Internal Audit Conference 2023: insights and highlights
Stark warnings were issued to delegates alongside a plethora of insights at the Chartered Institute’s 2023 annual conference. Internal auditors, whether apprentices or seasoned chief audit executives were left in no doubt that the profession is changing. And that change is necessary.
Liz Sandwith, Special Advisor, International Internal Audit Standards Board, told delegates now was the time to be concerned about the impending change that the new Global Internal Audit Standards will bring saying “it is a shift, there is no doubt about that”. Current estimates are for publication in January 2024 with conformance by January 2025.
Peter Elam opened the conference as President, his last act before handing the chain of office to Sandro Boeri later that day at the AGM. Referencing Risk in Focus 2024’s polycrisis of risk facing organisations and internal auditors he notes that our work has become “even more challenging, even more important, even more interesting and exciting – never has there been a better time to be an internal auditor.”
Looking ahead to the future workforce, Preeti Sadarangani, Global HIA, Vodafone reminded delegates that diversity is great but inclusion is even more important for both recruitment and retention. When recruiting it is essential to challenge personal bias and be open to candidates that are able to think outside of the box and be assets in a variety of ways, not because of having a specific degree or experience. Despite this Julia White, Associate Director, IAC cautioned that the classic route into internal audit remains ACA qualified from external audit. She said that the profession is missing an opportunity and also noted that Brexit continues to impact the talent pool as many organisations are reluctant to sponsor candidates.
Closing the conference, Richard Chambers, Senior Internal Audit Advisor, Auditboard proposed five priorities to transform our profession:
- Transformation begins with mindset – embrace ambiguity, champion collaboration, focus on the client, create a culture of experimentation and learning
- Impactful stakeholder communications – be relevant, informed, concise, timely and insightful
- Identify emerging risks – leverage systematic processes, collaborate, think PESTLE
- Continuously monitor risks – work across the three lines, recognise risk velocity and volatility, use key risk indicators, understand industry trends
- Use automation and analytics – technology is a capacity multiplier, AI, NLP, RPA, etc.
There were many themes across the two days encompassing sustainability, culture, collaboration, role of governance in success, fragility of geopolitics and macroeconomics, crisis planning and the need for confidence and courage.
Our summary focuses on some of these themes.
Making a case for change, Elizabeth Honer, CEO, Government Internal Audit Agency, informed delegates that management critics consider the formality of internal control to be stuck in the 1970’s. She went on to say that controls are important but “the way they are exercised needs to transform to meet the pace of change today, with internal audit needing to transform alongside. It will require much greater attention to culture, behaviour and values. For in today’s world, these are what matter to the modern employee and what drive business success.”
Authentic leaders are advocates for diversity, equity and inclusion in the workplace. According to Tavier Taylor, Chartered Management Institute, they are also open-minded, committed to positive workplace culture, celebrate differences and respect individuals regardless of differences. She challenged organisations on the authenticity of their DEI strategy – does yours create a safe space for open dialogue and discussion about sensitive topics? Check out the Everyone Economy report from CMI.
Leading in uncertain times requires new habits - wise words from Ian Moore of Potential Squared (you will recognise the name from audit leaders’ events). Develop short decision cycles, let go of yesterday and embrace rapid learning and unlearning. You will get things wrong, find safe ways to stress test yourself to build resilience for yourself and others.
Mark Babington, FRC, spoke about the challenges of delivering on the 170 recommendations of the various governance reviews over recent years. Whilst pending the necessary legislation to create ARGA the FRC has progressed a review of non-financial reporting, to reduce the burden on organisations where possible, although recognising that obligations will be extended with regards to sustainability such as ISSB.
Babington was clear that the FRC does not endorse the term ‘SOX lite’ – it is not possible to pick a top 10 of controls. The message is that a company should report on what the board considers to be material – it is in the hands of the directors to decide what stakeholders need to know about.
Technology has a clear role in the future requirements of good governance. Internal auditors know the value of automated controls but as we look ahead, the inventory of controls is becoming more important. FastTrack, one of the software vendors sponsoring the conference quoted that in the US, 63% of organisations use audit and GRC software to enable their SOX compliance programme.
Opening day two of the conference, Boeri called on all internal auditors to “adopt a data led approach and embrace new technologies. That will free us up as human beings to use our heart and creativity to really add value.”
Steven Welsh, chief internal auditor, Funding Circle, offered insight into the world of fintech. The youthful enthusiasm, entrepreneurial ethos and rapid innovation presents a maturity challenge for internal audit that will no doubt resonate across sectors. Operating at speed often with young people who move on quickly impacts resilience and corporate knowledge. Culturally it also pushes backroom tasks such as documenting processes to a low priority and can cause momentum to wane for closing agreed actions.
Welsh talked about the opportunity to rise to the challenge and how internal audit can influence culture and the control environment in a positive way. Having a clear value proposition for the function engages the audit committee and senior management. Recruiting internal auditors that understand their role, with the aptitude to offer real-time advice and deliver with gravitas is important.
The need for change within internal audit is driven by the speed of risk. Andy Boughton, TeamMate/Wolters Kluwer shared thoughts on how leaders can create a culture of innovation – fostering an open and inclusive environment, providing support and resource, encouraging a growth mindset and allowing space for error through continuous learning. A framework is a useful start point for teams that are new to innovation – could you use this with your team? An idea today could become an entry into the Audit and Risk Awards 2024!
Ineffective governance is the root cause for all organisational failure according to Erika Eliasson-Norris CEO of Beyond Governance citing examples such as the Post Office submaster prosecutions and Boeing being forced by a Presidential order to ground its 737 Max aircraft. Adding to the famous Peter Drucker quote she said that management is about doing things right – leadership is about doing the right things “and governance is the bridge between the two.”
She urged that internal audit’s role in strengthening governance is three-fold: assess and advise; provide risk assurance; and collaborate. Click here for a governance checklist designed for internal auditors.
Within financial services, it is common to have a controls office as part of the first line – maintaining a control library, recording risk event data, recording control issues and creating action plans all alongside improving the control environment and providing control testing.
A reminder of the basic risk management equation sat at the heart of a controls presentation by Johanna Sheppard, Chief Controls Officer, Barclays.
Focusing on the nature of controls and the dynamics of the risks they are designed to mitigate, emphasised the collaborative benefits of bringing together diverse skills and disciplines to manage risk.
Finding the weakest link in your organisation’s supply chain is key, according to Mark Deaville, Grant Thornton. Given the complexities and changing nature of the supply chain, breaking it down to understand it and find the weak points can be time consuming and cost prohibitive for the business. Internal audit can use a combination of data analysis, standard operating procedures, risk assessments and audit engagement insights to help identify weaknesses.
The following list are frequently noted across sectors.
All organisations are exposed to supply chain risk. Julia Ramsay, PwC shared insights from PwC’s 26th annual CEO survey where 42% expect to see climate change impact supply chains and 40% expect general disruptions to impact profitability over the next ten years. Disruptive events are increasing across the globe, impacting raw material supply, manufacture, logistics or demand.
Ramsay advised that it’s not possible to shore up the whole of the supply chain, it is about operational resilience – focusing on identifying and managing the risks that matter.
Serving high-value customers is critical with two approaches being favoured to addressing the single points of failure and/or niche suppliers are:
- Digital Enhancement, creating real time links between components, using data analytics to detect vulnerabilities, sharing disruption intelligence and planning for continuous optimisation
- Just-in-case, where the cost of disruption exceeds the cost of building a backup capability, hold buffer stock, reduce sole dependency, and consider profitable redundancy (reigning back on efficiency to secure supply during times of disruption – competitive differentiation).
Research also found that 46% of CEO’s are considering adjusting supply chains to mitigate against exposure to geopolitical conflict.
Geopolitical risk often involves moral conundrums which challenge the values and purpose of organisational decision-makers. Risk responses are not always found in data or spreadsheets. According to Peter Neville Lewis, Risk Coalition, the management of geopolitical risk requires integrated thinking and collaboration across the three lines. If you are not familiar with their website, check it out for a variety of useful tools.
Andrew Gibson and Tom Pugh, RSM, also advised internal auditors to recognise the challenges facing organisations in addressing geo-political risks. The risks are difficult to measure and quantify, there is often limited expertise, people are dealing with competing priorities and so time to dedicate to these risks is low. They encourage internal audit to collaborate with business colleagues and include assurance within broader engagements wherever possible.
Collaboration is a key component of procurement as outlined by Edward Green OBE, Cabinet Office when talking about the new Procurement Bill – a major change in how the private sector, including small businesses can tender for contracts. Check out our blogpost for more details.
The Wirecard Scandal was the subject of a presentation by Arun Chauhan, Tenet Law. The German payments company collapsed in June 2020 following a series of accounting scandals, fraud investigations and financial misconduct that included non-transparent reporting, money laundering, suspicious M&A activity and aggressive profit accounting.
Chauhan shared an alternative fraud triangle. The way people lead an organisation sets the culture. If the way employees are directed to work doesn’t match the values it gives rise to disenchantment. The risk is not about a lone wolf bad actor but employees operating collectively for their own good.
Good practice to learn from the scandal includes:
- Building policies from the ground up that allow for challenge is vital
- Make fraud a frequent agenda item at all levels – people need to understand where to find guidance and understand the subject
- Internally publicise your actions on combatting fraud
- Training on what to look for, how to monitor and how to respond
- Whistleblowing/Speak-Up – understand the process and give external parties the chance to engage
- Policies and procedures that work for your business.
Organisations across all sectors are using AI today – examples include automating IT processes, threat detection, marketing and sales, virtual assistants, business analysis, fraud detection, financial planning. Top drivers of adoption include ease of accessibility, need to reduce costs, embedded in off-the-shelf application, competitive and consumer pressures.
Deepinder Chhabra , Verizon, reminded delegates that internal audit need to engage early, be curious, understand the risks, controls and use cases for AI and have courage – because assurance needs are extensive. From to the basics of risk assessment and data governance, to ethical considerations, security and access controls and also the fundamentals of model validation and testing. AI will keep IA busy!
There are three ways data analytics add value to the internal audit product according to Oliver Riches, Data Analytics Leader, EY. It is the reward for the investment in technology and skills.
- Better quality assurance – better scope definitions, greater level of assurance, clearer findings
- More relevant audits
- Efficiency in delivery – cost saving, reusable scrips, end-to-end automated testing
We are on the cusp of a new era, that of generative AI, according to Nina Schick, author of Deep Fakes, the coming infocalypse. Systems like Stable Diffusion, text to image generation, introduces new risk to creative industries – likewise ChatGPT (large language model) creates humanlike content. It took a mere 5 days to reach 1 million users, by comparison Facebook took 75 days and Netflix 3.5 years to do the same. Since November 2022, big tech has pivoted to make generative AI part of its core functionality.
Generative AI is more than creation. It is about instruction, efficiency and insight. It is an intelligence revolution. Schick disagrees with forecasts that AI will replace 300m jobs – predicting that it will be a mixed labour model where humans work by using AI. We live at a unique juncture in history, in our lifetime we will experience more tech led change than the entirety of the human race before us. Change is inevitable. And exponential.
Information integrity is now a profound risk.
“At its heart cyber resilience is about risk management” Sarah Lyons, Deputy director, National cyber security centre. She encouraged delegates to read a recent blog post when advising that all organisations using AI need to understand the risks they present and how to mitigate them.
A session on whether AI is an internal audit partner or a threat to the profession demonstrated that it is both. It is a threat if not embraced. Internal auditors must transition from being digital sceptics to digital leaders according to Mark Burns, Excelledia. Globally there is approx. 173 zettabytes of data and growing daily. A significant proportion of any organisation’s data is unstructured which adds to complexity and limits analysis. The following maturity model sits well with internal audit as the profession moves to provide more insight and foresight it is clear that analytics sits at the heart of this capability.
Resilience is essential for survival. But internal auditors should always be alert to when survival is at risk. Frances Coulson Partner, Head of Insolvency & Restructuring, Wedlake Bell LLP summarised her experiences with typical warning signs to look out for
- Cash flow test
- Balance sheet test
- Maximum borrowing
- Declining profitability
- Delayed payments to creditors
- Demands for payment and other legal actions
Deloitte and Workiva reminded delegates that in addition to assurance and advice, internal audit is uniquely positioned to make connections and link together ESG risks and opportunities that individual departments may not be able to see themselves. Anticipating the evolving EU regulatory environment enables internal audit to help their organisations accelerate:
- Digital, a key pillar of EU policy, encompassing reporting and the digital society
- Sustainability, in particular Corporate Sustainability Reporting Directive (CSRD) and/or Task-Force on Climate Related Financial Disclosures (TCFD).
- Responsibility such as audit reform, supply chain governance and changes to the Code
ACCA author, Clive Webb, encouraged internal auditors to read Internal Control and the Transformation of Entities – a 2022 report produced with Global IIA. Finance departments are transforming – accounting for, measuring and reporting value is changing. It is a multifaceted transformation being driven by data, technology, sustainability and changing expectations.
Webb argues that “data is the way organisations will survive in the future, the smart organisation understands how to analyse and interpret it, how to control and govern that data, and uses technology to provide those insights on an ongoing basis.”
Scientist, conservationist and explorer Dr Rosa Vasquez Espinoza talked about the fragility of ecosystems but also the powerful qualities of flora and communities of people with shared values working together to thrive in hostile environments. High-performing teams, with strong relationships and trust are able to overcome difficult experiences and make tough decisions. She quoted Charles Dawin saying that “it is not the strongest of the species that survives, nor the most intelligent. It is the one that is most adaptable to change.” It is a quote that featured in many presentations across the two days.
The polycrisis of risk and near-term memory of Brexit, a pandemic, and ongoing cost of living crisis keeps resilience at the forefront of our minds. Carolyn Clarke, Brave Within LLP, shared what internal audit can be doing to maintain readiness and work with governance leaders to avoid complacency.
Delegates were reminded of what it means to have confidence and courage by Lousie Fleming, Rosewell House LLP. Being confident requires self-awareness, factfulness, mindfulness and responsiveness. She talked about the three ego states of parent, adult and child which can impact our position on the ask/tell continuum. Being assertive with courage requires showing up and responding as an adult. Collaborating with curiosity is about responding and engaging with questions.
A golden thread of communication weaved throughout the conference - from a role play emphasising the importance of questioning techniques to understand behavioural risk to talking confidently about emerging risks and lobbying government for governance reform.
Communication is essential. As the new President, Boeri asked members to advocate for the profession and share what we do. This was also the message from a future leader.
Kieren Coult, L7 apprentice, Lloyds Banking Group and winner of 2023 Outstanding Apprentice award, is part of a school outreach programme advocating for the profession - “we ask 15/16-year-olds at school if they know what internal audit is and 99% of the time they say no. I think it’s really important that we promote the profession and the real impact we can have on an organisation to the younger generation.”