Technical and Insight
Maximising the value from assurance
In a special CPD article, Aaron Oxborough demonstrates how an assurance map can help you deliver better value by better understanding the risk landscape.

Studying this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest that you use this as a guide when allocating yourself CPD units. 

The topic of corporate governance continues to be at the forefront of boards’ and regulators’ focus. Whether it be one of the recent public sector failings, or the manipulation of financial markets, getting to grips with the risks that organisations face is harder than it used to be. Risks are more complex and increasingly technical (for example, the prefix ‘cyber’ is now a necessary part of boardroom vocabulary) and the recognised root causes of issues often cut much deeper to the heart of the organisation, with an increasing understanding of the role that culture plays. In addition, non-executive directors now face increased expectations of their role. 

The need for senior management and boards to understand the enterprise risks, the assurance provided and the effectiveness of controls has never been greater. Many are requesting more and more risk information, and some are turning to an assurance map to help provide this view. 

Building an assurance map
The objective of an assurance map is to provide an overview of all assurance activity in order to better understand the risk landscape and the assurance provided (including any gaps in assurance). Building one could include the following steps:

  • Build the audit / risk universe - To provide a picture of assurance across an organisation, you first need to map out what the organisation looks like. The most common way of doing this is to identify the audit units by risk category / individual risks, or by organisational structure (by directorate / business unit) and process view. Less common structural approaches are a view by legal entity or by product view. The important factor in deciding the structure of the assurance map is understanding how the organisation is currently managed and aligning it to other performance management information (MI) of the organisation, eg financial MI. This supports the success of the assurance mapping as it supports clear accountability for the management of risk.
  • Consistent risk scoring - Historically, internal audit has always maintained its own view of risk and risk scoring. However, for assurance maps to work, the organisation must have a ‘single view of the truth’ – which means a corporate understanding of the risk universe, a corporate methodology for scoring risk and a corporate methodology and language for assessing the results of assurance.
  • Structure of the assurance map - Complicated assurance maps can be contrary to the primary objectives of the assurance map, to build a clear overview of all assurance activity. A common way of structuring the assurance map is to record the audit / risk universe (with risk scoring) on the y axis of the matrix, with the assurance providers recorded across the x axis of the matrix. (A simple example is outlined in Figure 1.)
  • Build a picture of assurance - Finally, map out the conclusion from each assurance provider, against each of the audit / risk units (where applicable), highlighting the last date of review. There is also value in using some form of RAG rating to quickly identify risk hot spots.


Seems straightforward? Almost. There are a few challenges to producing and maintaining an assurance map, which can impact on its interpretation if not fully understood by the reader:

  • Definition of assurance – The first challenge is what activities constitute ‘assurance’? Internal audit as the 3rd line of defence is easy, but how much of what risk and compliance functions (2nd line of defence) produce is assurance? What about management as the 1st line of defence (the control owners): do they produce any assurance? Organisations must be very clear on the key attributes of assurance. These may include principles of being evidence based, supported by sufficient documentation, or a clear link to the risk / controls of an organisation; however, it is for each organisation to confirm what is an acceptable level of assurance provided to be included in the assurance map.
  • Level of independence – Another consideration is the relative independence of the assurance provider. Is the value derived from 1st line of defence assurance any less than that provided by internal audit? 1st line of defence assurance has its place and can add significant value to the organisation, but it also runs the risk of being distorted, influenced by bias.
  • Scope and extent of assurance provided – While visually easy to read, the use of RAG ratings can distort the actual comfort gained by the reader if they do not fully understand the scope of the assurance activity and the extent of testing undertaken to provide the assurance. This challenge may be lessened if the structure of the assurance map was aligned more closely to individual risks; albeit this level of detail may become a little unwieldy.

What is internal audit’s role in the assurance map?
In addition to being a good sense check of assurance coverage by audit committees / boards, the assurance map is a useful tool for internal audit. It helps to inform internal audit’s assessment of the enterprise-wide control environment and can provide a source of identifying emerging risk events. 

However, one of the risks in using the assurance map is that internal audit relies solely on the work of other lines of defence to avoid any duplication of effort. 

As was identified above, assurance from the 1st and 2nd lines of defence has its challenges and therefore must not be a total substitute for internal audit’s attention. The Chartered Institute of Internal Auditors (CIIA) issued its guidance for financial services internal audit functions in July 2013, Effective Internal Audit in the Financial Services Sector. In its guidance, the CIIA stated that ‘Internal audit must have an enterprise-wide remit – “the assurance map” cannot be carved up between the internal audit, risk and compliance functions’.

Assurance maps can be a powerful tool for internal audit and can provide great insights for senior management and the board. Before implementation, organisations should seek to align their corporate risk language, the accepted definition of assurance, and the limitations of assurance provided by each line of defence. Being cognisant of these challenges will allow its users to take appropriate comfort over the assurance received, maximising the value from assurance. 

Aaron Oxborough is an internal audit director at PwC, specialising in the insurance industry

Lean auditing – what, why and how
Want to understand lean auditing, but unsure where to start? James Paterson's overview gives you everything you need to know to get started.

When I was head of internal audit (HIA) for the pharmaceuticals company AstraZeneca Plc, I became increasingly interested in two key questions about internal auditing:

  • how could I be sure the internal audit function was adding the maximum value it could?
  • how could I be sure the internal audit function was as efficient as it could be – moving beyond benchmarking, and going back to first principles?

While I was HIA we developed a lean auditing approach and obtained recognition internally and externally for our greater contribution to the organisation, while driving efficiency improvements of around 20%. 

Several years later I started to work as a freelance consultant and took what I had learned at AstraZeneca and applied and enhanced it with my clients. I also started to run training on lean auditing in the UK and further afield. 

In 2013 I was approached by John Wiley & Co to write a book on lean auditing, which was published in January 2015.

In the process of writing the book I was fortunate to interview Richard Chambers, CEO of the IIA in the USA, and also Chris Baker, technical manager of the IIA UK, as well as over 20 HIAs of leading organisations. 

What follows is a (very) brief overview of lean auditing and some of the key messages from the book.

What is lean and what can it offer us?
The label ‘lean’ was first used in 1987 by John Krafcik, who researched the productivity methods of Toyota. He observed that their systems and processes:

  • required less investment for a given production capacity
  • went from concept to delivery with less time and effort
  • delivered products with fewer defects.

He explained: ‘It needs less of everything to create a given amount of value, so let’s call it lean.’ 

Typical benefits obtained from lean ways of working include:

  • reductions in: defects, lead times, cost, inventory and waste
  • improvements in: customer satisfaction, productivity, capacity, responsiveness and quality.

Lean techniques have been successfully applied in a range of sectors outside of motor manufacturing (eg in white goods manufacture) and in service sectors. Lean has also been applied to support functions, such as finance, IT and admin, and so lean auditing is really just an extension of this to internal audit.

Key principles of lean
The overall aim of lean is to maximise customer value while minimising waste. It is outside the scope of this article to outline all of the excellent tools and techniques lean can offer, but key points include:

  • specify value from the perspective of the end customer and always ask: would a customer pay for what is being done?
  • pay careful attention to what really happens in an organisation (called Gemba or Go Look See)
  • aim for a flow of valuable work and a greater understanding of waste (Muda) such as waiting, rework and duplication, as well as unevenness of workloads (creating lulls) and points of overburden (that create bottlenecks)
  • create a culture of discipline to perfect and streamline processes and drive constant improvement through clear measures and other techniques (eg just in time, automation and error proofing).

Benefits from a lean audit approach
The use of lean re-orients an audit function to progressive ways of working, in which there is a clear contribution to the organisational agenda and the things that matter, and a much more dynamic, productive function. 

Specific benefits include:

  • the creation of an audit culture that is focused on delivering value add and that recognises the importance of engaging stakeholders on a regular basis
  • a plan that is more closely, and demonstrably, aligned with the key value drivers of the organisation
  • helping to ‘join up the assurance jigsaw’ of multiple functions doing similar things
  • audit assignments that are appropriately resourced, and delivered to time and budget
  • audit findings, reports and other forms of communication, that are short, insightful and recognise the wider context of the organisation and the challenges it is facing
  • an audit function that is able to highlight appropriate efficiency opportunities, including instances where the streamlining of compliance and control processes would be beneficial
  • a function that can clearly demonstrate a positive return on its cost.

Here are some of the insights from contributors to the book: 

Assignment planning
‘Planning an assignment is key because when I see things going wrong, including delays in delivery, it is often because we didn’t think enough up front. It can be as simple as not recognising a key contact is travelling or on holiday for two weeks during the assignment. Unless people have really thought about what they want and sufficiently planned and been rigorous in engaging the business, problems will arise.’

‘Good audit departments put a lot of effort into thinking about and agreeing the scope of their audits so they are addressing important points; and as a result key findings will then be meaningful to the organisation.’

‘IIA Standards say that you need to gather sufficient evidence and have sufficient relevant information to be confident about what you are concluding. However, that's often translated into a whole load of advice about how many records you need to look at and how many tests you need to do to substantiate everything, when, in point of fact, if we are focusing on risk and adding value it should be different from that. It’s wrong to stick to sample requirements in a rigid way.’

Root cause analysis
‘I think that reporting the findings in terms of symptoms and then stopping is ridiculous. If you just report the reconciliations are not being done, without asking more questions that may be needed to identify the root cause, the issues don't go away. You're actually not curing the patient. You're just pointing out the problem.’

‘Before we put pen to paper and waste our time, let's write up a list of findings and first of all decide whether we agree these are all important. After that we can look at the findings and the proposed corrective actions and start to see whether there are patterns, so that they can be combined. This approach makes sure that audit reports are more focused, with less need of rewriting. It also helps you to combine points making reports as concise and readable as possible, and also helping stakeholders better judge the relative significance of what is being found.’

One CFO I interviewed explained: ‘I’m looking for internal audit to have a really good business and commercial understanding. You want people to be able to translate the dry accounting and control terminology in a meaningful way that they can engage their internal customers. You don't want them using technical speak – you want them to put them into common sense. This is what it means to your business area or your business unit.’

Final reflections
My work on lean auditing has highlighted that there is a considerable amount of progressive, value adding, practice in the internal audit profession across a range of countries and sectors.

Lean Auditing is a book that will enable functions to assess how much they are really orientated towards value and productivity, and will likely provide practical tips that can be easily implemented to make further improvements. The book also contains key points for senior managers and audit committee members to consider, since they play an important role in helping audit teams ‘unlock’ the value and productivity improvements that are possible.

Sometimes lean can have a bad name – and I understand why this happens – but I have tried hard to demonstrate in the book that the sensible application of lean principles can be a very energising thing for the audit function and those who come into contact with audit.

In addition I have gained strong support from senior leaders in the IIA to say that following the practices in the book is not incompatible with what the IIA requires; indeed many of the recommendations better reflect what the IIA is looking for, in terms of a more risk based, value-adding approach.

Finally, the book addresses the myth (which I myself believed years ago) that to implement lean ways of working requires a lot of time, effort and consulting support. This is not what my book advocates – indeed I think the reason my approach to lean auditing has gained traction is precisely because of the ways in which it encourages some activities to be cut back, or stopped, and others to be piloted without a lot of time and effort.

Lean Auditing is available from Amazon and Risk and Assurance Insights.

James Paterson – director, Risk & Assurance Insights Ltd

Third party assurance provision
Does your organisation have robust policies in place around third party provisions, asks Paul Haley?

We live in a vastly complex business world where organisations in any sector need to work in partnership with an ever-increasing array of suppliers and partners. The provision of goods and services to us, in order that we can deliver the end product and service to customers, requires a thorough understanding of contractual terms, service level agreements, risk management, clear transparency and disclosure, monitoring and review, competence, shared values and goals, and trust. 

Above all, though, our organisations require assurance that we will achieve our objectives. This is relatively easy internally – we can rely on internal management controls, management inspection and compliance teams, and internal audit. These are often referred to as the ‘three lines of defence’, as posited by an Institute of Internal Audit Position Statement. 

However, it can become more difficult to gain assurances throughout our supply chain, which requires external assurances and thus potentially reliance on ‘third party assurances’. 

Third party provisions
Our organisations have moved away from a traditional structure designed to do everything in-house. We have concentrated on developing our core competencies and then have looked to partners to provide their unique skills. So it is now accepted common practice to have third party provision of IT infrastructure/ networks/ database/ website/ e-commerce/ systems, transport and distribution, security, estates management, telecommunications, call centres, warehousing, and shared service functions for finance, HR, payroll, marketing – even internal audit itself could be provided from outside the organisation. 

This is reflected in the diagram above which shows a movement from a triangle to a diamond-shaped organisation. However, in order to deliver our end product, our risks remain within the traditional triangle. The challenge is to ensure our risk management and internal control frameworks reflect this. Equally, we must gain enterprise-wide risk management assurances. 

Supply chain grey areas
A growing area of concern is what I describe as the grey area of our supply chain, which is when prime contractor suppliers have sub-contracted work out, or are similarly relying on their supply chain to provide services that are intrinsic to continuity of service to us. How might we be affected by these unknown points of failure? Worryingly, you may not be able to answer until this happens and you suffer immediate loss of service, or loss of your data, or both. 

You may wish to consider to what extent the risk has been mitigated through contractually preventing sub-contracting. And of course whether this is a reliable control. 

Organisations therefore need to manage supply chain risks through optimising assurances. These could come from the three lines of defence as already mentioned. But this will depend on what terms and conditions you have with suppliers, such as:

  • have you ensured a right of audit access for your internal assurance teams?
  • did you select partners based on how willing they are to provide assurances?
  • have you determined what lines of defence your suppliers have?
  • do they have their own internal audit team?

Also, have you established assurance requirements such as holding valid ISO accreditations for quality, environment, health & safety, risk management, information security, or even Investors In People? These will offer a level of assurance that a minimum standard has been reached, is being maintained, and is being subject to independent third party checking & certification. 

If you have ensured rights of audit access to suppliers, you need to risk assess your supply chain and determine where and how to gain assurances. Do you send in your assurance teams? Do you seek written confirmation from the suppliers' own assurance teams? Do you obtain regular written assurance from the suppliers' boards? 

Your own internal audit team will be more likely to place reliance on the work of supplier audit teams if they can demonstrate similar professional competence and qualifications and that work is performed to professional standards, such as the IIA’s International Professional Practices Framework, which comprises the International Standards for the Professional Practice of Internal Auditing. One of these, Performance Standard 2050, sets out Cooperation with Other Providers of Assurance.

Assurance maps and frameworks
An area of much activity is the development of assurance maps and frameworks. This enables organisations to understand where assurances over risks can be gained. It can illustrate where there is duplication of assurance which can sometimes be a burden on the business operations, and where there are assurance gaps. This kind of assurance mapping is particularly useful to an audit committee which will have governance responsibilities to provide assurance to the main board on the governance, internal control and risk management processes, and likelihood that corporate objectives will be achieved. 

A clear assurance framework will ensure an audit committee enables demand-led assurance, which can focus on a cost effective and clear process of inspection, compliance, and audit review. This can and should also include regulatory inspection and external audit, which also provides further assurance albeit often driven by specific somewhat narrow legislative compliance. This gives a complete picture, or an auditable trail of assurances which, when combined with further assurance from your organisation’s directors, from the various governance committee chairs (audit, remuneration, nominations etc) can enable the construction of the annual governance statement for your chief executive to issue within the annual report and accounts. 

Reasonable assurance
A key aspect to consider is to have a board level debate around defining ‘reasonable assurance’. This could include setting risk appetite which could be quantitative and qualitative – eg all risks having an impact multiplied by probability score of x or less, and 97% of customers are satisfied. A board could then set out what ‘green’ assurance looks like across various parts of the organisation. Once there is agreement on what is reasonable, the audit committee and the three lines of defence can determine where all the assurances are required and how it can bring together all the third party assurances as already explained. 

One further thing to consider: why make all this effort just to support the annual governance statement? Organisations can speed up the assurance mechanisms to pull the levers bi-annually, or even quarterly, and embed this into the regular performance monitoring systems. 

Paul Haley – director of strategic operations, BHBi

Paul Haley is a chartered internal auditor and director of BHBi, one of the UK’s leading specialist private sector training providers for internal audit, with leading expertise in integrated assurance, reliance and coordination. 

For further information, call 0800 0 329 923 or see BHBi.

Questioning techniques for internal auditors
Remember these tips to master a key skill of being an internal auditor, says Jane Allan.

At an ACCA UK Internal Audit Network event at ACCA’s head office on 2 February, Jane Allan of Jane Allan & Associates discussed how to get the information you need to carry out your role as internal auditor. A webcast of the event can be found on ACCA’s website, while below we share some of the highlights. 

It’s your job to ask questions. If you enjoy your job then you are happy with questions. Other people may not be. In fact most people don’t like being questioned. Thinking about the person you need to question and their likely mindset will make your job of getting an answer easier. We need to consider both how they react and how they receive or filter your question. 

Why ask?
You need to collect information in order to fulfil your role. Without the necessary information you cannot do your job. It’s worth remembering that often people assume you know what they know. Maybe you just need confirmation. That can seem pointless to someone to whom the situation is obvious. Perhaps you need help understanding what, when, and why; let alone how. But they have their secrets, their special tricks that make them important or essential and may not want to share them. 

What do you really need to know? We’ve been here before and we’ll be here again. Do you need to ask the same questions as last time? If yes, can you redesign them? Do you want outlines to be able to tick off your checklist? Are you looking for confirmation in the form of actual evidence? Do you need specific information or is this a general fact finding approach? Depending on what you want and who you are asking, you will need to design your questions carefully. 

If all you are seeking is confirmation that things are as you expect or as they should be, you can take two approaches: the blatant ‘any changes I should know about?’ or ‘is the system running as programmed?’ Just be very careful that when you phrase your question you do not tell them what you want to hear as an answer. 

If your need is to understand then you have a bigger challenge. Assumptions will be made as to what is ‘obvious’ which may well not be obvious to you. If your need for knowledge seems to threaten their unique selling points they may become reluctant to explain in sufficient depth. If it is glaringly obvious to them, they may treat you as an idiot for asking.

The way we respond to questions reflects not just our knowledge but our mindsets too. Some people see any question as a form of attack on their credibility or as an assumption that they have done something wrong. This results in them becoming defensive. Others enjoy the opportunity to tell you all they know in great detail because it is so interesting to them and they assume you are equally fascinated. Perhaps the ones who just answer your question as briefly as possible are your favourites.

To anyone who instinctively finds questions intrusive, you are the enemy and putting them under threat or attack. As a result they attack back, clam up or simply lie to avoid the perceived threat. And all you wanted was an answer! You won’t get the information you need from these individuals unless you change your approach.

The big danger of getting an answer from those who love to give you the unexpurgated version is that you switch off. Yes, they can be very boring and no, they don’t pause for breath. Of course they are going to tell you things you don’t need to know and often they will drift from the main question while peppering their answer with what they find fascinating. Sometimes though, buried deep in the ramble are essential facts you might not otherwise gain access to. 

So the concise question responder is the best? Well, yes, often they are. They are unlikely to give you evidence in the form of examples, unless specifically requested to do so, and they may quickly lose patience if they think you are going on too long. The real problem though is that you get what you ask for and nothing more, even when something more might clarify or change a given situation. If they are intelligent and see themselves as perceptive they may well first guess what you need to know and why you need to know it and temper their answers accordingly. 

Dealing with defensive
Arguing with someone who is naturally defensive only makes it worse. Denying that you are attacking them simply confirms their suspicions that you are doing just that. It takes time but you need to go prepared and turn the whole thing into a discussion. You need to show concern for their concerns and interest in their interests. ‘So what happens if….?’ can work once they feel you are on their side. Of course they may well lie and those lies could well be glaringly obvious. Nevertheless don’t challenge them, note them and ignore them. Remember behind the lie might lie an unknown truth. 

Dealing with unexpurgated
Many people are proud of their knowledge, fascinated by their department and what it does. They enjoy the opportunity to let others into their special world. They feel they are doing you a favour by explaining in detail. If you interrupt they will feel affronted or assume you need to hear it all again. So only interrupt with a thoughtful plan that will enable you to steer the conversation and not dominate it. Remember too these are the people who alert you to things you were totally unaware of and might never have learned without their help. 

Dealing with concise
If you know you are dealing with a concise soul, start by setting the scene. Let them understand the context of your questions so they can tune their answers accordingly. Make sure your question leaves the choice of answer open and does not indicate what you expect or want to hear. These individuals will not mind probing questions: expect and plan to ask them. Ask for specific examples too. Knowing what you need to know will enable them to help you with context. 

Personal filters
We all filter information as we receive it and thoughts as we have them. In all there are some 14 or so recognised filters – not all of them are relevant here. Four key ones are relevant and mixed with question attitudes will change how the person questioned responds:

  • away from: towards (eg I am going to lose weight versus I shall be slim)
  • centre stage: behind the scenes (me-centred versus self-effacing)
  • hands on: not me (accepting responsibility versus denying it)
  • emotion: logic (reacting and overreacting versus taking things calmly).

Away from: towards
‘Away from’ + ‘defensive’ often results in denial of responsibility, even before the question is posed.
‘Away from’ + ‘concise’ can simply be a blank look or a shrug of the shoulders.
‘Towards’ in these circumstances will inevitably be a pushing of responsibility or blame onto someone else. 

Centre stage: behind the scenes
Any ‘centre stage’ filter will result in answers built around the individual being questioned. If it is an ‘unexpurgated’ answer you will learn their life history; if it is ‘concise’ you will get bullet points but only those relevant to the speaker. ‘Behind the scenes’ responses are self-effacing, concentrating only on the tasks or systems. 

Hands on: not me
‘Hands on’ simply puts the questioned into the key role, responsible for everything. The more senior the individual the less likely you are to learn the detail.
‘Not me’ is always an attempt to shift the blame. It may come in the form of no information at all or it may be specifically directed at pushing responsibility onto someone else. 

Emotion: logic
Where emotion is involved it usually turns personal – either the belief that you are attacking the individual or that life, systems and indeed your questions are attacking the entire team or department in the form of added stress. Logic is what you need but take care – if it is coupled with the concise then you may simply get the rule book re-invented.

Changes to IIA qualifications
Qualification in Internal Audit Leadership (QIAL) and the Certified Internal Auditor (CIA) to be introduced in the UK and Ireland.

The Chartered Institute of Internal Auditors has recently reached agreement with IIA Global on the introduction of its new Qualification in Internal Audit Leadership (QIAL) and the Certified Internal Auditor (CIA) into the UK and Ireland. 

The new qualifications will replace the current IIA Diploma and IIA Advanced Diploma.  Chartered Internal Auditor status (CMIIA) will be awarded to those who have successfully completed the formal examinations for the Qualification in Internal Audit Leadership.

The CIA and QIAL will be introduced from 22 June 2015. Current Diploma and Advanced Diploma students will have a three year period in which to complete their studies but no new registrations for these qualifications will be possible after June. 

While Chartered Internal Auditor status will remain, the changes will mean that the current ‘fast-track’ pathway arrangement for ACCA members to do the IIA Diploma and Advanced Diploma will no longer be available.

More information is available here

Join our LinkedIn group!
Have you joined the official ACCA UK Internal Audit Network LinkedIn Group yet?

Official ACCA UK LinkedIn groups have been set up for each of ACCA UK’s sector specific networks including the Internal Audit Network. The Internal Audit Network group is only open to ACCA members in the UK. These groups: 

  • stimulate discussion and debate by providing a forum to share ideas and discuss issues amongst members working in internal audit and associated fields
  • highlight current issues of interest to members working in internal audit
  • encourage discussion of policy and consultation documents.

If you have not already done so, joining the group is easy!  

For members with an existing LinkedIn account, access the group here and click the ‘Join’ button on the top right hand corner of the page. An email will then be sent to your registered LinkedIn account email address asking for you to verify your membership details. Follow these instructions and once your membership has been validated you will be admitted to the group. 

If you do not currently have a LinkedIn profile, you can register for a free account here.

Auditing the four horsemen of the apocalypse
Join our acclaimed annual internal audit conference.

Join our acclaimed annual internal audit conference next month when the focus will be on auditing the four horsemen of the apocalypse. 

ACCA UK Annual Internal Audit Conference – Auditing the four horsemen of the apocalypse
Wednesday 13 May
£190 (discounts available)
Book now 

The four horsemen of the apocalypse have variously been interpreted as representing war, false prophets or sickness, famine and death. 

The four horsemen have their modern day equivalents in the battles within the European Union, those on its borders and in the Middle East; overstated profits at Tesco; the Ebola virus disease; austerity measures; and organisational death where entities do not recover - to give just a few examples. 

Is internal audit always shutting the barn door after the horsemen of the apocalypse have bolted? Are we so blinkered by our focus on historic failures of risk management that we fail to identify the elephant in the room that our current risk management has not learned the lessons we all blithely speak about? Do we always just fix the last problem rather than look ahead to potential problems? 

We seem to suffer from collective amnesia – failures happen over and over again and organisations always think that it will not happen to them. We cannot just tick the boxes and hope for the best; we must live up to our professional obligations to the organisations we represent and society as a whole. 

Regardless of which sector you work in, the globalisation of everything has made us more vulnerable. With so many people working overseas and travelling for work, could Ebola land on our shores? Bird flu has come back – will this affect our food chain? If the conflicts in the Middle East and Eastern Europe cannot be resolved, what does it mean for our energy security? 

Having shored up our banks, what will be the next crisis into which public money will be poured to prevent collapse – will it be the postal service which is already threatened by competition from external organisations not constrained by the obligations of Royal Mail? 

Internal audit has a vital role to play in assurance including in relation to the effectiveness of governance, strategic objective setting, risk management, execution of ‘business as usual’ activities and continuous learning and improvement. 

Our speakers will share their insights from being involved in major incidents at their organisations and will discuss practical responses to four types of catastrophic risks that delegates can take back with them. 

Key features
This conference aims to explore a world in turmoil and the issues of reputational management that accompany such turmoil. Internal audit has an important role to play in ensuring that an organisation is prepared to respond to these potential risks. Sessions will cover: 

1) The four horsemen of the apocalypse 
Andrew Garner – CEO, Andrew Garner Associates 

This session will address the issues presented by market changes, risk in its various forms, the current priorities and behaviours of Plc boards and senior commercial management, especially as they relate to the internal audit function. In doing so Andrew has chosen to frame his remarks around the ‘Four Horsemen of the Apocalypse’ as a metaphor which, instead of invoking mythology, will revolve around examples of issues that are framing the world in which we are all striving to be successful in making a living for ourselves and trying to create a safe environment for our children and generations to come.

2) Cyber security for internal auditors
Darren Brooks, MEng PhD CISSP – practice director, Wipro 

Internal auditors are often asked what is being done about cyber security by the board without either party understanding the subject. Our speaker will put a definition on what cyber security actually is and will explain how the cyber threat landscape has evolved in the past five years. The speaker will also talk about some of the recent cyber-attack trends and techniques. 

To have an intelligent conversation about how cyber security is being managed in an organisation, a key starting point is to ask how cyber risk should be managed and by whom. It is important to define sets of activities and capabilities that are required at all levels of the organisation. Our speaker will discuss how internal audit can assess the effectiveness of those activities and capabilities in managing cyber risk. 

In this world of cyber security, does your internal audit team have the knowledge and skills to play its part in the defence of shareholder value from cyber-attack and if not, what do you do about that? 

3) Crisis and continuity planning – thinking outside the box
Daniel Roberts – group head of risk, FCG 

So, we didn’t plan for this scenario, and now it’s all gone wrong? Risk management has failed and we are no longer in a ‘business as usual’ situation. So what happened, and why didn’t we see this coming? More importantly, how do we set ourselves up for success in advance of the crisis and how do we navigate through the three phases of crisis management, disaster recovery and business continuity? This session will look at how to recover from the unplanned, the unexpected and the unknown. 

4) Implementing risk management – practical lessons 
Rui Bastos – group head of audit & risk management at Reliance Industries 

Enterprise Risk Management (ERM) is one of the cornerstones of modern corporate governance. The implementation of ERM processes in major corporates has significantly increased but with different degrees of success and effectiveness. While there is extensive literature on ERM, many still view the topic as more of an art than a management science. The session focuses on the practical aspects of implementing and operating an ERM system in a corporate environment. The presentation discusses the key deployment and operational challenges and lessons learnt with a focus on: 

  • establishing the business case for ERM
  • building management support and ownership 
  • establishing and embedding sustainable ERM processes 
  • ensuring effective risk management discussions to drive value from risk management outcomes 
  • enabling ERM processes through systems such as SAP – risk management
  • aligning the corporate risk management ecosystem – risk management, internal control and assurance functions.

5) Practical auditing of project risk management
Richard Archer, B.A. M.Sc. App Dip MIRM – chief risk adviser, BT Business 

Risk management is crucial to project success, and audit can contribute massively by making sure that project managers are being effective with their risk management. With projects people are often working with the ‘new’: new ventures, in new teams, with new technology, in new markets etc, and cannot rely on past experiences to manage risks effectively. This session will consider the aspects of project risk management that project managers must get right, consider the pitfalls for auditors of project risk management and touch on advanced practice. 

Prices and how to book
At only £190, this full-day conference already represents tremendous value for money but book two or more delegates and pay only £170 per delegate. 

£170 is also a special rate for ACCA students. 

Book your place now

Frauditing for internal auditors – free CPD webinar

Register now for our next free CPD webinar on 16 June.

Join ACCA and a panel of experts for a free 60-minute webinar on 16 June as we explore the fraud landscape and what you should do if you come across fraud during an internal audit. 

We will hear from speakers from three different organisations: 

CIFAS (the UK’s fraud prevention service)
Sophie Keen is the business engagement manager at CIFAS which involves helping organisations from both the private and public sectors to see the benefits gained from data sharing to combat both customer and internal fraud. Before taking on this role, she was the manager of the Internal Fraud Database, focusing on insider threats and working with organisations across all sectors to help combat these. 

By examining the cases of internal fraud filed with CIFAS in the last year, Sophie will give an overview of what threats are on the increase and what steps can be taken to help counter these. 

NHS Protect (which leads on work to safeguard NHS staff and resources from crime)
Nicole McLaughlin is the area anti-fraud specialist for the South East of England and provides advice, guidance and direction in matters relating to counter fraud arrangements within NHS health bodies, particularly to local counter fraud specialists (LCFS) and directors of finance (DOF). Main elements of this work are: developing and promoting an anti-fraud culture, supporting deterrence work, prevention, detection, supporting LCFS in their conducting of investigations, promoting the application of a full range of sanctions and promoting the pursuit of redress. 

Nicole will be talking about how NHS Protect deals with fraud within the NHS. 

Grant Thornton (specialists in managing investigations and delivering practical fraud risk management solutions)
Tim Foster-Key is a director at Grant Thornton’s Business Risk Services practice. He has a wide variety of experience in both IT audit and risk based assignment. His client base covers large corporate through to public sector and not for profit organisations. His technology and accounting background gives him the ability to provide practical solutions, such as through the use of data analytics to identify trends or exceptions that help identify process and control weaknesses. 

Tim will discuss the issues, and the subsequent approach to following through audit delivery, when data analytics are used as part of your internal audit approach and data issues have been identified that may suggest weak processes/controls or potential fraud. 

A Q&A session at the end of the session will allow listeners to participate. 

Live on 16 June 2015 at 10am
Available on-demand from 17 June 

Register now  

There is no charge to attend the webinar. 

Webinar: questioning techniques
The latest Internal Audit Network webcast on ‘questioning techniques for internal auditors’ is available now.

As an internal auditor you deal in information. To get to the information which will allow you to help your internal client, you need to pose questions – and that’s where the trouble can start. 

In this world there are three common types of responses when posed a question:

  • the defensive: the ‘why are they asking me that?’ response
  • the unexpurgated: the ‘let me tell you all I know and you don’t need to know’ response
  • the answer: an answer to the question you ask.

None of them is perfect. The defensive response turns you into an interrogator, the enemy; the unexpurgated response means you are in danger of switching off before you get what you need to know, and the answer response answers only the question you asked which means the information is limited to your question. 

So what is the ‘right’ question to ask? It depends on your client. And that means you need to think through their mindset before posing your question and to be flexible in how you phrase it. You need a personal library of questions that will access the same information. The right question matched to the recipient is dynamite: it blasts open the information you need and creates a good working relationship. It can even turn around an interview that has started off badly. 

On 2 February 2015, Jane Allan of Jane Allan & Associates provided the keys to set up your question library and the tricks to sidestep the three answer styles and get your hands on what you need to know. 

Read a write up of the event or watch a webcast of the event now.


Internal audit hub – a new resource for ACCA members
ACCA’s new hub for members working in internal audit has many benefits.

The internal audit hub provides resources for those wishing to learn about internal audit, improve their technique or undertake CPD, and it can help with internal audit trainees. 

It contains a section called ‘learning about internal audit’ and its aim is to supplement the International Standards for the Professional Practice of Internal Auditing with articles and guides that are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. 

This resource – which is broken down further into sections for beginners, the management team, and the audit committee – can help you learn about internal audit or improve your technique, provide you with CPD, or assist in the training of a staff member on internal audit. 

The hub also has podcasts of events that our Internal Audit Network has held as well as further sections on ‘auditing specific risks’ and ‘auditing in different industries’. 

Access this new resource now


Useful reading
Benefit from new publications on risk reporting and measuring culture.

Risk reporting

This ACCA report examines how the quality and value of risk reporting can be improved. It reviews current practice in risk reporting, the barriers to better risk reporting, the wishes of users, and the concerns of preparers. 

There is a growing agreement among users, preparers and advisers that risk reporting needs to improve; better risk reporting is integral to better governance. The question of how best to balance what investors and other users want to see in a risk report with what organisations are willing to disclose, however, remains to be answered. 

In particular, organisations are reluctant to disclose anything that might threaten competitive advantage or to discuss potential risks in detail in case this alarms stakeholders (especially providers of finance). The result, too often, is a boilerplate, generic risk report that serves no one’s interest. Shareholders and stakeholders are entitled to better information. 

In 2014, ACCA conducted research to identify how the quality and value of risk reporting can be improved. Through a series of interviews with investors and regulators, as well as preparers of risk reports, the research examined current practice in risk reporting, the barriers to better risk reporting, the wishes of users, and the concerns of preparers. This report summarises the main messages that emerged.  

It is clear that, as a discipline, risk reporting is still evolving and that users and preparers are still negotiating what the former want to know and what the latter want to provide.  

Read the full report


How can you measure culture?

A new ACCA report provides business leaders with innovative guidance on the path to cultural assessment and change. Corporate scandals such as the recent Libor scandal have revealed how tougher regulation proved unsuccessful in preventing dysfunctional behaviour from spreading and thriving businesses from collapsing. 

Many now believe that poor corporate culture is at the heart of the issue and that drastic change is needed to restore public trust in business. However, culture is not derived from a mechanistic pattern that can simply be changed at will; a quantitative approach will at best capture the tip of a much bigger iceberg. This report provides another solution. 

Read the full report

Guide to audit process management

Our latest internal audit practitioner guide helps explain audit process management.

ACCA UK has produced a series of Internal Audit Practitioner Guides which can be found in the new internal audit hub. These guides are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. 

Our latest guide is on audit process management