Audit & Risk Award-winning work at Save the Children Global Assurance

Nowhere is the (constructive) tension between the costs of internal audit and the assurance it provides more evident than in the third sector. Strong corporate governance is essential to donors, but every penny spent on it is a penny that can’t go directly into the organisation’s programmes for communities. The scope of projects and the sums administered can be vast and, by their nature, international non-governmental organisations (NGOs) operate in complex and high-risk environments.

Save the Children’s Global Assurance (GA) team won the Audit & Risk Award for Outstanding Team – Third Sector in 2023 for the way in which it has tackled these challenges, improved its status in the organisation, and extended its remit over complex audit areas including strategy. Taking on audit work across member organisations is helping it to achieve its aim of providing global assurance by enabling the team to connect risks across entities and gain insights into how the organisation is working worldwide. In the process, it has developed the more complex audit planning and resourcing models this necessitates.

The GA team was created in 2013 to work across all the global country office operations under Save the Children International – the central implementation arm of the agency that works with 30 member organisations to deliver essential aid programmes worldwide. The federation manages $2.6bn in funds spread across national and international projects.

With just 18 people based across Europe, Africa, the Americas and Asia Pacific, the team has in recent years also taken on internal audit responsibility for some member organisations – with a vision of establishing a central internal audit unit for the entire agency. It is already helping to provide “truly global” assurance by connecting risks across entities and providing assurance on how the organisation is working worldwide, which has required more complex internal audit planning and resourcing models. GA’s core work is to deliver risk-based assurance, but increasingly it also offers a broad sweep of advisory work.


Strategic assessments

When Save the Children embarked on a new global strategy period in 2022-24, the GA team set out not only to challenge the effectiveness of the mechanisms the organisation had established to achieve its stated ambitions, but to also assess its own contribution to the strategy. This involved increasing its influence with audit committees across all Save the Children entities to gain support for new cross-entity mechanisms designed to identify and mitigate shared risks. It also enabled GA to conduct thematic and cross-organisational audits, such as strategy implementation, financial sustainability, sanctions compliance and safeguarding.

GA team members worked to improve their root-cause analysis skills to ensure the information led to useful conclusions. They continue to work with the organisation’s data and insights unit to incorporate additional data points that provide more detailed information on shared global risks as well as enhancing GA’s annual planning processes. They also reviewed their workforce planning and resource allocation models to ensure clear accountability for entities and closer collaboration and sharing of expertise between the GA “hubs”. The sharper focus on root causes has not only refocused management attention on specific mitigations, but also on making tangible progress towards addressing the root causes set out in GA’s Annual Statement on Risk and Control presented to the audit and risk committee.

Being able to demonstrate improved controls in the most challenging environments enabled the team to develop closer collaboration with the first and second lines. This provides the timely information they need to ensure their work focuses on critical risks.

To improve the way the global team worked together and developed its skills, GA introduced an annual Technical Week, 360-degree feedback on audit assignments, and appointed a wellbeing champion. Enhanced secondment and deployment opportunities have helped to improve the team’s understanding of the organisation and skills, while improvements to the performance management system captured team members’ feedback and supported continuous improvement policies.

 

Continuous improvement

The work that won GA the A&R Award took place before 2023, but did not stop there. The drive to expand the scope of audits “vertically” through the structure and programmes of Save the Children International has shifted to extending GA’s reach “horizontally” into Save the Children member organisations. This is essential, according to Veesh Sharma, Save the Children’s Chief Assurance Officer (CAO), if internal audit is to offer assurance across the most critical issues.

He has now taken on a new role as Save the Children’s Chief Risk Officer (CRO) and is temporarily leading both functions until a new CAO is appointed.

“We have recently completed a two-year global review of strategy and evolved our audit processes and planning to execute this,” he says. “We think we do small ‘a’ agile very well – our stakeholder feedback shows we are responsive to the needs of the organisation and when the business asks us to support on emerging risks we can react nimbly. However, we have struggled to introduce capital ‘A’ Agile at pace in our audit methodologies. I think we can improve this further.”

One issue here is capacity, given the size of team and resources, but Sharma believes they could learn from partnering better with other organisations using Agile techniques. “The world is increasingly more volatile, and we need to get sharper at looking externally – including within our profession,” he says.

This is why he believes that, despite gaining excellent feedback from an external quality assessment (EQA) and winning the A&R Award, they must not rest on their laurels. He recently created a new role of a Professional Practices Manager to build on past successes, and is using the new Global Standards as an opportunity to drive process improvements.

Improving internal audit processes and methodology is about finding ways to address deeper and more wide-ranging issues – efficiently and at pace. For example, Sharma points to the war in Ukraine, saying that the key questions for GA are not just how Save the Children has responded to this particular crisis, but, more interestingly, what it teaches them about the organisation’s global response mechanisms. “How can our federated entities work better together and respond better? How do we answer deeper questions about how the whole system works and how it should work, and how do we persuade the organisation to think about our findings across jurisdictions?” he asks. “We need to create a healthy tension with the rest of the organisation. We can focus on specific geopolitical risks, yes, but we must act on the understanding that volatility is constant.”


Supported by technology

The team is currently transitioning to a new internal audit IT system and seeks to do more with data in future and, potentially, utilise artificial intelligence (AI) capabilities. One advantage of having a diverse team with varied backgrounds, Sharma says, is that GA can benefit from the past experience of its staff (eg, in data science) to explore the new system’s potential.

Technology can help to provide business intelligence, but the organisation must be able to respond rapidly to this information. There is a danger that identifying more risks simply results in a “parade of the horribles” that demotivates internal auditors and management, Sharma warns. “In my new role as CRO, I am convinced that we need to galvanise people by making them excited about what the organisation can do better and how it can improve the way it copes with issues – not terrifying them about what can go wrong, but focusing them on organisational objectives.”

 

Shared learning

He also believes that internal audit teams can learn more from each other – something the awards can support. “We steal with pride,” he says. “I found my work as a judge on this year’s Audit & Risk Awards incredibly useful, particularly where the nominations were about teams using non-specialist technology creatively to achieve more with what they already have. I immediately thought ‘could we do that?’.”

As a judge, he read all the shortlisted nominations. “This was a privileged position, but I immediately wondered how can we publicise and share best practice from all these teams that are doing great work?”

Sharma says he found the nomination process straightforward and that the time spent drafting the nomination was repaid in the motivation it gave the team and the positive feedback they received. The impetus to enter came from within the team, he adds. “The endorsement from the chairs of the audit committees across our entities was hugely motivating. It brought home the message that we were valued,” he says.

He adds that the insights into what other teams are doing and the challenges they face, are as valuable as being a nominee. “You don’t need to struggle with challenges alone – others are in the same position and we should all learn more from each other,” he says. “The awards capture so much good work going on in every area from technology to diversity and training.”

Writing the nomination prompted self-reflection and gave the team a chance to think about what it had achieved and how far it had come. “Winning is great,” Sharma says, “but it mustn’t make us complacent. Complacency is a perfect recipe for obsolescence. We don’t have to constantly reinvent ourselves, but evolve we must. Reputations are written in sand, not carved in bronze.”

 

This article was published in July 2024.