Technical and Insight
HR Auditing

CPD article: John Chesshire examines how Internal Audit is uniquely placed to identify how HR helps make 'tone at the top' a reality.

Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.


One of the most important functions in any organisation will be Human Resources (HR, formerly known as Personnel). Even if the majority of an organisation’s operations are automated, people are essential to deciding why, how and when to automate what. Making sure the right people are in the right roles helps the organisation achieve its objectives, and it can’t do so without HR.


We often associate HR with ‘JML’ – the policies and processes that govern staff joining, moving within, and leaving the organisation. Within those three categories are numerous other sub-categories: workforce planning, recruitment, hiring and induction; personal development, well-being, performance management, promotion; resignation, retirement, redundancy, industrial relations, dismissal, or death in service.


In addition, there is a range of much more sensitive matters that HR must help management address. These include misconduct, grievances and formal complaints of bullying, discrimination, or harassment, as well as allegations of criminal wrongdoing.


It makes sense that if an HR function manages these delicate situations well, it will reduce the financial, reputational and legal risk an organisation faces. Ultimately, however, HR reflects the culture set by the Board – if the Board is indifferent to staff wellbeing and behaviour, then HR will have difficulty persuading senior managers to recruit, retain and promote people with positive values and ethical standards.


Internal auditors must approach any engagement with a thorough understanding of the organisation’s objectives and culture. The ‘tone at the top’, set by the Board, should tell everyone inside and outside the organisation what the culture is – ‘the way we do things around here.’ And this is absolutely within Internal Audit’s remit, as the Chartered Institute of Internal Auditors Code of Practice for Internal Audit makes clear.


Even if the ‘tone at the top’ champions integrity, transparency, and the like, this doesn’t mean it will prevail. The Board may say one thing officially, for the regulators and media, but internally support or ignore poor behaviour. Even if the Board is sincere in its statements, not all regions or departments may comply. Again, Internal Audit must play a key role in observing and reporting this.


An HR audit is an excellent opportunity to see how the function not only communicates, but also behaves in accordance with the organisation’s values. Internal Audit will therefore review not only controls such as policies and processes, but also behaviour, communications, and staff survey results. After all, the documented control may tell one story – people’s everyday actions, another.


Any disconnect between the two will come into sharp relief during conflict. Entrenched disagreements, allegations of misconduct, instances of mistreatment – all these very human situations show whether an organisation’s professed beliefs mean anything in practice.


Whistleblowing, or ‘raising concerns’, procedures are a tool many organisations use, ideally in accordance with the UK Public Interest Disclosure Act 1998 (PIDA) and the UK Corporate Governance Code (2018). Although many senior managers may feel nervous about an anonymous ‘tip line’, it is essential for staff to have a channel through which they can safely report serious concerns – anything from bullying to fraud, or other criminal activity. Moreover, it’s in the organisation’s interest to encourage speaking out, whether openly or via a whistleblowing channel. If something is badly wrong, then staff need to be able to tell managers about it; if managers can’t or won’t listen, staff need a mechanism to alert those who will. Not having speaking-out mechanisms presents serious risks for an organisation – it will miss out on the benefits and opportunities of such ‘early warning systems’. Worse, a lack of confidential channels implies a culture of defensiveness and lack of trust. Few organisations can thrive in such circumstances.


It is for Internal Audit to understand what the procedures are and how confidently staff use them. In some cases, Internal Audit may have a role in the procedures – its independence and objectivity make it an obvious choice. However, depending on the role Internal Audit plays, it may then have to step back from any associated assurance engagements. Once Internal Audit either initially assesses (triages) allegations, or investigates them, it cannot provide independent assurance over the organisation’s whistleblowing framework.


If Internal Audit does stand apart from this control, it can conduct assurance or consultancy engagements. In either case, HR is likely to play a role in the whistleblowing framework, either through helping to establish it, carry out certain tasks within it, or simply communicating to staff its purpose and workings. If Internal Audit observes that HR’s role in whistleblowing doesn’t support objectivity, anonymity, and thoroughness in addressing staff allegations, that is worth pursuing. Is this because HR doesn’t understand the value and purpose of whistleblowing? Does it not understand the controls needed to maintain staff confidence in the mechanism? Or is it because the ‘tone at the top’ proudly broadcasts the existence of a whistleblowing process, yet doesn’t truly support it? These are all questions internal auditors can and must seek to answer.


Of course, staff complaints and grievances do not always come through whistleblowing channels. HR has a major role to play in helping managers respond to problems as varied as dysfunction within teams to poor individual performance. If the problem is managers themselves, then HR must have processes in place to manage the matter fairly, striking the right balance between openness and discretion.


All too often, HR will find itself helping managers to ‘manage out’ individuals or even entire teams. Internal Audit needs to be sure that HR is not applying the same approach in all instances.


A poorly performing member of staff should not simply be shunted off to another luckless team, for another manager to suffer. Nor is the solution sacking the individual on spurious grounds.


Organisations may be automating operations and therefore needing fewer staff – is HR helping senior management ‘restructure’ properly? Many HR functions have key skills that can assist in organisational design and development. Or is HR simply doing management’s bidding, processing the paperwork to make people redundant without proper analysis or, where required, consultation? Internal Audit should be alert to situations where redundancy is a fig-leaf for removing poor performers – or whistleblowers.


Sometimes ‘managing out’ is senior management’s preferred option to deal with a difficult member of staff. HR will be called upon to help with the process and must ensure that it is as fair and transparent as possible. If the member of staff is suspected or even known to be a whistleblower, then HR should encourage managers to use great caution. Even if the reason for the member of staff’s departure is completely unrelated to their whistleblowing, most people will assume the person is being punished for speaking out. This can of course lead to serious reputational and possibly financial and legal risks, if the former member of staff goes public.

To manage this risk, many organisations have started using non-disclosure agreements (NDAs) more frequently. This has long been standard practice in companies specialising in technical research and development, where an NDA could prevent a former employee from sharing precious intellectual property with a rival. However, recent cases have shown organisations using NDAs to ‘gag’ former employees who have endured criminal abuse. An audit of HR practices when ‘managing out’ staff should look carefully at when, how and why NDAs are used. Are they genuinely to protect the organisation’s investment in proprietary data? Or are they an abuse of power, designed to protect senior staff members who have engaged in unethical or criminal activity?


If so, what and who is the organisation protecting, and why? And how does this fit with the ‘tone at the top’?


How an organisation responds to credible accusations of harassment, discrimination, assault, and other crimes tells its staff – and the world – what its values are. Does it investigate, discipline and, if necessary, report the culpable party to law enforcement? Does it do this – but only at less senior levels? Or does it sweep everything under the carpet, ‘managing out’ the complaining employee, insisting on an NDA?


If the organisation believes it is protecting its reputation, its brand and ultimately its income through the last two approaches, Internal Audit can identify the problem and warn senior managers of the risks. They may think the approach is sustainable, but Internal Audit should point to the serious and prolonged damage it can cause. Employees know when senior managers protect themselves, not staff. Likely effects include high turnover, absenteeism, cynicism, poor productivity, possibly fraud – and of course management time wasted on repeated complaints about the same people causing the same problems. HR will be involved in or aware of all these consequences.


Ultimately, it’s up to you as internal auditors – which approach do you think best helps an organisation achieve its objectives? Assuming your organisation has a meaningful policy on ethics, and robustly stands behind controls such as a code of conduct, then Internal Audit is uniquely placed to identify how HR helps make ‘tone at the top’ a reality.



John Chesshire, CFIIA


John Chesshire is the part-time Chief Assurance Officer for the States of Guernsey, leading its internal audit, risk management and wider assurance communities. He is also the Independent Internal Audit Committee Chair at the London Borough of Hillingdon and runs his own internal audit training company, JC Audit Ltd. His recent clients include FTSE listed companies, multinationals, central and local government, law enforcement, professional services firms, CIPFA, NATO, the OECD and the Chartered Institute of Internal Auditors, IIA Hellenic, IIA Latvia and IIA Lithuania. He particularly enjoys leading audit engagements and delivering training on auditing HR and people risk!




Effective communications - the report and the reporting process

In the final of a series of three articles on how internal auditors can better communicate with NEDs, Sara I James looks at how a clear, concise and compelling report helps NEDs understand our findings and prompts senior managers to act.





This year, we have focussed on how internal auditors (IAs) can better communicate with non-executive directors (NEDs). Whether NEDs sit on the Audit Committee or the Board, understanding and influencing them is essential to improving an organisation’s overall risk and control framework.


In the first article, we discussed the unique position NEDs hold; in the second, accountability. A common theme, though, is IAs’ unique ability to provide NEDs with objective information and insight, crucial for NEDs to fulfil their roles.


This last article addresses what many may have expected to come first: reports and the reporting process. After all, traditionally IAs convey plans, progress and findings to NEDs (and others) through reports, not informal discussions, although much has changed recently.


In this piece, we will touch on some of the basics of report-writing – it’s easy for everyone to fall into bad habits, especially under pressure. But we will also cover how a clear, concise, compelling report helps NEDs understand our findings and prompts senior managers to act.




In a 2016 ACCA IA eBulletin article, ‘Writing the right report’, we established that all reporting must be clear, concise and useful. This seems obvious enough, until we realise what it demands of us.


Clear means no vagueness, euphemism or jargon. This requires writers to understand what they have done, how and why. Concise means only what is needed. Many of the NEDs you work with – and other readers – will receive monthly and quarterly reports running into hundreds of pages. If you want to contribute to making your organisation better run, better informed and more successful, cut the verbiage.

Concise writing is part of clear writing – each needs the other. Both lead, happily, to useful, which means relevant. Make clear how your findings and recommendations link to the organisation’s objectives. Just because something happened doesn’t mean it earns space on the page.


Achieving this is hard. We all want to reassure readers we’ve been thorough and attentive. However, consider them and their needs – not our egos. Our readers, whether clients, NEDs or regulators, need to understand promptly what is wrong and how to fix it.


Some teams may want to replace the final report with an exit meeting using slides. While this can be an excellent mechanism to communicate engagement results and take questions, it is unlikely to be the final record of an engagement.


Other IAs have recently wondered if ‘agile’ auditing precludes issuing a final report. Why not simply issue a series of individual findings and recommendations, as and when they arise, they ask. While this suggestion proceeds from a correct observation – too many teams spend too long drafting unwieldy reports – it is risky.


If, for example, an IA team communicates only findings in isolation, how will it detect and articulate underlying problems and overarching themes? The process of fieldwork and drafting findings, performed correctly, should lead IAs to examine root cause, and to identify and articulate broader, underlying issues.


Isolating findings from each other makes this difficult. The result is likely to be repeat findings, as recommendations will have been limited and superficial. This does not add value. Recording these findings and any common themes in a clear, concise, useful report does!




As of this year, the EU requires annual financial reports to be filed digitally, but far more than that has moved online this year. The move to more interactive, digital engagement means that many teams have had to streamline both reports and the reporting process. While everyone is keen for the current crisis to abate, not everyone is keen to return to previous practice.


How can we take what we have developed this year and improve it further? If you have been using virtual meetings to discuss and agree engagement results and recommendations, why not keep doing so? If the resulting reports have been shorter and more to the point, why return to previous, less effective habits?


If this year has forced your team to improve processes, your report structure can benefit. Does the template you currently use force colleagues to include irrelevant information? Does it repeat itself, or hide the most important message halfway through the document? If so, change it. After all, if you make readers flick or scroll through too much content to get to what they need, you are not communicating effectively.


The simple approach would be to start with the executive summary. This is crucial, not only for NEDs and their colleagues, but for anyone who wants to grasp immediately your high-level conclusions.


After the executive summary come findings, resolutions and deadlines. List the findings in order of their importance, so that those with the greatest risk for the organisation come first. Even if you prioritise in this way, remember – findings alone cannot convey the broader underlying problems. The executive summary does that.


Consider too whether you need to draw attention to specific ratings. Many teams put a summary of findings and high/medium/low ratings (often colour-coded) towards the front of the report. Given that this is primarily a matter for IAs and the audit committee to agree, does highlighting it in this way distract other readers, or put them on the defensive? Does it lead to horse-trading between IAs and senior managers, a war of attrition that often downgrades ratings with little justification other than the desire for a quiet life?


If so, you are incorporating unnecessary conflict into your reports, with the high risk of withholding the true picture from senior decision-makers, including NEDs. Every ‘downward’ negotiation of a finding means that we are not adequately identifying significant matters to the executive. This in turn prevents NEDs from holding executive management to account effectively.




Most IAs put great effort into their work, only to be disheartened by colleagues who don’t review constructively. If most people spend too long writing reports – or more importantly, write too-long reports – then most people also spend too long reviewing, without doing it very well.


If writers write less, but better, then reviewers can play their parts more effectively. If the report contains fewer, but more precise words, reviewers will spend less time slogging through pages of verbiage, unsure of the meaning.


We can also hope that shorter, sharper reports will prompt reviewers to display similar levels of discipline. Some believe they alone understand grammar – not true. Others are frustrated novelists, and love nothing more than wordsmithing other people’s perfectly acceptable drafts. Yet others, terrified of resistance from readers, will agonise over every word – delaying the report while failing to improve it. This isn’t simply a waste of time; it actively damages IA morale and effectiveness.


The result is the same outside the IA function. If writers and reviewers spend too long on the wrong tasks, producing lengthy but woolly reports, what value do readers get? How can anyone tasked with making improvements understand what they are to do? And how can senior decision-makers such as NEDs grasp what the underlying problems are they need to take action on?




Although this year has seen many IAs forced to change their working practices, this has been an opportunity to streamline reporting practice. In content, structure and review, think first of your readers and the action they should take. In doing so, you will give NEDs an excellent resource, enabling them to challenge and encourage senior management.



Sara I. James, PhD, CIA, is the owner of Getting Words to Work and a member of the Chartered Institute of Internal Auditors.



Why climate change should matter to internal auditors

In a recent IIA survey, only 14% of European CAEs cited environmental and climate change as one their top five risks to their organisation. Sonia Shah explains why it should be higher up the agenda.



ACCA member Sonia Shah of Grant Thornton has written a series of insights articles that highlight the importance of climate risk. The financial sector is already starting to regulate in this area and it's important that internal auditors recognise this risk:


Where to start with climate risk scenario planning

Stress testing can help firms identify and mitigate risks, but climate risk is an emerging area of research and it can be difficult to know where to start. Read about scenario planning in this article.


Creating a governance framework for climate risk

Good governance starts with the board. Climate risk management is an emerging field, and it's important to keep the board informed on new developments, with the right information and tools to make informed decisions. Read the rest of the article here.


Meeting the PRA's expectations on climate risk

Climate risk is an emerging field, with industry-wide working groups and guidelines gradually moving towards regulation. Last year the Prudential Regulation Authority (PRA) released Supervisory Statement 3/19 (SS3/19), which introduced new requirements for governance, risk management, scenario analysis and disclosure. Further, the PRA recently issued a Dear CEO letter, announcing the end of 2021 as the deadline to embed an approach to managing climate related financial risk. This is the first regulation on climate risk in the financial sector, but as the sector matures more regulators and central banks will follow suit. Read the rest of the article here.


How to manage financial risks due to climate change

Climate risk is an emerging area of research, and finding the right approach to manage that risk will take time. This article looks at the two approaches that firms can take when addressing climate change risk.


Sonia Shah - Grant Thornton Financial Services Group




Managing IT risk - learning as we go

Enabling staff to work remotely during the pandemic has meant that managing IT risk has become a particular challenge as Steve Connor explains.



As we all adjust to working remotely, this new norm has driven larger companies to change their working practices, almost overnight. Working practices that are supported by established policies and procedures are having to be completely re-evaluated.


Whenever a transformation programme is initiated, it generally finds its place near the top of an organisation’s risk register and is nearly always considered a security risk. A technology-driven transformation programme is usually carefully planned, with landmark dates and, under GDPR (Article 25), data protection by design and by default at its core, so that both the security of and access to data are maintained. Covid-19, however, has not afforded us the time to carefully plan, develop, test and roll out.


In addition to the speed of the transformation it is also a very public one; attackers are aware of the situation and exploiting it.


The first thought for management has generally been how to continue when, for many, the office is out of bounds. The answer for many was video conferencing. Use of Microsoft Teams and Zoom expanded exponentially, with both developing their platforms on the hoof, and Zoom in particular initially found it difficult to keep up with demand. Zoom reported approximately 10 million daily meeting participants at the end of December last year; in March this year the figure passed 200 million, and by April it exceeded 300 million.


This increase has been driven largely by the corporate sector, and it pushed Zoom, a product designed around ease of use and accessibility, into enterprise-scale adoption for which its security was found wanting.


Many of us will have read of Zoom’s issues in the press, where it was heavily criticised for its security (or lack of it). It came under fire for what has been termed ‘Zoombombing’: with nothing more than a meeting ID, anyone could join a call that had no passcode or waiting room, share their screen and broadcast whatever they liked. There were also concerns about data sharing (the iOS app had been sending device analytics to Facebook through a third-party SDK, which Zoom removed in March). Ex-NSA (National Security Agency) hacker Patrick Wardle also disclosed two flaws in the macOS client, including one that let malware already on the machine inherit Zoom’s permissions and silently use the webcam and microphone.


However, with its Zoom 5.0 update (released at the end of April and mandatory for all clients from 30 May) many of the known issues were addressed, with security features rolled out including AES 256-bit GCM encryption, the ability to report a user, and stronger default meeting passcodes.

After considering how to communicate with employees and customers, attention turned to how to maintain some sort of continuity of service; the afterthought which generally followed a few days or even weeks later was “do these changes to working practices impact on our security?”


The office IT environment is capable of high levels of control and monitoring. Even where there is a mix of in-house and hosted solutions, the IT function is dealing with manageable and generally known issues.


Policies and tools allow an organisation to manage cyber risk: filters on its firewalls, controlled access to routers and switches, security patches kept up to date, email spam filters, and tools to restrict and monitor access to the web. The increasing use of mobile device management (MDM) tools also means IT can monitor and maintain security on managed mobile devices.


Remote working makes these tasks more complex and difficult to deliver. Many organisations, across all sectors have struggled to source equipment and this has resulted in people using their own laptops and desktops.


Anyone who has been shopping for IT kit over the past few months, especially laptops, webcams and headsets, will have noticed that stock shortages are common and lead times are extending.


Communications from the home environment necessitate using domestic routers, switches and WiFi. These may or may not be secure and are outside the control of the IT department. Some staff may even have to use unsecured public WiFi networks, which are prime spots for malicious parties to intercept traffic and collect confidential information.


Access via VPN can add some security, but many smaller companies will not have the necessary expertise on tap to securely manage the remote devices. For many in IT this represents a ‘loss of control’ that could impact on systems and data security.


Without the ability to monitor and manage the IT estate, the onus falls on individual employees to show greater vigilance and, dare I say it at this point in time, to adhere to the rules, where those rules have been reviewed and updated to accommodate the new remote working practices.


Figures such as a 600% increase in phishing attacks since the start of the pandemic have been widely reported, and these are the sort of headlines that keep IT professionals awake at night.


The ICO have issued general guidance, the caveat being an assumption that the organisation will have “adapted their approach to ensure that data is adequately protected.”

  1. Avoid the temptation to do things in a way you think is more convenient, such as sending emails through your personal account or using the video conferencing app that you use with friends for work calls.
  2. Only use approved technology for handling personal data
  3. Consider confidentiality when holding conversations or using a screen
  4. Take care with print outs – store them securely, as it is unlikely you will have access to confidential waste bins
  5. If you have to work using your own device and software, keep your organisation’s data separate to avoid accidentally keeping hold of data for longer than is necessary.
  6. To avoid loss or theft of personal data, put print outs and devices away at the end of the working day if possible
  7. Be extra vigilant about opening web links and attachments in emails or other messages
  8. Use strong passwords
  9. Communicate securely - use the communication facilities provided to you by your organisation where available. If not, password protect documents and share the password by a different channel, i.e. by text message.
  10. Keep software up to date.

There is more information on the ICO website.
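Point 7 of the ICO guidance above asks staff to be vigilant about web links in email, but does not say what to look for. The following is an added example, not code from the article or from the ICO, that extracts every link from an HTML email body and reports the signals that most often mark a phishing link: a display text whose domain differs from the real destination, an ‘@’ in the URL (everything before it is ignored by the browser), a bare IP address instead of a domain, a punycode (‘xn--’) label that may be a look-alike domain, and plain http. The email body, domain names and IP address are constructed for illustration and are reserved example values, not real senders.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample e-mail body (not a real message). All domains are
# reserved example names; 203.0.113.10 is a documentation-only address.
SAMPLE_EMAIL_HTML = """
<p>Your parcel could not be delivered. Confirm your address at
<a href="http://203.0.113.10/track">https://www.example-parcels.com/track</a></p>
<p>Or sign in to <a href="https://www.example.com@login.example.net/">www.example.com</a></p>
<p>Invoice: <a href="https://xn--exmple-cua.com/invoice.pdf">example.com</a></p>
<p>Help centre: <a href="https://support.example.com/help">support.example.com</a></p>
"""

# Anchor text that itself looks like a URL or a bare domain name.
HOSTLIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside <a>...</a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Lower-cased hostname of a URL, or of bare text such as 'www.example.com'."""
    if "://" not in url_or_domain:
        url_or_domain = "https://" + url_or_domain
    return (urlsplit(url_or_domain).hostname or "").lower()


def suspicious_signals(href: str, text: str) -> List[str]:
    """Return the reasons a link deserves a second look (empty list = none found)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # urlsplit drops any userinfo before '@'
    signals: List[str] = []
    if parts.scheme != "https":
        signals.append(f"non-https scheme '{parts.scheme}'")
    if "@" in parts.netloc:
        signals.append(f"'@' in authority: real destination is '{host}'")
    try:
        ipaddress.ip_address(host)
        signals.append("IP-literal host instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode (IDN) label; possible homograph of a familiar domain")
    if HOSTLIKE.match(text):
        shown = host_of(text)
        if shown != host:
            signals.append(f"link text shows '{shown}' but href goes to '{host}'")
    return signals


def scan_email(html: str) -> List[Tuple[str, str, List[str]]]:
    """(href, anchor text, signals) for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, suspicious_signals(href, text)) for href, text in parser.links]


def flagged_hrefs(html: str) -> List[str]:
    """Just the hrefs that raised at least one signal."""
    return [href for href, _, signals in scan_email(html) if signals]


if __name__ == "__main__":
    for href, text, signals in scan_email(SAMPLE_EMAIL_HTML):
        verdict = "; ".join(signals) if signals else "no signals"
        print(f"{text!r} -> {href}\n    {verdict}")
```

The check is deliberately conservative: the text-versus-href comparison only fires when the visible text looks like a domain or URL, so a link labelled ‘Click here’ raises nothing on that rule, and a clean link such as the help-centre one in the sample returns an empty list. In the sample, the first three links are flagged and the fourth is not.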


By far the majority of security incidents and data breaches still require some assistance from us. Some companies invest heavily in cyber awareness training but still fall victim to breaches facilitated by the actions of an employee. It has long been held in some quarters that if we can link corporate objectives to personal objectives, we will see greater engagement and fewer cyber incidents in the workplace.


COVID 19 has presented an opportunity to create such a link. By helping employees bring greater levels of cyber security awareness to remote working we are also helping employees protect their home environments and their own data in addition to the employer’s data.


If safeguarding corporate data assets can be linked to an employee’s desire to protect their own personal data, could that make instilling good cyber security practice an easier sell?


Five tips courtesy of the SANS Institute


1. Be Alert to Scammers. 

Cyber criminals have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. This happened to me while I was writing this article. A very polite gentleman called and said he was from Openreach, informing me that my internet connection was running at a much-reduced speed and that, to help identify the fault, they needed to access my computer. My internet speed was fine, and I simply hung up. Another ploy is an email claiming that your package cannot be delivered unless you confirm your mailing address by clicking on a link, which ultimately allows them to hack into your computer.


2. Secure your home’s wireless network. 

To secure your wireless network, do the following:

  • Change the default administrator password. An attacker can easily discover the default password that the manufacturer has provided. 
  • Only let people you trust connect to your network. Require a password for anyone to connect to your wireless network (WPA2 or, where the router supports it, WPA3); this also encrypts their traffic over the air once they are connected. If you have workmen in your home, as we did, they may ask to connect to your WiFi if the phone signal is weak. Genuine as the request may be, don’t take a risk: enable the guest network if one is available, or politely refuse.
  • Make passwords strong. The passwords people use to connect to your wireless network must be strong and different from the administrator password.


3. Employ Multi Factor Authentication if available.  

Two-step verification is probably the most important step you can take to protect your online accounts. If your organisation has an Office 365 subscription, then it is worth visiting the Microsoft site for guidance on how to implement. 


4. Ensure your devices, programs and apps are running the latest version of software. 

Cyber attackers are constantly looking for new software vulnerabilities, and when they discover them, they use special programs to exploit them and hack into the devices you are using. By making sure to install the latest software updates promptly, you make it much harder for someone to hack you.


5. Don’t let anyone else use your work devices. 

Something you most likely don’t have to worry about at the office is children, guests or other family members interrupting your work or using your work laptop or other devices. Make sure your family and friends understand they cannot use your work devices as they can accidentally erase or modify information or, perhaps even worse, accidentally infect the device with a virus.


The above tips were taken from the SANS Institute.



Steven Connors - Director, HWCA


If you enjoyed this article but were unable to rate it, please subscribe to receive the next ebulletin directly and then you’ll be able to rate articles.


Geographic risk - knowing where to go

Tas Zaki and Harry Henson of Protiviti discuss the importance of measuring geographic risk.



Globalisation has meant that businesses now increasingly open their doors to new locations, often setting themselves up in countries with sharply contrasting business and legal practices. While this expansion is fantastic for business growth, it also brings with it its own type of risk that the business may be exposed to in a country. From levels of perceived corruption to the likelihood of natural disasters, the risks are as varied as the variables to measure them are numerous. The risk that stems from a business’s presence in a particular country or jurisdiction is commonly referred to as geographic or country risk.


As some global organisations have found out the hard way, it is no longer possible for a business’s subsidiary in London to isolate itself from the business’s operations in Mexico. It is therefore important to understand the geographic risk that stems from a particular location and to have that risk documented and applied across the business’s global operations in a consistent manner.


Additionally, the nature of geographic risk will also vary depending on the industry and sector type. For example, a global payment service provider’s greatest risk in Country X may be the risk of money laundering. However, for a hospitality chain the most concerning risk factors for that same Country X may be direct exposure to the risk of human trafficking. Therefore, careful consideration must be given to the risk posed to each business according to its industry and sector type.


The most common technique to understand geographic risk is through a risk index that can allocate comparative scores to countries across the world. While off the shelf indices are available, increasingly businesses have looked to create their own bespoke geographic risk index.


In this article, we focus on some of the factors that businesses will need to consider when creating such a geographic risk index.


Making Your Own Composite Geographic Risk Index


The starting point is to identify the nature of risk your business faces and whether there are any unique risk criteria that need to be measured. Having a clear risk appetite statement or risk tolerance level endorsed by senior executives is also important.


In our experience, businesses within the financial services sector will often have sets of risk criteria defined by regulation that will form the core of their approach to measuring geographic risk. Some of these risk criteria in the financial services are factors such as money laundering, high levels of corruption within local government, presence of international sanctions, offshore financing and tax efficiency, high levels of secrecy and lack of transparency. However, businesses outside of the financial services sector may have to think of other factors such as high levels of narcotic and human trafficking, poor public administration and governance, high incidences of natural disasters, poor access to health and medical provisions among others, so that these are aligned to their business operation and reflect the unique risks within the industry or sector.


Secondly, identify your business’s ‘non-negotiables’. These are essentially strategic boundary conditions often derived from regulatory expectations and political tensions between countries. For example, businesses that trade in dual-use goods and technology will have to comply with international sanctions regulations in relation to dual-use goods, which either comprehensively prohibit or partially restrict trading activity with sanctioned jurisdictions. Violations of international sanctions can invite severe regulatory censure, media scrutiny and reputational damage. As a result, businesses are expected to have certain auto-prohibit or auto-restrict criteria applied to certain territories. In the language of a risk index they are your overrides. Any presence in these territories should automatically override the risk scoring to prohibited or restricted.


The next step is to identify all publicly available sources of information that can be utilised to measure these risks. There are several “off the shelf” risk indexes such as the Basel AML index, that can be used for this purpose. Additionally, international NGOs, foundations and research organisations also produce unbiased and objective data in relation to most countries across the world, examples of these would be country scores published by the United Nations (UN), the European Union (EU), the Financial Action Task Force (FATF), the Heritage Foundation and Transparency International (TI) etc.  


While “off the shelf” indices allow easy cross comparison from one country to another, they are not bespoke to the needs of specific business operations or industry type. A more refined approach might require creating a tailored table of relevant geographic risk factors drawn from multiple sources. There is a plethora of independent, public source information that can be utilised for this purpose. In very high-risk industries, it is also not unheard of for businesses to utilise private intelligence firms to inform their geographic risk assessments.


Finally, businesses must also think about whether a single approach will be uniformly sufficient for all of its business operations or whether the variety of products and services being offered under a single business brand may require the adoption of multiple, differing approaches for each underlying business activity.


Getting A Bit Technical


Once the data sources for the purposes of creating a bespoke index have been identified, the development of the index needs to be carefully thought through. So, let us have a look at some of the common data-related hurdles that can create problems and how to navigate them.


Standardisation: when comparing data sets from multiple sources you may find that different scoring methodologies are applied for measuring the same factors. For instance, you may have an index with a scoring system of 1 to 10 where 10 is the highest risk and 1 denotes the lowest risk. However, you may find another index where the scoring model is the exact opposite. It is important to standardise these scoring models before you can start aggregating and utilising the underlying data for your index.


Classification: it is important that indices that measure the same risk factor are classified and grouped together. So, for example, there are several indices dedicated to the measurement of tax transparency. When building your bespoke risk index, these should all be put together and classified as a single group indicating the scores for tax transparency. Other groupings could be risk of bribery and corruption, environment, health and safety etc. This helps ensure that the overall risk of a country does not get skewed by a country’s score in relation to one group. This classification will also help you to decide how much weight you want to allocate to each grouping in accordance with its relevance to your business.


Absent data: Often a country may not have data available to measure particular risk factors. This could be due to lack of transparency or lack of information to measure particular risk factors in that country. Resolving this issue is somewhat trickier and requires a documented risk-based approach to be agreed within the business. It is important to note here that lack of transparency of information in and of itself could be an indication of high risk. However, there are several ways to overcome the challenge of missing data, these include but are not limited to:

  • only using data sources where all countries, or only the countries the business operates in, are represented. In some instances, this may have the impact of significantly reducing the footprint of your country risk index
  • removing the data field with the missing data from the entire index. In some instances, this may have an impact on the actual utility of the index
  • replacing missing data with average scores taken from other data points in relation to that same country
  • replacing missing data with information from related countries, e.g. using the score from the UK where data is missing in relation to a British crown dependency.

No matter what method is used, it is very important to document this in your methodology and to be transparent about the data imputations and their underlying assumptions to be able to show the rationale to any regulatory or third party reviewer. 


Weighting: once data sets have been standardised and missing data has been imputed, weighting has to be given to each risk classification or bucket, so that the total aggregated score is weighted to reflect risks that are unique to your business. For instance, a global construction company on a public procurement contract in Country X may be more interested in the risk of bribery and corruption in the public procurement sector than in the risk of lack of access to education and health services. By contrast, a company seeking to relocate staff to Country X may very well realise that lack of access to education and health provisions is a big hurdle to staff relocation and attrition. The weighting given to these two risk factors will be significantly different in the above two businesses. 


Scoring: ultimately the aim of a risk index is to generate a scoring model for each country so that the score can be utilised to make a strategic decision. This could inform decisions such as where to expand the business’s operations to, whether to build relationships with clients or partners from certain countries or jurisdictions, as well as whether more robust controls should be placed on existing operations around the globe. It is important that your scoring model is aligned to your overall business risk appetite and is neither too prohibitive nor too permissive in allowing key business decisions to be made.


Finally, regular review and updating of the geographic risk index will help you to stay current and ensure that business decisions can be revised to reflect the reality on the ground.
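The five steps above (standardisation, classification, imputation, weighting, scoring) plus the sanctions override carried through in code, as an added example that is not Protiviti’s own model or data: every source index, country value, grouping, weight and threshold below is a constructed illustration.

```python
"""Added example: a small composite geographic risk index built from the
steps described above. All source indices, raw scores, groupings, weights,
bands and overrides are constructed illustrative values, not real data."""
from statistics import mean

# Constructed source indices. Each has its own scale and orientation:
# high_is_risky=False means a HIGHER raw score denotes LOWER risk (as with
# a transparency score), so it must be flipped before aggregation.
SOURCES = {
    "aml_index":      {"lo": 0, "hi": 10,  "high_is_risky": True,  "group": "financial_crime"},
    "corruption_pct": {"lo": 0, "hi": 100, "high_is_risky": False, "group": "financial_crime"},
    "tax_secrecy":    {"lo": 0, "hi": 100, "high_is_risky": True,  "group": "tax_transparency"},
    "tax_disclosure": {"lo": 1, "hi": 5,   "high_is_risky": False, "group": "tax_transparency"},
    "disaster_freq":  {"lo": 0, "hi": 10,  "high_is_risky": True,  "group": "environment"},
}

# Constructed raw scores; None marks absent data for that country/index.
RAW = {
    "Country A":       {"aml_index": 2.0,  "corruption_pct": 85,   "tax_secrecy": 30,   "tax_disclosure": 4,    "disaster_freq": 1},
    "Country B":       {"aml_index": 8.5,  "corruption_pct": 20,   "tax_secrecy": 80,   "tax_disclosure": None, "disaster_freq": 6},
    "Country C":       {"aml_index": 6.0,  "corruption_pct": None, "tax_secrecy": None, "tax_disclosure": 2,    "disaster_freq": 3},
    "Dependency of A": {"aml_index": None, "corruption_pct": None, "tax_secrecy": 25,   "tax_disclosure": 4,    "disaster_freq": 1},
}

# "Non-negotiables": overrides applied regardless of the computed score.
OVERRIDES = {"Country B": "PROHIBITED"}
# Related-country fallback for imputation (a documented methodology choice).
RELATED = {"Dependency of A": "Country A"}
# Group weights chosen for this (hypothetical) business's risk appetite; sum to 1.
WEIGHTS = {"financial_crime": 0.6, "tax_transparency": 0.3, "environment": 0.1}
# Risk-appetite bands on the 0-100 composite score, highest threshold first.
BANDS = [(70, "RESTRICTED"), (40, "ENHANCED_CONTROLS"), (0, "STANDARD")]


def standardise(source, value):
    """Rescale a raw score to 0-100 where 100 always means highest risk."""
    s = SOURCES[source]
    pct = (value - s["lo"]) / (s["hi"] - s["lo"]) * 100
    return pct if s["high_is_risky"] else 100 - pct


def group_scores(country, raw):
    """Standardise, impute absent data, then classify scores into groups.

    Every imputation is logged so the methodology can be shown to a reviewer.
    Strategy: (1) take the value from a configured related country if it has
    one; (2) otherwise use the mean of this country's available scores.
    """
    std = {k: standardise(k, v) for k, v in raw[country].items() if v is not None}
    baseline = mean(std.values()) if std else None
    log = []
    for src in SOURCES:
        if src in std:
            continue
        rel = RELATED.get(country)
        if rel and raw[rel].get(src) is not None:
            std[src] = standardise(src, raw[rel][src])
            log.append(f"{country}/{src}: imputed from {rel}")
        elif baseline is not None:
            std[src] = baseline
            log.append(f"{country}/{src}: imputed as mean of available scores")
    groups = {}
    for src, val in std.items():
        groups.setdefault(SOURCES[src]["group"], []).append(val)
    return {g: mean(v) for g, v in groups.items()}, log


def score_country(country, raw=RAW):
    """Weighted composite score, banded against appetite, then overridden."""
    groups, log = group_scores(country, raw)
    composite = sum(WEIGHTS[g] * groups.get(g, 0.0) for g in WEIGHTS)
    band = next(label for threshold, label in BANDS if composite >= threshold)
    if country in OVERRIDES:  # non-negotiables trump the arithmetic
        band = OVERRIDES[country]
        log.append(f"{country}: override applied -> {band}")
    return {"score": round(composite, 1), "band": band, "groups": groups, "log": log}


if __name__ == "__main__":
    for c in RAW:
        r = score_country(c)
        print(f"{c:16} {r['score']:5.1f} {r['band']}")
        for line in r["log"]:
            print("    ", line)
```

Note that Country B would band as RESTRICTED on arithmetic alone; the override is what makes it PROHIBITED, and the log records both the imputation and the override so a reviewer can trace the result.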


At Protiviti we help clients build bespoke risk indices that are tailored to their businesses and will be happy to discuss this topic with you in more detail.


Tas Zaki is a Senior Manager at Protiviti ( 


Harry Henson is a Consultant at Protiviti ( 


About Protiviti

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, analytics, governance, risk and internal audit through our network of more than 85 offices in over 25 countries.



Audit planning for Internal Audit

James Paterson describes how a good audit planning process should also act as a platform to showcase what audit can do and build closer relationships with key stakeholders.



For the past 10 years I have been running a course on audit planning. It’s two days long and we often start with heads of audit and audit managers explaining their planning process. Common planning steps include: “consulting managers and the audit committee”, “updating the audit universe” and “considering areas of concern” for internal audit and/or a regulator. After that, differences start to emerge, from:

  • “Cross-checking against the key risk register” to “We can’t rely on the risk register”
  • “Co-ordinating with other functions and external audit” to “We do most of our plan independent of others”
  • “Calculating priority based on number of years since the last audit” to “We have a blend of factors we use to calculate priorities, and we adjust these if we don’t think the plan is right”.


Then greater differences emerge when we discuss the length of any audit cycle, or what items are in/out of the scope of the audit universe, and what the weighting factors are for the audit universe risk ranking.


It then dawns on many that their audit planning process is effectively a hotchpotch of historical steps, overlaid with specific priorities, where specific factors and weightings cannot be justified other than by explaining that i) they were used in the past, and ii) they seem to give a reasonable result that stakeholders are happy with, and iii) they weren’t challenged in the last EQA.  


The net result of this is that some audit functions are auditing “the risks that matter”: i.e. strategic risks, major projects and programmes and key third-party dependencies, whereas others are auditing mostly basic compliance, control and other standard processes.


We then discuss key finding areas from recent IIA External Quality Assessments and learn that many audit functions fall down against the IIA standard for planning and IIA requirements around co-ordination with others. The requirements include:

  • Audit plans should be aligned with the strategies, objectives and risks of the organisation etc. and adjusted at intervals, (IIA IPPF 2010), and
  • There should be co-ordination with other assurance functions, and reliance on others where appropriate, (with a clear process for the basis of reliance on others) (IIA IPPF 2050).

Thus the reason there are shortcomings in audit plans is that they are mostly based on stakeholder opinions and an audit universe, which is then retrospectively tied back to key risks etc. Most decent EQAs nowadays can tell this is how the plan was prepared, and may have concerns about why some items are in/not in the audit plan.


Remember: you can’t get a good plan by entering data into a model and pressing a compute button, and you don’t have a good audit plan just because everyone is happy with it!


You can read the rest of this article here.


James Paterson, Risk & Assurance Insights Limited



Health and wellbeing: a challenge in the home 'workplace' of 2020

Richard Mills considers the three levels at which the health and wellbeing of employees working from home can be maintained or even enhanced.



The history and full impact of the COVID-19 pandemic will be endlessly examined and written about for decades to come. Living through these turbulent times has affected and will affect us all. Through a series of lockdowns and restrictions we have experienced a simultaneous deceleration and limitation in our own personal lives and interactions, coupled with an acceleration of changes in the economy and wider society. Numerous sectors of the economy are undergoing fundamental and potentially existential change not experienced for decades.


For almost half of the working population1, this time of ‘radical uncertainty’ has been typified by working from home. A situation which has created both challenges and opportunities for creating a better ‘work-life’ or is it ‘life-work’ balance?


A major challenge is that while we work within our home we may, for example, have spouses, partners, flatmates, pre-school and home-schooled children, teenagers at college studying online or loved ones we care for, all at home as well. Equally, one might be living on one’s own, and not physically going into work and interacting with work colleagues can be a hard adjustment to make. On the flipside, the opportunities not to commute, to have lunch with one’s family, to be able to concentrate on work while not in a large open plan office, to exercise or to put a load in the washing machine at midday have been enjoyed by many.


The rise of the virtual office from your bedroom, kitchen or living room with the ubiquitous video conference meetings has created a whole new debate on the ‘rights and wrongs’ of the etiquette of its use and our interactions with it. Arguably the phrase ‘to zoom’ has to some become a verb as to do the ‘hoovering’ once was to others.


The backdrop, the clothes we wear to ‘the office’ and our skills on line are all up for evaluation and sometimes unnecessary self-criticism. We are yet to have a full evidence research base as to the subtle and not so subtle effects that constant ‘back-to-back’ video conferencing has on employee productivity, motivation and health and wellbeing compared to more traditional ‘face-to-face’ meetings and work patterns.  


Dependent on the economic sector and location of offices the future of work for some post-pandemic is heading towards a ‘blended working pattern’ – with a regular pattern of working virtually from home and attending a physical work space.


Both now and post pandemic how can the health and wellbeing of employees working from home be maintained if not enhanced?


The answer has to be viewed at three levels – that of the organisational entity, the working teams within it and the individual employee.


As a counsellor, you won’t be surprised to note that, to me, it is at the individual level that health and wellbeing has to be centred and focussed.


However, the organisational entity and its managers at all levels are absolutely key to facilitating a cultural environment and providing a set of resources to fully support employees to realise as good a level of health and wellbeing while working at home as possible.


At the board or senior management team level a strategy for mental health and wellbeing should be in place which has alignment with overall corporate objectives in a balanced scorecard approach. It has to be integral not an add on. If employees believe it is phoney or simply a tick box exercise, they will not buy into it and it could even be counter-productive. Leaders who are open about their mental health and wellbeing struggles and challenges can engender an open culture which can galvanise the overall positive mental health and wellbeing of any workplace. A happier workplace really can be a more productive one.


In an environment of homeworking it is even more important that all in an organisation offer their views on and experiences of the virtual working environment in a constructive manner to their work colleagues, both peers and their managers alike. 


Prior to typing this sentence, I was drinking my tea from a mug that states “Being totally honest with oneself is a good exercise.2” If any one individual feels, that they are struggling with the new home working environment to a point where they feel overwhelmed by it, then they could and must be supported to reach out for help. As leaders, managers, team members and colleagues being available to offer a friendly word and proportionate level of camaraderie is an ideal first step.


At an organisational level ensuring there is clear signposting and advice on how to access occupational health services and counselling via external employee assistance programmes is vital.


Talking to a GP about your feelings is also an obvious option and fortuitously it is now possibly easier to access a five-minute GP telephone appointment than previously having to take hours off work to attend in person.


Appraisal systems and regular ‘one-to ones’, can also be sensitively used to encourage and allow employees to check in and talk about the challenges for them of a virtual and perhaps then blended work pattern.


When considering how to best manage and cope with the challenges and restrictions of working at home there are many ideas/frameworks that we can all pick up, think about, adapt and act on.


A recent simple two minute watch is Dr Radha Modgil from BBC Radio 1’s Life Hacks with her 5 ‘C’s for surviving the second lockdown – control, care, continuity, creativity and compassion. All good principles that you can use to view working from home.3 For those who have more time and want to view life ‘in the round’, I recommend psychotherapist Julia Samuel’s recent book “This Too Shall Pass: Stories of Change, Crisis and Hopeful Beginnings”.4


Finally, do stay safe and wherever you are in the UK and beyond please do follow all the relevant applicable regulations and guidelines. The sooner we can build forward better together, the better it will be for all of our health and wellbeing.


This short article is an initial ‘think-piece’ not a ‘blue-print’. It is a suggestion to reflect on and start thinking about how we might all at corporate, team and individual level react to a fundamental change in the way many of us will be working from now on. Please email to any ideas and questions you may have emerging from your organisation, sector, team or individual situation on maintaining/enhancing mental health and wellbeing while working from home. Your ideas and questions can be shared and considered in a subsequent newsletter article (anonymously or attributed as you prefer).


Richard Mills is a qualified counsellor who volunteers with a local mental health charity offering support to individual clients for up to two years. He also works as a charity Trusts Fundraiser. He writes this article wholly in a personal capacity.



  1. April 2020 statistics released by the UK's Office for National Statistics showed 49.2% of adults in employment were working from home, as a result of social distancing measures introduced in response to the coronavirus pandemic.
  2. Sigmund Freud from a letter to Wilhelm Fliess on the 15th October 1897.


ACCA has produced an on demand webinar about mental health and wellbeing where Victoria Fellowes of StrideForth explores the vital role that internal auditors play in a company's mental health and wellbeing - register here.



NED aspirations

John Webb suggests how you can prepare for a NED directorship and provide an essential service to the community at the same time.

John Webb discusses how to prepare for a NED directorship and provide an essential service to the community at the same time.


There comes a time in the careers of many professionals and managers, when they realise that one day they may like to seek a Non-Executive Directorship, perhaps as part of a portfolio career. If you fall into this category, please bear in mind that these roles are very popular, so competition will be intense. As with so much in life, early planning and preparation will increase the chances of any one of us becoming successful.


One of the ways to prepare and also to provide an essential service to the community, is to become a governor of a local school. Not only will this be mutually beneficial but it will broaden one’s perspective and experience. Other pro bono appointments, such as becoming a trustee for a charity, could achieve a similar benefit and of course, could be done at the same time.


So thinking ahead, if you think you might like to become a Non-Executive Director (NED) in retirement or before, you could apply for school governor roles many years before that. Some schools are short of governors and both the depth and breadth of your expertise can be put to good use from the beginning. Just like a NED, you will be a “critical friend” and provide long term benefits to scholars, teaching staff and school administrators.


If you want to know more, Inspiring Governance has a website ( and this is an easy way for anyone without a connection to a particular school to be linked to an appropriate school. On the website navigation bar at the top of the homepage, you'll see a link for “Become a Governor” and there is guidance therein under the caption “Become a school governor.”


It has been said that the top four key NED skills are:


  1. Integrity, including independence, strong principles and ethical standards
  2. Business judgement
  3. Financial strength
  4. Governance understanding.


You will start with the first and can further develop the second, third and fourth in an educational setting. There are plenty of governor opportunities out there and I hope you will consider the benefits of putting your unique combination of skills and experience to wider use and there is no time like the present.


John Webb, FCCA & Certified Fraud Examiner

Copyright: © 2020



Boards' role in leading a resiliency recovery

The OECD has identified corporate governance as key to a sustainable future.

Rachael Johnson, head of risk management and corporate governance in ACCA's professional insights team, reflects on the OECD's identification of corporate governance as key to a sustainable future in this ACCA article.

Nothing beats a site visit

The Wirecard accounting scandal shows that physical validation is key in fraud investigations.

The Wirecard accounting scandal shows that physical validation is key in fraud investigations as Kip Singh writes in this ACCA article.


ACCA UK Internal Audit webinars available on demand now

ACCA UK's Internal Audit Network webinar programme for the year is now available on demand.



Internal Audit and technology - managing common problems and barriers


Dr Andrew Davidson of Johnston Carmichael covers the following issues for Internal Audit with technology and for each area, he looks at the concern for Internal Audit and the solution:


  • Expectation gap - management thinks that new software will do everything, solve all problems and give 100% reliable answers
  • Training and change - staff can be reluctant to change to a new way of doing things
  • Ongoing monitoring - it is rare that new technologies are implemented flawlessly and work exactly as anticipated
  • Data management - for software technologies, the data required (or produced) may be more or less than that required by the business
  • Techno-joy - people may use software despite it not being relevant and try to force it to do the job.


The Next Generation of Internal Auditing

In this webinar, the team at Protiviti explain how they are using Active Assurance as a strategy to remain relevant in a very dynamic environment. The session includes a demonstration of their tool for process mining and showcases other next generation tools that they are currently leveraging when supporting their clients with their assurance agenda.

Protiviti can offer further support on Active Assurance during this time of uncertainty.

Mental health and wellbeing

In the turbulent times of Covid-19 and the fundamental changes that businesses are undergoing as a result, internal auditors face challenging times and daunting tasks. With the right tools, they can leverage their unique ability to look right across all areas of a company and ensure positive mental health and wellbeing for everyone alongside company growth and success. Victoria Fellowes of StrideForth explores how they can do this.

Business resilience

Business resilience focuses mainly on managing the consequences of crisis events and restoring normality within a set timescale, or indeed, defining a new normality. As we start to recover from Covid-19, Gillies Crichton considers how we can improve business resilience.

Auditing agile

Alison Booth and Mark Paton of Pelicam Assured Delivery explain how auditing agile can align project risk and corporate governance.

Climate Change

Internal Audit has a role to play in determining whether stakeholder reporting about climate change is accurate, and to challenge the data presented. Sonia Shah and Sylvia Ashley of Grant Thornton look at the key considerations.

ACCA resources for internal auditors

ACCA's Internal Audit hub is a great resource for those working in Internal Audit or thinking of moving into Internal Audit.

ACCA’s Internal Audit hub provides support to our members working in governance, risk, assurance, control and efficiency (GRACE). The latest addition to the hub is a resource for those moving into Internal Audit. Resources already available include:


  • making the move from external audit to internal audit
  • what is internal audit and what does it do?
  • core skills such as interviewing, designing the test plan, sampling, executing testing, evidence recording and report writing

The content is a mixture of bite-size webinars, brief guides, articles and presentations. We will be adding to the resource over time.


Other sections in the hub:


Learn about internal audit

This section explores what internal auditing is like in practice and the many pitfalls to avoid. A series of guides covers internal audit for beginners, the management team, the audit committee and Heads of Internal Audit. New to this part of the hub is a section on evidencing compliance with professional standards.


Our webinars and other resources

ACCA UK’s Internal Audit Network regularly runs free webinars for its members working in internal audit. Search here for past webinar series on blockchain and crypto currencies for internal auditors, cyber security, de-mystifying IT audit and GDPR.


This section also has a new Resources by theme area that collates material produced by ACCA in the past few years by the themes of ethics, audit management, IT and regulation/legislation.


Our publications and other research

Here you'll find a link to the most recent edition of this e-bulletin and you can also search for CPD articles for internal auditors. 


Internal Audit blog

If you would like to gain some insight into the life of an internal auditor then look at our blog series “A day in the life of the invisible auditor” where a different internal auditor provided some thoughts every week in 2019.

Covid-19 support from BSI

The British Standards Institute has Covid-19 resources and updates on its website.



BSI has been working closely with Governments, regulators and organisations globally to share best practice and expertise, providing insight and information to help navigate the risks, mitigate crisis and enable resilience. Its website includes the following resources:

  • updated safe working guidance
  • guide to masks and face coverings
  • suite of best practice standards to help UK businesses
  • FAQs on CE marking of PPE for use in healthcare settings
  • guide to support non-PPE manufacturers
  • report on working in the 'new normal'
  • suite of health, safety, wellbeing and hygiene solutions designed to support a phased approach to resilience.