Internal audit and the ethical compass
Briefly speaking … the key issues raised at ACCA’s recent Internal Audit Conference.
Briefly speaking … a summary of the key issues raised at ACCA’s recent Internal Audit Conference.
Internal auditors sometimes come under pressure from within an organisation to amend or bury findings that reflect unfavourably on it. At this year’s ACCA annual internal audit conference, held in London in May, speakers considered challenges ranging from corporate culture to speaking-up/becoming a whistle-blower.
Corporate culture is the new frontier in governance. As boards respond to the need to regain public trust, they must learn to define and shape behaviour in their organisation and understand its social impact or risk losing the licence to operate. This was the message Peter Montagnon, associate director, Institute of Business Ethics, had for conference delegates.
‘The problem with the term “corporate culture” is that no one really knows what it means,’ he said. ‘So from now on I am going to avoid it and refer to “behaviours” instead. The headline story is this: boards need to adjust their governance approach to take greater account of the drivers of behaviour throughout the organisation.’
In the current climate, Peter suggested, boards need to pay much more attention than they have in the past to understanding their company and the impact it is having on the society from which they get their licence. Increasingly the public is distrustful and hostile to big business and the reasons include remuneration and taxation.
‘Remuneration is one area where governance has failed,’ Peter said. ‘It has not got to grips with a lot of problems around pay, which has got out of control and been very damaging to the reputations of companies.’
Recurring scandals, which have hit a large collection of companies, have also played a big role in feeding public mistrust. Using the recent scandal involving Volkswagen as an example, Peter said that one key problem was that VW has focused on what had happened and not why. Only if you ask ‘why?’ can you fix the difficulties. Instead, the VW leadership's instinct was to find out what happened, find someone to blame, put some sticking plaster on the problem and move on without changing anything fundamental. If you leave it at that, there is always the possibility of the same thing happening again.
Organisations need to move away from the inward-looking, process-driven approach which has characterised governance until now, towards a more outward looking, engaged approach.
‘It will be a huge error if we duck the challenge in addressing the substance around behaviour and its social impact,’ Peter concluded. ‘There is evidence that the companies who get this right produce better results in the long term. So, government codes and regulation are one thing, but there is no substitution for knuckling down and getting on with addressing damaging behaviours. Internal audit will have an important role to play in this.’
Developing ethical cultures
The relationship between the chair of the audit committee and the head of internal audit was central to a presentation by Anthony Harbinson, director of Safer Communities, Department of Justice for Northern Ireland.
‘The roles of both are clear,’ he said. ‘The former is responsible for the effective functioning of the audit committee and the latter occupies a critical position in helping the organisation achieve its objectives by giving assurance on its internal control arrangements and promoting good corporate governance. It is therefore essential that the relationship between the two is right. But all relationships are difficult and have to be worked on constantly, particularly if the aim is to build a strategic partnership.’
Making up a relationship ‘triangle’ is the CEO, and meetings between the three parties should be open and transparent.
In developing a culture of openness, there are many ‘do’s’ and they include:
- having a focus on purposes and outcomes
- striving for transparency and full accountability
- building a culture of honesty, integrity and ethics.
Numbering among the don’ts are:
- allowing a lack of clarity
- saying what you don’t mean or won’t deliver
- setting low levels of accountability
- undermining or undervaluing the reports you don’t like.
‘We need to do more than simply rely on the honesty, ethics and integrity of the individuals,’ Anthony said. ‘The chief executive and the head of internal audit need to develop a holistic approach to how they act individually and how they work together and build relationships. That will say much more to the organisation than the words they use or the documents they sign.
‘People judge us not by our words but by our actions. Body language is important. There should be real communication between all stakeholders. Ethical cultures don’t just exist and they don’t just grow. We must develop them and to show that they are valued. People need to know that they are real.
‘It’s a long road and we must travel it together,’ he concluded.
Support at hand
In a presentation on how ACCA supports its members, Raymond Jack, executive director, finance and operations, stressed that ethics is a key theme throughout the Association’s qualification. ‘ACCA ensures all students have an understanding of what it means to work and act professionally and ethically in the workplace,’ he said.
The development of a new ethics and professional skills module, due to be launched in October, reflects the crucial role ACCA views ethics playing in both protecting the public interest and delivering public value.
This on-going commitment is also demonstrated by ACCA’s engagement with the IESBA concerning the latter’s Code of Ethics for Professional Accountants, which is incorporated into the ACCA Code of Ethics and Conduct in its entirety. Consultations between the two bodies concerning the structure of the code and safeguards and non-compliance with laws and regulations (NOCLAR) are currently taking place.
European-wide, Jack pointed out, there is a move towards greater protection for whistle-blowers. An EU Commission whistle-blower protection consultation has recently been completed and ACCA will be responding and developing a position on this.
Meanwhile, a range of resources on ethics, including case studies and guidance on creating a code of conduct for organisations and an article detailing practical recommendations on effective speak-up arrangements, is available to members
Jill Wyatt, business journalist
ACCA is conducting a confidential survey on ethical pressure and where it presents in the internal audit process. The survey is for ACCA members working in internal audit and the results will form the basis of an article in the next issue of this e-bulletin. The survey will remain open until Friday 11 August and will only take 10 minutes to complete. ACCA would be grateful if you would complete the survey before the closing date so that the results and conclusions can be as relevant as possible for the article.
The ethical challenges to your moral compass
Internal auditors face pressure and ethical dilemmas while trying to do their job with professional integrity, delegates at ACCA's Internal Audit Conference learned.
Internal auditors face many pressures and ethical dilemmas while simply trying to do their job well and with professional integrity.
Internal auditors must be trusted and the organisations and people they service need to have total confidence in the advice and opinions they express. This may seem to be a ‘given’, but Derek Anderson – head of internal audit, Northern Ireland Department of Justice – asked delegates at this year’s ACCA annual internal audit conference in London - Internal Audit and the Ethical Compass – to look more closely at their moral compass.
There might sometimes appear to be grey areas in the definition of right and wrong, he suggested. Might ‘right’ depend on the situation? What if you don’t know if something is right or wrong? Everyone is capable of rationalising situations and may occasionally need to re-visit or correct their moral compass.
The consequences of getting it wrong have been demonstrated very clearly in recent times, Derek said, alluding to the United Airlines’ fiasco which had damaged the company’s reputation ‘in seconds’. Quoting the words of Billy Graham, he added: ‘When wealth is lost, nothing is lost; when health is lost, something is lost; when character is lost, all is lost.’
Fortunately for internal auditors, Derek pointed out, the ACCA’s Code of Ethics offers a clear set of instructions on what is right and wrong, detailing expectations, rules and – in the worst-case scenario – penalties and outcomes for transgressions.
The code covers integrity, which Derek said implied ‘not merely honesty but firm truthfulness’, which is easily spoken about but challenging to live up to. In professional lives, he suggested, many, if not most people, have known when advice or recommendations might not go down well and therefore sugared unpalatable truths. ‘Nevertheless, there are real dangers in not being truly honest.’
Remaining objective and transparent about potential conflicts of interest is also vital. ‘In our job, we must be whiter than white,’ Derek said. ‘As I tell my auditors, there are people waiting in the long grass for the first time we step out of line. So, we can’t ever give them that opportunity. We must be seen to be above reproach at all times.’
Confidentiality, ensuring that whatever happens in an organisation stays in the organisation, is also key. This may be a challenge in cases where someone is auditing many different organisations. However, the only reason to consider sharing information is if one organisation could benefit from another’s good practice. ‘In this case they can be put in touch with one another, but that’s the only time you can step outside the confidentiality rule,’ Derek said.
Highlighting the importance of professional behaviour, courtesy and consideration and moral integrity, he stressed: ‘It is not just internal auditors who are expected to display these behaviours at all times, but senior management team must also walk the talk.’
Blowing the whistle
So, what about the responsibility of internal auditors to blow the whistle on any wrongdoing? Derek acknowledged that it is an extraordinarily hard move to make. ‘We all know what we should do - we should report what we see,’ he said. ‘But do we do it or do we just satisfy ourselves by trying to put a stop to it or looking the other way?
‘Reporting wrongdoing or becoming a whistle-blower is difficult and there is no shortage of people who became whistle-blowers and had bad things happen to them. But what does our code of ethics say we should do? It says that we should report wrongdoing. That’s quite a challenge.
‘In a poem, Seamus Heaney says: “Whatever you say, say nothing”. Is that true of us? We all know somebody who took a decision that didn’t go down well. Are we going to make that mistake? It’s easy to say that you should be courageous, but not easy to do.’
Moving from poetry to music, Derek reminded delegates of a Kenny Rogers song about playing poker, which included what he viewed as good advice. ‘He said… “you need to know when to hold them, know when to fold them, know when to walk away and know when to run”. That’s good advice when it comes to the work we do, the findings we’re reporting, the recommendations that we're making and the reaction we get from management. It’s about gauging the balance. You have to be able to stand your ground when it’s the right thing to do. Equally you have to know when it’s time to go away.’
Looking from the other side, Derek pointed out that internal auditors were often urging change when people were quite happy doing things the way they always had. ‘So it’s not a surprise that the second our backs are turned they put things back again or just tell us to go away,’ he said. ‘We have to make a compelling case and then we might have to come back to make sure they’ve implemented our recommendations. Otherwise we’re wasting our time.’
There are many famous examples of people who had paid a high price for maintaining moral integrity. Derek cited Marta Andreasen, the former chief accountant of the European Commission, Nigel Woodford, former chief executive of Olympus in Japan, and Basil Brookes, former finance director at Maxwell Communication Corporation, who all raised concerns about flaws in their organisations’ accounting systems.
‘If you ever have to work for someone like Maxwell then the advice I have for you is run away as quickly as possible for your own sanity,’ he said. ‘What does our code of ethics tell us we should do in those sorts of situations? The advice is that we should resign and turn whistle-blower. Well, that’s easy to say, isn’t it!’
Derek concluded with a personal story from early in his career when a new senior manager joined his organisation and proved unwilling to hear about the issues he was dealing with in the organisation. Despite his best attempts, the relationship deteriorated to a point where he feared for his independence and ability to do his job with integrity.
Resigning was the right thing to do but he had a wife, family and mortgage, the problem came in the middle of the recession when jobs were thin on the ground. Eventually an opportunity came up and he took it. ‘I cried with sheer relief at getting out of that situation,’ he said. ‘My point? It’s a whole lot easier to resign when you have a job.’
Jill Wyatt, business journalist
When should an internal auditor blow the whistle?
Developing a culture of speaking-up remains a challenge for many, heard delegates at ACCA's Internal Audit Conference.
Developing a culture of speaking-up remains a challenge for many, heard delegates at ACCA's annual Internal Audit Conference.
Employees who voice concerns about perceived irregularities within their organisations can help prevent behaviours that lead to major financial and reputational losses. However, developing a culture of speaking-up remains a challenge, Jo Iwaski, Head of Corporate Governance, ACCA, told delegates to this year’s annual ACCA Internal Audit Conference in London.
Recent research, jointly funded by ACCA and the UK's Economic and Social Research Council (ESRC), examines the challenges, opportunities and best practices associated with various types of speak-up arrangements. The resulting report – Effective speak-up arrangements for whistle-blowers - reveals that, for speak-up arrangements to be effective, it is important to have more than one channel available to employees.
‘People experience a degree of reluctance when they are raising concerns with people who are involved in their day-to-day job function,’ Jo said. ‘We can understand that because they probably feel they’re disclosing something about their colleagues and are concerned about possible misunderstandings. That’s why people who speak-up want to do it as discreetly as possible.’
Externally, the channels often offer more independence, she pointed out. The use of technology, such as voice channels using digital technology, may have benefits for whistle-blowers because they can use an automated service and are not required to have conversations about the concerns they are trying to raise. However, it is still early days to say how effective these channels may be: for example, they can present a challenge when additional information is needed.
The importance of multi-channels
Four case studies on speaking-up arrangements – an NHS trust, an international bank, engineering company and central government in south-east Asia – have further confirmed the importance of multi-channels being available to employees so that they can choose the means which they feel most comfortable with. They also highlight that, over time, employees often start to use open and direct communication if they have gained positive experiences from external and independent channels.
‘When a loss of trust prevails amongst employees, they are unlikely to use internal channels,’ said Jo. ‘In that case alternatives, including independent and external channels, are very important. People need to feel safe if they are to speak out.’
However, ultimately, the aim is for whistle-blowing to become part of the broad structure of an organisation’s risk culture and corporate culture.
A UK-based survey relating to whistle-blowing showed that the number of people who raised concerns only once was about 44%, those who did so twice was about 40%; those for a third time, 14 % and those a fourth time 2.5%.
The important thing to note is that people don't raise concerns only once but many times. ‘That indicates that when people come across something that they have an issue with they want to do the right thing,’ Jo said. ‘And people generally feel that certain things have to be dealt with at a management or even more senior level if necessary.’
The same study shows that most speak-ups start internally with 90% choosing this option at the first attempt against just 8.6% opting for an external channel. A small proportion of people would use a union. And for a second attempt over 70% of people will still use an internal channel. Unsurprisingly, at the third and fourth attempt, a growing percentage of whistle-blowers opt for external channels including their union.
Effective speak-up arrangements rely on trust, and trust is dependent on robust and consistent response systems. In addition to the existence of multiple channels, Jo said that it is important to have a response system set out clearly internally.
‘When information comes in from employees, concerns must be processed following an established protocol. It is essential that, across the organisation – and especially at management level and above – everyone understands how to follow that.’
Another lesson from research is that tendencies for managers at local level to speak directly to the person raising concerns can be counter-productive because, if information is not recorded and passed on, learning within the rest of the organisation doesn’t take place.
‘It is important for organisations to centrally record and track how employee concerns are dealt with. This enables top management and the board to understand the culture around the trustworthiness of the organisation. But patterns emerging from speak-up data can also help them spot real issues underlying unsubstantiated concerns.
While public disclosure about what sort of whistle-blowing arrangements exist or speak-up data is not very common in organisations’ reports, Jo highlighted that researchers in this area say there is great potential for cross-learning to help the development of better practice.
Meanwhile, a major consultation at European level is currently focusing on looking at legislation that will introduce sanctions for breaches of confidentiality and sanctions for retaliation against whistle-blowers, as well as minimum standards for speak-up arrangements.
‘I think we will see improvements in this area in the very near future,’ Jo concluded, before passing over to Simon Webley, research director of the Institute of Business Ethics.
Using the ‘right’ terminology
Simon said that the Institute viewed business ethics as vital in maintaining a culture of integrity in any type of organisation with speaking-up being a really important part of this.
‘Speaking up needs to happen before a situation becomes a crisis, not after,’ he said, highlighting his preference for this terminology over ‘whistle-blowing’, which he said was less user-friendly.
For members of professional bodies there are two channels of raising concerns. The most immediate is by speaking up to a superior, or someone else, in the given organisation. The second, if this does not feel appropriate, is by turning to the ACCA, which will offer support. Statistics show that around 66% of ACCA members have experienced concerns around an issue relating to audit.
‘We know from surveys that around half the issues that are raised by people speaking-up relate to HR issues,’ he revealed. ‘The other areas are legal breaches and increasingly we're hearing that small fraud is becoming an issue that people need to speak up about so that it can be investigated.’
Alongside these are what Simon described as ‘ethical breaches’. The most common of these, seldom reported, is the misuse of gifts and hospitality by either offering or accepting them. The rules in this area, he said, are covered by all organisations but it is an issue that comes up very regularly.
Another is conflict of interest, which is not covered by law but nevertheless can be a real threat to reputation if it isn't done properly.
Looking to the reasons that stop employees from speaking up, Simon said that one reason revealed by surveys is that people feel nothing will be done about the concern raised. The second is ‘it’s none of my business’ and the third one is fear of retaliation.
‘These are the most common reasons and there are some very disturbing statistics about the number of employees who have seen things but not reported them,’ he said. ‘This is around 40 to 50%, which is quite concerning.’
One of the roles that internal audit has been asked to take on in ethics is due diligence. ‘This is not easy to do but there are things called symptomatic indicators which you can use to learn what's going on,’ he concluded. ‘They are very useful in doing that quite difficult type of work.’
Jill Wyatt, business journalist
General Data Protection Regulations
Major changes to how businesses handle data are coming. Are you ready?
Major changes to how businesses handle data are coming. Are you ready?
The General Data Protection Regulations (GDPR) come into force on 25 May 2018. They will affect every business (sole trader to corporation), charity and public sector body that processes or holds personal data of EU citizens, regardless of where in the world it is based.
Elizabeth Denham, UK Information Commissioner, views it as ‘the gold standard for data protection’, stating ‘Europe has taken the best elements of data protection from the previous Directive and added other concepts that are innovative and represent the best practices from around the world … Embedded into law are privacy by design and default, data breach notification, privacy impact assessments, data protection officers and accountability’ coupled with ‘very meaningful enforcement mechanisms through substantial fines’.
She’s not kidding! With a requirement to report breaches that pose a risk to individuals to the Data Protection Authority within 72 hours (and to the individuals concerned without undue delay), and fines up to the greater of €20m or 4% of prior financial year global turnover (revenue), regulators are serious about ensuring compliance!
Personal data is any information that could be used to recognise someone: photographs, IP addresses, genetic profiles in addition to traditional economic, medical or identity information.
Key empowering ‘Rights’ for individuals and ‘Obligations’ for organisations include:
- Right to access: on request, organisations must confirm if they’re processing an individual’s data, where, why and provide a free electronic copy of data concerned.
- Right to be forgotten: consent withdrawal including erasure and halting 3rd party processing/further data dissemination; unless overriding ‘public interest in the availability of the data’ (for example accounting/tax/HSE records would still need to be retained in a situation where a customer/employee requested to be forgotten). Where there’s an overriding interest, it’s likely the data will have to be retained for the required period but cannot be used other than for the legal purpose for which it’s been held.
- Right to data portability: provision of personal data in a ‘commonly used and machine readable format’ to competitor/3rd party on a subject’s request. This will make comparison websites and supplier switches much more accurate based on actual data.
- Privacy by design: ‘built in, not bolted on’ data protection with privacy impact assessments evidenced for higher risk activities. Organisations need controls that are both effective and fit for purpose. They will include manual and IT solutions that: minimise personal data collected; and process only to the extent necessary. They will also restrict data access to essential personnel. Data lifecycle management is essential!
- Data Protection Officers (DPO) required for: Public Authorities/Organisations performing systematic monitoring of personal data/large scale processing of sensitive personal data; or special categories of data (eg criminal convictions/offences). Appointed DPO MUST have:
- expert current knowledge on Data Protection law/practices
- adequate resources to effect compliance
- direct reporting to top-level management
- no role conflicting interests
- be notified to the Data Protection Authority.
- Consent management: requires distinct, unambiguous, plain language statement recording data gathering/processing purpose with explicit consent for processing sensitive personal data. Withdrawal must be as easy as provision. Parental consent required for online services data processing of under-16s although member states may legislate that down to 13.
- Data Transfer outside EU: Non-EU controllers may have to appoint EU representative; equivalence requirements must be met.
- Pseudonymised data, for statistical research, is not subject to regulation providing segregated storage of decryption key and data.
Doing nothing isn’t an option!
So what should internal audit be doing at this point?
First, check it’s on management’s radar and they are already considering how and when they need to take action in order to be ready for the changes.
Remember if your organisation fails to get marketing consent before the deadline, you may be breaking the law by asking for it afterwards, so preparation is key!
Are the right departments (legal, IT, marketing, HR etc) involved?
Have you established if you need a DPO? If so, do you know who will perform that role (will it be an in-house position or outsourced to a specialist)?
Do you know what data you hold, whether or not it’s sensitive, where it’s held, what it’s used for, who is processing it and for what purposes and can you evidence informed consent? If someone asks for it, can you easily retrieve to provide it?
If you have foreign subsidiaries or controllers then are they aware that the legislation is extra-territorial? What training do you need to put in place to ensure they don’t breach the regulation bearing in mind the fines will be based on global turnover so damages could be punitive if an insignificant subsidiary causes a breach?
A lot of focus is on the IT compliance side of GDPR at the moment but actually the legal and business risks should probably take precedence to establish the extent of legislative exposure for your entity and the risk appetite of how you control that risk. The IT solutions will then be obvious as part of the next step in your controlling strategy.
Schedule your ‘go live readiness’ audit early enough to enable remediation if you find the business isn’t ... and be ready to audit compliance controls across your organisation (including foreign subsidiaries or controllers) at least until you are sure the controls are effectively embedded and operationally sound.
Sarah Pumfrett FCCA – Vice Chair, ACCA UK Internal Audit Network Panel
Difficult auditees and auditors
CPD article: perspectives on avoiding conflict from those involved in an audit.
CPD article: perspectives on avoiding conflict from those involved in an audit.
Auditors and auditees often feel that they are in conflict with each other – the business does not feel that it gets what it needs from internal audit, while internal auditors can feel that the business is resistant to the role that they need to carry out.
In this article, we get the view from both sides of the fence. First, Alan Lees (managing director, Kingston City Group) puts the case for business, then Maria Arpa (founder of the Centre for Peaceful Solutions) provides some tips for managing difficult auditees.
Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
What should the CEO expect from their head of internal audit?
In discharging their responsibilities on behalf of the board, the CEO will often turn their attention to the level of assurance that is being provided to control the risks that their organisation is facing. Organisations will often adopt a three line defence model, with the first line being those functions that directly manage and mitigate specific risks, the second provided by functions that oversee risk, control and compliance, and the third provided by independent assurance providers, such as internal audit.
An effective internal audit function needs the CEO to recognise that s/he should have an effective working relationship with the Head of Internal Audit (HIA). This is particularly important when identifying audit priorities to ensure audit plans are designed to deliver the level of assurance required not just by the audit committee but also the CEO.
The CEO should be readily accessible to the HIA, and should welcome the opportunity to discuss emerging issues from current audit assignments, whether significant risks are being mitigated and to obtain comfort about there being demonstrable management commitment to take action to implement control improvements.
Contact time between CEO and HIA also provides an opportunity for the CEO to find out what is really happening on the ‘shop floor’, particularly where managers are not responding well to audit examination, by refusing to engage in the process or failing to implement recommendations. The HIA isn’t quite the eyes and ears of the CEO but s/he can provide valuable insight.
Regular CEO/HIA meetings also provide for constructive challenge and debate about how well the organisation is responding to external pressures, potential future risks that could impact and what the audit should provide in terms of the level of assurances required.
The CEO has a right to expect the HIA to have sufficient knowledge of the business and its industry sector to effectively engage in discussions concerning the range of ‘what if’ scenarios that the CEO is looking to have controlled and ultimately at what cost. This should include working knowledge and consideration of a variety of factors including the regulatory and legislative environment, sector developments, the robustness of governance arrangements, the overall position of the business in the market and competitor threats, and the future level of investment in people, technology and equipment.
The CEO expects the HIA to be pragmatic in these discussions and have the confidence to debate concisely the control problems that could occur if a particular course of action is taken. The HIA should, however, be seen as a critical friend, not the prophet of doom. There is a fine line here but establishing an effective dialogue will ensure the CEO values the views of the HIA without impairing his/her independence and objectivity.
Internal audit is a precious resource and the role of the HIA as an independent assurance provider has never been more important in meeting the expectations of the CEO in supporting the business in meeting its strategic aims and objectives. The HIA is in a unique position in having a cross-organisational perspective on what is important to the CEO, a view on what is happening out in the external environment and how that impacts on corporate objectives and insight into what is happening internally.
With respect to the latter, this might be about the HIA raising concerns and issues about some corporate behaviours that might be below the CEO’s radar but which might have a significant impact on control effectiveness, or indeed might be an indication of more deep seated corporate malaise.
Alan Lees – managing director, Kingston City Group
Conducting an audit with difficult participants
You’re carrying out an audit. Your auditees are indifferent, ambivalent or downright hostile. What do you do?
You could threaten people into compliance. Calling on a higher authority or using intimidation may get you a short term result. There might also be a longer term price to pay for using force. If you are expected to continue a working relationship with the person and your manner affected them adversely, the potential for grievances, complaints or damage to your reputation should not be underestimated.
There is a more skilful way to engage the auditee.
Here are some of the dynamics which can enhance cooperation set out as a four step process – R.O.P.E.
Being task driven without paying attention to the human relationship is unlikely to foster cooperation. If a task requires that you engage with others remember to engage in the relationship so that there is mutual respect. If you need to complete a task with someone you have found difficult, it’s worth considering how you might mend fences. A simple acknowledgement might put things right – ‘Hey John, I know we haven’t always found dealing with each other easy but I’m wondering if we might set that aside and try to make this easy for each other?’ – or the problems may be so entrenched it could be worth considering mediation. Clearing the air is the first place to start. If there have been no prior difficulties, consider your approach so as not to create difficulties. Take a genuine interest in the other person’s workload or wellbeing. This means enquiring and being receptive and appreciative of their response.
Once the air is cleared, contract with the person in such a way that everyone is clear about what needs doing and the difference their contribution makes to the final outcome. Once that is established you can make an offer of how it should be done and any deadlines, while creating contingency. For example, an auditee might agree to deliver something but an unexpected family emergency takes them out of the office leaving them with a backlog. How likely is it that your requests would go to the bottom of the pile? As part of the contracting it’s good to create a back-up plan. At this stage it’s vital to elicit agreement. Explain that you would like to agree a plan for how to get the task complete which takes into account anything that might get in the way. Agreement is demonstrated by enabling the other person to contribute meaningfully to the plan so their views were heard, respected and included.
Remember that your deadline might not constitute an emergency for the other person and a rushed tone of voice may create pressure which the other person resents. Before you approach someone take an internal barometer reading and check you’re not going in like a hurricane on legs. If you have an urgent deadline and you want someone to help you meet the deadline, try inviting them to assist you and let them know how their assistance will benefit them, their department and the business.
Now you’ve contracted properly and there is an agreed plan, something is bound to go wrong. Not everyone meets agreements on time, every time. This is where it becomes essential to meet the human being and not an auditee. Sometimes when we want to get a job done and we are under pressure, we fail to see the whole human being in front of us. If we only want a result at any cost, the other person will have even fewer reasons to be cooperative.
Taking a human approach to cooperation is more likely to get the job done in a spirit of goodwill. And, there are times when we need to call on that goodwill to get the job done.
Maria Arpa – founder of the Centre for Peaceful Solutions
Internal audit - expect more
The time has come for internal audit to be bold, courageous and innovative in order to capitalise on the growing need to provide strategic insight, writes PwC's Susan King.
The time has come for internal audit to be bold, courageous and innovative in order to capitalise on the growing need to provide strategic insight, writes PwC's Susan King.
The business environment has changed and continues to do so, affecting every organisation, in every market, to one degree or another. As the risk landscape expands – and with it the complexity of doing business – challenges arise and new opportunities are being created. It is essential for organisations to be ready to respond, but it’s by no means easy.
Boards and senior management are being placed under unprecedented pressure to stay on top of current and emerging risks and internal audit’s mandate now extends beyond processes, financial systems and regulation. Stakeholders expect internal audit to ‘look deeper and see further’, acting as a lever for change and supporting an organisation’s strategic agenda. The time has come for internal audit to be bold, courageous and innovative in order to capitalise on the growing need to provide strategic insight.
The first step is an effective internal audit plan designed to meet the rising expectations of the internal audit function’s stakeholders. In this article we draw upon some of our previous thought leadership and explore four key considerations which allow internal audit to deliver the greatest value through the planning cycle.
A holistic view of risk
The risk assessment process is not only a requirement to meet IIA standards, but also a foundation to how internal audit develops a plan aligned to the strategic objectives and risks of its organisation.
In our 2016 publication ‘Rising to the challenge - Keeping pace with stakeholder expectations’ we discuss internal audit’s journey from assurance provider to trusted adviser and explore the concept of being ‘risk focused’ as one of the eight attributes of internal audit excellence. An internal audit function operating as an assurance provider will evaluate the enterprise risk management function, adapt the internal audit plan to focus on management’s response to risks and then refine the plan to focus on the residual risk.
Trusted advisers, on the other hand, are forward-looking and take a holistic view of risk that considers internal, external, short term and emerging risk factors. They have a thorough understanding of the organisation’s risk culture, risk appetite, and regulatory and legal requirements. They invest the appropriate amount of time in performing a dynamic risk assessment that encompasses top-down, strategic perspectives focused on identifying the most critical risks facing the organisation today and in the future.
This strategic top-down risk focus is often calibrated with a bottom-up approach centred on where risks are manifesting themselves in the organisation today. For certain areas, such as IT risks, a second-tier, more specific risk assessment is performed, leveraging subject matter experts to pinpoint where these risks may materialise.
Build the inevitability of disruption into planning
Disruptions are significant, quickly developing, and potentially unplanned or unanticipated events that create risk and potential opportunity, demanding the attention and resources of the business. Disruptions are no longer episodic; in fact, they are constant, ranging from disruptive innovation that creates a new market, to economic volatility, regulatory changes or even a catastrophic event. This fast-changing, unpredictable environment necessitates that businesses anticipate and react to all kinds of change to survive and thrive.
It’s impossible to identify all potential business disruptions, but one can be fairly certain that at least some will occur during the course of each year. In our 2017 State of the Internal Audit profession study, half of the functions described as agile have increased or shifted internal audit budget to enable greater participation in areas of business disruption, compared to just 27% of less agile functions.
Agile internal audit functions look ahead for potential disruptions and prepare accordingly. They are enabled by a planning process that is forward-looking in identifying emerging disruptions and associated business needs and create flexibility in their planning and resource allocation so they can address disruptive events when they happen. In anticipation of business changes and disruption, the risk assessment is also refreshed at regular intervals to keep the audit plan focused on the most critical and value added areas.
‘Our success is not measured on whether we complete our audit plan. It’s important to have the ability to be nimble and have the freedom to say “This is more important than the audit plan”.’
Chief Audit Executive, interviewed for 2017 State of the Internal Audit profession study
Meaningful collaboration with other lines of defence
Coordination across the lines of defence has been discussed for some time and most internal audit functions are working towards that. But, there is a difference between coordination and true collaboration. Internal audit functions that are well-linked work cross-functionally with the other lines of defence in a unified and integrated manner to address both strategic and operational risks in the face of disruption. No one team can address the volume and pace of these factors alone. Their collaboration goes well beyond sharing what is in each function’s plan and what findings each team is discovering.
Collaborative lines of defence have a clearly defined corporate risk appetite, leverage a common risk assessment approach, have a common risk language across the business and a framework for clear risk aggregation and communication. As a result, their organisations derive significant value from the combined effort of the lines of defence.
Leverage data analytics
Increased focus on risk, compliance and transparency has required internal audit to develop a deeper understanding of the organisation. They must evaluate a wealth of information to identify patterns, trends, anomalous behaviour, and ultimately find ways to enhance the internal audit value proposition for stakeholders. It has become common practice to leverage data analytics during the fieldwork stage of the audit, but by embedding independent and meaningful data analytics into the planning cycle, internal audit can not only ensure that the right areas are audited, but enhance coverage, efficiency and effectiveness of the plan. Key areas to consider when leveraging data during planning include:
- What sources of data analytics and business intelligence already exist? – this could include internal risk reporting and MI or third party benchmarks and data sources.
- What groups within the organisation could internal audit partner with to capture and evaluate this data?
- What historical trends do the data show that provide insight into business risks? – ie compliance failure across the group or performance variances within specific locations or operating segments.
In conclusion, our research has found that incremental changes being made by internal audit leaders are not being implemented quickly enough to keep pace with business change. There is a very real risk that if disruptions are taking internal audit off course – or internal audit is failing to address disruption related risks – the function will likely fall behind as the business charges ahead.
In an environment of increasing stakeholder expectations, it is imperative that internal audit is prepared to adapt, and truly embedding this agility within the function starts with enhancing the planning cycle.
Susan King, PwC Internal Audit
What’s on your mind?
Members share their thoughts, concerns and suggestions with ACCA.
From March to May this year, ACCA UK’s Sector Specific Member Networks team ran a total of 24 focus groups across the country attended by nearly 200 members in 13 locations.
Four of these focus groups were specifically for ACCA members working in internal audit and were held in Birmingham, Manchester and two in London. Areas of discussion included big data, recruiting suitable talent, the blurring of lines between risk management and internal audit, auditing culture, and ethics.
Feedback from members in public practice, the corporate sector, financial services and internal audit was gathered through these focus groups and analysed to provide a clear picture on their thoughts and concerns. A webinar was held on 11 July co-presented by John Williams, Head of ACCA UK, and Kevin Reed, former editor of Accountancy Age and now a freelance journalist. The webinar covered the highlights of the feedback garnered and a discussion of the role that ACCA should play.
A follow up webinar will be held on 13 October when John and Kevin will discuss what ACCA can and will do in response to this feedback from members. You can register for that webinar as well as the on demand version of the first webinar.
ACCA survey on ethical pressure
Take our short survey now.
ACCA UK’s annual Internal Audit Conference took place in May. This year’s conference theme was Internal Audit and the Ethical Compass and there are three articles within this e-bulletin that report on the sessions.
In preparation for the conference, ACCA conducted a confidential survey on ethical pressure and where it presents in the internal audit process. The survey results were used to help set the context of the conference sessions but due to interest, we have re-opened the survey for any ACCA member working in internal audit who would like to complete it. The results will form the basis of an article in the next issue of this e-bulletin.
The survey will remain open until 11 August and will only take 10 minutes to complete. ACCA would be grateful if you complete the survey before the closing date so that the results and conclusions can be as relevant as possible for the article.
If you have already completed the survey then please accept our thanks for doing so, and could you please forward the link to any ACCA members you know of who also work in internal audit.
Webinars: De-mystifying IT audit for business auditors
Sign up now for any of seven webinars on de-mystifying IT audit for business auditors.
De-mystifying IT audit for business auditors – stop being afraid of the black box.
ACCA UK's Internal Audit Network is running a series of seven webinars on de-mystifying IT audit for business auditors. The series features two main presenters – Vincent Mulligan FCCA (IT Audit Consultant at Eisteoir Consulting Ltd) and Mike Hughes CISA, SGEIT, CRISC (Partner at Haines Watts) – as well as additional specialist guest presenters during the series.
Introductory session (available on demand)
As accountants and auditors, we recognise the importance of information technology (IT) for organisations and that the examination of the management controls over IT and the management of information are an essential part of a review of those organisations. In this introductory session, we will consider some of the ways we organise ourselves and the approaches we adopt to conduct these reviews.
IT General Controls (available on demand)
ITGC or General Computer Controls (GCC) relate to the environment that supports our IT applications and that are therefore applicable to all applications. In this session, we will consider the nature of these ITGC, the challenges we face reviewing them and the approaches we can use to audit them.
Application audit review (available on demand)
Application controls are controls that we have implemented over our application systems to ensure they operate as intended and ensure the accuracy and completeness of the data, calculations and records. In this session, we will consider the types of these controls and the approaches we can use to audit them.
17 August – 12.30-13.30
Infrastructure audit review
IT infrastructure consists of the hardware, software, network resources and IT management services that we leverage to deliver the IT environment that supports our organisations. As the complexity of our IT environment increases and our dependence on IT grows, providing assurance on the effectiveness of the controls over these assets and services is critical to management and other key stakeholders. In this session, we will consider how we can effectively review IT Infrastructure and the organisations and processes we have put in place to manage it.
5 September 12.30-13.30
Integrating IT audit into the business audit
We use our information technology to support our business processes therefore it is logical that we consider the key controls we have implemented to manage the financial, operational, organisational, IT and other key risks that impact on that business process or function. Integrated reviews which leverage the skills and experience of multi-discipline teams allow us to provide assurance across these key risks. In this session, we will consider how we can effectively organise and implement integrated audits.
10 October 12.30-13.30
How to audit cyber security
As our organisations take advantage of the opportunities of the internet and digital technologies and implement ever-greater connectivity with our customers, vendors and other stakeholders our exposure to a wide range of cyber threats grows. As the expectations of our key stakeholders including our boards, management and regulators for assurance over the effectiveness of the controls managing these risks grow we will consider how we can deliver cyber security audits.
16 November – 12.30-13.30
General Data Privacy Regulations
The EU General Data Privacy Regulations (GDPR) were adopted on 27 April 2016 and will become effective on 25 May 2018 after a two-year transition period. This will replace the current 1995 directive and will affect all organisations that process EU citizens' data. As the deadline for compliance approaches we will consider how you can understand the impact of this regulation on your organisation and assess your organisation’s compliance readiness.
Register your place on any of these webinars now
ACCA’s culture governance tool
How to nurture a positive company culture.
How can you nurture a company culture that promotes behaviours consistent with organisational objectives?
Corporate culture encourages behaviours that support or impede the achievement of organisational objectives. The challenge is to understand how to nurture a culture that promotes behaviours consistent with organisational objectives. The ACCA culture governance tool seeks to support organisations with their culture goals.
ACCA developed this tool on the basis of research conducted since 2012 under a global initiative called Culture and channelling corporate behaviour. ACCA held a series of roundtables in London, New York, Dubai and Bengaluru alongside a survey of ACCA’s global membership, which drew close to 2,000 responses.
Subsequent research inspired by the findings – called Effective speak-up arrangements for whistle-blowers – also informed the development of the tool.
The ACCA culture governance tool helps organisations review culture and determine the course of change.
There was an overarching agreement that corporate culture is decisive in determining whether an organisation will do the right thing. Furthermore, culture is often driven from the top – corporate leadership has the responsibility for ensuring that an organisation lives and breathes its organisational values.
The research findings also highlight the importance of interaction within the organisation. Everyone, including senior leadership, experiences peer pressure, formal and informal norms and mirroring of behaviour. The tool captures both aspects of culture.
Using the tool
This tool helps you design your own organisation’s culture change, based on what you set out to do. It can help you to understand alignment between organisational objectives and corporate culture and:
- identify where significant inconsistencies exist between culture and organisational goals and plan actions
- help you to review periodically the alignment between culture and organisational goals to promote behaviours that support organisational goals.
Furthermore, the tool can be used when organisations are going through rapid changes such as fast growth, ownership and capital structure change, or developing a succession plan. It can give a structure for narratives on culture when communicating internally and externally or speaking with interested stakeholders such as investors.
Download the tool now
Internal audit hub
A resource for members working in internal audit.
A resource for members working in internal audit.
ACCA has dedicated part of its website to ACCA members working in internal audit, providing resources for those wishing to learn about internal audit, improve their technique, undertake CPD, and which can help with internal audit trainees.
It contains a section called ‘Guides to Internal Audit’ and its aim is to supplement the International Standards for the Professional Practice of Internal Auditing with articles and guides that are easy to read and outline what internal auditing is like in practice and the pitfalls that often occur. This resource – which is broken down further into sections for beginners, the management team, and the audit committee - can help you learn about internal audit or improve your technique, provide you with CPD, or assist in the training of a staff member on internal audit.
The internal audit hub also has links to free webinars suitable for internal auditors.