Technical and Insight
Is internal audit the next BlackBerry?
Tim J. Leech outlines why it really is time to reinvent the profession.


In part one of this article, published in the November issue of the Internal Audit e-Bulletin, Tim Leech defined the problems facing the internal audit profession. Here, Tim discusses his solution to the problem.

This is an alternative view of the profession that readers and practitioners should consider in the context of their own approach and behaviours. The views expressed in this article are the author’s and may not reflect those of ACCA.

Executive summary
Over recent decades there has been a series of major corporate governance crises. After each, post-mortems were convened and efforts made by regulators to identify root causes. The good news – or the bad, depending on your perspective – for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to ensure these crises were avoided.

What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organisations. As global pressure on directors mounts to improve risk oversight their dissatisfaction with traditional internal audit services is also growing. This article suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit ‘paradigm paralysis’ – a strong attachment to traditional ways of conducting internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of its key customers. 

The way forward: objective centric five lines of assurance
If you are willing to consider the central thesis of the article – that the internal audit profession is at what is sometimes called a ‘tipping point’ – and agree that the profession is being crippled, or at least seriously negatively impacted, by paradigm paralysis, including a strong attachment to traditional point-in-time direct report audits of internal control effectiveness covering a small percentage of the risk universe each year, a logical question has to be:

  • What can be done to prevent the internal audit profession becoming the next BlackBerry?

The first step in an ideal world would be for the internal audit profession, including IIA Global, to candidly acknowledge the failings of the current direct report internal audit paradigm and aggressively call for management to self-assess risk and risk treatments linked to key value creation and value preservation objectives[1] and embark on a radical paradigm shift change strategy.   

Unfortunately, if we accept the premise that IIA Global is simply too invested in the current direct report internal audit paradigm to be the one to drive the changes necessary fast enough, it suggests change must come from what Joel Barker, a noted futurist and paradigm paralysis expert, called ‘the fringes’[2].  

When Apple was created in 1976 its founders were often referred to as ‘hippies and nerds’, or ‘the fringes’ in Joel Barker’s taxonomy. Today, candidates to lead change in the profession include ACCA’s Internal Audit Network (which has commissioned this article); the Institute of Chartered Internal Auditors in UK which has published ground-breaking guidance for its members, particularly in the financial services sector; blogs and presentations calling for change by Norman Marks[3] and Paul Sobel; IIA Canada members who led the CRSA/CSA movement in the 1990s and have consistently recognised work designed to drive radical change; IIA CCSA and CRSA certificate holders; and other ‘fringe’ participants. 

It is important to note that in an ideal world change would be driven by the customers of internal audit services. For a variety of reasons, this is not likely to happen. Boards and the c-suite simply have bigger things to worry and think about. Unfortunately, excepting the FSB guidance on effective risk appetite frameworks, the majority of national regulators continue to show strong attachment to having internal auditors play the role of ‘controls police’, while at the same time calling on companies to implement more effective risk management frameworks. The views of regulators are a key element of the current internal audit paradigm paralysis. 

As a replacement for the current direct report internal audit paradigm I believe, based on 30 years of studying the evolution of internal auditing and customer needs globally, that an OBJECTIVE CENTRIC FIVE LINES OF ASSURANCE approach is best suited to meeting the needs of today’s boards, senior management, regulators and society at large.

Change has to start somewhere. The small body of loyal Apple disciples in the late 1970s were the seeds that grew into what is now one of the largest and most successful companies and support movements in the world. Experts generally agree that changing paradigms is possible, but very difficult. It will take a concerted effort from more than a few to change the current internal audit paradigm.   

Objective centric five lines of assurance – core attributes

Attribute #1 – Senior management, with board oversight and assistance from internal audit and risk specialists, make conscious decisions on the organisation’s top value creation and value preservation objectives and document them in an objectives register – simply put, these are the end result objectives they believe necessary for the organisation’s sustained success. Careful consideration is given to the costs and benefits of requiring more formal and visible assurance methods for each objective that is added to the register.

Attribute #2 – Senior management, with board oversight, assign ‘owner/sponsors’ and responsibility to report upwards on the current residual risk status for each of the objectives included in the organisation’s objectives register (the risk position related to the objective being assessed remaining after considering current risk treatment/responses).

Attribute #3 – Senior management, with board oversight, decide on the level of risk assessment rigour each of the objectives will receive; the level of independent assurance they want on each objective, if any; and the person, department or outside party that will provide the required level of independent assurance. For many objectives included in objectives registers this will be internal audit.

Attribute #4 – Internal audit’s work plan is driven by the assurance requirements defined in the objectives register. Internal audit also provides comments and recommendations if it believes there are objectives that should be in the objectives register that aren’t included. Internal audit may also be asked in the early phases to help owner/sponsors through training and facilitation services to complete risk assessments at the level of risk assessment rigour defined by senior management and the board. In organisations that have an ERM support group, their work plan is driven by helping owner/sponsors complete objective risk assessments on assigned objectives at the level of risk assessment rigour defined by senior management and the board, and helping management respond to quality assurance reviews done by independent assurance providers.

Attribute #5 – Senior management and the board receive regular reports from the CEO and/or his/her designate on the objectives in the objectives register, including concise information on which objectives are considered to have residual risk positions within the organisation and board’s risk appetite/tolerance, those that are not, how serious the situation is currently, and action plans to address those objectives currently outside of risk appetite/tolerance.  They will also be provided with reports from independent assurance providers, including internal audit, where management has indicated in their assessment that the current risk status is within the organisation’s risk appetite/tolerance, but the assurance provider believes that it is not, or is unsure if the current residual risk status is within the board’s risk appetite/tolerance.

Key benefits of objective centric five lines of assurance

Benefit #1 – accountability for managing and reporting on risk status is positioned squarely with the responsible party – management

Benefit #2 – senior management and the board receive timely and reliable information on risk status linked to top value creation and preservation objectives they need to meet escalating duty of care expectations

Benefit #3 – the framework focuses expensive assurance resources, including the time of management and assurance providers, on the objectives most key to the organisation’s long term success

Benefit #4 – the recommended RiskStatusline® risk assessment approach (see Attachment 1) focuses on creating reliable information on the true state of residual risk linked to specific objectives, as well as ‘optimising’ the risk treatment strategy (ie the lowest cost possible combination of risk treatments capable of producing an acceptable level of residual risk), which helps drive continuous improvement and innovation

Benefit #5 – the level of internal audit resources required is defined by senior management and the board when they decide how many objectives will be included in the objectives register, the level of risk assessment rigour required, and the level of independent assurance. Without clearly defined end results there is no defensible way to define whether a company has an ‘effective’ internal audit function. Simply stating that the company has an internal audit function, has an audit plan, and completes audits – an element that is currently expected by the FRC via the UK Governance Code – serves little purpose beyond creating the illusion of assurance. This risk was recently commented on by Richard Chambers in an October 2016 blog post[4].

Benefit #6 – the work of all assurance providers, including internal audit, external audit, safety, compliance, environment, quality, insurance, legal services and others is integrated

Benefit #7 – the framework is designed to integrate directly with the organisation’s strategic planning process. New strategic objectives being considered can be risk assessed on a pro-forma basis to determine if they are likely to be achieved operating within the organisation’s risk appetite/tolerance. Independent assurance providers can review and report on those assessments if management and/or the board believe it will add value

Benefit #8 – the approach integrates with core elements of ISO 31000, the global risk management standard and the intent described in the executive summary of the 2016 COSO ERM exposure draft

Benefit #9 – the curriculum necessary to train internal auditors to meet their defined role will be able to focus internal audit efforts on better meeting the needs of customers who are increasingly indicating they are unhappy with traditional direct report internal audit methods (ie where internal audit is the primary risk assessor/reporter). In the approach proposed in this article customers define what they want and internal audit focuses its work on meeting customer defined assurance requirements. It is a ‘demand driven’ not ‘supply driven’ model.

Benefit #10 – internal audit’s appeal as a profession will be substantially increased and salaries adjusted to reflect internal audit’s increased stature as a profession focused on helping organisations manage uncertainty linked to their most important objectives.

Are small steps possible?
For many organisations the new paradigm described in this paper will, quite simply, be too radical and not a good fit with the existing corporate culture. My suggestion for those that are in that situation is to start by completing all internal audit and ERM work using the objective centric risk assessment methodology described in Attachment 1. Over time this will lead to the evolution of a board and management driven corporate objective register and a slow transfer of responsibility for completing risk assessments to those most directly responsible for the objective(s) being assessed – management. 

Can the internal audit profession change or will internal audit become the next BlackBerry?
My honest answer after decades of studying the evolution of the internal audit profession is ‘I’m not sure’. There are many examples of organisations that have been able to reinvent themselves and go on to even greater levels of success.  My sincere hope, particularly as a parent who has a daughter in the internal audit profession, is that the profession can change and go on to even greater levels of success in the years ahead. The ‘fringes’ described earlier in this article will need to play key roles and be doggedly persistent and effective as important paradigm paralysis change agents.   

Tim J. Leech FCPA CIA CCSA CRMA – managing director at Risk Oversight Solutions Inc.

Risk Oversight Solutions focuses on helping companies more effectively manage risk and assurance to meet escalating board risk oversight expectations and add real value.  Tim has over 30 years of experience in the board risk oversight, ERM, internal audit, and forensic accounting fields, including expert witness testimony in civil and criminal proceedings, and global experience helping public and private sector organisations with ERM and internal audit transformation initiatives.  

Tim has provided training for tens of thousands of public and private sector board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the US, the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer.  His article ‘Reinventing Internal Audit’, featured in the April 2015 issue of Internal Audit, received the Outstanding Contributor award from the IIA.  

[1] Author’s definition: Value creation objective: Objectives key to the long term success of the enterprise that will create enhanced shareholder value. (Example: Increase market share by 20%.) Value preservation objective: Objectives which, if not achieved, have significant potential to erode stakeholder value. (Example: Ensure reliable financial statements/disclosures.)

[2] For more details see THE POWER OF PARADIGMS

[3] See Norman Marks’ October 14, 2016 IIA blog post Focusing on the Wrong Line of Defense as an example.

[4] For more on the illusion of assurance see IIA CEO Richard Chambers’ October 24, 2016 blog post No Internal Audit? It Could Be Worse.

CPD article: Auditing culture – a case study by Barclays Bank
Understanding what culture is and why it is important gives you a view as to why there is a need to audit culture as an element. Learn some practical tips from this Barclays case study.


Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units. 

At a series of focus group meetings with ACCA members working in internal audit last year, ACCA found that culture is seen as a challenging and subjective topic but an area of interest for all members. In response to this feedback, ACCA UK’s Internal Audit Network invited Barclays Bank to present a webinar on how to audit culture. 

Alison Smith – a director in Barclays Internal Audit – presented the webinar in February and this CPD article covers some of the highlights of the content. Registration is required to listen to the full webinar and Q&A session.

Understanding what culture is and why it is important gives you a view as to why there is a need to audit culture as an element. There are different approaches to auditing culture within the financial services sector, before you even consider approaches used in other industries. However, having a view of the Barclays approach may help readers to develop some ideas on what they can do in their own organisations. Any approach will need to evolve over time but it can be difficult to know where to start.

What is culture?
There are many definitions of organisational culture but McKinsey coined arguably the most well-known over 50 years ago – ‘culture is the way that we do things around here’. That culture is driven predominantly by the attitudes and beliefs of the people that work within the organisation and is usually set at a high level within the organisation – the ‘tone from the top’. 

Structurally, the espoused organisational culture and values tend to come down through organisational policy and standards. Barclays is not alone in having such values written down and communicated regularly both internally and externally. However, an organisational culture is much more than that – it means actually living those values (and the behaviours that are driven from those values) on a day to day basis. 

The organisational culture determines the approach to risk management – the risk culture being the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation (Institute of Risk Management). For Alison, the risk culture is both a product of the organisational culture but also a determinant of overall organisational culture.

Fundamentally the culture is about doing the right thing – not because it is written down in those policies and procedures but because it is the right thing to do. 

Why is culture important?
Culture is important because the regulators say so, the IIA and ACCA say so, but most importantly, because poor organisational culture has been identified as one of the root causes of poor behaviour in corporates and has caused harm to both customers and reputation. Alison’s view is that managing culture is a vital issue for boards to ensure that not only are they setting the right tone at the top but that all employees are acting in accordance with their organisation’s ethics and values.

Within the financial services industry, stakeholders including regulators are keenly focused on culture within their observations and much has been written and researched by industry commentators, rule setters and implementers. The Group of 30 report Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform and the Financial Reporting Council’s report Corporate Culture and the Role of Boards are good examples. Investors have now taken a keen interest – just as they took an interest in CSR and organisations contributing to the community, investors are taking an interest in the cultural elements of an organisation.

In these reports there is considerable reference to the importance of having a strong three lines of defence within an organisation and the role of internal audit in assessing the culture, challenging it, and highlighting to management where there may be cultural failings. 

Barclays approach
The failings of culture within the financial services industry have been well documented. Barclays took a stand very early on in 2012 to look at a transformational programme. Part of that programme was around culture and values within the organisation and setting up a common purpose of ‘helping people to achieve their ambitions - in the right way’. The purpose is supported by five values – Respect, Integrity, Service, Excellence and Stewardship.

The transformation programme was about ensuring that these values were lived on a daily basis and not just espoused. The first activity that Barclays undertook to embed those values throughout the organisation was to have all 140,000 colleagues spend half a day talking about what those values meant – not from a theoretical perspective but what they meant to individuals. This allowed colleagues to engage with those values, consider whether they were values that they had personally as individuals, identifying which ones were challenging to fulfil on a day to day basis in their roles, and highlighting the ones they felt were particularly important for their role and area of the organisation.

The tone from the top was critical to its success – the chief executive and executive team provided time for all of the 140,000 colleagues to attend these courses so they could start to engage with those values. After that, Barclays built their values into all elements of the employee lifecycle from recruitment to performance management. Recruitment was not just based on what candidates could do but also the values that they held. Once the right people were recruited, their induction into the organisation reinforced the values that were important to Barclays.

Existing employees were helped to engage with the values through a change in the performance management process – objectives were set not just on what people would deliver but also how they would deliver, with a real focus on values. That involved educating employees and their managers, but it meant that employees were rewarded and incentivised on the basis of the values of the organisation.

Alison’s early thinking around culture started with a paper that was produced by the Financial Stability Board (Guidance on Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture) that highlighted four critical elements required to achieve cultural change and drive culture throughout an organisation. Open communication channels were critical, as was the tone from the top, so that people felt they were empowered to challenge and escalate. Accountability through clear roles and responsibilities, and incentives that reinforce the maintenance of desired risk management behaviour, were the other two critical elements highlighted as necessary for a sound risk culture.

It was recognised that colleagues would need support for difficult decisions where there was potential for conflicts of interest. As well as training on the values, colleagues were also trained in ‘the Barclays Lens’ – a decision making tool for assessing the impact of decisions on all stakeholders.

Why do we audit culture?
Alison provided real life examples of how the culture of an organisation can overcome controls – illustrating why it is so important to audit culture. One example was the accident that happened on the Smiler ride at Alton Towers in 2015 – engineers failed to notice that a carriage had stopped mid-way around the ride. They assumed that there was a problem with the computer and over-rode the stop mechanism, setting another train in motion and into the empty carriage with tragic consequences. The culture overcame the controls in that example – a culture that did not give sufficient weight to warning signs to the point where it was felt that they could be ignored. 

Who should do a culture audit?
A culture audit is a different beast to auditing processes and controls, so there is a need to consider the skillsets that the internal audit function needs to be able to deliver those audits. With culture audits, observation of the behaviour of people is core. You can understand the culture either through surveys, through speaking with people, or through observation – some of the techniques used for assessing controls.

With that in mind, it may not take much additional training for internal auditors to be able to look at culture within an organisation. More important is having the right mind set – being open to thinking about what is happening within your organisation, why things work the way they do, and being able to challenge that. You could consider whether those skillsets already exist within the organisation – not just necessarily within internal audit – and whether it is possible to upskill people, or work in multi-disciplinary teams.

How do we audit culture?
There are different ways to tackle audit of culture. Some organisations have gone down the route of bringing specialist skills into internal audit – such as organisational psychologists who may be able to help with understanding behaviours and the culture within an organisation. Another consideration under ‘how’ is whether there are certain areas that you might want to deep dive into to understand the subcultures within the firm, or at the other extreme, looking at it more globally in terms of what messages are coming from very senior colleagues. 

Barclays internal audit approach
During the transformation process, Alison was working in multi-disciplinary teams – principally risk, HR and compliance – on how they were going to start to think about culture and how they were going to measure the impact of the cultural change programme that was happening within the firm. An argument had to be made for why it was necessary to measure the impact – which was to know that the culture was changing in the way they wanted it to and that the values were really being lived on a day to day basis inside the business. That was the genesis of the three-pronged Barclays internal audit approach, as illustrated by the diagram below.

The first element was initially to audit the way that the business was thinking about how it would measure the cultural change. Now that there is a cultural measurement framework in place, it is about auditing that framework. Alison’s team has recently conducted the first review of auditing the measurement framework and that will be reported to the board. That audit was at a group level – over the next 12-18 months, her team will start to look at not just the measurement but also how that framework is being used and how the metrics provided by the framework are used.

The second element is around the drivers and enablers of cultural change – all the aspects around the employee life cycle mentioned earlier. It is possible to audit recruitment processes, the way that employees are inducted into the firm and the objectives that are set for people (is there anything within those objectives that may be contrary to the culture we are trying to establish?). Disciplinary and grievance processes can be audited and assessed for any indicators about organisational culture. Attrition levels within the organisation can also be assessed for any cultural reasons driving those attrition levels.

The final element is termed ‘audit everywhere’. For any standard business audit, a management control approach is conducted – so as well as giving an assessment for the control environment, the area is also assessed for its management control approach. This looks at risk culture and how effective management is in unearthing issues and then fixing them. It looks at their approach to risk management – to controls – and how they ensure that people within their part of the organisation really understand what their responsibilities are in relation to operating control and also escalating where controls are not working as they should do.

Regular reporting of the audit results to the audit committee ensures this is reviewed by the board.

Exploring behavioural observation tools
Alison and her team are considering different ways to evolve their approach to auditing culture. With every approach, their aim is to ensure that they act as a true third line of defence rather than doing anything that would be expected of the first or second line. As part of evolving their approach, they are starting to explore techniques that can be used to better equip their auditors to observe behaviour – including the use of ethnography[1] as promoted by the Banking Standards Board as a different way to observe culture. This is not necessarily another element but it is a possible means of improving assessment around their management control approach. 

Registration is required to listen to the full webinar and Q&A session.

ACCA culture-governance tool
The ACCA culture-governance tool seeks to support organisations with their culture goals. ACCA developed this tool on the basis of research conducted since 2012 under a global initiative called Culture and channelling corporate behaviour. Under this initiative ACCA held a series of international roundtables in London, New York, Dubai and Bengaluru alongside a survey of ACCA’s global membership, to which close to 2,000 members responded. A number of reports were produced. 

Subsequent research inspired by the findings called Effective speak-up arrangements for whistle-blowers also informed the development of the tool.

The ACCA culture-governance tool helps organisations to review culture and determine the course of change.  

[1] Ethnography is the systematic study of people and cultures. It is designed to explore cultural phenomena where the researcher observes society from the point of view of the subject of the study. The resulting field study or case report reflects the knowledge and the system of meanings in the lives of a cultural group.

Blockchain – dark currencies and the risks
Smart ledgers may provide one of the best tools for reshaping a more open, trusting society, and should be a boon to auditors, writes Professor Michael Mainelli.


From at least the time of the Sumerians we have had ledgers. The technology of ledgers has evolved over the millennia from cuneiform tablets to papyrus, tally sticks, paper, and databases. We are witnessing a further stage of evolution to smart ledgers. 

Central or ‘trusted’ third parties are the traditional custodians of central ledgers. The central third party approach, while scarcely bettered over millennia of civilisation, has its problems. The two biggest problems are corruption and monopoly. Any central registry becomes a target for cheating and the controllers of the ledger are an obvious weakness. The officials, public or private, are susceptible to bribery or other inducements to collude with cheaters. This is often seen as a third-world problem, but the global traded markets have seen corruption in LIBOR and foreign exchange markets ‘fixing’ certain important pricing benchmarks through central functions. Any successful registry or exchange is also susceptible to becoming a natural monopoly, and thus strongly tempted towards excessive charges.

Mutual distributed ledgers (MDLs, aka blockchains) and smart contracts are the ‘next big thing’ in technology. MDLs are multi-organisational databases with a super audit trail. MDLs have been used for years but gained fame, or notoriety, from 2009 onwards through their use in cryptocurrencies such as Bitcoin, as the ‘Bitcoin blockchain’. A ‘smart contract’ or ‘sprite’ is ‘the implementation of contract terms as executable computer code’. Smart contracts can be embedded in MDLs to record what has been agreed to happen when certain events occur. A simple example of a smart contract is a contract which pays $50,000 on every day in July when the temperature recorded by a given field on the Met Office website is above 33 °C.

A smart contract can be anything that has a time, a test, and a trigger, for example a premium uplift, a notification of change of circumstances, or a claim. While bankers have been a-twitter about cryptocurrencies for payment systems, other sectors have already quietly implemented them, such as healthcare organisations using smart ledgers to chronicle clinical trials, or insurers using them to log swaps of data. Smart ledgers are particularly suited to identity, document, and agreement exchange (IDAX). IDAX may be their ‘killer app’.

Smart ledgers are a technology for fair play in a globalised world. Three characteristics enhance fairness. First, most smart ledgers have no centre. This means fair play for everyone regardless of their location. Second, the permanent records are distributed and immutable. A benefit of decentralisation is strong cybersecurity and physical robustness. The process which lets many computers all over the world process transactions together also means that if a machine is compromised it does not affect the rest of the computers holding the smart ledger. Third, ‘mutual’ means held in common or owned by no one. Nobody has to be in charge of a smart ledger; they operate by consensus. Local smart ledgers can be run by a sovereign entity or a company, and they can choose who can participate, similar to an existing corporate network but more secure.

Audit this!
Smart ledgers pose big challenges to auditors. The DAO (Decentralized Autonomous Organization) was launched on the Ethereum blockchain on 30 April 2016 with a website and a 28-day crowd sale to fund the organisation. By 21 May it had raised capital of more than US$150m from more than 11,000 investors. On 17 June an unknown attacker ‘stole’ from the DAO around 3.6M ‘ether’, Ethereum’s online currency similar to Bitcoin. At the time 3.6M ether was worth about US$55m and represented around a third of the DAO’s assets.

The DAO was intended to operate as a hub that dispersed funds in ether to suitable projects. Investors received voting rights by means of a digital share token and voted on proposals that were submitted by ‘contractors’ while a group of volunteers called ‘curators’ checked the identity of people submitting proposals and made sure the projects were legal before ‘whitelisting’ them. The profits from the investments would then go back to its stakeholders.

The underlying technology powering the DAO was a ‘blockchain’, similar to Bitcoin, overlaid with ‘smart contracts’. The DAO was controlled by the votes of its members (anyone who transferred ether to it) and transactions occurred automatically once enough members voted for them. A vulnerability in the DAO’s code was exploited by the attacker, who used a race-to-empty or recursive call attack to appropriate ether.

Complex legal questions remain over whether the attack was really ‘theft’. In effect, the Ethereum project claimed to ‘let the code’ decide, and the code decided to transfer 3.6M ether to an account. However, the eventual solution, a ‘hard fork’ that moved the ‘stolen’ ether back into a new version of the DAO, in effect replaced ‘tyranny of the code’ with ‘tyranny of the majority’.

A learning experience
There is an incorrect assumption that all MDLs are alike. In fact, MDLs can be built in a wide variety of ways for a wide variety of purposes. A cryptocurrency ledger is concerned with supporting a proof-of-work consensus mechanism; an internet-of-things datalogging MDL is concerned with speed and efficiency. Both may be subject to audit, eg not just cryptocurrency cash, but also billing or liabilities recorded by a utility company’s MDL. Let’s explore four challenges for now: understanding the technology, defining the boundary of the system, auditing the system, and examining governance.

The technology is not especially complicated, but these ‘multi-organisational databases with a super audit trail’ are built on foundations unfamiliar to many, even the programmers using them. Cryptography and hashing are the two core techniques for MDLs. Cryptography, in the sense used here, is the process of storing data in such a way that it can only be read by those holding the correct keys. Hashing is the process of reducing a record or file of any size to a short, fixed-length signature that is, in practice, unique to it. MDLs are constructed by hashing each record into the next, and often use cryptographic techniques as well. If the MDL is not just recording but also supporting a token or cryptocurrency, then a host of transaction validation techniques may need to be understood, such as proof-of-work, proof-of-stake, proof-of-burn, full consensus, broadcasting or voting mechanisms. Finally, if the MDL is a smart ledger, then many of the rules are expressed as pieces of code embedded within the MDL itself.
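The ‘super audit trail’ described above, as an added Python illustration (not Z/Yen’s code or any product’s): each record carries the hash of its predecessor, so an auditor recomputing the chain can locate the first record that was altered after the fact, even when the tamperer recomputes that record’s own hash. The record fields and the utility billing entries are constructed for the example.

```python
"""Minimal hash-chained ledger: each record is hashed into the next.

Added illustration, not Z/Yen's or any product's code. Record fields and
sample data are assumptions chosen for the example.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_HASH = "0" * 64  # conventional placeholder for "no predecessor"


@dataclass
class Record:
    index: int
    payload: dict          # e.g. {"meter": "M-001", "kwh": 120, "bill_gbp": 18.0}
    prev_hash: str         # hash of the preceding record (the chain link)
    hash: str = ""         # SHA-256 over index, payload and prev_hash

    def compute_hash(self) -> str:
        # Canonical serialisation: same data always yields the same digest.
        body = json.dumps(
            {"index": self.index, "payload": self.payload, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(body).hexdigest()


def append(ledger: List[Record], payload: dict) -> Record:
    """Add a record whose prev_hash is the hash of the current last record."""
    prev = ledger[-1].hash if ledger else GENESIS_HASH
    rec = Record(index=len(ledger), payload=payload, prev_hash=prev)
    rec.hash = rec.compute_hash()
    ledger.append(rec)
    return rec


def first_broken_link(ledger: List[Record]) -> Optional[int]:
    """Audit check: return the index of the first record whose stored hash or
    chain link no longer verifies, or None if the whole ledger is consistent."""
    expected_prev = GENESIS_HASH
    for rec in ledger:
        if rec.prev_hash != expected_prev or rec.hash != rec.compute_hash():
            return rec.index
        expected_prev = rec.hash
    return None


def build_sample_ledger() -> List[Record]:
    """Constructed sample data: three utility billing entries."""
    ledger: List[Record] = []
    append(ledger, {"meter": "M-001", "kwh": 120, "bill_gbp": 18.00})
    append(ledger, {"meter": "M-002", "kwh": 95, "bill_gbp": 14.25})
    append(ledger, {"meter": "M-001", "kwh": 130, "bill_gbp": 19.50})
    return ledger


def tamper_demo() -> Optional[int]:
    """Retrospectively alter record 1 without touching any hash.
    The audit fails at record 1 itself (stored hash no longer matches)."""
    ledger = build_sample_ledger()
    ledger[1].payload["bill_gbp"] = 1.00
    return first_broken_link(ledger)


def tamper_and_rehash_demo() -> Optional[int]:
    """Alter record 1 AND recompute its hash to cover tracks.
    Record 2 still points at the old hash, so the audit fails at record 2:
    a change anywhere in history breaks every later link."""
    ledger = build_sample_ledger()
    ledger[1].payload["bill_gbp"] = 1.00
    ledger[1].hash = ledger[1].compute_hash()
    return first_broken_link(ledger)


if __name__ == "__main__":
    print("intact ledger, first broken link:", first_broken_link(build_sample_ledger()))
    print("tampered record, first broken link:", tamper_demo())
    print("tampered and rehashed, first broken link:", tamper_and_rehash_demo())
```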

The boundary of the system is frequently quite wide: not just a cryptocurrency, but also the wallets and exchanges used for its transactions. This distributed system is itself subject to attacks. Cryptocurrencies are seen by many as big ‘honeypots’, worth probing and attacking because the rewards for stealing cryptocurrency can be enormous. In auditing one cryptocurrency system we needed to trace accounts from its ledger into other cryptocurrencies that had been used for payment. Immediately we hit problems tracing the sources of funds from the wallets and exchanges that had made the deposits, as well as problems identifying where transactions had potential conflicts with regulatory jurisdictions.

Auditing the system is not especially different from auditing a normal ledger database, but there are some wrinkles. These ledgers are typically very large, requiring extra data handling resources. Performance can be volatile. We have been examining an ‘active audit’ process whereby we simulate the overall system performance and contrast that simulation with what happened in reality in order to identify anomalies for further audit tests. For clients, these simulations serve as the basis for constructing a permanent ‘market quality’ dashboard.

Examining governance is possibly the greatest challenge. The strength of smart ledgers lies precisely in the lack of ownership. The DAO attack alone raises serious questions about the types of safeguards that investors should have with such collective investments and the governance issues of the wider system for making such decisions. Z/Yen has conducted some initial work on governance standards, with more to come.

Possibly the best way to think of governance just now is to contrast smart ledgers with email of old. Email is ungoverned as it passes from machine to machine. In the early days, auditors paid a lot of attention to validating email trails. We have come to rely on email to the point we rarely audit email trails technically. We can also expect to see forms of indemnity and insurance arising on smart ledgers. If I pay to use your data you may also have to provide me with an indemnity, for example paying me in the event that a digitally signed document authenticated by you proves to be false.

Smart ledgers are here, and show every sign of increasing deployment due to their amelioration of the central third party problem, their technological flexibility, and their power. Smart ledgers may provide one of the best tools for reshaping a more open, trusting society, and should be a boon to auditors. As system auditors, our responsibility is to start learning and thinking now about how best to use smart ledgers for mutual good and common wealth.

Professor Michael Mainelli – executive chairman, Z/Yen Group and principal adviser to Long Finance. 

Z/Yen has been building and analysing mutual distributed ledgers (aka blockchains) since 1995 and has a smart ledger architecture community, ChainZy.

Michael’s latest book, The Price of Fish: A New Approach to Wicked Economics and Better Decisions, written with Ian Harris, won the 2012 Independent Publisher Book Awards Finance, Investment & Economics Gold Prize.

Internal audit’s role in providing assurance over the Modern Slavery Act
Internal audit is well positioned to support organisations with their anti-slavery and human trafficking framework and accompanying statements, explains Daniel Maycock.

When people hear the terms ‘slavery’ or ‘forced labour’, many believe it no longer exists in today’s society and think of it simply as a relic of history, abolished with the introduction of the Anti-Slavery Act in 1883. Tragically, this could not be further from the truth. 

Obtaining precise statistics around the number of people in slavery is notoriously difficult; however, the International Labour Organisation estimates that there are a shocking 21m victims of forced labour globally, generating estimated profits of $150m. This covers labour exploitation, sexual exploitation and state-imposed forced labour.

It is also too easy to simply dismiss this as an issue which applies only to third world or developing countries. The British government has estimated that there are up to 13,000 people in modern slavery in the UK: a truly terrifying statistic. Most commonly people are trafficked into industries such as agriculture, construction and hospitality, and women and girls are often forced into prostitution.

The increased focus on social responsibility has helped to significantly raise the profile of modern slavery, and many organisations are already taking proactive steps to promote ethical business practices to prevent their workers from abuse and exploitation. However, slavery continues to be an issue globally and some businesses continue to turn a blind eye either within their own organisation or within their supply chains, which are increasingly complex and global.

So what is the Modern Slavery Act?
The UK government wishes to be a global leader in reducing the prevalence of modern slavery and in October 2015 introduced the Modern Slavery Act. This is a piece of legislation championed by the previous Home Secretary (and now Prime Minister), Theresa May, which covers the offences of slavery, servitude, and forced or compulsory labour.

A key provision of the Act places a reporting requirement on those organisations that meet a defined set of criteria to produce an annual statement, setting out the steps they have taken to ensure that slavery and human trafficking do not exist within their business and, crucially, their supply chain.

It is important to note that the purpose of the Act is not for a business to guarantee that slavery or human trafficking does not exist within its business or its entire supply chain, only to formally set out what steps it has taken to assure itself that it does not exist. In theory a business could report that it has taken no action whatsoever; however, this would be unlikely to be looked upon favourably by stakeholders, so it is an unlikely scenario.

Is my organisation required to produce a slavery and human trafficking statement?
Organisations are required to produce a statement if they: 

  • are a body corporate or a partnership, irrespective of where they were incorporated
  • carry on a business, or part of a business, in the United Kingdom
  • supply goods or services
  • have a global annual turnover of £36m or more.

Of course it would not be a classic piece of UK legislation without a smattering of vagaries and grey areas. No definitions are provided for ‘carrying on a business’ or ‘in any part of the United Kingdom’. Instead the government expects a ‘common sense approach’ to be taken (again, this is not defined). Ultimately it is hoped that this will create a ‘race to the top’ and both the benefits, and potential reputational implications in particular, will encourage organisations to err on the side of caution when it comes to the interpretation of these rather ambiguous criteria. 

What about groups which have only a minor presence in the UK?
Each parent and subsidiary company that meets the requirements above must produce an annual statement. However, it is possible for the parent to produce a single, overarching statement as long as it adequately covers all of the steps taken to ensure slavery does not exist within each subsidiary that falls within the scope of the Act, and within their respective supply chains.

The fact that a group has a UK subsidiary does not, in itself, mean that the parent is carrying on business in the UK if the subsidiary is acting ‘completely independently’ of its parent or other group companies. Exactly how an organisation can demonstrate this is not specified within the legislation and the lack of legal precedent adds greater uncertainty in this area.

Who should approve the statement?
The statement must be signed by an appropriately senior individual within the business depending on the type of organisation: 

  • for an incorporated business it should be approved by the board of directors and signed by a director
  • for a charity it should be approved by the board of trustees and signed by a trustee
  • for a Limited Liability Partnership (LLP) it should be approved by the members and signed by a designated member
  • for a partnership it should be signed by a partner.

Where should the statement be published?
The statement must be published on the organisation’s website in a prominent position on the homepage (eg a direct link or within a dropdown menu). For those businesses with more than one website, or where a single statement has been created for multiple entities as part of a group structure, it is recommended that a link is included on each relevant website.

If your organisation does not have a website, a copy of the statement must be provided within 30 days of any request.

So what does this have to do with internal audit?
As businesses try to understand and comply with the requirements of the Modern Slavery Act this offers a fantastic opportunity for internal audit to demonstrate added value to the business, in either an advisory or assurance capacity.

Internal audit is one of the few functions within an organisation which will have an excellent understanding of its operational, financial, technological and compliance processes, and where weaknesses may exist.

Internal audit is therefore perfectly positioned to support their organisation with their anti-slavery and human trafficking framework and accompanying statement. There are various ways in which internal audit can do this. Examples include:

  • Facilitation of slavery and human trafficking risk workshops: Until a business understands its modern slavery risks, both internally and within their supply chain, it cannot effectively identify what mitigation exists or where further action is necessary. Attendees at such workshops will often view risks through the prism of their own function; however, by supporting the facilitation of such workshops internal audit can bring together the various inputs to provide a ‘helicopter’ view and contribute to a roadmap of further action to be owned and undertaken by the business. 
  • Data analytics: The use of data analytic tools is becoming increasingly common to identify areas of control weaknesses within large volumes of data. Where the capability or skills do not exist within the business, it may be appropriate for internal audit to undertake some targeted analysis to identify trends or patterns which may indicate unusual activity. For example, multiple workers registered to the same address or the same bank details being used for the payment of multiple staff are often indicators of exploitation. 
  • Targeted assurance: Internal audit may focus on processes or controls which mitigate slavery and human trafficking risks to provide independent assurance over their effectiveness (eg supplier due diligence and on-boarding). This may even include undertaking announced or unannounced supplier audits. It may be that elements of key processes or controls have already been subject to review by internal audit. If so, what existing knowledge can be leveraged and shared with the business to assist in the identification or mitigation of slavery and human trafficking risks? 
  • Independent challenge of the Slavery and Human Trafficking Statement: The requirement for a senior individual to formally sign the statement will require these individuals to challenge the accuracy of the content within the statement. Internal audit could undertake an independent review of the evidence base which supports and underpins the assertions made within the statement, providing a level of comfort to those who are charged with its approval. 
  • On-going monitoring of further action required: In the same way that internal audit recommendations should be revisited to assess whether they have been adequately implemented, internal audit could also monitor the status of specific actions required to further strengthen an organisation's anti-slavery and human trafficking framework, providing visibility to senior individuals on progress and where slippage has occurred. 
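The two indicators named under data analytics above, as an added Python example (not RSM’s or any client’s code): addresses and bank details from a constructed payroll extract are normalised so that trivially different spellings match, then groups of workers sharing either attribute are flagged, and workers hit by more than one indicator are prioritised for follow-up. Field names, sample records and thresholds are assumptions.

```python
"""Payroll analytics for modern-slavery red flags.

Added illustration, not RSM's or any client's code. Implements the two
indicators mentioned in the text: several workers registered at one address,
and one set of bank details receiving pay for several staff. Field names,
thresholds and the sample records are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed sample payroll extract (no real people, addresses or accounts).
PAYROLL: List[dict] = [
    {"id": "E001", "address": "12 Mill Lane, Leeds", "sort_code": "11-22-33", "account": "12345678"},
    {"id": "E002", "address": "12 mill lane, LEEDS ", "sort_code": "11-22-33", "account": "12345678"},
    {"id": "E003", "address": "12 Mill Lane Leeds", "sort_code": "11-22-33", "account": "12345678"},
    {"id": "E004", "address": "7 High St, York", "sort_code": "44-55-66", "account": "87654321"},
    {"id": "E005", "address": "7 High Street, York", "sort_code": "44-55-66", "account": "11112222"},
    {"id": "E006", "address": "3 Park Road, Hull", "sort_code": "77-88-99", "account": "33334444"},
]


def normalise_address(addr: str) -> str:
    """Fold case, punctuation, spacing and common abbreviations so that
    '7 High Street, York' and '7 High St, York' compare equal."""
    a = re.sub(r"[^a-z0-9 ]", " ", addr.lower())
    a = re.sub(r"\bstreet\b", "st", a)
    a = re.sub(r"\broad\b", "rd", a)
    return " ".join(a.split())


def normalise_bank(rec: dict) -> str:
    """Digits-only sort code and account number, joined as one key."""
    digits = lambda s: re.sub(r"\D", "", s)
    return f"{digits(rec['sort_code'])}:{digits(rec['account'])}"


def group_by(records: List[dict], key_fn: Callable[[dict], str], min_size: int) -> Dict[str, List[str]]:
    """Map each normalised key to the worker ids sharing it; keep groups of min_size or more."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[key_fn(r)].append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) >= min_size}


def exploitation_indicators(records: List[dict], address_threshold: int = 3,
                            bank_threshold: int = 2) -> Dict[str, Dict[str, List[str]]]:
    """Flagged groups per indicator. Thresholds are assumptions to be tuned per
    workforce: legitimately shared staff housing argues for a higher address
    threshold, whereas two staff paid into one account is already unusual."""
    return {
        "shared_address": group_by(records, lambda r: normalise_address(r["address"]), address_threshold),
        "shared_bank_details": group_by(records, normalise_bank, bank_threshold),
    }


def workers_with_multiple_indicators(records: List[dict], **thresholds) -> List[str]:
    """Workers appearing in more than one flagged group are the priority for follow-up."""
    hits: Dict[str, int] = defaultdict(int)
    for groups in exploitation_indicators(records, **thresholds).values():
        for ids in groups.values():
            for worker in ids:
                hits[worker] += 1
    return sorted(w for w, n in hits.items() if n > 1)


if __name__ == "__main__":
    for indicator, groups in exploitation_indicators(PAYROLL).items():
        for key, ids in groups.items():
            print(f"{indicator}: {key!r} shared by {', '.join(ids)}")
    print("priority follow-up:", workers_with_multiple_indicators(PAYROLL))
```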

While internal audit functions should remain cognisant of their independence, and the balance between advisory and assurance activity, this undoubtedly provides yet another fantastic opportunity for an internal audit function to demonstrate and apply its knowledge of the business in a way which has a meaningful and tangible impact.

Daniel Maycock – risk assurance director, RSM

Daniel provides internal audit and risk management services, including supporting organisations in establishing and developing anti-slavery and human trafficking frameworks.

Internal auditing – a career to aspire to
Tim Sandwell looks at how internal audit roles have been transformed and the opportunities they provide.

Modern internal auditing emerged over 70 years ago as an independent checking function in the public sector before being adopted by the private sector. From what was then, rather unkindly, often labelled as a group of number crunchers and corporate policemen, internal auditing has evolved into what is today a highly sophisticated control function.

In response to corporate scandals such as Barings, Enron and more recently Lehman Brothers, there has been a sea-change in the role of internal audit and its activities. Today internal audit provides crucial reassurance regarding risk and control, maximising the effectiveness of business processes and ensuring that best practice is properly disseminated.

It is beyond question that internal audit has developed as a vital part of corporate governance but what can it offer in terms of a longer term career to aspiring ACCAs?

It is true that for many decades newly qualified accountants joined an internal audit function as an entry point into a wider corporate career development plan. Internal auditors are privileged in having access to all business operations and corporate functions, therefore providing a natural training environment for future executives.

Many young accountants would spend several years auditing in various corporate and often international environments, moving through a number of promotions. Ultimately they would gain the credibility and experience to further their career outside of internal audit.

Historically, commonplace moves would have been into accountancy and finance, with more occasional ventures into areas such as project management, corporate treasury or regulatory compliance. For those who remained in internal audit the future would be dictated by promotions through the audit ranks, increasing management responsibility and with the ultimate goal of becoming a chief auditor. 

Unfortunately for many, senior promotions were not always achieved, leaving internal audit functions with layers of career auditors who were effectively stuck. In previous decades this negative perception of an environment lacking ambition or ability was detrimental to aspirational accountants choosing their career options.

Internal audit has changed
Over the past ten years internal audit has experienced a significant upskilling of the discipline, with increasing technical specialisation and a much heightened profile both within the public and private sectors. This has been driven not only by the importance of internal audit to effective corporate governance, but also by the methodologies employed which require industry or technical specialists who can relate to senior management. Executive management, regulators and shareholders are demanding internal auditors have an in-depth understanding of complex areas of their operations, which previously may not have been needed. Whether this is looking at international financial reporting, financial crime, cyber security or transformation projects, internal auditors now need much more than the generalist control experience of the past. 

Internal audit functions in all sectors now require specialists. Suitable candidates may have developed their skills within internal audit, or increasingly from other specialist business disciplines. We have seen an influx of professionals with diverse backgrounds including actuaries, programme management, data analytics, financial modelling or technology, who perceive internal audit as an exciting career option. Those with accounting backgrounds are also supplementing their technical skills with business experience and professional qualifications in order to qualify for opportunities.  

Where have the grey suits gone?
The grey-suited auditor is a thing of the past. Internal auditors today require a whole range of soft skills to deal with the diverse stakeholders they are likely to encounter. Direct exposure to executive management and specialist committees, regulators, third parties, suppliers and external auditors is part of the role. Internal auditors need to be able to explain, educate, negotiate and influence at all levels. They also need to be credible, articulate and, at times, resolute in their convictions. The levels at which they are operating will also require them to be increasingly experienced, offering career options that previously did not exist. 

The professional development of internal auditing has also made it a much more competitive environment in terms of both the calibre of potential recruits and the remuneration offered to attract and retain them. 

Plan your career well
So how will a career in internal audit develop for an aspiring ACCA? The career direction may well be influenced by the industry sector you work in and this is something you should consider carefully when embarking on a career plan. More regulated industries will inevitably have stronger control functions and may offer greater diversity going forward. Consider what your specific interests are. Specialist audit teams will exist to cover activities in a range of technologies, business sectors, central functions, project management, financial crime or change. When applying for roles, look at the different teams or divisions within group audit and where you might be able to pursue international opportunities or potential secondments. 

You can also enhance your career prospects by augmenting your accounting qualification. Many internal auditors no longer have a single qualification such as ACCA but acquire further certifications allowing them to be credible subject matter experts. Not only does further specialisation increase professional adeptness, but it combines with more sophisticated inter-personal, negotiating and influencing skills to mould highly effective senior executives. Increasingly we are seeing senior audit executives moving into other executive committee positions or directly to head up other functions such as compliance or change.

While internal audit now offers a challenging and rewarding career in itself, the diverse skills acquired can open up a whole range of opportunities in other areas, allowing internal audit to become a mobile and flourishing environment for professional development.

If you would like to know more about the current market for internal auditors, please review our recent 2017 Internal Audit Market Report.

Tim Sandwell – Director of Barclay Simpson, international specialists in internal audit and corporate governance recruitment

New opportunities for training accountancy apprentices
Is your business considering hiring and training an apprentice?

In last month's Budget the Chancellor emphasised the importance of the Apprenticeship Levy and training to boost productivity. 

Apprenticeship funding is available to the majority of employers – whether they are paying the new Apprenticeship Levy or not.  

Apprenticeships offer employers huge gains, enabling them to grow their team and increase productivity while minimising the financial risk associated with recruiting staff.

A new system for funding apprenticeships in England – the Apprenticeship Levy – will become active from 1 May 2017 (levy payments apply from April). All apprenticeships that commence after this date will be funded according to the new rules (this applies to both employers who are paying the levy and those who are not).

In its guidance, the government has stated that ‘if an employer has not paid the levy and would like to train an apprentice, they will need to co-invest 10% and will benefit from government funding to cover the remaining 90% of the cost. This will also apply to any levy-paying employer who wants to invest more in apprenticeship training than they hold in their digital account. In this case, if in any single month a levy-paying employer has insufficient funds available in their digital account to meet the full costs of training and assessment, they will need to co-invest 10% of the remaining balance, with the government paying the remainder. All employers will need to meet, in full, any costs above the funding band limit for any particular apprenticeship.’

The system will see digital accounts established for employers but co-investment in the first year will need to be paid directly to the provider rather than via a digital account.

The definition of workplace has also been clarified as ‘the physical place of work, designated by the employer, where the apprentice is expected to spend the majority of their time during their apprenticeship (50% or more) ... Employers will be required to confirm the workplace location as part of their written agreement with the main training provider in the evidence pack for each apprentice.’

ACCA has been heavily involved in the development of the new employer-led Trailblazer apprenticeship standard. We are excited to be among the first to train apprentices under the new ACCA Accounting Technician Apprenticeship (Level 4 Trailblazer) and have been accepted onto the Register of Apprenticeship Assessment Organisations.  

If you are an employer in Wales or Scotland you will continue with the current access to apprenticeship training.

If you are thinking about taking on an apprentice and want to know more about the ACCA apprenticeship, please email  

To get involved in helping us to promote apprenticeships to schools in your local area, please email

Internal audit and the ethical compass
Secure your place now at our popular Internal Audit Conference in London in May.

ACCA is also conducting a confidential survey on ethical pressure and where it presents in the internal audit process. The survey results will be used to help set the context of the conference sessions, and will also be reported on in a future article in this e-Bulletin. The survey will be open until 10 May and will only take 10 minutes to complete. ACCA would be grateful if you would complete the survey before the closing date. 

ACCA UK Internal Audit Conference 2017
Wednesday 17 May | 09:30–16:30
The Amba Hotel Marble Arch, London

Cost: £209
Early booking discount: Save £20 and pay just £189 when you book before 17 April 2017 

Book your place online now

Alternatively, download a paper booking form

Every internal auditor has faced pressure to amend or even bury findings to provide a favourable picture from within the organisation – sometimes from within the internal audit department itself.

This has to be seen in the context of a wider cultural debate but this conference will focus on the internal auditor as a contributor to the ethical conscience of the organisation and to an extreme as a whistle-blower. 

This conference will provide reassurance that any given internal auditor is not alone in facing such pressures, as well as provide information on how to get help to deal with the pressure. There will be a number of different considerations as to how an internal auditor deals with an ethical situation with the most extreme option of becoming a whistle-blower. 

What should an internal auditor do if he/she is side-lined out of an organisation for trying to report wrong-doing – walk away or whistleblow? The conference will also touch on life after whistle-blowing if the most extreme option has to be taken.

Key sessions: 

  1. Keynote session – Peter Montagnon, Associate Director, Institute of Business Ethics
  2. Governance of the audit team and audit committee – Anthony Harbinson, Director of Safer Communities, Department of Justice for Northern Ireland
  3. How to deal with ethical situations – Derek Anderson, Head of Internal Audit, Northern Ireland Department of Justice
  4. Q&A Panel session
  5. How ACCA supports its members – Raymond Jack, Executive Director - Finance and Operations, ACCA
  6. When should an internal auditor blow the whistle?


IIA International Conference
L.I.V.E the global experience... in Sydney, Australia.
Date: 23–26 July
Location: Sydney, Australia

Join The IIA’s 2017 International Conference, 23–26 July in the stunning new International Convention Centre (ICC Sydney) right in the heart of Sydney, Australia.

Earn CPD units while you learn and network. ACCA member offer: Register before 13 April 2017 and save up to 200 AUD - enter code ACCA2017 

The IIA International Conference: L.I.V.E the global experience


Webinars: De-mystifying IT audit for business auditors
Sign up now for any of seven webinars on de-mystifying IT audit for business auditors.

De-mystifying IT audit for business auditors – stop being afraid of the black box.  

ACCA UK's Internal Audit Network is running a series of seven webinars on de-mystifying IT audit for business auditors. The series will run from May to November and will feature two main presenters – Vincent Mulligan FCCA (IT Audit Consultant at Eisteoir Consulting Ltd) and Mike Hughes CISA, CGEIT, CRISC (Partner at Haines Watts) – as well as additional specialist guest presenters during the series.

15 May – 12.30-13.30
Introductory session
As accountants and auditors, we recognise the importance of information technology (IT) for organisations and that the examination of the management controls over IT and the management of information are an essential part of a review of those organisations. In this introductory session, we will consider some of the ways we organise ourselves and the approaches we adopt to conduct these reviews. 

8 June – 12.30-13.30
IT General Controls
ITGC or General Computer Controls (GCC) relate to the environment that supports our IT applications and that are therefore applicable to all applications. In this session, we will consider the nature of these ITGC, the challenges we face reviewing them and the approaches we can use to audit them.

4 July – 12.30-13.30
Application audit review
Application controls are controls that we have implemented over our application systems to ensure they operate as intended and ensure the accuracy and completeness of the data, calculations and records. In this session, we will consider the types of these controls and the approaches we can use to audit them.

17 August – 12.30-13.30
Infrastructure audit review
IT infrastructure consists of the hardware, software, network resources and IT management services that we leverage to deliver the IT environment that supports our organisations. As the complexity of our IT environment increases and our dependence on IT grows, providing assurance on the effectiveness of the controls over these assets and services is critical to management and other key stakeholders. In this session, we will consider how we can effectively review IT Infrastructure and the organisations and processes we have put in place to manage it. 

5 September – 12.30-13.30
Integrating IT audit into the business audit
We use our information technology to support our business processes, so it is logical that we consider the key controls we have implemented to manage the financial, operational, organisational, IT and other key risks that impact on each business process or function. Integrated reviews which leverage the skills and experience of multi-discipline teams allow us to provide assurance across these key risks. In this session, we will consider how we can effectively organise and implement integrated audits.

10 October – 12.30-13.30
How to audit cyber security
As our organisations take advantage of the opportunities of the internet and digital technologies, and implement ever-greater connectivity with our customers, vendors and other stakeholders, our exposure to a wide range of cyber threats grows. As the expectations of our key stakeholders, including our boards, management and regulators, for assurance over the effectiveness of the controls managing these risks grow, we will consider how we can deliver cyber security audits.

16 November – 12.30-13.30
General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and will become effective on 25 May 2018 after a two-year transition period. It will replace the current 1995 directive and will affect all organisations that process EU citizens' data. As the deadline for compliance approaches, we will consider how you can understand the impact of this regulation on your organisation and assess your organisation’s compliance readiness.

Register your place on any of these webinars now