closely involved in, for instance, designing a system, I can stop it going wrong. On the other hand, how can I then audit it and retain my independence?”

 

Drawing together a corporate risk register was probably not something he should do, he admitted, but no-one else was doing it. “However, now I have that register, I have managed to divorce myself from it and hand it over to another team. The register is there, as it should be, to provide independence assurance and commentary to the audit committee.”

 

The sticky stuff

Derek suggested to conference delegates that if an organisation was “up to their middle in the sticky stuff”, it was not very effective to cite independence and objectivity as a reason not to come to its aid.

 

“That’s not helping the organisation in my view. And that’s the argument for riding a coach and horses through the independence thing. It is far better to help by putting in controls and processes that stop the organisation getting into problems again and then stand aside. Obviously, I can’t permanently be pulling the organisation out of the sticky stuff because that’s not my job. But I don’t think I could just let her go down.”

 

So, if organisations currently want understanding of the business and useful advice and guidance from Internal Audit, what will they want in the fast-changing future? “In the Brave New World of new technologies and AI, we are going to need to respond quicker, apply more judgement and use more real time outputs to deliver the organisation’s messages and meet stakeholder need,” Derek concluded. “That’s the future and we need to embrace it.”

 

Jill Wyatt is a business journalist

 


Reaching for nirvana

In the second of two articles looking back at ACCA UK’s Internal Audit Conference, we look at the benefits of integrated assurance.



 

As organisations become more complex, the demand for lateral communication mushrooms. Stuart Wooldridge, partner, KPMG, considers some of the collaborative road blocks and how organisations are overcoming them.

 

“Integrated assurance is what companies regard as nirvana - it's where they want to get to and it's something that larger organisations have a better chance of achieving.” This was the view of KPMG Partner, Stuart Wooldridge, addressing delegates to ACCA UK’s 2019 Internal Audit conference, held recently in Birmingham.   

 

“Assurance is the interesting word here,” he said. “What is assurance and who provides it?”

 

Stuart suggested agreeing on the IFAC definition: that assurance can only be provided where there are three parties: the auditor, the body receiving the assurance and the body being audited. Further, it has to have an opinion and must be based on criteria that everyone understands.

 

He asked his audience to consider whether the individual compliance, risk and internal audit functions provide assurance and suggested that the answer in all cases was “possibly”.

 

It is also important to consider what integrated assurance is not. “It is not a conceptual framework, reporting approach, technology solution or additional bureaucratic layer. And it does not eliminate the need for existing assurance functions.”

 

What is clear, Stuart said, is that assurance presents a challenge which cannot be met without buy-in from all key risk control and compliance functions. Among the problems and hindrances associated with the provision of integrated assurance, the greatest, in his view, is the politics that operate across lines of defence. “If, for instance, the governance function isn’t pushing for it, it won’t happen.”

 

Key benefits

Acknowledging truth in the view that integrated assurance has high costs at the start and then tails off, he pointed out that, over time, there is an opportunity for it to help the organisations understand and manage cost more.

 

One of the challenges that control functions face is that they are constrained by budget. The cost-saving opportunity created by integrated assurance, Stuart said, is that it allows control functions to reallocate cost and expand what they do and the assurance they can provide in other areas.

 

The avoidance of duplication is another key benefit. So many different bodies are providing oversight and assurance that a spaghetti effect is being created with organisations ending up with multiple reports, often unaligned and saying different things. “It’s madness,” Stuart said. “So try and push integrated assurance’s ability to create one way of reporting, evaluating and communicating the importance of an issue. If integrated assurance led to the production of one reporting tool that would be a good start.”

 

Fundamentally, integrated assurance is about taking the “spaghetti” away and establishing first line of defence control groups. “Businesses are saying: ‘We’re audited umpteen times throughout the year and we’ve had enough of the inconsistencies – let’s get ourselves in order,’” Stuart said. “So they create their own control functions. Big banks have had them for years and insurance companies are not far behind.”

 

Improved risk management is arguably the most important advantage of integrated assurance. “It is a useful tool to help internal audit with its planning but the body that gets most benefit from it is the audit committee,” Stuart said. “This is because it helps them get a much better view of who’s doing what and where they’re doing it. It helps them understand where there might be gaps and point the control functions at those gaps. That’s where integrated assurance really gives value. Rationalising information to drive better business is what we are seeing.”

 

After highly turbulent times, a relatively benign risk environment has been in place for some time. This relative stability has meant that organisations are starting to wonder whether they need so many controls or whether they can be rationalised to create greater efficiency.

 

“That doesn’t happen when you have a volatile risk environment,” Stuart pointed out. “Integrated assurance gives that broader view and encourages organisations to think more about what the feedback from the assurance functions tells them. If the outlook is green, it could provoke the question: ‘Are we taking enough risk?’”

 

A long journey

So how do organisations achieve integrated assurance? To start the process, someone in the organisation needs to recognise the synergies between different functions and the benefits that rationalisation of their activities can bring.

 

“If you’ve got alignment of objectives between leaders in the lines of defence, you’ve got the chance of achieving integrated assurance but you’re on the start of a long journey,” Stuart said.

 

“You have to have a shared assurance vision and strategy. You’ve got to be able to talk about who owns risk, who monitors it and who provides assurance. If you can do that you’ve got an assurance model. You also need freedom from budget constraints and coordination of reporting, which means you need to get out of politics.

 

“If you’re going to do this well, you’ve got to have a common language and methodology,” Stuart stressed. “Ask yourselves: ‘What are our definitions and toolkits and how do we communicate around what we’ve done?’”

 

Above all, Stuart concluded, there needs to be a shared definition of assurance. “How often do I see that exist? Never. But that’s where we need to start.”

 

Jill Wyatt is a business journalist

 


The internal auditor and ACCA’s seven quotients

Find out how ACCA's seven quotients relate to the role of an internal auditor.


Following the canvassing of 2000 professional accountants and C-suite executives across the globe, ACCA concluded that the skills required to future-proof the profession could be categorised in seven quotients: Technical Skills and Ethics (TEQ), Intelligence (IQ), Creative (CQ), Digital (DQ), Emotional intelligence (EQ), Vision (VQ), and Experience (XQ). A number of articles providing comprehensive explanations and definitions of the quotients can be found in the Accounting and Business magazine or on the ACCA website, and links to these reference documents can be found in this footnote[i].

 

This article is intended to provide guidance on the quotients in the context of the role of an internal auditor. As with all professions there is no formula that can determine the optimal mix of quotients (the Professional Quotient – PQ) for you; the balance is not static and will change as your career, role and responsibilities develop, and external factors influence the industry you are employed in. So, for example, the PQ for an internal auditor in a health trust will be different to that for an internal auditor in a global financial services company. The good news is that competency in any of the quotients can be improved by training, experience and learning, but it is important to have self-awareness of the areas that may require development and to address them.

 

Technical skills and ethics (TEQ)

This is defined as the skills and abilities to perform activities consistently to a defined standard while maintaining the highest standards of integrity, independence and scepticism.

This is the most basic and fundamental quotient and the words in this definition should be found in the job description of all internal auditors of all levels. The integrity of an internal auditor must be unquestionable as without it the results of our work would have no value; opinion must be without bias and evidentially based and, if it is forward looking, founded on impartial market intelligence. Independence of internal audit should be derived from a reporting line for the Head of Internal Audit to the Chair of the Audit Committee (or other independent NED) and any conflicts of interest, or pressure from the executive of the company, need to be identified and addressed.

 

Professional scepticism is part and parcel of the role of an internal auditor and that is why even though we are told that controls are in place and work we will test to confirm. We will always look for tangible evidence to support statements that are made or, as a minimum, corroboration. In addition to the highest ethical standards that we are obliged to follow as members of a professional accountancy body we are expected to understand and apply the IIA International Standards (as supplemented by the Financial Services code, if applicable), or be able to explain why they are not applicable. For anyone working in a regulated industry a good understanding of the regulations, as they apply to your company and products, is essential.

TEQ also means that we need to understand and acknowledge any gaps in our technical skills and engage subject matter experts to provide valued input to eliminate the risk of providing false assurance to our clients.

 

Intelligence (IQ)

This is defined as the ability to acquire and use knowledge: thinking, reasoning and solving problems. Again, this is very much part of the job description of an internal auditor of any level, where understanding and contextualising the issues we encounter is a continual requirement. When looking at the results of testing, or considering assertions that are provided to us, we have to think about whether these are what we should encounter in the circumstances, and are logical, or if there is something that does not ring true. When presenting issues identified from sample testing, an understanding of the assurance level is required when extrapolating the results for the whole population and context may be necessary. To be credible the profession needs rounded people who have the skills to see and analyse the big picture, including from the perspective of the auditee, and not just the issue or shortcoming identified (if a control has failed, or is not performed, what are the implications upstream, or downstream, or for the other tasks performed by the same person?). The IQ of an internal auditor should be continually challenged and expanded through training and development to remain abreast of new products and practices, both in our profession and in the industry in which we are working.

 

Creative (CQ)

This is defined as the ability to use existing knowledge in a new situation, to make connections, explore potential outcomes, and generate new ideas. Historically this would have been considered to be outside the comfort zone for an internal auditor as we were generally perceived to be box tickers and appliers of rules, with little appreciation of any colour other than black or white! Fortunately, with the latest generation of professionals, this is changing with our risk based, or outcomes based, approach, but there is scope to further improve with practice and training.

 

There may not be a great deal of scope to be creative during the simple completion of an assignment, but by remaining abreast of the strategy of the company and the evolution of the industry we can keep our eyes on the horizon and not just the records we are reviewing. Make sure that you understand the company’s risk appetite and articulate your conclusions in the context of that (as well as considering the appropriateness of the risk appetite in the context of the company’s strategy!). Avoid becoming dogmatic, or entrenched, when presenting conclusions and embrace the challenges the business provides.

 

Digital (DQ)

This is defined as the awareness and application of existing and emerging digital technologies, capabilities, practices and strategies. Technology is moving fast and while internal audit tends to have specialist IT auditors we should all keep up to speed with developments, which would currently include cyber security, Artificial Intelligence (AI), robotics and blockchain. These are becoming part of everyday business lexicon, and every business will be at least touching, if not embracing, one or all of these (and the next generation of technology will not be far away!). Emerging technologies and processes, and the controls that go with them, need to be understood to be able to challenge the governance that is proposed and this will require both IT and operational internal auditors. Our colleagues in the external audit firms can be an excellent source of intelligence on this and there are webinars and other material available from the ACCA Internal Audit Network.

 

Technology brings opportunity, so embrace it! Data mining is now widely used, and its use will continue to grow, and this provides the advantage that we can interrogate the whole population and are not restricted to representative samples, so see how you can use it in your business.

 

Emotional intelligence (EQ)

This is defined as the ability to identify your own emotions and those of others, harness and apply them to tasks, and regulate and manage them. EQ refers to both personal and interpersonal skills and so includes understanding the impact that our emotions and behaviours have on others. Equally, you need to recognise the emotions in those you are dealing with (although this is clearly easier with those with whom you work more closely) and then manage the situation, accommodate it, or work around it. Empathy is essential with the members of our teams, but you should also focus on developing this with the business as it will go a long way to helping you get to the position where you are a “trusted advisor”.

 

Communication is a key ingredient in EQ and as internal auditors we need to be able to articulate the results of our work clearly in non-technical language, so that anyone reading our reports, or hearing our presentations, can understand the message and further explanation or definition is not required.

 

Vision (VQ)

This is defined as the ability to anticipate future trends accurately by extrapolating existing trends and facts, and filling the gaps by thinking innovatively. VQ means that we have to think “outside the box” and this is where keeping up to date with industry trends, news and innovations is essential even for an internal auditor. If you are responsible for preparing the audit plans, stop and think after you have analysed your firm and prioritised the work and ask “what is not on here?”. To further prompt you, or help with this, topically there are two further questions that you could ask: what are we, as a company, doing about environmental or ESG (environmental, social and governance) issues and is there anything internal audit should be doing, or raising, in this space?; and, strategically what are our competitors doing and is my company leading or lagging the sector benchmark? It may not be feasible to undertake assignments on these subjects immediately, but these should form discussions with the executive team and be included in future plans.

 

Experience (XQ)

This is defined as the ability and skills to understand customer expectations, meet desired outcomes and create value. With each assignment that we participate in we are gaining experience, either practically or theoretically through the research that we do in relation to the area under review. XQ may be no more than being incorrectly challenged by the business on the issues we raise and having to defend our position in intimidating circumstances. Experience will help in recognising whether responses we are given are feasible and logical or if they are no more than an attempt to baffle us, so do not be afraid to say that you do not understand and a further explanation, or practical illustration, is needed. Internal audits should not be limited to financial matters and should include policies, processes and strategy (as well as the other matters mentioned earlier such as ESG and culture) and experience will equip you for these.

 

 

 

 


NEWS
The top 10 risks facing businesses

The Chartered IIA’s Risk in Focus 2020 report published in September found that the top 10 risks reported by Chief Internal Auditors in Europe were:

  1. Cybersecurity and data security – 78%
  2. Regulatory change and compliance – 59%
  3. Digitalisation, disruptive technology and other innovation – 58%
  4. Outsourcing, supply chains and third-party risk – 36%
  5. Business continuity/resilience – 31%
  6. Financial risks – 30%
  7. Macroeconomic and political uncertainty – 29%
  8. Human resources – 27%
  9. Corporate governance and reporting – 26%
  10. Communications and reputation – 22%

528 Chief Internal Auditors (125 from the UK and Ireland) undertook the survey between March and May 2019. Risk in Focus 2020 contains guidance for organisations about tackling the major issues they face. The report recommends a number of ways that businesses can increase protection against cyber threats such as:

  • Assessing how their customer service chatbots are protected against breaches
  • Recruiting an internal or external cybersecurity expert to minimise corporate risks
  • Reviewing the security of their cloud services – including ensuring robust systems and processes are in place to prevent misconfigurations.

On the increasing burden of regulatory changes resulting from the introduction of GDPR and new legal frameworks for online payments, the report advises businesses to consider whether they are taking a sufficiently forward-looking approach to regulatory changes, e.g. a regulatory implementation calendar.

 

It also focusses on digitalisation and advances in technology such as AI and blockchain. The report includes guidance for businesses to consider whether they have sufficient capacity and capabilities to innovate and if projects are sufficiently controlled and appropriately measured.

 

ACCA UK’s Internal Audit Network ran a series of four webinars on crypto currencies and blockchain for internal auditors in April which are now available on demand. Speakers included Professor Michael Mainelli of Z/Yen Group, Rodney Prescott of PwC and independent consultant Matthew Leitch and they cover these topics:

 

  • Introduction to blockchain
  • Smart ledgers and security
  • Immutability – a key blockchain and crypto feature
  • The reality of cryptocurrencies and their audit implications.

 

Each webinar provides one unit of verifiable CPD where it is relevant to your work. You can register for any or all of these on demand webinars here.

CPD
Future trends in Internal Audit

ACCA UK’s Internal Audit Network is running a series of three free webinars on future trends in Internal Audit in November and December:

 

Adding value with agile auditing 18 November 12.30pm

Speaker: Chris Spedding, Chief of Staff, Barclays Internal Audit

 

Can Internal Auditors really be independent? 27 November 12.30pm

Speaker: Geraint Davies CBE, portfolio non-executive director

 

Robotic Process Automation for internal auditors 2 December 12.30pm

Speakers: Michelle Holmes, Managing Director – Protiviti and Harrison Jardine, Senior RPA Consultant – Protiviti

 

 

Each webinar will provide one unit of verifiable CPD where it is relevant to your work. You can register for any or all of these webinars here.

 

Webinar series - unblocking the crypto chain

Register for our on demand webinar series on crypto currencies and blockchain for internal auditors



Bite-size webinar series

Check out our series of bite-size webinars by Gregory Coleman for those moving into Internal Audit.


ACCA UK’s Internal Audit Network has developed a new resource for those moving into Internal Audit including a series of bite-size webinars by Gregory Coleman.

 

Greg spent over 25 years working in governance, risk management and audit roles for various multinational organisations operating in the financial services, pharmaceutical, engineering and Fast Moving Consumer Goods industries in both the UK and US.  He was also Chief Audit Executive in three public limited companies listed on the UK Stock Exchange.   


Now an independent consultant, he carries out risk management work and runs training courses. Greg currently serves as a member of the Audit and Risk Committee at the Honourable Society of Lincoln’s Inn and is a member of the Chartered Institute of Internal Auditors.

 

Greg covers these topics in his bite-size webinars:

 

  • Designing the test plan
  • Sampling
  • Executing testing

 

You can register for any or all of these on demand webinars here.

 

Click here for more information about our new resource for moving into Internal Audit.

RESOURCES
New ACCA resources for internal auditors

A new resource for those moving into Internal Audit is now available on ACCA's Internal Audit hub.


ACCA’s Internal Audit hub provides support to our members working in governance, risk, assurance, control and efficiency (GRACE). The latest addition to the hub is a resource for those moving into Internal Audit. Resources already available include:

 

  • making the move from external audit to internal audit
  • what is internal audit and what does it do?
  • core skills such as interviewing, designing the test plan, sampling, executing testing, evidence recording and report writing

The content is a mixture of bite-size webinars, brief guides, articles and presentations. We will be adding to the resource over time.

 

Other sections in the hub:

 

Learn about internal audit

This section explores what internal auditing is like in practice and the many pitfalls to avoid. A series of guides covers internal audit for beginners, the management team, the audit committee and Heads of Internal Audit. New to this part of the hub is a section on evidencing compliance with professional standards.

 

Our webinars and other resources

ACCA UK’s Internal Audit Network regularly runs free webinars for its members working in internal audit. Search here for our upcoming webinar series on blockchain and crypto currencies for internal auditors, as well as webinars available on demand on cyber security, de-mystifying IT audit and GDPR.

 

This section also has a new Resources by theme area that collates material produced by ACCA in the past few years under the themes of ethics, audit management, IT and regulation/legislation.

 

Our publications and other research

Here you'll find a link to the most recent edition of this e-bulletin and you can also search for CPD articles for internal auditors. 

 

Internal Audit blog

If you would like to gain some insight into the life of an internal auditor then look at our blog series “A day in the life of the invisible auditor” where a different internal auditor will provide some thoughts every week in 2019.