Technical and Insight
Audit leadership
Rania Bejjani provides a chief auditor’s perspective on how to lead an internal audit function and what people should look for in an audit leader.

This is the second in a two-part series looking at internal audit leadership. The first article (published in November) was from the perspective of a recruitment consultant, while here Rania Bejjani - a head of internal audit - shares her view. 

I believe that a successful internal audit function is one that is sponsored by the ExCo and audit committee, delivers fit-for-purpose value-added business solutions and is perceived as a trusted adviser and partner to the business. 

Bringing that to life requires the chief auditor to build a robust technical foundation, a risk-based plan and methodology and a strong team that delivers quality work. However, what really makes the significant difference and enables the leap into that upper quartile is the chief auditor's ability to create a function that:

  • demonstrates an in-depth understanding of the business and alignment of the audit focus to what matters
  • influences and communicates effectively across the full spectrum of stakeholders and particularly upwards
  • responds to change swiftly and strategically.

This is where the skills of the audit leader come into play. In our current era of fast change, global businesses and increased complexity, technical competence alone is no longer sufficient. Technical competence, objectivity, independence and ethics are naturally important and necessary. However, it is the chief auditor's leadership, emotional intelligence and relationship skills that set them apart from the crowd. Audit is all about people – people in the team and people with whom the team interacts. Relational skills are paramount today. 

The chief auditor must be able to set a vision for the team, deliver results and adapt fast to change. Auditors can no longer afford to think of themselves as a back-office function; instead, they are service providers at the heart of their organisations. It is up to the chief auditor to lead their team as a value-generating service business and articulate that value to all stakeholders highlighting the benefits their service brings to them.  

In addition, the leader’s approach to attracting, retaining, nurturing and growing talent in the team is crucial. The chief auditor's ability to align the team to the vision they have set, to equip them with the relevant technical and interpersonal skills to deliver that vision and to motivate and inspire them is now critical. Just as a maestro brings the best out of every musician in their orchestra to collectively produce great music, the chief auditor orchestrates their team towards excellence. The more skilled, harmonious and highly performing individual team members become, the more influential and empowered the function becomes and the more positive change they can effect in their organisation.

The heart of partnerships
The chief auditor would not only look to win the hearts and minds of their team: very importantly they reach out to the business at large. They achieve this valuable connection through skilful dialogue, empathy and customer-intimacy. Getting to know the internal customer, listening to them, understanding their challenges, flexing the style and delivery to reflect their commercial reality and working together towards win-win solutions are at the heart of partnership. Most importantly, emotional intelligence, effective communication and behavioural flexibility are the core platform to build relationships and influence and are now the key differentiating skills of a successful chief auditor.

Managing conflict
Those relationships are not always smooth sailing though. Conflicts, misunderstandings and differences of opinion do arise occasionally and they put those relationships to the test. In the face of such adversity, the empathy the chief auditor shows towards others, their awareness, flexibility, discernment and pragmatism define the outcome. It takes a skilful and emotionally intelligent chief auditor to evaluate the situation critically, read people's motivations, assess the bigger picture and understand the political dynamics then communicate accordingly to manage and resolve conflicts effectively.  

The extent to which the chief auditor does that successfully impacts on the credibility and respect they – and as a result the function – earn in the organisation. At times, the chief auditor may come under pressure to paint an unjustifiably better picture of reality. In such times, the chief auditor needs to call on the highest standards of ethics, objectivity and independence and have the courage to assertively stand firm as necessary. Businesses are also constantly changing and evolving. New products or services are launched, new technologies arise, new markets are entered and new structures and channels are formed.

The chief auditor's competence is revealed in their ability to keep up with innovations and evolve the function to respond to those changes. The agility, swiftness and business acumen with which they identify emerging risks, shift focus and resources, and retrain the team to accompany the organisation on their change journey are critical success factors. Cultural awareness in our ever expanding global market, sensitivity to local differences and the ability to speak the business's language are also key strengths for becoming that trusted adviser. 

What boards are looking for
This wealth of technical and interpersonal skills is what boards are looking for in a chief auditor. The board also looks for the leader to tell them the risks and challenges found, the linkage and impact of these on key strategic and commercial initiatives and what priority actions are needed. The competence of a chief auditor in conveying those concisely but clearly in a balanced concerted message to the ExCo and audit committee is also highly valued and sought. 

In summary, a paradigm shift is occurring. In today's world being an accomplished accountant is no longer enough to successfully lead an internal audit function. The role today requires the chief auditor to be a strategist, an inspirational leader, a keen negotiator, an outstanding communicator and an astute relationship builder. 

Rania Bejjani – global director internal audit – interim, FirstGroup plc

Board assurance frameworks – don’t just stand in line
A good BAF can benefit both a client and the internal audit function.

The concept of Board Assurance Frameworks (BAFs) isn’t exactly new, but at the same time they are not exactly a routine established part of many organisations' governance arrangements. The process of establishing a BAF itself instigates many beneficial conversations internally and introduces or reinforces an improved appreciation of risk, control, appetite and monitoring. 

Probably the most common BAF model is based upon three lines of defence; while variants exist the fundamentals boil down to the same common themes with additional lines typically referring to the ‘tone at the top’ and elements of an organisation’s governance arrangements. 

The first line of defence is the internal control environment, recognising the policies, procedures and processes put in place by management; the second is management’s own monitoring and risk assurance processes, including those escalated up through the governance framework; and the third is independent assurance, providing a position statement for internal audit within organisations.

Why should we embrace BAF?
As internal auditors why should we embrace the BAF concept? If the organisation’s BAF is suitably robust this can be used as a good basis to effectively direct our activity, ensuring we remain agile and responsive to organisational needs. It also reinforces the need for our work to be reported in an effective and timely manner to make a positive contribution to the organisation’s risk agenda and governance statements. 

In the face of constrained audit resources it can help to ensure that those at our disposal are deployed and used effectively to maximise the benefit of our clients’ investment, whether in-house or out-sourced, focusing audit attention to ensure we add the value expected of us and fulfil our ‘consulting’ role as recognised by the IIA International Professional Practice Framework (IPPF) and provide a suitable breadth of assurance to our clients as required by Standards 2110 Governance, 2120 Risk Management and 2130 Control.

The BAF is a useful starting point in assisting the head of internal audit in fulfilling their responsibility to identify, review and consider the wider assurances received by the organisation and use these to inform their annual opinion: helping address Standard 2050 Coordination. 

I query how well sources of assurance are understood by organisations; the BAF provides a starting point to assess this. Audit committees rightly look to internal audit as a core source of assurance; however, we must also recognise and promote other assurance sources. In my experience unless the term ‘auditor’ is used then the outcome of other work may not always find its way to positively informing and assisting the audit committee in fulfilling its responsibilities. Maybe this is an unintended consequence of its given identity prompted by legislation, regulation and standards; maybe a wider identity such as Risk and Assurance Committee throws the doors more widely open. 

Simply illustrated, the risk of data loss through deliberate targeted attacks is nowadays high up the risk agenda of many organisations in the digital age, and rightly so; it is not a sector-specific risk, with well-publicised events including online dating, telecoms, social housing, councils, airlines, retailers and financial services. While management may be commissioning penetration testing, the results, even at the highest level, aren’t necessarily communicated, and does the audit committee know to ask about them?

Third line of defence
Internal audit must play a crucial and effective role in the third line of defence; however, we should also recognise that we are not the only provider of independent assurance. Some commentators rightly challenge the resources and experience of an internal audit function to deliver the assurance needs of an organisation, prompting the need for a pool of specialisms and skills. I don’t believe we should aim, claim or strive to be a one-size-fits-all solution; if we do we will almost certainly at some point be criticised for our cost, especially in times of austerity. Rather we should work with our clients to ensure the key risks that justify independent review are suitably understood and the best assurance provider and solution identified to achieve this.

In order to place reliance on the BAF in directing the efforts of internal audit we need to first assure ourselves that robust arrangements are in place; if not then this is ideal territory for internal audit to fulfil its consulting role and assist in the development of effective arrangements. 

Second line of defence
A crucial element of the second line of defence is an organisation’s performance monitoring arrangements feeding management and governance processes. As an internal auditor it never fails to surprise me how disjointed performance reporting can be from the strategic objectives of the organisation and the key risks it is facing. Often this appears to have developed over the passage of time with management information or the corporate dashboard either being poorly defined or failing to keep pace with change, particularly in a world where both the internal and external environment change faster than ever. 

Performance reporting processes have been reported as being flawed by a 2015 ACCA/KPMG report entitled An eye on the facts; performance indicators, data capture processes, data management and performance reporting systems are fundamental elements of the second line and, based on personal experience, are areas where internal audit can provide significant value. 

Importantly, where positive assurance isn’t possible this should be an area where strong internal auditors' skills firmly lend themselves to consulting and helping their clients improve in a fundamental area of their business. Input from internal audit should provide confidence in both financial and non-financial data to assist in tackling issues highlighted by the ACCA/KPMG report such as almost 40% of decisions being grounded not on information-based insight but ‘gut instinct’.

From a selfish perspective the internal auditor should also have a personal interest in the quality of reported data; it should provide useful intelligence in respect of directing audit attention. 

The 2015 analysis of audit committee reporting published by accountancy firm BDO entitled A Gathering Storm highlighted deficiencies in the effectiveness of internal audit reporting. As internal auditors we can use the underlying basis of the BAF model to direct our efforts, focus assurance on key risks and business critical controls and effectively talk the same language as our clients, ensuring a clear ‘on target’ message regarding residual risk exposure and affording both senior management and importantly other key stakeholder groups such as audit committee a clear basis upon which to assess the acceptability or otherwise of residual risk exposure within the context of the organisation’s appetite - particularly important in respect of Standard 2060 and 2600 Communicating the Acceptance of Risks. 

A key tool
The BAF is a key tool for the audit committee in fulfilling its responsibility to ensure that the organisation is effectively managing its inherent risks within risk appetite: not simply those of a financial nature but across an organisation’s operational activity, most of which will ultimately have a financial consequence but which may originate from operating in its chosen product line, service line or market. 

We are regularly asked by our clients to ‘add value’ which if we perform our role with the engagement, freedom, professionalism and enthusiasm it deserves we should achieve either through the assurance we are providing to our clients, enabling them to sleep well at night, or through the improvements we identify to their internal control, governance and risk management frameworks, which if implemented help our clients reduce their residual risk exposure through informing the first and second lines; but we need to ensure this is visible and understood by our clients.

I firmly believe a good BAF benefits our clients but also importantly allows internal audit to position itself correctly within the organisation, embed ourselves through talking the same language as our clients, focus attention and effectively work together towards the delivery of strategic goals within risk appetite. 

Is an effective BAF in place? Questions to consider

As internal auditors this is one of the, if not the, most important questions we should be asking ourselves and challenging our clients about. Through considering this we can answer some underlying fundamentals:

a) Does our client understand its risks and have suitable risk reduction plans in place?
b) Does it communicate effectively with the Board and therefore focus attention on the right areas?
c) Is there a good understanding by all parties of the existing sources of assurance?
d) Are any gaps in assurance well understood?
e) Is this resulting in well-informed, clear, annual governance statements? 

Lee Glover FCCA

Risk appetite and risk tolerance
The Institute of Risk Management highlights some practical considerations around introducing a risk appetite statement.

Identifying the risk appetite of an organisation can be difficult. Writing a risk appetite statement can be even more difficult. And ensuring that the risk appetite statement serves a useful purpose is the most difficult thing of all. This article explores some of the practical considerations and discusses a recently published example.

Requirement to produce a risk appetite statement
There has been a great deal of discussion in the business community about how to define ‘risk appetite’, including how to develop a risk appetite statement. For many organisations, this has become an urgent issue because they are listed companies required to comply with guidance issued under the UK Corporate Governance Code.

The Financial Reporting Council (FRC) issued risk guidance in September 2014 requiring listed companies to report on their principal risks and risk appetite. The requirements include the need to undertake a robust assessment of risks to the business model and strategy, as well as clear identification of the risks the organisation is willing to take (its risk appetite).

These reporting requirements came fully into force for UK listed companies with a year end after 30 September 2015. Therefore, the first examples of annual report and accounts that take account of the new FRC requirements are now being published.

Statements for financial institutions
For financial institutions, identifying risk appetite in relation to credit risk is fairly straightforward. It is relatively simple to decide the basis on which a bank will lend money and the nature of a client that represents a good credit risk. Banks will normally seek a portfolio of clients with different credit ratings, so that they can charge different interest rates based on the level of credit risk each client represents.

A good example of a company that provides a detailed insight into its risk appetite is Nationwide Building Society. Its Report and Accounts 2014 uses the phrase ‘risk appetite’ a total of 50 times. Nationwide defines risk appetite as ‘the level and type of risk that the group is willing to assume in pursuit of the strategic goals’.

Recent example of a risk appetite statement
Network Rail has recently published its risk appetite statement and this is summarised below this article. Although it is not a quantitative statement, it provides a good example of how risk appetite statements are being structured. 

The Institute of Risk Management uses the FIRM risk scorecard to classify strategic risks. Risks can be considered to be financial, infrastructure, reputational and/or marketplace. The Network Rail risk appetite statement follows a similar structure to the FIRM risk scorecard.

When developing a risk appetite statement, the structure of the statement should be aligned with the organisation's own risk classification system. This is essential, because organisations will have different appetites for different types of risk. Almost all organisations will tend to have a low risk appetite for financial risks, such as fraud or the incorrect allocation of capital. Also, almost all organisations will have very low risk appetite for circumstances that can damage the reputation of the organisation. Indeed, Network Rail does identify itself as having a very low appetite for reputational risks.

Infrastructure risks include people, premises and processes. Generally speaking, organisations will have a very low risk appetite for safety risks that can cause injury or ill-health to people. However, the same organisations may have a higher risk appetite in relation to other components of their infrastructure. Some organisations are willing to take considerable risks with their processes and information systems. There may be a desire to outsource many activities within an extensive range of suppliers and contractors. For example, the willingness to accept low to moderate risks in relation to information systems is clearly stated by Network Rail.

Appetite for marketplace risks
It is, perhaps, in relation to marketplace risks that the greatest variation in risk appetite can be found between different organisations. Organisations involved in developing innovative products, especially in relation to electronic equipment, as well as companies involved in the development and testing of pharmaceuticals, are almost invariably going to have a high risk appetite for product development. When the organisation has a high risk appetite for product development, the risk management protocols will need to be extremely robust. 

Organisations are required to identify their principal risks and clearly state the risks that they are willing to take, so there is an explicit obligation to clearly identify and manage risks. It is generally accepted that the UK Financial Reporting Council is establishing world leading best practice guidance on risk reporting. In addition to assisting management within an organisation when making decisions, the risk appetite statement will also help shareholders and other stakeholders form an opinion of how seriously the organisation takes its risk management responsibilities. 

Paul Hopkin is technical director at the Institute of Risk Management and has previously been head of risk management at The Rank Group and the BBC.

Case study: Network Rail
In the Annual Report and Accounts 2015, Network Rail defines its risk appetite statement as follows: 

‘Network Rail has no appetite for safety risk exposure that could result in injury or loss of life to public, passengers and workforce. Safety drives all major decisions in the organisation. All safety targets are met and improved year on year. In the pursuit of its objectives, Network Rail is willing to accept, in some circumstances, risks that may result in some financial loss or exposure including a small chance of breach of the loan limit. It will not pursue additional income generating or cost saving initiatives unless returns are probable.

The company will only tolerate low to moderate gross exposure to delivery of operational performance targets including network reliability and capacity and asset condition, disaster recovery and succession planning, breakdown in information systems or information integrity. The company wants to be seen as best in class and respected across industry. It will not accept any negative impact on reputation with any of its key stakeholders, and will only tolerate minimum exposure ie, minor negative media coverage, no impact on employees, and no political impacts.’

Creating the internal audit centre of excellence
The Government Internal Audit Agency (GIAA) is one year old. What did it take to create this single, integrated internal audit service?

On 1 April the Government Internal Audit Agency (GIAA) celebrated its first year of operation. In this article we look at the process, aims and objectives of an organisational change which brought about the establishment of this single, integrated internal audit service. 

In 2012 the Civil Service Reform plan was published by the then coalition government, focusing on up-skilling and improving the civil service. It included an aspiration to create shared services across departments, a move that gained momentum when the National Audit Office published a report examining the effectiveness of internal audit in central government, covering both main departments and their associated arm’s length bodies. 

The report’s conclusion – that the government was not getting value for money from the service, in part due to quality variations – proved to be another major catalyst for change.

At the end of 2013, the die was finally cast by a Treasury policy document – Review of financial management in government – which proposed consolidating internal audit services over the medium term and providing a single, integrated internal audit service as an independent agency to the Treasury.

Migration of services
The new Government Internal Audit Agency (GIAA) was duly launched, using an existing cross-departmental shared service, initially focused on migrating services across from eight departments, including BIS, DCLG and the Cabinet Office. Others were picked up as the year went on with the latest to join on 1 April 2016 being the Home Office and the Department for Work and Pensions. 

‘This move doubles our size and means that, in terms of department and staff numbers, we have reached the halfway point. So there is still a long way to go’, said Ian Coates – chief operating officer, Government Internal Audit Agency, who spoke recently at an ACCA event. 

Although the government hasn’t opted for a ‘big stick’ approach to driving the organisational change and no date has been set by which all departments have to migrate over to GIAA, never to do so is not a tenable position. However, it is up to the agency to persuade the departmental accounting officers that the time is right to join by selling its benefits. 

‘We have spent a lot of time with accounting officers in different departments convincing them that joining us is the right thing to do,’ Ian said. ‘The power of the agency only happens when we get the majority of staff and services in with us. We knew that until we had that we didn’t have the economy of scale or weight of numbers to be able to implement necessary changes, investing in IT and making GIAA a more worthwhile place to work. 

‘The addition of the Home Office and the Department for Work and Pensions gives us the solid ground on which to move forward and we have a commitment from MOJ and Defra to join us over the next 12 months,’ said Ian.

Reversing perceptions
The agency’s vision for ‘a flexible and responsive internal audit service which has a reputation among top management of making a real difference, provides excellent value for money and is regarded as a great place to work,’ is important as, according to Ian, it reverses common perceptions of internal audit. ‘As a profession we tend to be seen as staid and staying in our silos, rather than flexible,’ he said. ‘Neither have we always enjoyed a reputation among top management for making a real difference.’

GIAA seeks to change these perceptions but recognises that it faces many diverse challenges, including tackling and bringing together different individual working practices, local methodologies, cultures and working terms and conditions. 

‘There is a huge amount of disparity out there,’ Ian admitted. ‘Another major challenge is one of geography. Government is spread across the country, not all the headquarters are in London and there are currently 80 locations where staff are physically based. The question is: “How do we rationalise that footprint — not in terms of moving out of cities but in getting the power of all auditors sitting and working together and sharing ideas?”.’ 

So how did the agency get off the ground? Early steps included setting up projects around the design and mechanics of the organisation — getting a common payroll, deciding on the IT platform and specialist software, creating job descriptions and role profiles, creating branding, and addressing culture to name but a few. Each project was led by the chief internal auditors of the departments that had committed to join the agency. 

‘This was part of the carrot dangled in front of them,’ Ian said. ‘A commitment to joining the agency meant they could help design it. It was important that people felt part of the change and not that it had been imposed on them. Most have their own ways of doing things and probably from their perspective they work well. Having an agency come in and say they are throwing everything out of the window is hardly the way to win hearts and minds.’ 

‘It makes sense to have people inside who can harness the best parts of what already exists and help shape the future and that has been a huge part of the change programme. I won’t pretend it has all been straightforward. There have been differences of opinion along the way but we are getting to a place where there is a single way of doing things for the common good.’ 

Finishing touches
One of GIAA’s key priorities for the coming six months is to get the organisational design finalised and implemented. The senior management team is in place and includes two operational directors, each responsible for clusters of staff and a portfolio of customers. Area directors will pick up the challenges of the different geographical areas, picking up pastoral care and ensuring that everyone feels part of the agency. 

Job descriptions are being finalised and plans made for new investment in learning and development, supported by the funding now available through pooled budgets. The agency is keen to introduce a training scheme to attract new talent, whether that is graduates or more experienced people, and by doing so to start to invest in the next generation of auditors. On-the-job mentoring across the agency will be important as part of a strategy to put GIAA on the ‘milk round’ map. Secondments – both in and out – will also be actively promoted.

Delivering the agency’s work in a cost-effective manner is important, but cost savings are not the driver for establishing the agency, despite the current period of austerity. ‘The agency has not been created as a cost-saving vehicle,’ Ian insisted. ‘However, that’s not to say that it won’t achieve efficiencies, and we will respond to departments looking to us to reduce the cost of their service as part of their Spending Review settlement. On average, we expect to deliver 15% of efficiency saving across the first three years.’ 

Key objective
The agency’s key objective, however, is to deliver on its promise of making a real difference to top management by providing a service which is more flexible and responsive to their needs. 

On-going priorities include making use of the collective purchasing power of government internal audit; strengthening customer support around sharing best practice and access to specialist skills; and developing the framework for providing assurance around cross-government and inter-organisational risks. 

Ultimately, the aim is to expand GIAA to become the single internal audit provider to government.

Jill Wyatt - freelance journalist

CPD article: Higher education and the comprehensive spending review
How will the comprehensive spending review impact on internal audit in the higher education sector?

Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.

The higher education sector continues to be challenged by changes in the funding regime. Last November’s comprehensive spending review (CSR) exercise will result in further reductions in funding in a number of key areas and the way the money is shared out will be subject to change. Institutions will need to react to ensure that they are at the front of the queue to get their hands on the cash. Some have already done so, but further work is needed.

So where does this leave internal audit? Can it play a part in helping institutions to succeed (and maybe even survive) in the ever changing environment in which they operate? Does internal audit need to adapt to address these challenges? The answer must be ‘yes’.

There is a need to adopt a ‘zero based’ approach to audit planning, based on a thorough understanding of the corporate strategy and the more significant risks facing achievement of corporate objectives. Audit plans should focus on what really matters to the institution and avoid the tendency to recycle old, low risk audits.

Take payroll for example, always an auditor favourite, but rarely a high risk. So why do auditors insist that this has to be audited regularly, and even annually? It makes far more sense to focus internal audit efforts on areas where most assurance value can be delivered. A more strategically focused audit plan might therefore include audits such as those set out below.

Achieving more for less
Value for money (VFM) has been part of the narrative between institutions and HEFCE, the sector funder and regulator. As VFM becomes ever more a strategic imperative for institutions, internal auditors need to innovate and move more into an advisory capacity, working alongside institutions as they develop robust VFM and performance improvement strategies. The ability to compare and contrast alternative approaches across a cohort of institutions enhances the value from audit. 

Reorganisation and restructuring
Institutions are changing their shape and what and how they deliver to students. Whether this is through merger, internal departmental combinations, or cutting or replacing courses, these changes can have a significant disruptive effect on operations, and can increase risk. Auditors need to be actively engaged during the lifetime of these projects, rather than at the end (or even avoiding the change altogether), to ensure they are well managed and that risk mitigation strategies are in place. Further, they need to challenge whether the organisational change is delivering the benefits expected.

Marketing and business development
In an increasingly competitive market, institutions will look to maintain and increase student numbers and revenues from other sources of income. Audit needs to be equipped to review marketing strategies and processes to ensure they are aligned with the requirements of the institution and they are effective in growing the top line. This may mean specialist training is provided for audit staff to enhance their capability in this area.

Institutions have for a long time been engaged in the international arena, seeking to grow student numbers, and fee income, from overseas, as well as forming partnerships with local universities and colleges. That strategy continues, although many now have to develop new target markets because of the effects of government policy, for example increased immigration controls, on recruitment.  Investing in new markets can be a high risk strategy and some institutions lack the governance and management control experience in these areas. Surely an area for internal audit to focus on? 

The above is by no means an exhaustive list and there are many other areas worthy of consideration by auditors. The starting point is, of course, the institutional risk register. This must drive audit planning, to ensure audit effort is appropriately targeted on key areas of risk. This should be supplemented by active and regular engagement with senior executives to sense check what is in the risk register, and to identify changes to the risk profile, and emerging risks. 

Overall, changing auditor focus is necessary to ensure the service remains highly relevant. Maintaining the status quo isn’t an option. 

Alan Lees BA FCA – managing director, KCG  

About the author
Alan is managing director of Kingston City Group (KCG), a higher education consortium, providing internal audit and risk advisory services to 15 universities and HE colleges in London and the South East. Prior to joining KCG in May 2015 Alan had a successful career in the accounting profession, most notably at Robson Rhodes where he set up Risk Assurance Services and then, following merger, with Grant Thornton where he led internal audit and risk management services for the central government and not for profit sectors. 

He has worked with some of the most complex organisations in these sectors including HM Treasury, the Department of Health and the Oxbridge universities. He also has significant experience of working with industry regulators, including the GMC and HEFCE.

Is internal audit communicating?
Communication is key for ACCA’s own internal audit team as it seeks to build organisational-wide engagement. 

Internal audit within ACCA in recent years has expanded the number of channels by which we communicate and the frequency of communication within these channels in an attempt to build organisational-wide engagement with internal controls and internal audit and ultimately to deliver improved outcomes for ACCA.  We are now delivering our messages within ACCA more and more outside of the traditional reporting methods. 

The initial driver for changing the way we communicate with the organisation was the adoption by ACCA of a social media style intranet. Auditors being auditors, we did initially see the potential for the compliance environment to be weakened through a more casual style of communication; we worried that policies could become less co-ordinated and prevalent and less important in the new ubiquitous and more informal style of communication.

However, it was important that we engaged with the new intranet early on during the development phase to ensure involvement in the development of the policy and compliance sections of the intranet and to ensure we were optimising how our own messages could be delivered. 

Regular communications
Following the roll-out of the new intranet we now have a well-established regular programme of communications. In addition to establishing a programme of communications through the intranet, all members of the team regularly attend key management meetings and forums across the organisation, including departmental meetings, to discuss upcoming audits and internal control themes identified within recent audits. We are also currently in the process of establishing delivery of internal control messages and training through the central learning and development programme for staff and managers.

For 2016-17 we have kicked off the year by communicating a fairly straightforward item in the form of the internal audit plan for the year ahead; we promoted the plan page so that it trended on the intranet in order to attract further attention for the plan.  

More engaging
In addition, for the start of the financial year we also wanted to deliver a communication with a less functional style, which will hopefully be more engaging for staff. This communication will deliver a message aligned with the end of year report to the audit committee. By communicating to the organisation the percentage of positive and negative assurance ratings along with themes and trends for controls improvement, we are hoping that management at ACCA will accept the challenge to improve on the 2015-16 audit outcomes. Our plan of communications for 2016-17 is aligned with key organisational, governance and internal audit events in order to make the communications as topical and engaging as possible.

Our plan for 2016-17 includes days specifically to promote and undertake workshops on internal controls to facilitate the self-assessment and improved documentation of internal controls across ACCA.     

Our establishment of annual communications plans allows us to deliver regular communications in a manner which is not overly resource intensive for us. The aim of the plan is to build interest in internal controls and internal audit, while signposting avenues of engagement available to the organisation outside the audit process.

We want management to see the value of investing time and resource in their internal controls by reiterating their important part in the delivery of the overall ACCA strategy. Ultimately our aim is for internal controls and risk management to become part of the language of how things get done and become an important part of ACCA’s working culture.

Corporate culture
When considering delivery of effective communications we feel it is important that internal audit influences the departments that set ACCA’s corporate culture and this forms an important part of our communication plan. Our plan therefore includes activities to work closely with the departments that most influence ACCA strategy and culture such as our strategy development, human resources, talent and organisational capability and investment teams that collectively drive the strategy, delivery plans, policy and learning environment of ACCA.  

In considering how we can add value to ACCA outside of audits we do not make the following assumptions:  

  • staff are aware of what an internal control is, the importance of internal controls and how internal controls should be formalised
  • staff know on what basis we score our audits and how they can achieve a positive assurance rating
  • staff know what audits are taking place during the year and on what basis we have selected our audits
  • staff are aware that ACCA has an assurance map and that they have a part to play in ensuring that the assurance map is effective
  • other assurance providers are aware of audit outcomes, for example, we do not want risk to reduce risk scores based on controls that are not effective    
  • ACCA at large knows uniformly how internal audit is delivering value; this could be departmental outcomes and audit opinions. 

By explicitly dedicating internal audit resource to these activities outside of auditing we feel that there are benefits not only to the organisation, but also to the internal audit department itself as internal auditors further develop their skill-set, obtain further insights into the organisation, build relationships and further their career.     

Jamie Burrows FCCA – internal auditor, ACCA

Bridging the gap between human rights and business
How auditors are key to helping companies implement the UK’s Modern Slavery Act 2015. 

You may be forgiven for thinking that the new UK Modern Slavery Act 2015 (MSA), introduced in October 2015, is a domain solely for lawyers to advise upon. Of course legal advice is important, in particular with regard to the wording of existing and new contracts. However, for companies to fully demonstrate compliance with the MSA, a change in corporate behaviour will be required.

As an audit partner of 17 years, and having worked in the field of business and human rights for the last three years, our training and understanding of business puts us in an ideal position to bridge the gap between human rights and business. Our inquiring nature, a healthy dose of professional scepticism and our independence and integrity are the perfect competencies required to advise companies.

Following the introduction of the Bribery Act in 2010, professional firms of accountants started advising companies on the implementation of anti-bribery programmes. They have also been providing internal audit services to management as to the effectiveness of those programmes. In some countries in the EU, this assurance is even provided externally to demonstrate to companies’ stakeholders that this issue is taken seriously by the company and its board.

In the UK, the MSA was partly based on the Bribery Act, and much of the way companies have implemented the Bribery Act also applies to the MSA.

However, there is one issue, initiated in the Bribery Act, that has gone deeper in the MSA. The Bribery Act applies to all UK companies and subsidiaries whether incorporated in the UK or internationally. These companies don’t have a responsibility to take steps to ensure their suppliers are free of bribery (unless specifically involved in the provision of that product or service for the UK related company). However, under the MSA, these companies do have a responsibility to take steps to ensure slavery and human trafficking does not exist in their supply chain, no matter what the tier of the supplier or lack of contractual relationship with the UK related company.

This is the biggest complication for companies; it is asking them to take responsibility for the behaviours of companies outside of their legal control, and in particular ones with whom they may not even have a contractual relationship.

The facts about the Modern Slavery Act 2015
The Modern Slavery Act applies to all UK legally incorporated entities with total turnover of more than £36m. Where there is a UK parent of a group with overseas subsidiaries, the turnover threshold applies to the whole group. For example, a UK company that has £1m of turnover arising from UK business but has overseas subsidiaries with £35m of turnover will still need to comply. 

The principal obligation for companies lies in Section 54 of the Act. This requires companies to prepare a slavery and human trafficking statement for each financial year. This is now also being referred to as the Transparency in Supply Chains Statement. 

This statement must be prepared for each financial year and is either: 

  1. a statement of the steps the organisation has taken during the financial year to ensure that slavery and human trafficking is not taking place:
    1. in any of its supply chains, and
    2. in any part of its own business; or
  2. a statement that the organisation has taken no such steps.

The Act suggests that this statement may include information about: 

  1. the organisation’s structure, its business and its supply chains
  2. its policies in relation to slavery and human trafficking
  3. its due diligence processes in relation to slavery and human trafficking in its business and supply chains
  4. the parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk
  5. its effectiveness in ensuring that slavery and human trafficking is not taking place in its business or supply chains, measured against such performance indicators as it considers appropriate
  6. the training about slavery and human trafficking available to its staff.

The main reason that companies are trying to work out how best to comply is because this statement must be signed by a director, approved by the board and published in a ‘prominent’ place on the company’s website. 

If it wasn’t for this requirement, it is unlikely that the Act would be attracting so much attention. 

Although the MSA states that the duty to make this statement can be enforced by civil injunction, it would seem that the main driver for companies is that of reputational risk. The potential for adverse PR is likely to result in companies properly addressing the spirit of the law and not just the letter. 

There will also be pressure from the larger UK companies who will have to be seen to be enquiring about the steps their suppliers are taking to ensure that there is no slavery or human trafficking in their business or in their supply chains. While the MSA applies to those companies meeting the turnover threshold, the reality is that companies under the threshold will need to update their policies and processes if they want to work in supply chains of companies over the threshold.

The solution
The solution is likely to require two sets of advisers: first, lawyers to advise on the wording of clauses in supplier contracts and, second, professional services firms to advise on the design, implementation and monitoring of processes within both the company and its supply chain.

To help with the latter, the government issued guidance to help companies in their implementation of the MSA. The guidance recommends the use of the United Nations Guiding Principles Reporting Framework to meet their responsibilities. This guidance was co-developed by the large professional services firm Mazars, and the core team that drafted the United Nations Guiding Principles on Business and Human Rights.

For companies, the key will be to demonstrate authenticity in their statements.  They shouldn’t over-claim, but they should set out the pragmatic steps they are taking, or will take, to do their best to ensure there is no slavery or human trafficking. Typical steps may include: 

  • the senior management team participating in a training workshop
  • understanding where current and potential impacts may lie
  • mapping supply chains and focusing on those high-risk areas
  • designing and implementing policies and procedures
  • training the workforce and suppliers
  • monitoring the effectiveness of procedures.

While the MSA has good intentions for improving corporate behaviours, the lack of realistic direct sanction may prove its shortcoming.  In the meantime, there is great potential for negative reputational impacts if companies are called to account by journalists and NGOs.  The positives of compliance are also worth playing for: a greater understanding of behaviours within supply chains should lead to improved supply chain performance (both financially and reputationally); enhanced brand differentiation through improved ethical performance and a superior culture demonstrated by respect for the individual. 

Richard Karmel – partner, Mazars LLP

About the author
Richard is responsible for Mazars’ award-winning business and human rights reporting line in the UK. Along with his team, Richard has devised an approach to help protect the reputation of organisations while ensuring they align their activities with the United Nations Guiding Principles. Currently, Richard is a key member of the project team for the Reporting and Assurance Framework Initiative which has designed a government and United Nations recommended reporting framework that is a guide for companies on what good reporting of their human rights performance looks like. The team is also in the process of designing a related Assurance Guidance to act as a guide for both internal and external assurance providers. In 2014, this Initiative was officially supported by the United Nations Working Group on Business and Human Rights. His more recent work includes advising companies on how best to address the UK’s Modern Slavery Act. 

Richard qualified as a Chartered Accountant in 1992 with a large firm of accountants. Richard is seen as an expert in the field of Business and Human Rights and is regularly asked to speak publicly on the subject at universities and think tanks. In November 2015, at the United Nations Forum in Geneva, he moderated a panel with experts from business, government and standard setters.

Acting on your feedback
We recognise the effort you've put into becoming an ACCA member or fellow (ACCA/FCCA). We are on this journey with you and we too are committed…  

  • to improving your career prospects by giving you the tools you need to be where you aspire to be
  • to being a lifelong career partner you can rely on
  • to building and maintaining a forward thinking, globally recognised and respected brand that you can be proud of.

We have explained how we will achieve this in a new interactive section on our website. Do take a few minutes to have a look – you’ll find details of new tools to help you as an individual and to promote your own firm to prospective clients. 

Don’t forget to read Ambition, a new magazine which looks at career trends in 2016. 

Get a job, post a job
We are excited to announce the re-launch of our newly designed ACCA Careers website! We have listened to the feedback from our students, affiliates and members and are constantly working to improve your online experience. The new ACCA Careers website has enhanced features and benefits, giving you access to the largest and fastest-growing global job board for aspiring and experienced ACCA finance professionals. 

Boost your career by creating your unique account. Once you have access, complete your account profile and upload your CV – this will make your profile more searchable for recruiters and employers, as well as supporting your career aspirations. 

Your success is our mission. Whether an ACCA member, affiliate or student, we’re by your side throughout your career. We’ll make sure you’re connected to the resources, education and employment networks you need so that you remain in demand. 

Get the most out of ACCA Careers and create your account today.

Assurance through the looking glass
ACCA UK’s popular annual internal audit conference returns in May. Book now for an early bird discount.

Date: Thursday 19 May
Location: Ambra Hotel, Marble Arch, London
Cost: £199

Discounts: Book on or before 19 April 2016 and save £29 by paying £170 per delegate

Book online now

Some internal auditors do not believe that integrated assurance exists or can work. There is no evidence of it having worked effectively in practice although many internal auditors talk about it.

This conference will approach integrated assurance on the basis of the pros and cons – the benefits and the challenges. Is integrated assurance a good thing or not – is it a pipe dream or is it the way forward? Does it lead to over-auditing and is there too much assurance going on? Can we even agree on a definition of what integrated assurance is? With differing views on what assurance is, how can you move forward with integrated assurance?

This day-long conference will consist of five sessions:

The trials and tribulations of integrating assurance in real organisations
Roy Millard
Observations from a project-manager/internal auditor on the difficulties faced in bringing assurance providers and customers closer together, drawn from his experiences at TfL and from developing industry-wide guidance in the Association for Project Management. Nobody (well, almost nobody) deliberately gets in the way, but there are a host of organisational, behavioural, cultural and historical challenges to overcome. Perseverance pays off, though; providing you don’t set your sights too high, some benefits are quite easy to achieve. You will be encouraged to think for yourselves to compare and contrast your experiences with his.

Integrated assurance provides synergistic benefits to the stakeholders
Vicky Kubitscheck
In the absence of a universally agreed definition of integrated assurance either as a concept, process or methodology, it is unsurprising that we all have different impressions of what, how and even where it could be used. With greater emphasis on personal accountability and the need for more effective risk governance in the boardroom, Vicky will discuss the rationale and the ways in which integrated assurance is being implemented and, in doing so, proposes a framework with which integrated assurance can be defined and applied consistently in a manner that is aligned with the needs of the firm and its stakeholders.

Integrated what?
Graeme Clarke 
The topics of integrated assurance and assurance frameworks are, and have been, all the rage for some time. They are areas which continue to attract and interest internal auditors from all backgrounds.

Commercial organisations are perceived as being in the driving seat for this but how do public and not for profit organisations fare? Is integrated assurance an unachievable objective or an organisational necessity in the context of the current public sector financial environment?

The session will provide a personal perspective of the development of integrated assurance and assurance frameworks within the public and not for profit arena including:

  • guidance and best practice
  • awareness and understanding of the concept
  • practical design and implementation; and
  • ongoing monitoring and management.

Integrated assurance – can internal audit really place reliance on others?
Sally Clark
For integrated assurance to work in practice collaboration across all key stakeholder populations is essential, including regulators, business management and internally within the audit function itself. This session covers the cultural challenges associated with audit, considering audit's historical approach and how the industry can move forward. Practical considerations include potential change in audit skills, responsibilities and competencies as well as how to know when it’s acceptable to place reliance on other assurance providers in the firm. Sally will share her thoughts as well as experience gained in her role as chief internal auditor at Barclays.

Integrated assurance – too late to integrate?
Siebe Postuma
Internal audit has followed a rapid growth journey in maturing from ‘childhood’ to a robust and respected ‘adult’ within the company, originating with a focus of identifying gaps in the financial control area and helping or advising management to implement a sound (financial) control framework to address weaknesses and gaps. In the current era of big data and digitisation, we should ask ourselves how this affects the way we do controls and assurance.

In this session, Siebe will share some experiences (best practices and challenges) on how he sees IA investing more time and effort to support the business in the journey of maturing their controls and assurance activities. In addition he will bring some unique experiences of how IA can further transform in this new ‘data driven environment’ and respond to questions like:

  • how to become more agile? (‘static’ approach to ‘dynamic’ audit approach)
  • how and where to innovate (continuous auditing, data analytics, real time assurance etc)
  • traditional reporting to the board versus the modern way of communication and reporting.

How to book
Book on or before 19 April 2016 and save £29 by paying £170 per delegate. Book online now

CPD skills webinar programme
Our innovative new CPD skills programme covers the core business skills required of today’s finance professional. These lively, thought provoking webinars provide you with a free, flexible and bite-sized approach to develop your expertise, enhance your employability for the future and gain some free verifiable CPD.

Free cybersecurity webinars for internal auditors
Watch a recording of our first cybersecurity webinar and register for further webinars in 2016. 

ACCA UK's Internal Audit Network is running a series of seven webinars on cybersecurity. 

On 23 March the first one saw Jay Abbott – managing director of Advanced Security Consulting Ltd – explain what cybersecurity is, why it is important and why it matters to internal auditors. This is not an area that is restricted to IT auditors – all internal auditors need to be knowledgeable on this area. This session covered the concepts of phishing, pharming, malware, using plug-ins and the risks of WiFi.

You can watch a recording of this webinar on demand

Further webinars
Register now to watch the following free webinars live, or on demand:

Cybersecurity and data security for internal auditors – 20 April 

Cybersecurity and social engineering for internal auditors – 18 May 

Cybersecurity and process network control for internal auditors – 22 June 

Cybersecurity for internal auditors – how to react when you are under attack – 20 July 

Cybersecurity and outsourcing for internal auditors – 24 August 

Cybersecurity for internal auditors – latest techniques and attacks – 21 September


Webcast – de-mystifying business process improvement
Watch a webcast of this recent internal audit event. 

On 17 February, Mark Taylor – head of consulting for corporate markets, RSM – spoke at an ACCA event on de-mystifying business process improvement for internal auditors.

In this video, Mark explains its relevance to internal auditors, identifies some 'quick wins' to take away, and poses the question – is business process improvement just internal audit in a cuter outfit?



