Technical and Insight
Assessing risk culture

CPD article: Internal audit is increasingly expected to play a role in ensuring a company’s core values and vision is understood and practiced by employees.

CPD article: Internal audit is increasingly expected to play a role in ensuring a company’s core values and vision is understood and practiced by employees.


Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.


Business leadership is looking to the audit function to assess not only tone and conduct at the top of the organisation, but also how and if those things are reflected throughout the business. They want to know if the company’s core values and strategic vision are understood and actively practiced by employees.


Internal audit leaders have often had to adapt their practices and rethink their roles in their organisations to meet the challenges they and their teams face – from helping the business to navigate a financial crisis, to assessing the risk of new technologies.


Many internal audit leaders have started to recognise the importance of partnering with boards of directors and senior management to create greater transparency, establish sound corporate governance and better understand risk exposures. Today, many internal auditors serve as strategic advisers to the business – a role they fully embrace.


A fundamental shift toward collaborative working is required from any internal audit function. One can wonder if collaborative working would impact internal audit’s ability to be independent and objective. However, the reality shows that collaborative work environments foster trust which, in turn, helps to support a more effective audit process.


Core values

Nowadays, we find many internal auditors staring down yet another challenge that places them into unfamiliar and somewhat uncomfortable territory: auditing risk culture. Business leadership is looking to the audit function to assess not only tone and conduct at the top of the organisation, but also how and if those things are reflected throughout the business. They want to know if the company’s core values and strategic vision are understood and actively practiced by employees.


For many of the organisations featured in Protiviti’s Internal Auditing Around the World® XIII, risk culture audits are new endeavours that are only at the planning or pilot stage. Senior management and boards are looking to internal audit leaders to help the business develop the right approach for, and get the most value from, these types of audits. The function has a clear opportunity to play a transformative role in responding to the needs of key stakeholders, particularly boards, who want assurance that the organisation is aware of and addressing all types of potential risk.


Strong risk culture

Weak organisational cultures in entities across the world’s financial system are widely considered to be one of the primary causes of the global financial crisis a decade ago. Perhaps as a result, maintaining a strong risk culture is an imperative for all major businesses today – as well as an expectation by their stakeholders, regulators and customers. Many of these organisations look squarely to their internal audit functions to provide assurance that their risk culture is indeed effective.


Fulfilling this mandate requires internal auditors to tread carefully and adhere to a well-structured approach. The definition of internal auditing from The Institute of Internal Auditors (The IIA) sheds light on why:


  • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Auditing risk culture seems to fall neatly under internal audit’s mandate to help the organisation improve the effectiveness of its risk management and governance. However, when considering other components of The IIA’s definition – namely, the word ‘objective’ – it becomes clear why an internal auditor would view auditing any aspect of the organisation’s culture as potentially problematic. The core concern is that, in reviewing and measuring an intangible thing like culture, the internal auditor would be at risk of making a subjective assessment of the state of that culture.


Defining culture

Culture is complex and different within every organisation. There are some guideposts available – for example, risk culture, as defined by the Risk Management Association (RMA) and Protiviti, is ‘the set of encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within an institution.’ But even when defined, culture remains largely abstract.


Through our research for Volume XIII of Protiviti’s Internal Auditing Around the World®, we learned that the internal audit leaders in many of the organisations already auditing, or that intend to audit, their risk culture are taking great pains to create methodologies, frameworks and processes that can give structure to the abstract.


Some internal audit groups are taking incremental steps toward formalising an approach to assessing and monitoring risk culture. Some have modified their quarterly enterprise risk management dashboard to include a specific line for culture. Other internal audit departments look to their organisation’s guiding principles and core values – as well as its ‘tone at the top’ – to help give structure to their process for auditing culture.


Several of the leaders we interviewed said they recognised early the importance of examining and strengthening the culture within the internal audit function before moving to assess the culture elsewhere in the organisation.


The right approach takes time

A company’s culture may be abstract, but one thing is clear from an internal audit perspective: developing the right approach for auditing an organisation’s risk culture takes time and careful planning. And for any business, the value of undertaking this process is developing a better understanding of the cultural causes that create risk – in short, human behaviours. Ironically, it is the internal audit function – the objective eye of the organisation – that is uniquely qualified to bring a ‘systematic, disciplined approach’ to a potentially subjective process.


We hope that the profiles in Protiviti’s Internal Auditing Around the World provide valuable insight on how an organisation can approach auditing its risk culture. It is a new frontier for many internal auditors. But just like partnering effectively across the organisation and working in a collaborative environment, it is a challenge worth conquering.


Esther Delgado – director, Protiviti

Corporate governance theatre: risk culture, plausible deniability and wilful blindness

James C Paterson provides an overview of plausible deniability, wilful blindness and associated phenomena around corporate governance.

James C Paterson provides an overview of plausible deniability, wilful blindness and associated phenomena around corporate governance.


Background and introduction

My role as a consultant is to work closely with clients on governance, risk, compliance (GRC) and assurance challenges. Our aim is to ensure GRC improvements are genuinely welcomed and used by business managers, alongside risk, compliance and audit professionals; balancing rigour with pragmatism and cultural fit.


Earlier in 2018, I wrote an article on why we continue to get GRC and assurance surprises of some magnitude, despite management assurances and auditor sign offs. My perspective is that too often we have ‘corporate governance theatre’. Things look good in many ways, but – just below the surface – there are ‘hairline cracks’ that are missed by management, boards and even auditors and regulators, until it is too late.


After writing this article, I was happy to be asked by ACCA to write an article on risk culture – including ‘plausible deniability’ and ‘wilful blindness’, which are part of the theatre problem – and here this article:

  • provides an overview of plausible deniability, wilful blindness and associated phenomena
  • how and why these behaviours arise
  • warning signs to watch out for
  • practical steps in the context of GRC to make meaningful progress.


Note that, in my experience, progress is not about implementing new systems (though these may help), but rather by looking at what is currently being done from a different angle, with the objective of ‘getting real’ about the issues, and potential gaps, that matter the most.  


Read my article in full now


James C Paterson – director, Risk & Assurance Insights Ltd

Protecting the third little pig’s blushes

A quick introduction to cryptocurrency.

A quick introduction to cryptocurrency.


In daily life we are increasingly hearing new terms surrounding cyber technology. For example the ‘internet of things’ allows us to turn on our heating on the way home from work, turn the lights on before we approach and simultaneously start the coffee maker to welcome us home on dark winter nights. 


While automation is a physical and relatively easy to understand concept, less so are the terms ‘blockchain’ and ‘cryptocurrency’; nevertheless, we hear of them on a daily basis. Whilst these are less familiar terms, they could facilitate how we buy our more tangible gadgets in the future. Do we really understand these terms? If our clients are talking about them, how well do we understand the risks – both upside and downside – that they represent to the business?


The background to blockchain

When I first heard these terms I turned to the internet – and confused myself further! I then spoke with a friend was able to explain them in layman terms and suddenly clarity dawned. If we are to consider the impact of these concepts upon our clients and audit work, we need to first establish a basic understanding.


Blockchain was invented by Satoshi Nakamoto in order to create Bitcoin. No one knows the true identity of Satoshi Nakamoto, or if indeed he was one person or a group of individuals. But one thing is clear, the origin of blockchain and cryptocurrency is one and the same. The reason people distinguish between them today is because ideas from blockchain can be applied to other areas.


Since the release of Bitcoin in 2008 multitudes of other cryptocurrencies have started with 1,658 now in circulation; however the majority of these are very small. Bitcoin dominates with a market capitalisation bigger than all the other cryptocurrencies put together (approximately 67% market share).


Wider potential

Though blockchain came from the creation of Bitcoin, people have started to realise its potential for other areas, thanks largely to blockchain's ability to solve the double-spending problem without the need for a trusted authority. Put simply, it means we don't need a controlling body to manage transactions. Normally banks would fulfil this function, so without banks how do cryptocurrencies work?


Everyone has access to a ledger that contains all the transactions that have ever taken place. When someone wants to spend some ‘coins’, the transaction has to be verified by ‘miners’ on the network. Miners are people who have bought dedicated mining rigs (processors specifically built to crack cryptography problems) to find new coins. They are purely focused on mining coins, but the process of mining continually checks the transactions. If you try to fool the network by saying a transaction took place when it didn't, then the miners will reject the transaction. This is the equivalent to having your bank card rejected by a card machine. Sorry, the computer says no!


Blockchain creates a very secure network. But it also creates potential privacy problems which cryptocurrencies are only able to resolve through anonymity. In order to understand this, we have to understand a new problem created by the distributed ledger.


Below is an example where identities have not been hidden:

  • ‘Mr Wolf’ paid ‘’ £30
  • ‘1st Little Pig’ paid ‘2nd Little pig’ £500
  • ‘3rd Little Pig’ paid ‘Whips&’ £29.99
  • ‘The Gingerbread Man’ paid ‘Mr Wolf’ £15,000


As everyone gets to see the ledger, you can see it's possible for anyone to work out that Mr Wolf has a lot of money in his wallet at the moment. Also if we visit Whips& to find out what the 3rd Little Pig has been up to, we'll be able to work out that he appears to be paying a monthly subscription for their premium package. This entitles him to unlimited access for one-on-one rubber fetish webcam experiences. Oh dear, now you see the problem of not hiding identities when everyone can see the ledger.


So let's hide their identities with four digits (actual addresses are 25-34 characters in length):

  • ‘1234’ paid ‘8101’ £30
  • ‘6423’ paid ‘1982’ £500
  • ‘1087’ paid ‘7624’ £29.99
  • ‘0213’ paid ‘9767’ £15,000.


You will see that ‘1234’ has been substituted for ‘Mr Wolf’. But nobody knows it was Mr Wolf except for Mr Wolf. Also each time there is a transaction his wallet address changes. Notice when he receives £15,000 from The Gingerbread Man his wallet address becomes ‘9767’ making it impossible to link any transactions.


Hiding identity is not just about privacy, it can also be a matter of safety. Normally, if someone had £10m pounds, they would keep it in a bank. But the value of cryptocurrency is in the coins. If someone can gain access to your coins on your device, then they can steal them. So if people could work out who had a lot of Bitcoin and where they lived, then it would be easier to kick down their door rather than trying to rob a bank.


We are used to the idea that everyone's identity is known, but personal financial information is hidden. Cryptocurrencies can only work because they are the total reverse. All financial information is known, but personal identities are hidden.


Other uses

But cryptocurrencies aren't the only use for blockchain. For example a bank could use a permissioned blockchain system for keeping their customer accounts. If an external hacker managed to break into the system, any changes made would automatically get rejected. This would occur because all the other nodes within the network would be working to validate the transactions. The system would instantly know that it had been compromised, and would be able to activate an alarm to signal a breech.


The culture to hide identities is not one that sits well with the established financial institutions – meaning that cryptocurrencies are often viewed with suspicion. However, the potential benefits that blockchain technology could bring to the industry have meant that most financial services will have an internal blockchain project of some kind.


Now, I wonder what The Gingerbread Man and Mr Wolf are up to?


Lee Glover – director of internal audit, Haines Watts


Current and future resources

ACCA UK’s Internal Audit Network will be running a series of webinars on crypto currencies and blockchain for internal auditors in April. Information about the Unblocking the Crypto Chain webinar series and how to register will be released in January 2019.


Until then, you can brush up on your knowledge by registering for ACCA’s free CPD skills webinar: Blockchain and its application: An accountant’s perspective, or read ACCA’s report on the professional accountant’s guide to distributed ledgers and blockchain: Divided we fall, distributed we stand.


Getting started in data analytics

Data analytics can be a powerful tool – when you understand how to successfully implement it.

Data analytics can be a powerful tool – when you understand how to successfully implement it.


The subject of data analytics is being discussed more frequently in audits and is often touted as ‘the future of auditing’.


However, this has led to many audit teams believing that to perform an effective audit they must use data analytics and the result is often not what they hoped for or expected.


Trying to force data analytics into an audit rather than looking at where it might align with audit strategy wastes time, resources and can give false comfort to those who rely on the results without understanding how the tests work.


The main issue is almost a catch-22 situation: You can’t implement suitable data analytics without prior experience and understanding and you can’t obtain good experience and understanding of data analytics without applying it in a real audit.


Choosing your tools appropriately

To help audit teams get started there are plenty of data analysis tools available ranging from easy-to-use Excel add-ins to more complex and powerful systems which often require additional investment in training. There are even tools which use machine learning (often under the banner of AI (artificial intelligence) that can review large amounts of data against criteria but adapt reporting and vary the criteria based on the auditor’s responses or unusual activity. This allows focus to be on key issues while ignoring standard exceptions which are known and have mitigating controls.


This variety leads many audit teams to their first big question – which one do I need for my business?


Due to the cost and complexity of these tools, simply exploring them all to find the best fit is inefficient. Understandably there is a lot of hesitation when deciding whether to take a risk and invest in software which might not be right for you.


The main driver for the software should always be to match an audit need and achieve a required goal. For example, if you have low volumes of data for which you want to do straightforward analytical review (like looking at large values or duplicates) then a simpler solution which requires minimal training, such as Excel, is most likely to suit your needs to begin with.


Alternatively, if you want to review data from multiple sources in a variety of formats to look for any correlations and trends then you are likely to need more powerful tools (resulting in more software and training costs).


Whatever the complexity, if you haven’t at least explored solving your analytical needs using basic spreadsheet software to understand your current limits, then you risk taking on advanced tools without fully understand your own requirements. Often a small investment in Excel training can be enough to drive the role of analytics forward in a business.


Thankfully, many software providers are happy to offer detailed demonstrations (often for free) and discuss their suitability in relation to your needs.


When should we use data analytics in the audit?

One good indicator that analytics could help is where the current substantive testing approach involves reviewing a large number of items from single or multiple data sources against fixed measurable criteria (such as items over a given amount etc). In this case there’s a good chance that automating the substantive test can give 100% comfort with a high level of efficiency.


However, a better question might be to review when you should not use data analytics? Many audit teams have become frustrated when their first attempt using analytics has failed.


Situations which often result in analytics failing are:

  • Data unreliable - if you cannot demonstrate that the source data is complete and accurate or that the system is robust to prevent unauthorised manipulation, then you cannot have comfort in your analytical conclusions. In this case, the first step would be to seek to improve the client’s control environment so that future analysis can be performed on reliable data.
  • Data extraction issues - many systems and applications can’t easily generate the level of detail required for analysis in a single report. For example, if the aim is to review all customer details but the system can only extract one customer report at a time then the effort required to pull together all the required data may outweigh any analytical benefits.
  • Walkthrough failed - before you perform any analytical test, you should perform a walkthrough with a smaller data set (even one record would do). If you cannot apply your analysis to a single set of data and get an understandable result, then there is no point in attempting to extract and test 100% of a large data set. For example, you might be testing sales orders to invoices but on testing one you find that matching them requires a manual inspection of the physical invoice. In which case you are unlikely to be able to match them analytically.
  • Data is unstructured - if the data is not in a tabular format (with field titles and ordered columns) it becomes more challenging and time consuming to ‘clean’ the data manually. The potential to make mistakes at this point is high. Data analysis is still possible but the risk of error increases and therefore in such cases, exploring different ways to produce the data would be advisable.



Getting the most out of data analytics

To maximise the benefits from data analytics it is essential to build a suitable framework and methodology which suits your auditing needs and maintains consistency in practice. But creating this is often a challenge without prior experience and so the audit team should consider the following to help:

  • Start small - understanding and experience is essential to implementing data analytics and so to build this expertise up it can be useful to start with straight forward analytical routines on Excel replacing basic tests or running in parallel with normal testing to ensure that the results meet expectations. This is an investment in time and resources but helps quickly build up an understanding and can lead to more complex analytical testing.
  • Focus training - training too many staff in analytics at the start is often problematic as without regular use of the tools and techniques the training can quickly be forgotten. Instead, training a small number of staff who can then, through repeated application of those skills, develop their expertise and then train others as required can be a more suitable use of resources.
  • Don’t replace thinking with analysis - many auditors have found themselves simply running the same analysis scripts and routines from previous years, putting the results on file and moving straight onto the next test without challenging what just happened. The risk could be that circumstances have changed, either with the process or even a corruption of the scripting. It’s not unheard of for people to discover new ways around automated detection. For example, analysis may pick out staff who post large unusual expense claims without authorisation but then someone discovers that posting multiple small claims goes undetected. As with all audit tests, analysis should be continually challenged to ensure it meets the audit requirements.


In conclusion

Data analytics can drive large efficiencies in audits and allow a deeper and wider understanding of the challenges facing a business, but it might not suit every audit. Starting small and building up knowledge and understanding is key to successfully implementing data analytics. More advanced toolkits can then be explored to address understood needs.


Finally – never forget that the role of the auditor hasn’t changed. The audit still requires interpretation of results, professional scepticism and a challenge for continual improvement. Data analytics simply allows the auditor to apply these skills more effectively.


Andrew Davidson – IT audit senior manager, Johnston Carmichael


Additional resources: webinars

ACCA UK's Internal Audit Network ran a series of four webinars on big data and how to use it from March to May this year on the following topics:

  • what is big data?
  • the legislation around big data
  • data analytics – assurance from an audit perspective
  • how internal audit can use data to provide assurance.


Each webinar lasts approximately one hour and provides one unit of verifiable CPD where it is relevant to your work. You can register for the on demand version of these webinars here


Coping with modern technology

In the first of two articles looking back at ACCA UK’s Internal Audit Conference, we look at how you can identify and mange risks posed by modern technology.

In the first of two articles looking back at ACCA UK’s Internal Audit Conference, we look at how you can identify and mange risks posed by modern technology.


Digital technology continues to transform and disrupt the business world, exposing organisations to both opportunities and threats. To demonstrate the revolution in modern technology over 50 years, Stephen Hill, managing director of Hill Bingham Ltd, compared Apollo 11, which landed the first two humans on the moon in 1969, with the iphone 6, launched in 2014.


‘A now relatively old piece of technology, the iphone 6, has 130,000 times as many transistors as Apollo 11, is 80,800,000 faster in delivering instructions per second and in terms of overall performance is 120,000,000 times speedier,’ he told delegates at ACCA UK’s annual Internal Audit Conference in Birmingham. ‘Theoretically, it could guide 120m rockets to land on the moon at the same time.’


While there are clearly benefits to this jaw-dropping advances in technology, Stephen suggested the speed of change has increased too quickly to keep up with from a risk perspective. ‘This is the reason cyber criminals are so successful today,’ he said. ‘New technology is creating new opportunities to take advantage of operations that haven’t been tested properly.’


The business models have changed substantially, as well, with just a few examples including Uber, the world’s largest taxi company which owns no taxis, Airbnb, the biggest accommodation provider which owns no hotels, and Netflix, the biggest movie house that owns no cinemas. The transition is also evident in the financial sector, with SocietyOne, the fastest growing bank, having no physical money.


So, what is information technology risk? The Institute of Risk Management definition is simple: any risk related to information technology. Over the last 20 years, risk has centred on issues such as IT security, hardware and software malfunction and power failure leading to data loss. ‘But that’s yesterday’s world,’ Stephen said. ‘One of the biggest challenges is that traditional security models focus on keeping external attackers out, but the reality is that there are as many threats inside an organisation. The risk posed by mobile technology, cloud computing, social media and employee error should be our focus in 2018.’


Examples of high profile disasters in recent years include the Microsoft Azure outage, caused by human error, a cyber-attack on Deloitte that compromised the confidential emails and plans of some of its blue-chip clients, and data theft from Yahoo that affected at least 3bn accounts.


‘We put lot of trust in big companies but cyber-attacks have had big names in the frame,’ Stephen pointed out.


‘Cybersecurity is continuously in the news but the risks posed by weak and outdated security measures are hardly new,’ he added. ‘Cybersecurity is widely recognised as a challenge for governments and businesses alike. It was once considered the sole preserve of IT departments and security professionals but companies now recognise that a wider response is required and boards are seeing cyber-risk not as a technology risk, but as a strategic, enterprise-wide risk.’


Cyber-crime, Stephen explained, can be divided into two: cyber-dependent crime and cyber-enabled crime. Cyber-dependent crimes are offences that can only be committed using a computer, computer networks or other forms of information communication technology. This type of crime is primarily directed against computers or network resources and includes malware, hacking and viruses.


Cyber-enabled crimes are crimes such as theft, fraud, hate crime and sexual offending against children, which are increased in scale or reach by using computers, computer networks or other information communication technology.


At the beginning of 2018, Ciaran Martin, Head of the UK’s National Cyber Security, said: ‘A major cyber-attack on the UK is a matter of “when, not if”.’ Stephen agrees. ‘Everyone in this room and their organisations will experience one,’ he said. ‘We are losing the battle against the perpetrators for three reasons: humans will always make mistakes; system and application vulnerabilities continue to merge; and malware detection will always lag. Worryingly, the gap between attacker capabilities and capabilities of business to protect themselves is growing significantly.’


Impact of a cyber-attack

A cyber-attack can have devastating consequences for an organisation by disrupting the business with resulting financial implications, causing loss of information and data and, perhaps most importantly, damaging the company’s reputation.


Mobile technological advancement brings new concerns, which include potential loss of important business information, theft of the device and navigation of the grey line on privacy and monitoring between personal and company use of the device.


In a snapshot of risks created by cloud computing provision, Stephen highlighted loss of control over data, compliance breaches, inadequate security of data and rogue or phantom clouds. ‘Internal audit needs to understand how the organisation is going to use cloud technology and the risk the business faces,’ he said.


For the profession, assessing risk is about considering what could happen, how bad it could be and how often it might happen, while security is about the protection of data and includes prevention, detection and reaction.


‘Remember why attacks are possible,’ he urged. ‘The top five are that the end user didn’t think before clicking on unprotected websites, using free public wi-fi, or responding to an email; a weak password; insecure configuration; use of legacy or un-patched hardware or software and lack of basic network security protection/segmentation.’


However, on a more positive note, a key cyber-crime prediction for 2018-19 is that employee training will continue to grow in importance, generating the most return on investment out of any enterprise data security solution.


Stephen left his audience with a quote from Iain Lobban, former director of GCHQ: ‘About 80% of known attacks would be defeated by embedding basic information security practices for your people, processes and technology.’


Top tips

  • use up-to-date anti-malware and firewall systems
  • use authentication to allow only authorised people through your perimeter
  • establish and enforce mobile device management for all remote working
  • use data loss/prevention technologies to prevent data being leaked
  • use encryption to protect your most valuable or sensitive data, in addition to strict password policies
  • train your staff in security awareness
  • put policies in place concerning the use of social media and BYOD.


Jill Wyatt is a business journalist

Time to step out and stand out

In the second of two articles looking back at ACCA UK’s Internal Audit Conference, we look at the key steps that internal auditors must take to flourish and lead during challenge and change?

In the second of two articles looking back at ACCA UK’s Internal Audit Conference, we look at the key steps that internal auditors must take to flourish and lead during challenge and change?


There is just a seven-second window for someone to make that all-important strong ‘first impression’, on someone else. This is the conclusion of research, but Joy Marsden, motivational speaker and trainer, told delegates at ACCA UK’s annual Internal Audit Conference that making their mind up about someone in such a short time is ‘just wrong’.  


To illustrate her point, Joy offered up some seemingly unlikely options about her own activities and achievements. She asked delegates to guess which were true. Did she audition for Britain’s Got Talent? Does she play the piano? Love to sky-dive? The guesses made by delegates were far from accurate.


‘You see, you can’t tell what people can do, just by looking at them,’ Joy said. ‘How we think about people and how we treat them cannot be based on an impression made in seven seconds.’


However, while discouraging snap judgments, Joy did suggest that people largely fall into four categories:

  • those who anticipate and predict what someone is going to say or do
  • those who claim to be amazed and inspired by what others say and do but act on nothing they’ve heard or learned
  • others that worry that they don’t fit in and are anxious about just about everything
  • the ‘warriors’, whose stance is: ‘I’m ready for everything the world brings my way. Bring it on.’


Today, you need to be a warrior to survive. Sitting in the middle of all these different types of people, internal auditors need to manage up, manage down and engage sideways. ‘You’re finding information that may not be palatable for the people you’re sharing it with. Doing things that not everyone can do. I would say that this room is full of warriors,’ Joy said.


‘And I am going to encourage you to step up. Not because you are not doing well in your role, but because you must to excel in your role. Your motivation plus your ability equals your potential. You know your ability but have you reached your potential? To get you there also depends on the amount of energy you put in.  How much energy do you have? It will affect everything you feel, do and how other people engage with you.’


Stepping out

Joy told her audience to ‘step out’ because not everything they did do today would necessarily serve them for things they do tomorrow, next month and the year after. ‘If you don’t continue to grow, to push the boundaries and try and do things, differently do you think you are going to have a job in 10 years? It’s a bit scary but we are living in a fast-paced world and we know what we do today is not necessarily going to serve us tomorrow.’


The third move to make to survive and flourish in a changing world is to ‘stand out’ for all those things that make the world go around – integrity, honesty, trust and truth. Do you say what you mean and mean what you say? Are you the same person at home and at work? ‘Stand out for those things that really matter to you,’ Joy urged.


Everyone develops habits that don’t necessarily serve them and the people around them. That’s because old habits die hard. One of the keys to success is to take time to identify what needs to change and then commit to working on it. ‘Take one step at a time because change doesn’t happen straight away. If you decide to change people are going to notice. But don’t go back to your old ways.’


The way someone positions themselves in life is important. ‘Do you position yourself as a victim?’ Joy asked. ‘Have you positioned yourself as a success? How you position yourself will determine where you go from here.’


‘And you need to focus on the right thing. Focus on what you can do, not on what you can’t do and put your energy into that. A lot of us use our energy to run away from the things that we don’t want; this is channelling energy in the wrong direction. Where you focus your attention will have a huge impact on the outcome of your day.’


An individual’s ego can help or stand in the way of success. ‘As adults, the more we know, the less we like to show how much we don’t know,’ Joy observed. ‘We’re in the age of making impressions, of thinking we have to look good. But there are times when you need to put hand your up. It’s not belittling, it’s just saying you need a little help or support. Don’t let ego get in the way of your growth.’


Moving through the importance of the different types of communication – formal, informal, group etc – Joy urged delegates to be mindful of their options and reminded them that the way they choose to engage has an impact on everyone else.


Taking a risk

So, what is the one skill that researchers worldwide are highlighting as the key to success? Self-awareness.


The more you know yourself the better off you will be ‘because you will know the impact you have on other people’, according to this motivation supremo, who also noted: ‘We have managers today managing other people who haven’t learned how to manage themselves.’


Summing up, Joy acknowledged that it is a risk to show yourselves for who you are. ‘But that’s who you’re supposed to be like,’ she said. ‘You are you! You’re a human being. So, has the world seen the fullness of who you are yet? I want you encourage you to step up and step out and stand out – and to keep stepping.’


Jill Wyatt is a business journalist

Big data and how to use it

Watch our 'big data' webinar series on demand now.

ACCA UK's Internal Audit Network ran a series of four webinars on Big Data and how to use it from March to May this year featuring different speakers on the following topics:

  • What is big data?
  • The legislation around big data
  • Data analytics – assurance from an audit perspective
  • How internal audit can use data to provide assurance.


Each webinar lasts approximately one hour and provides one unit of verifiable CPD where it is relevant to your work. You can register for the on demand version of these webinars here.

GDPR for internal auditors

Get the lowdown on GDPR for internal auditors with our free webinars.

ACCA UK's Internal Audit Network is hosting a series of five webinars on GDPR for internal auditors, presented by Mike Hughes and Steve Connors (both partners at Haines Watts):


Beyond GDPR

The 25th of May and the enforcement of GDPR by the Information Commissioners Office (ICO) has come and gone - what do we need to do now and how do we build this into the overall approach to an information governance framework?


Big Data vs GDPR

Explore the issues faced by businesses looking to leverage value from the emerging digital economy while staying compliant with GDPR. This session will consider the impact of GDPR on a business's marketing strategy and introduce the concept of data rights versus data ownership.


Managing your cyber risk

Increasingly we are becoming a very connected society. Learn about the vulnerabilities and threats the world of cyber brings, increasing business risk, and what we can do to manage this risk. We will look at some of the tools that are available to help organisations manage the cyber risk.


Third party/supply chain assurance

How do you identify and manage your critical third party suppliers through your entire supply-chain - from the selection of the third party, through due-diligence and then onto ongoing contract and service management? This webinar will consider these areas and also include tips on supplier relationship management and the use of metrics and key indicators to flag when issues may be around the corner. 


Protecting IP and your business reputation in the digital age

This webinar will look at moving away from the traditional reactive approach to cyber security towards a proactive approach to monitoring by considering some of the latest thinking and products, and assessing the scalability of these enterprise level products and services to help an SME protect its intellectual property and reputation.


Register now to watch any of these webinars on demand 

Shaping your ACCA

The results of our recent focus groups are in...

Shaping your ACCA – Internal Audit focus groups 2018


ACCA’s extensive outreach programme has seen views received from over 170 ACCA members in 13 different locations across the UK. These focus groups covered members in public practice, the corporate sector, financial services, internal audit, health and the public sector.


The purpose of these focus groups is to identify the challenges our members face in internal audit and the support that ACCA might be able to provide them as they meet these challenges. These meetings play an important role in helping to shape ACCA strategy, products and services and ACCA is grateful to the members who attend these groups to provide feedback.


Three focus groups were held with members working in Internal Audit - in London, Birmingham and Manchester. Discussion areas included data analytics, data access, IT audits, the blurring of lines between risk management and internal audit, top audits for the year, key challenges as an internal auditor right now, how ACCA can help, and the development of the internal audit profession.


A report on the findings and a 15 minute highlights webinar are now available.

ACCA UK's Internal Audit Conference 2019

A sneak peak of our 2019 internal audit conference.

ACCA UK’s 2019 annual Internal Audit Conference on Collaborative Independence will take place on 16 May 2019 in Birmingham.


The International Standards for the Professional Practice of Internal Auditing makes reference to the necessity for Independence and Objectivity (Standard 1100). Independence is defined as meaning ‘the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner’. In other words, an absence of interference, threat or restriction on access to personnel and information required to do the job. 


Objectivity, on the other hand, relates to the auditor’s own mentality in approaching the work – recognition of conscious and unconscious bias and their ability to provide an opinion substantiated by complete, accurate and valid data rather than preference and compromise.


However, we’re all faced with challenges to ‘do more with less’, ‘rely on other assurance providers’ and ‘accept that the compliance work is covered by others’.  So how can we, as internal auditors, make a positive step change in delivery through ‘collaborative independence’, and what would this mean in reality?


Join us on 16 May 2019 as we consider these challenges.


Register your interest now and we’ll ensure you receive a personal invitation as soon as bookings open. Simply email our Professional Courses team.