Technical and Insight
Stakeholder engagement and management

CPD article: For internal auditors, the ability to communicate well with our various stakeholders is vital.

Reading this article and these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.




As a general rule the people who succeed in organisations aren’t necessarily the most able or technically competent.  Rather, they are often the ones who are able to persuade and inspire.  We talk about such people as having charisma, and an important part of this is the ability to build rapport and communicate in a way that touches their audience.  As the American poet Maya Angelou famously said: “I've learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel.”


For internal auditors, the ability to communicate well with our various stakeholders is vital.  We have a broad range of stakeholders: from members of the Board to almost anyone who provides us with information as part of an audit and inevitably, they have different needs and expectations regarding the work that we do.  Another thing that sets us apart from other functions in the organisation is that our job generally involves us spending time in other departments, looking at people’s systems and suggesting ways that they can be improved.  When you are auditing established processes, managed by long-serving members of staff it’s not unusual to get resistance, or even hostility.  It can sometimes seem like you are telling a mother that she has an ugly baby!


While giving such messages will never be easy, there are techniques Internal Auditors can use to try to ensure that what we say is heard in the most palatable and impactful way.




Best practice internal audit departments spend time thinking about how they can add value to the organisation and what their different stakeholders are looking for them to provide.  As Richard Chambers, President and CEO of the IIA put it: “We should never lose sight of the fact that we do not define value.  It's our stakeholders who define what value is.  You must start with the stakeholders as you work through this process.”


Internal auditors typically have three broad groups of stakeholders within the organisation and (depending on the industry) two external groups who they need to communicate with.  In certain organisations in the public sector, it may also be useful to consider the views of “End users”, such as patients in the NHS, or tenants in Housing Associations.  Interaction with end users can be facilitated via bodies which represent them and generally their needs will be similar to the Non-Executive Directors in terms of good governance.  As illustrated below, the different groups may have quite different needs and expectations:


Internal Stakeholders


Board of Directors/Audit Committee

Possible primary needs: Assurance that key risks are being managed within the organisation’s stated risk appetite; a clear (unambiguous) message from the Head of Internal Audit.

Possible KPIs: Delivery of the approved Plan; audit coverage across the whole enterprise, over a set period; number or age of outstanding actions.

Other factors: May have particular areas of concern (e.g. based on their experience at other companies); will probably want concise, high level, thematic information; unlikely to have in-depth knowledge of the organisation’s processes; likely to be particularly sensitive to potential reputational issues (including frauds); may not want IA to perform (much/any) advisory work, at the expense of carrying out core assurance activities.


Executive Management

Possible primary needs: Audits of areas of concern to them; reports that support their personal ‘Agendas’.

Possible KPIs: Savings identified; perceived cost/benefit of the IA team; length of time to issue reports.

Other factors: May want IA support on major projects or other advisory work; will typically want concise information (though may want more detail for their own areas); unlikely to want Red-rated audit reports or large numbers of findings in their areas.


Line Management

Possible primary needs: A clean audit with few findings; pragmatic actions to improve the control environment.

Possible KPIs: Rating of reports; numbers of recommendations; time spent by IA in their department.

Other factors: May want IA to intercede with the Executives on their behalf; may want to use IA as a free resource (e.g. by ‘borrowing’ internal auditors to work for them on secondment).


External Stakeholders


External Auditors

Possible primary needs: Confirmation that Management takes control seriously and that risks are being managed; information regarding any locations they don’t visit themselves.

Possible KPIs: Spread of ratings across reports issued; numbers and age of outstanding actions.

Other factors: External auditors cannot generally place reliance on IA.  However, a professional and effective team can be a useful source of information. May request IA workpapers, for particular areas of interest.



Possible primary needs: Confirmation that Management takes control seriously and that risks are being properly managed.

Possible KPIs: Spread of ratings across reports issued; numbers and age of outstanding actions.

Other factors: Likely to be interested in Audit Reports containing “trigger words”, e.g. “breach” or “non-compliance”. May request IA workpapers – particularly for any Audit Reports containing trigger words.


Preparing a Stakeholder Analysis of this type (for example, in a workshop as part of an internal audit team meeting), can be a useful way of making sure that all members of the department share a common understanding of stakeholders’ expectations. 




Obviously, the best way to find out what your stakeholders want is to ask them.  It can be tempting to communicate with senior managers via questionnaires or regular update emails, where words can be carefully selected and polished.  This approach also enables auditors to stay in the “comfort zone” of their office or cubicle.  However, email is essentially a series of one-way communications and obviously relies on management actually reading the email and bothering to respond.  


Telephone or videoconference calls are a better option and allow a two-way conversation to take place.  Also, if you are dealing with stakeholders in other countries, this may be the most cost-effective option.  However, as a general rule, face-to-face is always best.  Ultimately, internal audit needs to be visible at the most senior level if it is to be effective.  Indeed, a Head of Internal Audit that I used to work with advised me that, particularly when dealing with senior management and Executives, you need to “see the whites of their eyes”!   


Holding face-to-face meetings with senior Executives can be a source of anxiety to some internal auditors (and indeed, some Executives exploit this fact!).  However, it’s possible to learn various techniques to help you stay calm in such circumstances, which will be valuable in your future career.  


In person meetings are a good opportunity to get to know stakeholders better and build rapport.  As well as enabling a proper dialogue and chance to draw out additional information, they also allow the internal auditor to pick up on what is not being said, by observing body language.  I recommend new internal auditors familiarise themselves with the basics of Neuro Linguistic Programming and also Myers Briggs Type Indicators (or one of the more recent derivatives of MBTI).  Some people challenge the science behind these techniques.  However, both do help auditors appreciate that when it comes to communication, there is no “one size fits all”.  We need to be flexible in the way we interact with others and always try to adapt to their communication preferences.  As we try to address their particular needs, it’s useful to think about the stakeholder’s “WIIFM” (i.e. the “What’s In It For Me?”).


Stakeholder Engagement Plan


A Stakeholder Engagement Plan (SEP), which records formal (and informal) meetings that members of the IA department have had with stakeholders can be a useful working document.  As well as being a good place to record what subjects were discussed, the SEP also helps to prompt auditors to have regular contact with their stakeholders.  Obviously, it’s important to strike a balance, so that you are engaging with your stakeholders with the right frequency.  Executives will not thank you for scheduling meetings if you don’t have much to talk about.  However, it can be even more dangerous to assume that their expectations are being met or have remained unchanged since you last spoke to them!  

As the late Steve Jobs said, in a quote which I think is particularly relevant for Internal Audit: “Get closer than ever to your customers.  So close that you tell them what they need well before they realize it themselves.”


Greg Coleman - independent consultant


After 25 years of experience in governance, risk management and audit roles for various multinational organisations, Greg now works as an independent consultant.  He runs a variety of internal audit training courses and is an External Quality Assurance reviewer on behalf of both the Chartered Institute of Internal Auditors and their French opposite number, IFACI.


If you enjoyed this article but were unable to rate it, please subscribe to receive the next ebulletin directly and then you’ll be able to rate articles.


Coronavirus: Business not as usual..and that applies to Internal Audit as well

A few reflections on governance and risk and a few imperatives for Internal Audit in these challenging times.

A week ago, James Paterson posted the original version of this article on LinkedIn and obtained 1200 views in six days. This is an updated and expanded version for ACCA members - starting with governance and risk reflections and moving on to Internal Audit.


COVID19 has reinforced, again, the problem with a “failure of imagination” in many risk management processes.


A failure of imagination was one of the key learnings from the 9/11 tragedy, and it looks like many organisations have found themselves with a similar problem with COVID19, and all its knock-on impacts. It may not be a big priority right now, but all organisations who have felt blind-sided by what has happened should be prepared, at the right time, to take a long hard look at their risk management processes.


What other risks are there where we might be thinking “that will never happen”?

How do we make sure we prioritise impact over probability? 

How good is your organisation in thinking through the knock-on consequences of one risk on other aspects of its operations?


A new coronavirus was first identified on 31st December 2019; when did it start to get on your organisation's radar screen?  


CNN have done a great timeline of the COVID19:


Key points include:

11th January 2020: First death

16th January 2020: In Japan

17th January 2020: Selective screening in the US

21st January 2020: First case in the US

23rd January 2020: Emergency committee of WHO formed

29th January 2020: White House task force

30th January 2020: Person to person transmission in the US

2nd February 2020: First death outside of China (in the Philippines)

14th February 2020: COVID19 found in Egypt


The evolving news story has been well publicised across the world and was effectively an early warning that a pandemic might happen and could have prompted organisations to look at their business continuity arrangements.


So, when, in fact, did your organisation start to make preparations in earnest?

Are there other areas where more attention could be paid to early warning signals?  


Are past assurances given about continuity arrangements proving to be too positive?


Hopefully most organisations are working flat out to prepare themselves for COVID19 and double-checking past plans and assurances. If these are proving to be too positive, and are needing to be revisited, it would suggest that the amount of assurance that is being given needs to be thought about more carefully. This may apply to back-up plans for payroll and IT and home-working as well as third party suppliers and service providers.


When you ask others for assurance, have you defined what assurances you are expecting in terms of service levels, and what assumptions have been made about staffing levels etc.?

When you look at arrangements relying on third parties, what do the contractual arrangements say; are there any “force majeure” clauses and are you clear about fall back contact/emergency cover details? 


Whilst organisations need to be pragmatic and flexible to “fight fires” now, how do we ensure we won’t cut corners we will regret in 3-6-12 months’ time?


If there is a crisis, a fire, let’s put it out. This means organisations may need to adopt the 80/20 rule in many areas – “good enough will be good enough”, but how clear is the organisation about areas where compromises to standards should not be made? This could be in relation to treating customers fairly, or in relation to certain data security and other control processes; otherwise cuts in these areas will just lead to other problems and surprises shortly or in some months’ time.


Are we clear which aspects of our operations can be good enough with the 80/20 rule and which activities need to continue to be delivered to the highest standards?

What record will be kept of where corners are being cut, so we have visibility of this?

What are the areas where we have zero tolerance to short-cuts?


Turning to Internal Audit


What adjustments are needed to the audit plan?


This is the obvious one: any planned audits that are not business critical should probably be seriously challenged and/or postponed, since there are undoubtedly key risks/new projects where Internal Audit’s skills could be invaluable, either to assure progress of business critical continuity plans, or to advise on process changes that will maintain operations and compliance where fewer staff are available.


Heads of Audit should urgently clarify with Senior Executives and Audit Committee which audits should continue and which should be postponed, as well as the key areas it might be sensible for Internal Audit to get involved in. One good practice is to have P1 audits on the plan which cannot be sacrificed and P2 which are nice to have.


Also, do not forget the option of seeking “direct assurance” from project managers/executives to the executive/Audit Committee on progress in certain areas. Here IA could be asked to do “follow-on” assurance if there are any key areas of concern about what is being said and done.


Of course, adjustments to the audit plan should factor in possible staffing shortages in the audit team, as well as arrangements for remote working/direct access to systems as much as possible.


Assignments should focus on just the key exam questions


With everything going on at the moment, it is crucial that audits do not progress per business as usual. Ask tough questions about which scope areas are really essential to be covered (particularly in areas not linked to COVID19) and focus only on these. Few business managers will have an interest in “nice to have” matters for the next 3-6-9 months. Likewise audit reports should recommend only the most critical issues are remediated; anything else will likely be challenged with “you auditors are not living in the real world”.


Look at open issues and the follow-up process


There are two key considerations. With everything else that’s going on, consider the number of open audit issues and determine which really must be remediated, notwithstanding COVID19. Based on this, engage key stakeholders on two key points:

  • Which lesser issues should probably be deferred given everything else that is going on?
  • How to make sure critical issues will be remediated, even if there are staffing and other disruptions.

And, of course: adopt lean and agile ways of working/reporting etc. so that the internal audit team can speed up the way it delivers.

Some additional lean/agile ways of working for IA are listed below in the Appendix.


In summary although COVID19 poses many fundamental challenges to organisations it also provides a very important opportunity for Internal Audit to “step up to the plate”, so I hope you are working on these issues with your audit team and key stakeholders.


Finally my thoughts go out to all of you in these unsettling times.


James C Paterson is a former CAE, consultant and Author of “Lean Auditing”.




APPENDIX: COVID 19 - areas to think about (starter for 10)





  • Revisit IMPACT and now PROXIMITY of impacts
  • To prioritise use: High > Very high > Extremely high and Dangerously high ..
  • Frequency of meetings of key committees
  • Contact arrangements remotely

 Risk & Compliance

  • Clarify what is absolutely critical – what can be stopped
  • Frequency of key meetings / depth of reviews of key issues



Finance/Cash flow

  • Can we pay wages
  • Can we collect debts
  • How might forecasts need to be updated – have ranges been used? How extreme are the scenarios? What would be the impact?

Communications and Crisis Management

  • Internal (Employees/ Contractors) and External (Customers, Suppliers, Service providers and others)


  • What is really key / what should be re-organised
  • Use of contractors – key vs non-essential


  • Key staff terms and conditions
  • Employee policy updates
  • Contractor policy updates


  • What commitments have been made or are about to be made, and what impact do they have?

Change projects

  • Which are critical and must progress without delay, which projects should be suspended so there is resource for other concerns?

Key operations/systems 

  • What is most critical
  • What supplies/services are key (see 3rd party dependencies)
  • What processes/controls are key
  • Who are the key staff – home working arrangements for them/ Who can be emergency cover for them

3rd party dependencies

  • Which are the critical (Tier 1) suppliers – and how should they be managed? 
  • What do the contracts say around force majeure


Lean and agile internal audit in the COVID era

  • Revisit the balance between advice and auditing
  • To avoid duplicating the work of other functions, be clear how to measure how good their assurances are and how we might test this pragmatically
  • Use a “working hypothesis” to drive to key conclusions without delay
  • Using regular stand-up techniques and observation meetings to speed up audit insights and get these to stakeholders with “flash reports”
  • Implement “How big” “How bad” to separate the wood for the trees
  • Follow up in a smarter way
  • Better metrics – do we really need timesheets for IA at the moment?


Effective communications - conversations with Non-Executive Directors

In the first of a series of articles on how internal auditors can better communicate, Sara I James looks at conversations with Non-Executive Directors.





This is the first of a series of articles on how internal auditors (IAs) can better communicate with non-executive directors (NEDs). IAs often focus on how to persuade middle and senior management to take action. Whether it’s discussing an ad hoc engagement, agreeing findings in a close-out meeting, or issuing an audit report, our audience is all too often those who will introduce or improve controls. But what about those in more senior positions?


We’re all familiar with the Audit Committee; however, the Board, including NEDs, sets both strategic objectives and the corporate tone. Understanding these, and the people who set them, is essential if we are to communicate effectively.


NEDs hold a particular position in the organisation. They come from outside the organisation and therefore should be free from any conflicts, interests or involvement in internal disputes. This may also mean, however, that they don’t understand the detail of all the operational information in reports or discussions. They may also feel uncomfortable holding senior managers’ feet to the fire. This is all the more likely if the latter are technical specialists and control the supply of information to the NEDs.


However, NEDs face increasing responsibilities that IAs can help them meet through fruitful conversations and well-written reports. We can do this through encouraging and persuading NEDs to ask the first (and second) line searching questions that require credible answers.


In this piece, we will cover:

  • NEDs’ responsibilities and perspectives, the better to understand where they’re coming from
  • how to obtain and use precious time in conversation with the NED
  • how to elicit useful feedback from the NED
  • how to help them discharge their regulatory duties.

Who are these people? Where do they come from? What are they for?


We should probably start by describing NEDs’ status, and where better than ACCA's guide to directors' responsibilities under the Companies Act 2006?


NEDs are now looked to to provide special input to the process of governance. The fact that NEDs are not involved with their company on an executive, day-to-day basis means that they can offer, and are today expected to offer, a more detached, objective and comprehensive view of how the company’s affairs ought to be directed than might be possible if the company’s board consisted solely of executive directors. Another virtue of NEDs, which is by no means limited to the listed company environment, is that they can provide a board with skills, perspectives and experience to complement the talents of the executive directors.[1]


Traditionally, NEDs are not employees of the organisation they serve, yet they have the same legal duties, responsibilities and liabilities as executive directors. The post can be paid or unpaid, and the time required can range from a few hours a month to much more. The organisation should provide initial and ongoing training to NEDs, so they can keep abreast of relevant regulation as well as good practice in governance.


Understanding this is essential to communicating well with the NEDs we encounter. We may be lucky enough to have experienced, informed, objective, thorough, rigorous people on both the Board and Audit Committee of our organisation. Or we may have to engage with NEDs – or indeed other senior people – who are learning as they go. In the latter case, IAs can help inform and update NEDs, so that the latter can better play their role in good governance.


Often, a NED’s objectivity and fresh perspective is what gives their opinion added weight. Between their Board-level role and their distance from internal enmeshments, they can advise, support and direct in a way few others can.


Whether the NED in question lacks confidence or has too much, one thing you can be sure of: you have limited time in which to make your point and engage the NED. So how can you make the most of whatever time you have – even only five minutes?


Time and tide wait for no one


How can you make the most of what little time you may have with a NED, or indeed any director? While all directors are busy people, NEDs may have only a day a month to dedicate to the organisation. This means you have to structure face-to-face meetings and written communications in ways that make the most of every minute.


Whether sending a document or attending a meeting (both on time, of course!), the temptation may be to plunge straight into the matter, giving as much detail as possible. However, this may be counterproductive, if your reader or interlocutor doesn’t appreciate this approach.


Do your research on your organisation’s NEDs and their backgrounds. Do they come from the same country or region as you, and therefore share the same culture of timekeeping and communication? Even if so, have they perhaps spent much of their career abroad, acquiring different values and methods? Work out first what is likeliest to appeal to their communication style.


Culture matters. Countries, regions and people perceive clear communication differently. What is polite in one culture may seem unclear in another, and frankly evasive in a third. Conversely, what is open and honest in one culture may come across as direct in another, and openly rude in a third. Consider your audience, adapt your style – but remember that people the world over appreciate a concise, useful report.[2]


Even within the same country, region and organisation, the culture may not always be consistent and constructive. If your organisation tends to avoid difficult conversations and direct messages, that is a broader problem. The greater the internal tendency to waffle and obfuscate, the likelier it is people won’t understand each other. And the consequences can be dire, as the LIBOR scandal showed: ‘Barclays appears to have regarded the points raised by Mr Sants as “issues” rather than “concerns”. On the basis of the evidence it is unclear whether Barclays “got the message”.’[3]


Respect your reader, or interlocutor, and respect their time. Be timely and polite, but be as brief and clear as possible. If the other party is in any doubt about your message, you have not only wasted time – you’ve missed a precious opportunity to engage and influence a senior decision-maker.


How can NEDs help you to help them?


You may need to engage closely with a new NED, or one lacking in confidence. However, never underestimate how much they can help you to help them. Maybe the NED can bring useful experience from other countries, sectors and organisations. Such suggestions can improve not only your interactions with the NED in question, but indeed all your communications.


If, however, the NED feels your approach isn’t clear, but can’t say exactly what the problem is, consider using good IA practice to elicit more information.


All IAs should understand how to phrase open-ended questions and practice active listening. (If you need a refresher, look at ACCA's website for resources including its Internal Audit hub.) This should not only prompt the NED to provide more detailed insights, but also strengthen the rapport you are building.


If the problem is with written communication, and the NED is new to your organisation’s reporting conventions, ask what they found helpful in previous roles. If the NED has seen many of your reports, find out what they found most and least useful.


The NED may share with you the Board’s preference for certain layouts or graphics; this is invaluable. After all, if the busiest and most senior decision-makers find these techniques help them grasp critical information quickly, then people throughout the organisation may appreciate them, too.




Keep in mind our role, and the NEDs’. We must provide assurance regarding the organisation’s risk and control framework. NEDs must take business-critical decisions about the organisation’s strategy and direction, including risk appetite. How we communicate directly affects their ability to discharge their regulatory duties.


NEDs need to challenge the business – not just at Board level. All the more reason for IAs to use plain language and focus on the most important elements, rather than overly technical detail. The organisation’s external auditors and regulators, for instance, may not have technical experts equal to the organisation’s own – but they are still bound to review and conclude on various topics.


Different habits, expectations and communication styles all play a part in communicating. However, if you do your research, respect your reader, ask open-ended questions and listen to the answers, both sides will benefit – as well as the organisation.


This is the first in a series of three articles about IAs and NEDs. The second will address accountability; the third, reports and reporting process. Please send your feedback about this first article, and points you’d like addressed in the next two, to




Sara I. James, PhD, CIA, is the owner of Getting Words to Work ( and a member of the Chartered Institute of Internal Auditors.



[1] ACCA Global, A guide to directors’ responsibilities under the Companies Act 2006, p. 11.

[2] Sara I. James, ‘Writing the Right Report’, ACCA Global, 2016.

[3] Fixing LIBOR: some preliminary findings (2012), p. 70.

Auditing 'outside the box'

How do you deliver a head of audit opinion in the context of partnership and integrated system working?



As the public sector landscape has changed we have seen an increase in organisations working in partnership. Alongside this it is clear that in many settings, not least in health and social care, organisations can no longer deliver strategic objectives and manage risks in isolation.


As the health and social care landscape changes and the architecture of the NHS moves into Integrated Care Systems, there is a greater focus on ‘system’ and ‘place’ and a ‘blurring’ of organisational boundaries to enable more agile and effective transformation. Governance within this setting remains critical, and becomes complicated by statutory body requirements, system level governance and the need for collaborative and collective decision making. Regulatory requirements and relationships have started to move to system level, and the latest guidance for organisations states ‘system first’ as a key call to action.


So where does this leave Internal Audit?


The need for collaboration between internal auditors in the public sector comes from a number of drivers, not least:

  • Organisations can no longer deliver objectives on their own
  • Various forms of organisations coming together for health and social care provision
  • Statutory body requirements alongside the need to work together in a ‘system’/ ‘place’
  • Blurred boundaries to organisations, systems and processes, and ‘accountability’
  • Organisations starting to focus on the wider risks and external factors
  • Needing to think differently about what is needed to deliver the HOIA opinion
  • Traditionally difficult to audit across boundaries, relying on third party assurance, limited scopes etc.

Professional standards require us to produce a risk based plan (to determine the priorities in the internal audit activity consistent with the organisation’s goals) and an overall opinion (Head of Internal Audit Opinion). Within the definition of internal audit there is also a clear direction in terms of adding value and helping to improve an organisation’s operations.


In terms of planning this may lead to three levels needing to be considered including system wide assurances, ICS/Place based assurance and local organisation assurance (all of which would feed into the overall Opinion). Traditionally, internal audit plans have predominantly (if not exclusively) been at a local organisation level so it is likely that there will need to be a journey to a more system wide focus. The speed of this transition will very much depend on the system developments, governance, relationships and infrastructure. That said internal auditors are in a unique place to help to contribute to the understanding about assurance at each level and the implications that need to be considered.



What are the barriers and how can we overcome these?


Fundamentally the professional standards, approach and expectations placed on internal auditors are the same across sectors. On a practical level there are a number of barriers that need to be overcome including:

  • IA Planning – how do auditors ensure alignment of risks and priorities? What is a key risk to one organisation may only have a small impact at another, so ‘local’ organisation risk based planning may rightly result in different internal audit plans. In addition to this, organisation (and indeed Internal Audit) culture can vary significantly, which means that there could be different expectations and positioning of Internal Audit. Formal approval of plans can also be tricky in this context.
  • IA Delivery – do we deliver work together, does one team lead, or do we just join up the outcomes and place reliance on each other’s work? Working together in an integrated way brings the opportunities for shared knowledge, end to end assurance and clearer messages regarding outcomes, but this can be difficult to achieve in practice. The option of splitting scopes/roles can be more practical, but this needs careful consideration of where the boundaries lie, the scope of the work and a clear understanding of what we are trying to achieve. The easiest approach on paper is to agree to place reliance on each other’s work, to deliver ‘reviews’ separately and share findings, but this can lead to disjointed assurances which are difficult to explain, especially when the timing and format of reports can be vastly different.
  • IA Protocols and processes – do we need a formal protocol in place at the start, or do we need to work up a ‘proof of concept’ to enable us to design this? For some organisations a formal written protocol setting out the arrangements will be required, and for others there will be an opportunity to develop this through working together and testing what works best. Amongst others, it’s important that areas such as information sharing, audit approach, record keeping, quality assurance, reporting and terminology are all discussed. This will require some flexibility (and often compromise), not in the fundamental areas of professional standards and legislation but more in the culture, local preferences, audit systems and look and feel of reports.

There is no right or wrong answer to these as there are many factors that need to be taken into consideration, but it is important that these are taken into account, shared and understood.


Key principles


It is important to agree a set of key principles for partnership working, including:

  • Shared understanding of the organisation working arrangements and where these cross boundaries.
  • Regular and timely communication to discuss areas of mutual interest.
  • Flexibility needed in terms of approach, timing, reporting styles etc.
  • Where systems are operated within an organisation then the local internal audit team should be directly involved.


This supports the building of relationships, trust and understanding which all contributes to effective outcomes for the organisations, teams and individuals.


Strategic and Operational Planning


The approach to strategic and operational planning can be seen as an extension of the local internal audit planning approach:

  • Strategic risk assessment of the statutory body(s) by the relevant team
  • Identifying areas of ‘mutual’ interest through sharing and joint discussions
  • Agreeing the best approach to the provision of assurance (this can vary assignment by assignment)
    • Third party assurance
    • Integrated Team
    • Joint Working or
    • Sharing.
  • Establishing the logistics of delivery, including resources, timing, reporting etc.

What does this look like in practice?


As organisations collaborate at scale and operate at a system level, Internal Audit plays a pivotal role in the understanding of system risks, including how they impact on each organisation and how they will be managed.  It is important that the risk assessment is a continuous process throughout the year and the plans will remain flexible to allow for response to emerging challenges, including the delivery of integrated assurance across organisational boundaries.


Case Study - Group risk and assurance:

Flexibility and dynamism can be seen through our work with one of our clients as they brought together a Group structure in 2017 involving 2 statutory bodies (five local hospitals, specialist and acute services, community services and a Local Care Organisation). Within the Group, each Care Organisation (CO) is not only responsible for providing healthcare services to local communities but also plays a much broader role in each locality, supporting the establishment of new integrated models of care.

Through the lens of the Group Audit Committee, the key challenges in a Group model were:

  1. Asserting consistent focus upon assurance and risk
  2. Understanding what responsibilities sit where
  3. Deploying resources differently and collecting intelligence in new ways.

Therefore, the formation of the Group required transforming how assurance is provided across boundaries to support integration, as well as meeting the requirements of the Group and the two statutory bodies that it currently comprises.

MIAA as the internal audit service provider for both statutory bodies has supported and been a Trusted Advisor on the journey to form a Group model. This has involved developing an innovative approach to the development and delivery of assurance to adapt as the organisation changes. The aim of this review and redesign of the assurance process was to ensure the approach to internal audit supported the vision of integrated assurance across Group and COs and continued to capture the assurance requirements of the statutory bodies.

We worked flexibly and innovatively to redesign and transform all aspects of the internal audit planning, delivery and reporting to ensure that we were aligned to the new risks.


Working Across Boundaries: CCG and Local Authority

Recognising the opportunity to provide joint assurances in areas such as the Better Care Fund, MIAA worked with local authority internal audit teams to undertake a joint review. We worked through a number of practical and logistical challenges in terms of ensuring delivery of work to joint methodologies and reporting arrangements.

This was an innovative approach, the outcome of which was a greater benefit to both organisations in providing a more holistic opinion of the Better Care Fund arrangements by working across organisational boundaries.

Louise Cobain is the Assurance Director at MIAA

Karan Wheatcroft is the Operations Director at MIAA


MIAA is an NHS hosted shared service with a clear mission: To support improved public services outcomes through a world class shared service for audit, assurance, challenge and solutions.



Third party assurance - protecting yourself from reputational damage

Third parties are increasingly prevalent in every aspect of business and day to day life. Is Internal Audit enabling businesses to protect their reputations and is there sufficient due diligence on third-party suppliers?


Third parties are increasingly prevalent in every aspect of business and day to day life. From ordering products via Amazon or eBay, where third-party platforms display and profile goods, often with third-party reviews and then using third-party delivery agents, to day to day business administration dependent on third-party cloud hosted software and apps; the third-party can exert strong influence over both brand and product. We are living in a world where the words of a single third-party, such as a social media influencer, can have more impact on a share price than development of a new product or the achievement of a successful quarter. Firms in the UK increasingly rely on third parties to support the core activities across their extended enterprise, and in tough market conditions key third-party support can help businesses gain a competitive edge.


While the use of third parties can offer a range of benefits, increasingly complex supply chains bring additional risk and the need to effectively manage these relationships has never been higher. The current focus on operational resilience, the prevalence of third-party providers in areas such as cloud, security and data management, and the general connected business world has, not for the first time, highlighted third parties as a significant potential cause for operational disruption.


When things don’t go according to plan, there has often been a third-party relationship at the heart of the issue. At times like these, the long-used mantra that “you outsource a process, you don’t outsource responsibility” takes on a more significant and deeply felt meaning. Often when incidents occur, be they regulatory breaches, data loss or operational incidents, the third party does not get mentioned in the press and the user organisation may bear the brunt of customer and regulator focus, along with the brunt of any reputational damage. This clearly highlights the need to properly understand the risk associated with any third party, and to have a plan to manage, mitigate or, in some instances, accept this risk.


Despite the reliance on third-party relationships, a 2019 survey by Thomson Reuters found that participating global organisations conducted due diligence on just 62% of their third parties, suppliers and distributors. Additionally, 61% did not know the extent to which their third parties outsourced their work, and just 36% monitored the associated risks on an ongoing basis. While many organisations may not be taking the risks seriously, regulatory and legislative bodies are. In 2015, the PRA issued a fine of over £1 million for a firm who failed to adequately oversee their third-party arrangements. An increasingly complex regulatory landscape may lead to higher fines and serious punitive measures in the future.


Third-party relationships are already monitored through legislation around Anti-Money Laundering, Anti-Bribery and Corruption, the Sarbanes-Oxley Act and the Financial Instruments and Exchange Act; but the introduction of the EU General Data Protection Regulation (GDPR) and the Senior Managers and Certification Regime (SM&CR) bring additional governance and conduct requirements. To demonstrate this in real terms, a high-profile telecoms data breach (due to a cyber-attack on a third-party) resulted in a fine of £400,000 from the Information Commissioner’s Office (ICO) in 2019. However, under GDPR the fine could have been much higher – up to an equivalent to 4% of their annual turnover. Similarly, the Senior Manager Regime in the Financial Services sector allows some management activities to be outsourced, but the regulatory responsibility for that activity remains with the relevant Senior Manager, and they are personally accountable for it. Any issue that could have been addressed through a reasonable steps assessment by the regulators may result in fines, remuneration clawback or even a prison term.


Internal audit functions have a key part to play in ensuring that their business understands its risk exposure from each of the third parties it is associated with. It is important that this third-party risk assessment is undertaken throughout the third-party lifecycle, from pre-selection due diligence through to the end of the agreement, as there are risk exposures to the user organisation at all points. The challenge is the sheer breadth of third-party impact, the evolving nature of these relationships across the extended enterprise, and the subtle ways in which these organisations can impact the business.


Organisations should be able to demonstrate to their clients and regulators that they have an adequate framework in place to control and minimise risk from their third-party relationships. Failure to do so may result in regulatory censure, fines and loss of confidence amongst partners.


A recently introduced key requirement of effective third-party risk management is to improve financial stability by minimising disruption to institutions in areas including, but not restricted to:

  • Business continuity – keeping the organisation running, or promptly returning to business as usual, in the event of a serious incident or event.
  • Operational resilience – managing the critical services that, if disrupted, could cause serious financial harm to individuals or the wider economy.

While these are key issues in terms of financial stability, regulators often take a proportionate stance in terms of their application, with more stringent requirements for sub-outsourcing or those in a different regulatory jurisdiction. Outsourced functions that support critical services – referred to as material outsourcing – also face additional scrutiny. But each outsourced relationship should not be reviewed in isolation and it is important to monitor the cumulative effect of outsourcing to prevent both undue risk and the organisation becoming an empty shell.


It is important to consider the benefits of outsourcing within the context of each individual firm, its unique risk profile, and the type of activity being outsourced. Reviewing the proposed activity, as part of a robust risk assessment, will help to identify material functions, and determine if outsourcing would add any undue risk or reduce the faculty for effective supervision. The aggregated impact of multiple outsourcing arrangements, and current governance of them, should also be considered. A third-party should undergo strict due diligence processes for evidence of capabilities, reputation, financial stability, group structure, ownership and regulatory supervision, amongst others. The supplier’s approach to data protection should be reviewed, with reference to the specific activity being outsourced, the type of data involved and the jurisdiction in which it is to take place. The additional risk of any proposed sub-outsourcing arrangement should also be reviewed, for example loss of influence and oversight across a longer supply chain. Considering the criticality of the outsourced activity, and the potential harm from a disrupted service, significant organisations should review the overall sustainability of the proposed provider. Specifically, what would happen if the supplier suffered stressed conditions and needed financial or operational support to maintain the outsourced activity?


Firms are free to outsource multiple functions, including those that are regulated or material, but they must ensure this does not result in an organisation that is essentially an empty shell. When managing outsourced relationships, organisations must retain their core as an organisation, and be able to assert influence over their third parties in order to govern the relationship effectively.


Without adequate business oversight, including involvement of internal audit across the whole extended enterprise, the many commercial advantages of using third parties will be undermined if responsibility is not retained. The associated reputational impact may be just the start of the problems this causes.


You can outsource a process but you can’t outsource the impact to your business when things at your third-party provider go wrong.



Authors: Sandy Kumar FCCA is a Partner and Head of Business Risk Services for the Financial Services Sector at Grant Thornton UK LLP. Ravi Joshi is the Head of Technology Risk Services at Grant Thornton UK LLP.




Future ready: accountancy careers in the 2020s

Technology is just one of many forces coming together to reshape the future of careers in accountancy. Read ACCA's latest report to find out more.

While technology is a major force transforming the world of work, there are also a number of other forces at play too, including changing expectations of individuals in the workplace, shifting social norms and values, new types and levels of connectivity and demographics. 


Our latest report, Future ready: accountancy careers in the 2020s, draws on ACCA’s collective research over the last three years, as well as new research. It examines what all of this tells us about the trends changing careers in accountancy. It’s a story of opportunity as the profession takes centre stage in building sustainable organisations for the future.


We see five exciting career zones emerging. These zones represent broad areas of opportunity which individuals may develop their careers in, or indeed navigate across. Career paths in the profession will become more diverse and working lives will evolve as technology blurs the work divide between humans and machines:


  • The assurance advocate is essential to the strong stewardship of sustainable organisations for the future in areas such as auditing, risk management, and compliance. They bring new levels of trust and integrity to organisational operations. 
  • The business transformer is the architect of organisational change, driving the strategies of organisations, and supporting sustainable businesses for the future. They may be leading innovative smaller accountancy firms or SMEs, or exploring careers in advisory or business transformation. 
  • The data navigator is a true business partner. They see extraordinary opportunities from the growth of data and use emerging analytical tools to drive insights that deliver business outcomes. They champion ever-growing, rich data sets and use smart data to generate brilliant forward-looking analysis to support decision making.
  • The digital playmaker is a technology evangelist, who champions technology adoption and data governance within the organisation and sees remarkable possibilities with emerging digital tools in transforming the organisations in which they work. 
  • The sustainability trailblazer is at the heart of performance management in the organisation. They play a key role in establishing frameworks that capture, evaluate and report on the activities that truly drive value and in ways that are much more transparent and meaningful to the outside world. They will transform management accounting fit for a multi-capital world and see emerging opportunities with better external disclosures to ever-growing stakeholder groups.

Read the full report here.


New webinar: Internal Audit and technology

ACCA UK’s Internal Audit Network is running a webinar on the common problems and barriers that Internal Audit faces with technology on 16 April.


Join us at 12.30pm that day to hear Dr Andrew Davidson of Johnston Carmichael cover the following issues for Internal Audit with technology:


  • Expectation gap - management thinks that new software will do everything, solve all problems and give 100% reliable answers
  • Training and change - staff can be reluctant to change to a new way of doing things
  • Ongoing monitoring - it is rare that new technologies are implemented flawlessly and work exactly as anticipated
  • Data management - for software technologies, the data required (or produced) may be more or less than that required by the business
  • Techno-joy - people may use software despite it not being relevant and try to force it to do the job.

For each area, he will look at the concern for Internal Audit and the solution.

The webinar will provide one unit of verifiable CPD where it is relevant to your work. You can register here to join us live or listen later on demand.

Webinar series - Future Trends in Internal Audit

Register for our on demand webinar series on Future Trends in Internal Audit

ACCA UK’s Internal Audit Network ran a series of three webinars on future trends in Internal Audit in November and December which are now available on demand.


Speakers included Chris Spedding of Barclays Internal Audit, Geraint Davies CBE, and Michelle Holmes and Harrison Jardine of Protiviti and they covered:

  • Adding value with agile auditing
  • Can Internal Auditors really be independent?
  • Robotic Process Automation for internal auditors.

Each webinar will provide one unit of verifiable CPD where it is relevant to your work. You can register for any or all of these on demand webinars here.





Bite-size webinar series

Check out our series of bite-size webinars by Gregory Coleman for those moving into Internal Audit.

ACCA UK’s Internal Audit Network has developed a new resource for those moving into Internal Audit including a series of bite-size webinars by Gregory Coleman.


Greg spent over 25 years working in governance, risk management and audit roles for various multinational organisations operating in the financial services, pharmaceutical, engineering and Fast Moving Consumer Goods industries in both the UK and US. He was also Chief Audit Executive in three public limited companies listed on the UK Stock Exchange.

Now an independent consultant, he carries out risk management work and runs training courses. Greg currently serves as a member of the Audit and Risk Committee at the Honourable Society of Lincoln's Inn and is a member of the Chartered Institute of Internal Auditors.


Greg covers these topics in his bite-size webinars:


  • Designing the test plan
  • Sampling
  • Executing testing


You can register for any or all of these on demand webinars here.


Click here for more information about our new resource for moving into Internal Audit.

ACCA resources for internal auditors

ACCA's Internal Audit hub is a great resource for those working in Internal Audit or thinking of moving into Internal Audit.

ACCA’s Internal Audit hub provides support to our members working in governance, risk, assurance, control and efficiency (GRACE). The latest addition to the hub is a resource for those moving into Internal Audit. Resources already available include:


  • making the move from external audit to internal audit
  • what is internal audit and what does it do?
  • core skills such as interviewing, designing the test plan, sampling, executing testing, evidence recording and report writing

The content is a mixture of bite-size webinars, brief guides, articles and presentations. We will be adding to the resource over time.


Other sections in the hub:


Learn about internal audit

This section explores what internal auditing is like in practice and the many pitfalls to avoid. A series of guides covers internal audit for beginners, the management team, the audit committee and Heads of Internal Audit. New to this part of the hub is a section on evidencing compliance with professional standards.


Our webinars and other resources

ACCA UK’s Internal Audit Network regularly runs free webinars for its members working in internal audit. Search here for past webinar series on blockchain and crypto currencies for internal auditors, cyber security, de-mystifying IT audit and GDPR.


This section also has a new Resources by theme area that collates material produced by ACCA in the past few years under the themes of ethics, audit management, IT and regulation/legislation.


Our publications and other research

Here you'll find a link to the most recent edition of this e-bulletin and you can also search for CPD articles for internal auditors. 


Internal Audit blog

If you would like to gain some insight into the life of an internal auditor then look at our blog series “A day in the life of the invisible auditor” where a different internal auditor provided some thoughts every week in 2019.