Technical and Insight
Is internal audit the next BlackBerry?
It really is time to reinvent the profession, believes Tim Leech.

It really is time to reinvent the profession, believes Tim Leech. 

In the first part of a two-part article, Tim Leech defines the problems facing the internal audit profession. The second part of this article will appear in the next edition of this eBulletin and will see Tim discuss his solution to the problem

This is an alternative view of the profession that readers and practitioners should consider in the context of their own approach and behaviours. The views expressed in this article are the author’s and may not reflect those of ACCA. 

Executive summary
Over the past decades there has been a series of major corporate governance crises. After each wave post-mortems were convened and efforts made by regulators to identify root causes. The good news – or bad, depending on your perspective – for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to avoid the current crisis being reviewed. 

What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organisations. As pressure on directors mounts globally to improve risk oversight, their dissatisfaction with traditional internal audit services is also growing. This article suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit ‘paradigm paralysis’ – a strong attachment to traditional ways of doing internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of its key customers. 

In 1990 I authored a paper that changed the course of my life and career titled Control & Risk Self-Assessment: The Dawn of a New Era in Corporate Governance. In that paper I called on the internal audit profession to actively support and embrace the need for robust management self-assessment of risk and control. A significantly different role for internal auditors was proposed, a role fostering reliable management risk self-assessment and reporting to the board on the reliability of management’s risk management processes and the risk status information provided by management to the board. 

Later in the 1990s, as the number of control and risk self-assessment (CRSA) pioneers grew, the IIA showed support for this new internal audit paradigm by creating the Certification in Control Self-Assessment (CCSA) and hosting an annual international CSA/CRSA conference. Since CSA/CRSA was still a relatively small fringe movement, the IIA continued to base the core internal audit curriculum on the foundation element of internal auditors doing ‘risk-based audits’, and reporting opinions on ‘internal control effectiveness’ on a small percentage of the total risk universe each year. 

When Sarbanes-Oxley came along in 2002 the focus of the profession regressed and shifted, at least in many of the world’s largest public companies, to providing heavy support for binary opinions from CEOs and CFOs on whether financial accounting internal controls are, or are not, effective. Following the 2008 global financial crisis, IIA Global again showed support for change with changes to the International Professional Practice Framework (IPPF) standards and the creation in 2011 of a new Certification in Risk Management Assurance (CRMA).

Since the idea of internal auditors focusing on reporting on the effectiveness of risk self-assessment processes maintained by management was still seen by the majority of internal auditors globally as a fringe movement, the IIA continued to position traditional internal audit roles, including completing direct report internal audits, reporting on internal control ‘effectiveness’, maintaining ‘audit universes’ and audit plans, and the traditional curriculum in the Certified Internal Auditor (CIA) designation as the core internal audit paradigm.

The core foundation of internal auditors doing direct report internal audits and reporting opinions to their boards on the effectiveness of internal controls on a small percentage of the risk universe each year is now under siege as more and more customers and stakeholders, including the C-Suite, boards of directors, management, and regulators show increasing signs of dissatisfaction.

This article overviews the growing and ominous signs of customer dissatisfaction and proposes a new paradigm in assurance – ‘Objective Centric Five Lines of Assurance’ as a strategy to prevent internal audit becoming the next Blackberry – an organisation that just didn’t see the warning signs and respond soon enough. 

Growing signs of dissatisfaction
Pulse of the Profession surveys done by the IIA and major consulting firms in 2014- 2016 paint a picture of growing customer dissatisfaction with traditional internal audit services. An excerpt from the IIA July 2014 report titled Enhancing Value Through Collaboration shown below is illustrative of the growing levels of customer dissatisfaction. The percentage of unhappy internal audit customers reported in these surveys is simply too big to dismiss as ‘a few bad apples in the barrel’.

Following the 2008 global financial crisis regulators from countries around the world banded together to study root causes. The conclusion of the Financial Stability Board (FSB), an oversight body comprising the world’s superpowers, was that a radical shift in the roles played by boards, senior management and internal audit is necessary.

In the FSB’s November 2013 guide to national financial and securities regulators around the world titled Principles for Effective Risk Appetite Framework, the FSB painted new and significantly different roles for boards, CEOs, risk specialists, and internal auditors. Internal audit’s main role, as envisioned by the FSB, should be reporting on the effectiveness of risk management processes, including the ability of the company’s risk management framework to identify risks, assess risks, treat risks, and deliver reliable information on residual risk status to boards.

Unfortunately, in many organisations today, internal audit still serves as the primary group that completes formal documented risk and control assessments and reports results upwards to the board of directors. A key roadblock to actualising the new FSB vision is that internal audit is often the primary risk/control assessor and reporter to board, not management. As a result, internal audit lacks the independence required by IIA standards to report on the effectiveness of the company’s risk management processes.

The 2014 IIA Annual Report shown below called on internal auditors to be agents of change.  In February 2016, sensing the profession was not responding fast enough, IIA President, Richard Chambers, blogged that To Be Agents of Change Internal Audit Must Embrace Change and focused on the theme of the 2016 Pulse of the Profession report – ‘Time to move out of the comfort zone’. While recognising the need for and importance of change, the IIA has been reluctant to aggressively endorse a radical change agenda for the profession. 

Internal audit competitors sense an opportunity
A 2016 Deloitte report titled Evolution or irrelevance: Deloitte’s 2016 Global Chief Audit Executive Survey is illustrative of the growing sense that here is a big commercial opportunity to be exploited as customer dissatisfaction with traditional internal audit methods grows. 

The survey’s key findings – taken from 1203 respondents in 29 countries and across eight industry sectors – are:  

  • almost all heads of internal audit expect their organisations and their functions to change substantially in the next few years
  • internal audit currently lacks the impact and influence that it wants and needs within the organisation
  • key gaps in certain skills, including analytics, IT and communications, must be addressed in order to increase impact and influence
  • stakeholders’ expect more forward-looking reports as well as insights regarding risks, strategic planning, IT and business performance
  • almost all internal audit budgets will remain flat or increase slightly, which may not be enough to fund needed enhancements to the function

Fortunately, for many in-house internal audit groups, external providers of internal audit services (read competitors) are also still largely wed to the traditional direct report audit paradigm where auditors form subjective opinions on whether they (the auditors) think controls are effective/ineffective. Be warned. however: a major risk to the profession is that one or more ‘APPLE-like’ competitors may yet emerge to seize on the opportunity presented by the current paradigm paralysis in internal auditing and ERM. 

What does history suggest?
In the face of steadily dwindling customer satisfaction what does history say the internal audit profession will do? Research done over many decades provides insight in to one of the greatest risks today to better governance globally – paradigm paralysis in internal audit and ERM. 

A summary of the barriers to change posed by paradigm paralysis is as follows: 

The greatest barrier to a paradigm shift is the reality and incredible inertia of paradigm paralysis. A paradigm paralysis can be defined as the inability or refusal to see beyond current models of thinking. There are countless examples of paradigm paralysis in the history of mankind. 

In Europe, up until the seventeenth century, physicians used to draw out substantial amounts of blood from their patients to ‘purify’ their bodies from some imaginary ‘miasma’. It would, of course, make patients weaker and quicken their death. The first physicians to challenge this absurdity were dismissed and banned from the profession. A better known example of paradigm paralysis is the rejection of Galileo’s theory of a heliocentric universe which revolutionised the field of astronomy. 

If paradigm shifts are the mega-phenomenon of ‘thinking outside the box’, paradigm paralysis is the enemy of progress and can be defined as the sclerosis of ‘thinking inside the box’. In today’s world of social turmoil, constant fast pace change, globalisation, communication revolution, overpopulation, shrinking resources and growing ecological threats, paradigms are double-edged swords. 

On one hand, they give us a structure and the illusion of permanence, which is a false sense of security. On the other hand, current paradigms, which often fall into the category of paradigm paralysis, prevent us from tackling challenges and major problems to keep life sustainable on this planet for future generations. In other words, we need to step out of the ‘illusion box’, both individually and collectively, of established thought paradigms, and jump courageously and resolutely into an uncharted and unknown reality unfolding each time a significant paradigm shift takes place.

The second part of this article, in which Tim discusses his solution to the problems identified, will appear in the next edition of this eBulletin. 

Tim J. Leech, FCPA CIA CRMA CCSA CFE is managing director at Risk Oversight Solutions Inc., based in Oakville, Ontario, Canada and Sarasota, Florida. He has over 30 years of experience in the risk governance, internal audit, IT, and forensic accounting/litigation support fields. 

Leech has provided training for tens of thousands of public and private sector board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the US, the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer.  His article ‘Reinventing Internal Audit’, featured in the April 2015 issue of Internal Audit, received the Outstanding Contributor award from the IIA.

CPD article: Key cybersecurity principles
In the current climate, internal auditors have a duty to understand what cyber threats mean for their firms.

In the current climate, internal auditors have a duty to understand what cyber threats mean for their organisations. 

Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.  

Over the last 25 years the internet has evolved from small-scale communications between defence organisations to a global vehicle for communications, service delivery, commerce and marketing. Cybersecurity has paralleled this growth. It has evolved from a technology game played by geeks to a global problem involving organised crime, systematic fraud and theft, state sponsored espionage, cyber-warfare, and a free-for-all for hobbyists, terrorists and politically inspired hacktivists. 

Banks have lost hundreds of millions of pounds. The internet for entire countries has been brought down. One state saw its power grid shut off. And it is estimated that global losses will exceed $2 trillion per year by 2019. In the UK losses are more than £700 per person per year. One hack in the UK alone netted more than £100m in February 2016. 

Large areas of the internet are essentially beyond the control of law makers. The laws of many countries are outdated. And so, they host large sophisticated organisations dedicated to cyber-crime who can operate with impunity. The ‘dark web’ – the hidden and unregulated area of the internet – is huge. It is estimated that only 5-10% of the internet is publicly accessible through tools like Google and Bing. It’s an enormous game of cat-and-mouse. Except the cats are criminals and the mice are made of solid gold. 

When businesses move online, cyber becomes a significant business risk – and in some industries, the dominant business risk – faced by boards of directors and shareholders. There have been many high profile expensive hacks and many reputations trashed. As a result, there is increasing regulatory pressure. Companies have been fined for privacy breaches. The UK government has announced a £1.9bn national cyber programme and mandated that all its suppliers have cyber essentials certificates before awarding new contracts. There is an emerging cyber-insurance market that is also driving improved standards such as ISO 27001 Information and Data Security – the latter is not yet universal but will increasingly be a standard requirement. 

And finally, as if all this were not enough to draw the attention of the internal auditor, cyber defence expenditure is rising quickly. The market for cyber services reached $170bn this year with one bank alone – JP Morgan – spending $500m on cyber defence in 2016. And this means, despite the complexity and foreign technical language, auditors must come to grips with their organisations’ cyber problems. And that means the modern internal auditor must first understand the basic principles of cyber. 

Prioritise cyber expenditure
The first principle is that your business must formally prioritise cyber expenditure. You cannot spend enough to prevent all cyber-attacks.  Any increase in expenditure will reduce risk, but risk can never be eliminated. So, some companies give up. They take the view that it is cheaper to pay the regulatory fines and reimburse customers as required. Others will simply outsource everything to ‘the cloud’ – but it’s important to understand that the cloud is just a timeshare on someone else’s computer – a computer that also needs security checks. Neither of these abdication strategies is guaranteed to minimise shareholder risk. 

The recommended approach is to understand the criminal threat specifically to you in detail, review your technology and controls, assess what risks lie in your data and processes, look at reputational risk and then prioritise expenditure and counter measures accordingly. An example – most mergers and acquisitions are highly sensitive and managed in conjunction with external lawyers and investment organisations. But most communication between management and professional advisers is by unencrypted email and can be easily intercepted. 

The weakest link
The second principle is encapsulated in the famous joke about the bear. When two hunters see a bear approaching, one hunter puts on his running shoes. The other reminds him he cannot outrun the bear. ‘I don’t have to outrun the bear,’ says the first, ‘I just need to outrun you’. 

If you are a bank, you don’t want to be the weakest bank. When everyone is vulnerable, your only safety lies in not being the weakest. Understand the norm for your sector, keep abreast of the risks in real time, make it hard for the hackers and they will quickly move on, there is after all a world of easy pickings out there. 

The role of humans
The third principle is that cyber is not just a technical problem. Most hacks are simple – tricking someone out of a password, or conning an employee to click on a bad link – these are known as phishing. A common scam is the CEO fraud – where a well-researched and presented email arrives, supposedly from senior management, asking for critical business data or instructing supplier payment. 

And then there is the inside threat, the employee gone bad. A good security system looks for changes in people’s behaviour, for when the HR employee suddenly becomes interested in accounts payable. Humans are often the weakest link and cyber awareness training, prompt exclusion of leavers and good password hygiene are basic but important security measures. 

Generally accepted security principles
The fourth principle is that, while cyber is still evolving quickly, there is a set of ‘generally accepted security principles’, and each organisation should assess, tailor and implement these to meet their specific needs. From a technical perspective, the top five things to check are that the company has procedures for managing: 

  • boundary firewalls and internet gateways
  • secure configuration
  • access control
  • malware protection
  • patch management.

These are the core elements that make up the cyber essentials certification. For more experienced internal auditors, and companies with high levels of exposure, you can use the CIS Critical Security Controls Framework, which contains 20 recommended controls and 149 behaviours to look for. 

Manage data
The fifth principle is to manage data. You want to see that your organisation has reviewed its data assets, allocated owners, ensured they are backed up, determined what is valuable and decided what should be protected – encrypted – either in its databases or whenever data is transmitted. Does different data have different access control – or is everything open once you are in? Does your company review outgoing traffic to ensure that sensitive data is not included (ie managing data exfiltration). While some of the technology here is complex, it is easy for an internal auditor to check if these things have been considered. 

Prepare to be hacked
And the final principle is that you will be hacked anyway and you should prepare accordingly. Often the losses and reputational damage of a cyber breach are determined more by how quickly and competently the company responds. Your organisation should have a cyber-incident response plan that specifies how an attack will be recognised, who will lead the response, how forensics and investigation will be carried out and – importantly – how you will communicate with clients and regulators. The plan should involve senior management and it should be rehearsed. 

In conclusion, cyber fraud is now the dominant business risk for many businesses and both losses and cyber defence costs are rising quickly. Internal auditors must not be put off by technical jargon, can quickly use standard checklists and should stick to their guns in asking basic questions about what assessments and counter-measures – human and technical – have been established. 

If you have not been trained by your organisation, then there is a good chance they have not addressed the weakest link – their employees. Act accordingly. 

ACCA webinars
Finally, you can find out more about cyber defence via a series of ACCA webinars – scroll down for more details and access to these. 

But before you do – start a new habit: check you are really reading this on an ACCA platform; ensure that the URL in your web browser begins with

Stuart Bladen and Jay Abbott – CEO of Falanx Group and MD of Falanx Cyber Defence  

Cybersecurity webinars 
ACCA UK's Internal Audit Network ran a series of seven webinars on cyber security from March to September 2016. 

Jay Abbott – managing director of Falanx Cyber Defence (part of the Falanx Group of Companies) – presented the series with co-hosts for specialist topics. Jay has over 20 years of industry experience in technology and security. He is a respected keynote speaker who is regularly quoted in the press and a trusted industry expert. 

The series covered: 

  • An introduction to cybersecurity for internal auditors
  • Cybersecurity and data security for internal auditors
  • Cybersecurity and social engineering for internal auditors
  • Cybersecurity and process network control for internal auditors
  • Cybersecurity for internal auditors – how you should react when you are under attack
  • Cybersecurity and outsourcing for internal auditors
  • Cybersecurity for internal auditors – the latest techniques and attacks.

The entire series is now available on demand. Each webinar lasts for an hour and constitutes one unit of CPD where the content is relevant to your current or future role. 

You can access these webinars now

The Bribery Act 2010 – five years on
David Foley presents a mid-term report on legislation that has had a major impact on our profession.

David Foley presents a mid-term report on legislation that has had a major impact on our profession. 

July 2016 marked the fifth anniversary of the introduction of the Bribery Act 2010 – ‘the Act’ – a piece of legislation which, it could be argued, had been a long time coming. Its counterpart across the Atlantic, the Foreign Corruption Practices Act (FCPA), had been used to great effect some time before there had been calls for the UK to update its own ‘corruption’ legislation, but its development wasn’t a simple process. However, it has now passed beyond its difficult birth and initial teething problems and now finds itself a fully developed piece of compliance legislation. 

After the Act’s introduction – admittedly a stalled start resulting in eventual roll out in 2011 – not all voices were complimentary regarding the its arrival. UK plc was thought to be placed at a significant disadvantage in contrast to our non-UK competitors, and would be a difficult place to do business, as nothing would get done without some degree of facilitation; the new child was viewed as a potential disruption to doing business. 

It is not possible to put a figure on the scale of corruption, but it is in the billions, and potentially in the trillions. Estimating corruption levels is a tough task with many studies compiling varying statistics. However, the common theme is that the sums involved are eye-watering. Additionally, the human impact of corruption has led to deprivation and developing countries, in particular, being stripped of their assets as corporations attempt to corner the marketplace for their own benefit. 

Therefore, the concept of having the legislation is not resented by the majority, except for those who seem threatened by the consequences of getting caught out by the specific offences that the Act created. It was also welcomed by those involved in the law enforcement environment, as it provided simplistic, defined offences which the general public could understand and relate to. 

Excitement and trepidation
There was much excitement and trepidation following the introduction of the Act, with law enforcement believing that there was likely to be a deluge of persecutions, whereas many scratched their heads over interpreting the parameters of the Act. There were instances of scaremongering, such as the removal of the Christmas gift of a pen or a sandwich at lunchtime client meetings, and business development generally started being analysed through a different lens. Some of these stories caused cynicism across organisations, with several taking the approach of sitting tight on the basis that their business wasn’t at risk of bribery, and even if they were, given the limitations of prosecution resource within the Serious Fraud Office (SFO), it was unlikely that they would ever end up in the target sights of law enforcement. 

Many ticked the box as part of a compliance exercise, whereas some took the social conscience approach, wanting to do the right thin,g and really invested in resource, projects and ongoing monitoring systems to take effective measures to get themselves away from harm. 

The cynical bunch remained confident until the first conviction by the SFO took place in 2014. Since then, there have been many high profile cases, with notable household and prestigious names caught in the sights of the SFO and prosecution authorities. While this is not good news, it does mean that organisations have reconsidered their position and have moved from their initial position of doing very little, to getting the topic onto the agenda for discussion and real consideration. 

Further developments have taken place, such as the introduction of ‘deferred prosecution agreements’, which provide another perspective that organisations need to take note of. 

The introduction of ‘The Six Principles’ provided a framework from which an organisation could review its risk exposure to incidents of bribery, and act accordingly. From these six principles an organisation can tailor its compliance approach and review both its on-going actions and past practices. This was helpful guidance, but it does require an organisation to apply the model in a bespoke way. There is no one-size-fits-all, which many will appreciate. 

Common areas for improvement
From my experience of working with organisations of differing sizes, from across a range of sectors, while there has been a range of different approaches, appetites and investment, there are some common areas where improvements have occurred, with greater scrutiny on the following: 

  • gifts and hospitality
  • conflicts of interest
  • pre-contract procurement and tender procedures.

In summary, all of this is a step in right direction; indeed some may say it is a giant leap from where we started out. It is not clear really what was expected from the introduction of the Act, given the different impacts it had on businesses, law enforcement and the public. 

Even five years on, it is probably too early to state whether the Act has been a success. Many see it as a work in progress with much still to achieve. It has enormous potential, all of which is within the control of the organisation applying the Act’s principles in how it conducts its business. 

What is certain is that the Act is now firmly in the minds of compliance functions, the general public have a greater awareness of the Act and suppliers have to reconsider how they conduct their business development activity. 

Therefore, in true mid-term school report style: reasonable effort to date but could work harder to reach its potential. 

David Foley is a risk assurance director at RSM, providing proactive and reactive counter-fraud services to large corporate and not for profit organisations.

Bribery, corruption and slavery: assessing the risk to your business
Eversheds International explains how businesses should comply with the legal obligations of the Bribery Act and the Modern Slavery Act.

Eversheds International explains how businesses should comply with the legal obligations of the Bribery Act and the Modern Slavery Act. 

Elsewhere in this e-Bulletin, David Whyte - Editor of How Corrupt is Britain? – considers the spirit of the law rather than the letter of the law. 

Recent years have seen a myriad changes to the legal landscape of bribery, corruption and anti-slavery legislative practices, making treacherous trading conditions for businesses across a wide range of sectors, including construction and engineering, and jurisdictions. More so with the increasingly prominent international marketplace with each jurisdiction procuring its own set of often complex offences and penalties. 

The UK Bribery Act now represents the most expansive and stringent anti-corruption practice in the world. This article will assist in guiding your business through the minefield of risks associated with the new era of bribery, corruption and anti-slavery provisions. 

Bribery Act 2010
Government guidance upon the release of the Bribery Act in 2010 noted the importance of addressing the growing issue of bribery and corruption in the marketplace: “Bribery undermines democracy and the rule of law and poses very serious threats to sustained economic progress in developing and emerging economies and to the proper operation of free markets more generally’

Since then commentators have described the Bribery Act 2010 as having ‘sharp teeth’ due to its hard-hitting approach to reform. The Act introduced a stringent new legislative regime which criminalises the failure of a business to prevent bribery on its behalf. The Act details general offences in relation to bribing another person or being bribed and a specific offence relating to bribing foreign public officials, along with a specific corporate offence of failing to prevent bribery. 

The Chartered Institute of Building reported that 49% of respondents to its survey believe corruption is common within the construction industry. This theory has been blamed on embedded cultural practices combined with difficult economic conditions, such as squeezed tender margins or less activity in the marketplace. This has arguably led some organisations to make reckless decisions which, under the Act, could lead to an unlimited fine and irreparable reputational damage in the marketplace.  

Defining bribery
Very generally, bribery is defined as giving someone a financial or other advantage to encourage that person to perform their functions or activities improperly or to reward that person for actions already performed. 

A bribe has therefore occurred when a person offers, gives or promises to give a monetary benefit or benefit in kind for an action. This is known as active bribery. Passive bribery includes the requesting, agreeing, receiving or acceptance of a bribe. 

The Act provides a new form of corporate liability for failing to prevent bribery on behalf of a commercial organisation. A ‘relevant commercial organisation’ is defined as a body or partnership incorporated or formed in the UK irrespective of where it carries on a business, or an incorporated body or partnership which carries on a business or part of a business in the UK irrespective of the place of incorporation or formation. A commonsense approach will be applied to what should be included in the definition of a commercial organisation: this is likely to therefore include charities, public bodies and education entities. 

A commercial organisation will be liable if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organisation. There must therefore be a failure on the organisation’s part to prevent the conduct which commissions an offence under the Act. 

An associated person is someone who performs services for or on behalf of the organisation. The objective of this section of the Act ‘is not to bring the full force of the criminal law to bear upon well run commercial organisations that experience an isolated incident of bribery on their behalf’. It is to achieve a balance which will punish those who offend not only wilfully but also inattentively. The organisation will be awarded a full defence if it is able to illustrate it did have adequate procedures in place on the balance of probabilities. 

The key questions prosecutors will consider when determining whether to prosecute under the Act will include the extent of the evidence collected and if a prosecution would be in the interests of the public. Arguably the larger the company the higher onus on its senior staff to comply with the Act. Businesses face unlimited fines should they be found liable under the Act of an offence along with being subject to a confiscation order under the Proceeds of Crime Act 2002. A company director who is convicted may also be disqualified under the Company Directors Disqualification Act 1986. 

What do businesses need to do?
The government offers guidance in the form of the following six principles which should be adhered to when a business is evaluating its position under the Act: 

  • a business should have proportionate procedures in terms of nature, scale and complexity and must these be clear, practical, accessible and effectively implemented and enforced
  • there should be commitment from board level to shop floor to cultivate the correct culture within the organisation
  • regular risk assessments should be performed to address potential bribery risks within the organisation
  • enforcement of the bribery policies should be approached with due diligence
  • communication is key; policies should be embedded, discussed and visible to both internal and external individuals
  • risk within the organisation should be monitored and reviewed regularly.

Key is acting quickly and effectively; if you haven’t already done so review your anti-bribery and corruption policies and procedures. Ensure they are compliant with the Act and filtered into the business at every level. Regular training should take place along with policy updates as and when required in line with updates across the market. 

Modern Slavery Act 2015
The Modern Slavery Act 2015, which came into force in October 2015, provides for the offences of slavery, servitude and forced or compulsory labour and human trafficking) in the UK. 

In the UK an estimated 13,000 people are working as slaves and according to the International Labour Organisation, there are 21m people around the world trapped in some form of forced labour. 

Arguably the nature of work associated with the construction industry naturally correlates to some of the offences defined under the Act. The Act is likely to affect this industry more than others due to the size and complexity of projects often involving lower-skilled workers, alongside the complexity of a multitude of organisations and the growing trend to outsourcing work and cut price contracting. 

The Act requires businesses with a turnover of £36m and above that are supplying goods or services to publicly report steps they have taken to ensure their operations and supply chains are trafficking and slavery free. Similar to the Bribery Act 2010, a commonsense approach as to what goods or services include will be applied. The duty applies to businesses that carry on business in the UK, wherever they may be incorporated. 

There are complexities when it comes to non-UK domiciled companies or subsidiaries that don’t do business in the UK. There is ambiguity in the position of UK companies with wholly-owned subsidiaries operating overseas that don’t provide goods or services to the British market. For example, a UK construction company with a wholly-owned subsidiary in the Middle East operating exclusively in those countries could potentially argue that the provision doesn’t apply to its operations. 

Some businesses are already active or have responded accordingly to the Act - for example, by introducing policies and training as well as employing risk analysis audits, due diligence, complaints mechanisms, stakeholder engagement and a review across the business with particular focus on supply chains. For others, the Act can seem vast with a range of risks and issues which need addressing with the likelihood of this taking time, resource and money. However, businesses need to react quickly to the new regime in order to avoid criminal prosecution or monetary fines and negative, sometimes irreversible, reputational damage.  

What do businesses need to do?
In order to be compliant with the Act businesses that meet the turnover threshold will need to prepare and publish a statement setting out the steps they have taken to ensure slavery is not part of their businesses or part of their supply chain. Guidance as to what should be included in the statement is limited, but the more transparent it can be, the higher the likelihood it will be complaint under the Act. 

Suggestions about input include structural information about the business, policies in relation to slavery and human trafficking, due diligence relating to its supply chain and the identified risks and examples of employee engagement and training in relation to the Act. The statement must be approved at board level. 

The formulation of anti-bribery and modern slavery provisions in the UK creates a complex array of complicated and often high risk provision, each requiring action from board level down. 

To avoid corporate liability for bribery, companies must make sure they have clear, up-to-date and effective anti-bribery policies and procedures in place. This requirement goes further than being effective theoretically; as a strict liability offence companies are required to illustrate how their systems work effectively with adequate procedures designed to prevent persons associated with it from undertaking bribery. This is the only defence businesses may rely upon, limited in scope and application. 

A similar story prevails in relation to the modern slavery provisions, which will doubtless have a vast impact across the marketplace. According to the Guardian newspaper, early analysis of the first 100 company statements revealed that most fell short of the legal requirements and were too broad, generic and brief. 

However, changes in the marketplace are without doubt important for both ethical, moral and commercial objectives. The sooner companies are able to cleanse their processes and procedures the sooner the entire marketplace will move in the right direction to eliminate inhumane and immoral treatment. 

This article is reproduced with the kind permission of Eversheds International and was first produced on its website in June 2016. 

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice.

The normalisation of corruption and public opinion
David Whyte considers the ‘spirit of the law’ when it comes to bribery and corruption.

David Whyte considers the ‘spirit of the law’ when it comes to bribery and corruption. 

Elsewhere in this e-Bulletin, we have an article by Eversheds explaining how businesses should comply with the legal obligations of the Bribery Act and the Modern Slavery Act. 

However, should businesses merely comply or should they consider a broader definition of corruption and desist from practices that although compliant are still immoral? 

The UK is currently the 10th least corrupt country in Transparency International’s benchmark Corruption Perceptions Index (CPI). It has been an unusual rise up the charts from 20th place in 2010, a period in which we have witnessed a series of criminal frauds involving the major players in the UK banking sector (for example the fixing of LIBOR and Forex), a series of police evidence-rigging and bribery scandals (not least Hillsborough, the IPCC investigation into Sapphire Command and the Ellison Review), several political corruption scandals in the headlines (widespread Parliamentary expenses frauds and the periodic re-emergence of ‘cash for influence’ and ‘cash for honours’ scandals).  

Robert Barrington, the head of Transparency International UK, qualified the result by pointing out there are ‘good reasons why people are sceptical about whether Britain really merits a top 10 ranking’. 

There are indeed. The same week that the CPI was published earlier this year, the criminal case against five people accused of the LIBOR frauds collapsed. The following day two more stories about corruption in British institutions broke. The first reported the news that European Commission was investigating complaints that Google’s £130m settlement with the British government amounted to ‘special treatment’ and the second reported that that the Prudential Regulation Authority will investigate the potentially criminal role of HBOS's senior management in the near-collapse of the bank, seven years after the event. 

If it seems as though a lot of corruption of various forms was being reported in the same week that the newspapers were reporting the UK’s miraculous climb up the anti-corruption charts, there was nothing unusual about this. In the UK over the past few years, reports of major corruption scandals of various kinds in the public and private sectors have become daily fodder. 

We are overwhelmed by the scale, frequency and variety of corruption cases in this country, from police manipulation of evidence, to over-charging in out-sourced public contracts, by way of election funding and cash-for-access scandals involving prominent politicians and price fixing, market manipulation and fraud in key sectors of the economy.

But in the UK, our corruption is – for the most part – respectfully hidden. Although the bribery of public officials goes on sometimes, it is not a visible part of everyday life. In most UK cities, we do not (yet) have the option of bribing traffic wardens to avoid a parking ticket or the option of bribing police officers to avoid being charged for a petty offence. Our corruption is of a different order.

Economists sometimes distinguish between collusive corruption (where two parties collude for their common benefit) and extortive corruption (where one party is compelled to make a bribe payment to another). It is less common, for example, to have to bribe a public official in the UK than some other countries. Extortive corruption is not a major problem in this country, though it is probably more widespread than we tend to think it is. 

It is extortive corruption that surveys like the CPI are primarily concerned with. But the British style of corruption that we are increasingly exposed to is collusive. And collusive corruption is not done merely for personal gain, but is largely done for the benefit of the organisation or the institution. Police rigging of evidence for example is typically done to avoid criticism of the police (as in the Hillsborough case). The rigging of LIBOR doubtless benefited the traders that colluded, but benefited the banks and their shareholders much more.  

A poll commissioned with YouGov earlier this year asked a representative cross-section of the British public about how they regarded a range of collusive relationships between the public and private sectors. 

The survey revealed a public sentiment strongly in favour of prohibiting some of the practices that are normal and routine in government – especially those that indicate a close – collusive – relationship between the public and the private sector. In this survey almost three quarters of the respondents said that the practice of ministers or senior civil servants accepting corporate boardroom appointments on leaving office should be banned. Almost two thirds said that inviting private corporations into government to help shape the regulation of business should be banned and more than two thirds said that current PFI arrangements for public projects should be banned. 

In other words, the British public want rid of many of the practices that have become part and parcel of the British way of doing business and doing politics. It is not difficult to see why. The revolving door, and the involvement of the private sector in public functions, have proven to be both a symptom and a cause of institutional corruption in the neo-liberal period. Since the 2008 financial crisis, the UK’s brand of crony capitalism has enriched the few in a very harsh economic climate that has disproportionately punished the poor.  

The UK government conveniently avoids its growing reputation as a crony capitalist state par excellence, preferring in its own Anti-Corruption Plan to more or less follow the World Bank definition of: ‘the offering, giving, receiving or soliciting, directly or indirectly, of anything of value to influence improperly the actions of another party.’ 

The same Anti-Corruption Plan makes it clear that it is government policy to remain fixated on extortion by criminal gangs, rather than collusion between powerful corporations and government departments. Yet, as the Tax Justice Network’s Financial Secrecy Index shows, if all of the British Overseas Territories were counted along with the United Kingdom, then the UK would be number one provider of financial secrecy.    

This level of potential corruption is not merely a problem that can be described as ‘extortion’, but is a routine practice that is used for maintaining and extending the power of corporations, governments and public institutions. The British brand of corruption arises from practices that have become normal in business and politics. 

David Whyte is the editor of How Corrupt is Britain? This article is an edited and updated version of a piece published by Open Democracy.

Global ambitions?
We talk to three people about the international opportunities a career in internal audit can provide.

We talk to three people about the international opportunities a career in internal audit can provide. 

If your passion for travel matches your interest in how objectives, risks, controls and assurance interact then you will already appreciate the many opportunities a career in internal audit can present. 

Many roles offer a life living out of a suitcase, at employers’ expense, in locations beyond holiday brochures. Auditors quickly rack up air-miles and hotel points, enabling upgrades or holidays on the back of their work. 

ACCA UK’s Internal Audit Panel asked three individuals to share their thoughts on what it means to be an internal auditor working around the world.

Zoe Holroyd – senior auditor, Mazars
‘When the opportunity arose to work on client assignments overseas, I did not think twice about taking part – it was the perfect chance to experience working with different cultures and to get a first-hand impression of “how those guys do it”. 

Our clients are within the hospitality and tourism industry, where the audits have ranged from operational to compliance. To date, I have worked in nine countries across Europe, working at the subsidiary client sites and staying in the local area. 

The experiences have been enjoyable and have enabled me to develop communication skills (particularly where there is a language barrier) and gain exposure to meeting with staff at different levels of a business. For example, the contrast between interviewing a hotel receptionist to holding the audit close out meeting with the regional director of operations is certainly a big one, but is also a challenge that I relish and look forward to on a weekly basis. 

A particular experience I will never forget was working in Italy for a week, which involved visits to both Rome and Florence; raising an audit recommendation triggered a fiery discussion, making it clear that the renowned Italian passion very much makes its way into the workplace! 

I have found that planning the audit is a really important factor, especially when working overseas; not only the time required on site but also transport requirements, travel time – especially when direct flights are not available – and the cost of local accommodation. 

I am still studying for the ACCA qualification, and have found that the type of audits I carry out have really assisted with my learning. Vice versa, I have been able to apply knowledge from learning in practice. For example, when recently conducting a foreign exchange audit I was aware of the types of foreign exchange risks and how we can hedge against these, as this is a core topic in the financial management module. 

However, there are some aspects of this lifestyle which can prove demanding. For example, around exam time, it can be challenging to balance the audit with travel time alongside having to knuckle down and study in the evening. I’ve found making the most of the airport and flight time has made a real difference in the past, ensuring you have really planned the trip well to know when any free study time might arise! 

I am looking to work overseas full time in the future, so choosing the ACCA qualification and taking the opportunity to work across Europe was with this in mind. The practice I have seen when working abroad has opened my eyes to how much the local culture impacts on working life, and the skills I have developed will certainly help with my career progression.’ 

John Webb – Webb Sight Consultancy
We asked John what he thinks motivates someone to seek a career as a travelling auditor, and what tips he has for anyone embarking on such a journey. 

‘One of the joys of working in internal audit is the sheer variety of business and support units that we cover each year and the opportunities this affords to see best practices, as well as to understand the lessons learnt from failed processes. Where else, beneath the C-Suite, is this variety of perspectives possible? 

Another delight in store for many is the opportunity to travel occasionally to audit subsidiaries or branches. We will be confronted by innovative solutions, alternative control mechanisms and new ways of thinking, in addition to problems and consequences that we have not encountered (and may wish not to see again). 

My tips are as follows: 

  1. As well as keeping an open mind, ensure that you are particularly well prepared before getting on the plane. Remember that arriving from head office can be a double-edged sword. You may be treated to more attention than at home and find a high level of responsiveness both to audit questions and to the supply of tea and biscuits. On the other hand you may be considered as a representative of head office management, even though you will feel uncomfortable about the implications this has for your independence and possible concerns of your own about particular aspects of group-wide policies.

  2. The chances are that you will only be there for a short period of time, so as well as pre-preparing an audit programme and talking to colleagues at home, carefully research:
    * differences in business practices and whether there is a higher or lower corruption risk and whether what is acceptable at home, may not be overseas
    * local cultures and the impact this may have on how you wish to deal with people, in order to both create a favourable impression and avoid causing offence
    * what local risks there might be that you do not face at home
    * the extent to which risks may vary from what you are familiar with or the level of impact might differ
    * the extent to which you can anticipate, perhaps through background reading, some of these new risk areas (without necessarily having to become an expert). For example, if auditing a financial services branch in the Middle East it may be worth becoming familiar with the key facets of Islamic (Sharia) finance. That way people will appreciate that you have made some effort to understand their daily reality but more importantly, it may immeasurably help your scoping and testing
    * local regulators’ websites, which will indicate what is expected from your overseas subsidiary and also which problems are endemic locally and the range of ways in which they are being addressed
    * google local hot topics in your sector, as you will add to your knowledge base and the matters to think about.

  3. As soon as you can after arriving (and with the co-operation of the local subsidiary), pay a short visit to the external auditors. Half an hour with the engagement manager or partner will give you clear insights into any control concerns they might have and the effectiveness of remedial actions taken or planned. If you ask the right questions, they may also tell you about emerging risks, thematic concerns of the regulators and benchmarking comparisons with their other relevant clients. In one visit to Tokyo it enabled me to borrow one of their experienced auditors who could not only translate documents into English for me but knew which of the documents was likely to be relevant in the first place.’

Neville de Spretter – principal at AdLibero2 Ltd
Finally, we asked Neville for his thoughts on key points to succeed when auditing internationally.

‘There’s no doubt for me that, with 30 years of international assignments behind me, in well over 100 countries in diverse businesses and sectors around the world, internal audit has provided noteworthy variety, significant challenge, and the need for vigilance, flexibility and pragmatism. The challenges have been diverse, both positive and negative, with most relating to how to avoid misunderstandings caused by a lack of knowledge of local language and etiquette.

Amongst many factors, the following always require good planning and preparation before the internal audit visit takes place: 

  • diversity
  • hazards
  • protocols
  • politics
  • pace of change
  • climate
  • how you’re treated and how people in different cultures expect to be treated. 

There are two areas I’d like to expand upon:

Local culture
It has always been useful, and in some cases has proven to be essential, to be able to call on specialist support for practical guidance for international work, and in particular on how to avoid the misunderstandings that can arise because of a lack of knowledge of local language, etiquette, perceptions of right and wrong, local negotiating styles, and body language. So I consider the following: 

  • having a strategy and budget for cross-cultural training and support
  • undertaking basic language training
  • employing destination-specific briefing
  • establishing early contact between internal audit and the host office
  • ensuring the provision of in-country support
  • researching basic information about the host country's social, business, political, religious, and cultural environment
  • having written information, including addresses, about useful amenities and services in the host environment
  • having host office specific intelligence, including, for example, how staff communicate with seniors, subordinates, suppliers, contractors, and customers
  • understanding standard operating procedures 
  • accessing business information.

In the past, where I’ve been on longer assignments, and if the organisation lacks expertise in this area, then external consultants have been employed. This has been helpful for understanding etiquette systems for everyday situations, such as greeting people, meetings, and dining socially. 

But even here things are changing rapidly, especially as education, business and communications are global – so always try to ensure that the information is useful and current, as well as pertinent to the right demographic. For example, many younger people in business around the world have had Western educations and other exposure to Western customs and are a lot more tolerant of Western behaviour.  However, all seem to appreciate the effort taken to understand, take an interest in, and respect local customs and practices, and to speak a little of the local language (even if just to say please, thank you, hello, good morning!).

The legal environment and culture
Having an understanding of the specific legal culture can help avoid adverse consequences. The United Nations Organisation consists of over 180 sovereign states, many with their own legal systems, and often with both religious and secular legal systems. 

There are risks embedded and interconnected in the culture of a legal system, too.  The way that the legal system operates may exhibit unreliability, partisan support, ponderous progress in cases, and present serious risks to international operations.  The legal regime may impact on the audit (for example, contract law, property law, treatment of creditors, data protection, tax, Sharia law and loan interest).

The pace of change in these areas is a key risk, as maintaining knowledge and understanding of country laws and regulations, particularly from one audit assignment to the next, is a major challenge for internal audit.

The application of a risk-based approach, assessing international risks at the level of the audit universe and for in-country internal audit assignments, considering the possible impact of the legal environment and culture, can add useful focus. Planning for the co-sourcing of local expertise can be invaluable.

This all means that having local understanding and using some local language  makes the assignment that much more effective and useful. The use of local language combined with cultural sensitivities and empathy, appreciating local ways of saying and conveying messages, appears to be a good formula for successful overseas assignments.’

Expand your horizons
If this has sparked an interest in working internationally then consider how you are going to achieve this. Does your current employer offer such opportunities? If you would need to move roles register with to find job opportunities. Also consider building your professional network and engaging with other ACCA members working in internal audit around the world via our Internal Audit LinkedIn group

Shaping your ACCA focus groups
We’ve been consulting with our internal auditors across the country. What did you tell us?

We’ve been consulting with our internal auditors across the country. What did you tell us? 

ACCA UK’s Internal Audit Network held three focus groups with members working in internal audit roles this year in London, Manchester and Cambridge. This followed the success of two focus groups held in Birmingham and Bristol last year, the feedback of which was used to determine ACCA UK’s CPD provision for internal auditors for 2016. 

The key issues and points raised at this year’s focus group meetings are highlighted below. 

Members working in internal audit value the ACCA qualification highly. They do not have the time to do the IIA qualification exams – but IIA’s technical content is very good so IIA affiliate membership is valued provided the employer pays for it. Members would consider the CIA qualification if the single fast-track ‘challenge’ exam was offered again – the two qualifications can complement each other. 

ACCA cannot compete with a specialist body like IIA on technical content so ACCA should try to obtain access for its members to IIA content. A link-up between ACCA and IIA resulting in a reduced subscription fee for IIA if you are an ACCA member would be very welcome. 

Experienced internal auditors require specialist training. ACCA’s series of cybersecurity webinars for internal auditors has been well received and any CPD that ACCA provides needs to be in-depth – general coverage of a topic is of little use. For networking to be of use, it needs to be with other members working in internal audit at a similar level. ACCA’s internal audit webinars and CPD articles are a valuable resource for members working in local government or smaller organisations where it is more difficult to meet CPD requirements. 

CPD topics of interest include business transformation, risk culture, quality assurance, Brexit and continuity, OECD changes on transfer pricing, GRC (governance, risk management & compliance), thematic audits, big data and data analytics, and IT-related auditing. 

The three biggest challenges to ACCA members working in internal audit are: 

  • transitioning from transaction to risk-based auditing – internal audit is increasingly being seen as a problem-anticipator as well as problem-solver. It is increasingly involved in the introduction of any new systems and business transformation
  • multi-regulatory environments and the daily changes that can mean laws change overnight when preparation has already been done for a previous situation
  • knowing where your career is going.

The three biggest challenges facing organisations are:  

  • the shortage of internal audit skills in the marketplace
  • older technology that cannot be readily replaced (particularly in the banking sector)
  • Brexit.

The lines between risk management and internal audit are very clear in the banking sector but less so in other sectors. However, all of our members are clear on the objectivity and independence of internal audit. Best practice is to guide the business to make recommendations rather than internal audit making them – this maintains independence for internal audit and secures buy-in from the business to implement its own recommendations. 

Culture is seen as a challenging and subjective topic but it is a real area of interest for all members. The banking sector is focused on conduct risk but in other sectors, culture audits are not being carried out with any consistency. 

Integrated assurance is not well understood in all quarters but is thought to have merit although there is little evidence that it can be made to work effectively in practice. 

ACCA resources for members working in internal audit: 

Internal audit hub

This hub has sections on Guides to Internal Audit, ACCA UK’s Internal Audit e-bulletin, internal audit webinars, auditing in different industry sectors, and specific risks in auditing.

Cyber security series of webinars 
This series of seven webinars is now available on demand - each webinar lasts for an hour and constitutes one unit of CPD where the content is relevant to your current or future role. You can register to view these webinars any time.

ACCA UK’s Internal Audit e-Bulletin 
Our internal audit e-Bulletin is published three times a year and each edition includes a CPD article that can earn you one unit of verifiable CPD if you answer five questions correctly.


ACCA-X: an award-winning platform
ACCA-X is an exciting online learning programme to support learners everywhere interested in accountancy and business.

ACCA-X is an exciting online learning programme to support learners everywhere interested in accountancy and business. Brought to you by ACCA, edX and Epigeum. 

ACCA’s online learning programme, ACCA-X, is an award-winning, innovative digital learning programme to study the ACCA qualification.  Its digital courses have opened up access to the accountancy profession for thousands of individuals and businesses alike, allowing learners access to high quality, flexible and affordable study. 

Launched in April 2015, ACCA-X has seen tremendous interest with registrations coming from 230 territories and countries from around the world. The five courses - two free of charge and three paid for – have had over 100,000 registrations since first being offered. 

ACCA-X is supported by online tutors who guide learners through interactive content that is designed to support individuals gain financial literacy skills. ACCA believes in flexibility to enhance access to the profession which is one of the main reasons why ACCA-X was developed.  

The courses meet the varying needs of students with their career ambitions and fit with their lifestyles. This innovative way of learning ensures that, through global delivery, people can qualify for ACCA and pursue their careers in any country in the world.  

There are five ACCA-X courses running four times per year: 

  • delivered on the respected edX platform, an online learning destination founded by MIT and Harvard, ACCA-X’s open access courses feature professional content developed by Epigeum. 
  • the two free courses - Introduction and Intermediate Financial and Management Accounting courses - are available to anyone, anywhere in the world. These courses prepare learners for ACCA’s foundation level certificates. 
  • the paid for courses are Accountant in Business, Management Accounting and Financial Accounting and are available in over 190 countries. These courses prepare learners for the Diploma in Accounting and Business.
  • success in these three papers and the completion of ACCA’s Professionalism and Ethics module will lead to the Diploma in Accounting and Business. The cost of each course is $89USD. Registration and exam fees also apply.

More information is available about both ACCA-X and the full ACCA Qualification


Access over 150 high-quality courses

Full access to over 150 high-quality courses for only £495.

Full access to over 150 high-quality courses for only £495

A licence to BPP’s full online catalogue provides you with full access for 12 months (from the date of purchase) to a full range of high quality, up to date online CPD learning.
CPD skills webinars
Brush up on key skills in these free webinars.
Brush up on key skills in these free webinars

Join us for an exciting series of free webinars. Highly informative and packed with useful skills our innovative new programme of CPD skills webinars aims to provide you with a flexible and bite-sized approach to develop your expertise, enhance your employability for the future and gain free verifiable CPD,
How to audit culture
Register now for this webinar, with a case study by Barclays Bank.

At a series of focus group meetings with ACCA members working in internal audit earlier this year, ACCA found that culture is seen as a challenging and subjective topic but an area of interest for all members. 

In response to this feedback, ACCA UK’s Internal Audit Network has invited Barclays Bank to present a webinar on how to audit culture. 

Alison Smith - an internal audit director at Barclays – will explain how Barclays Bank audited its culture following the financial crisis and learned some valuable lessons that enabled it to improve its culture. 

About the speaker:
Alison is a Director in Barclays Internal Audit (BIA), responsible for audit coverage of Compliance, HR, Legal and Corporate Relations, and driving audit coverage of conduct and culture across the firm.  Since joining BIA in 2001, Alison has held a variety of leadership positions in audit delivery and audit operations.  Her involvement in risk culture began in 2013 when she was seconded to lead a workstream of a Barclays-wide cultural  transformation programme focusing on instilling a risk mind-set into the DNA of the firm.  

How to audit culture – a case study by Barclays Bank
22 February 2017 | 12.30 – 1.30
CPD units: 1 



Brexit: risk optimisation
Technical factsheet: effective risk management is concerned with risk optimisation, and is an important reference as part of future Brexit planning.

Technical factsheet: effective risk management is concerned with risk optimisation, and is an important reference as part of future Brexit planning.   

It explains what risk management is and the principles that underpin it. The factsheet reviews the risk management cycle, including measurement and documentation, together with key risk concepts. It also provides an overview of the most influential risk management models available today – although there are no legal or regulatory requirements for organisations to adopt these models, the factsheet summarises the benefits of doing so.  

Most importantly, the factsheet encourages professional accountants to ‘think risk’. It shows through examples how effective risk management not only helps prevent loss and protect reputation but also enables better decision-making, thereby increasing the chances of meeting the business’s objectives.  

Download your copy of the factsheet now

Email Software by Newsweaver