“Home-grown” IT talent helps HMRC perform award-winning internal audit

HM Revenue & Customs (HMRC) is no stranger to winning Audit & Risk Awards. In some ways, this made entering the 2025 awards more challenging, since the team started from a high baseline. What made its nomination stand out last year, however, was the team’s focus on “growing its own” internal auditors to gain the expertise it required to upgrade its IT audit strategy.

This focus on the skills internal audit would need in the future, as well as today, won it the Chartered IIA’s award for Outstanding Team – Public Sector 2025.

As the UK tax authority, HMRC deals with revenues of over £843bn and employs 66,000 people. In addition to collecting taxes, it also provides guidance to taxpayers, has a crucial role in enforcing customs regulations, and oversees the collection of National Insurance Contributions.

Its internal audit team is therefore large for a public sector team, comprising around 80 people, and 10% of these are trainees. HMRC’s nomination said this was important “to maintain a robust pipeline of strong talent and a firm base for the future.”

“We were already well respected and had increased our funding for internal audit,” says Tim Addison, Director of Internal Audit at HMRC. “We were keen to invest this into the team, to think how we could future-proof what we do and reinvent ourselves to best meet the needs of a vast and changing department.”

A key part of this reinvention involved increasing the technological capabilities of the team. This included developing their use and understanding of AI and using technology to improve their customer journey. 

Change agenda

The changes they’ve introduced are fundamentally IT-driven, with a strong people element, he explains. These improved the way they worked while embedding all the necessary controls for increasing digital operations.

“We had to look at who we were recruiting, what we were recruiting them to do, and where we recruited them from,” Addison says.

The aim was to increase both their data analytics capability and their tech expertise. Specialist IT auditors were scarce, so they decided to become creative to get the skills they required.

The civil service is hierarchical with clearly defined grades. Addison and his team looked critically at the mix of grades they required and adapted the system to enable technology specialists to have a managerial grade, without necessarily taking on managerial responsibilities.

They also adjusted the mix of grades in the team to include more senior people. “We need people who can have credible conversations with the most senior managers on the most significant issues,” Addison says.

In addition, they looked further afield to recruit skills and developed a strong co-source relationship to gain IT security expertise.

Introducing a new category of trainee IT auditor, in addition to trainee auditor, meant they could look for people who were currently in IT roles to train as auditors. This attracted lots of interest.

“We didn’t realise how popular this option would be among IT graduates,” Addison says. “We sold the roles well. For example, we set up dial-in sessions. Our team members would answer questions honestly and explain the route to internal audit certification. We highlighted that it’s a privileged role with access to the top people in the organisation, able to influence senior decisions and with a view across every part of operations.”

The recruitment drive also increased diversity. Addison stresses this is diversity in every sense – the team is based in multiple locations and has an engagement group that focuses on understanding individual motivations and experiences. “This is not just about people’s backgrounds, but moreover about where they’ve worked in the past and what they can share with us,” he says. “We have trainee auditors who were teachers and one with a PhD in fungi!”

Skills for the future

Addison believes that the internal audit recruitment pitch will become still more attractive in the next ten years, because IT auditors will gain experience establishing controls as they develop in a rapidly changing AI world. “This is a hugely transferable skillset which will become ever more important,” he points out.

“We looked at both ends of the spectrum and thought creatively about how we could attract the people we needed for the future, what we could change to make our roles more enticing, what we could offer recruits, and how we sold the job to them,” Addison says.

The new expertise was already essential to the team’s work. “We needed to collaborate closely with HMRC operations. We can’t come in later and say ‘you got this wrong’ in the fast-moving IT environment. That’s not helpful,” Addison explains. “We must be informing controls as the systems are developed. This requires us to work faster and to collaborate more with the second line.”

The team has also used secondments into the business to develop capability.

The test of internal audit success is how often the people at the top of the organisation ask for your input, Addison adds.  “Requests for our help have increased, and we can now bring in expert skills from our own team and our co-source support to give the best advice and assurance.”

The more internal audit expertise is called upon, the more internal audit managers must think about planning and resourcing. Addison says it’s essential to keep contingency space in plans for ad hoc work and to balance teams so that specialist experts are teamed with experienced internal auditors.

IT audits and cross-departmental reviews

The HMRC team undertakes many types of audits that now have an IT element – change audits, security audits, data audits, and operational systems audits with an IT control area. “If there’s no IT angle to what we’re planning, we need to ask why not,” Addison says. “All processes are now increasingly digital.”

While non-IT auditors consider controls across the whole organisation, they can call on specialist IT auditors for support when needed. “There isn’t an endpoint – we’re all constantly moving on, changing, and developing. It’s a continuum,” Addison says. “Internal audit must embrace this.”

Every member of his team has a Copilot license, and everyone is tasked with improving efficiency. All internal auditors are encouraged to experiment and develop their understanding of how the tools could be used.

The aim is to expand their use of data analytics by 20% in 2025-26, and every auditor has an objective of increasing the use of analytics in their work. They are using the tech to explore the root cause of more issues and to conduct sentiment analysis across audit reports to identify areas that are working well and less well.

The team has also developed new tools, including a real-time Power BI reporting suite that enables audit managers to track plans and budgets, and an early warning system to alert them to audits that require intervention.

“We are a judgment profession, so AI won’t replace us, but we can do our job much more efficiently using it” Addison says. “Context is everything – for example, you can’t encourage Copilot to make a draft more positive if it puts a spin on your argument.”

He is now focusing on futureproofing his team to deal with all the tech developments that occur within internal audit and HMRC. This involves upskilling but also looking at how internal audit engages more broadly across central government and contributes to cross-departmental reviews.

“The fundamentals of the profession won’t change,” he insists. “We still need to be able to communicate, to be curious, and to exercise judgment, but we also need to think more about data and how customer journeys don’t stop and start with one department. We need to consider risks around departmental systems and joined-up risks where these cross departmental boundaries. There will be a lot more of this in future.”

We need to consider risks around departmental systems and joined-up risks where these cross departmental boundaries. There will be a lot more of this in future.”

Awards

Addison believes the Chartered IIA’s awards are massively important. “As a profession, we don’t shout loudly enough. Not having this kind of award would be unthinkable.”

He says winning gives real kudos to the team and raises both its profile and that of the profession. “It boosts recruitment and shows you’ve been judged the best,” he says. “It gives every member a boost, because it recognises that they’re doing their job well.”

Addison believes that winning the award provides rare external feedback and recognition for internal audit. While building a relationship with a new HMRC Permanent Secretary, he welcomed having this independent evidence that the team was performing to a high professional standard.

“Internal audit often struggles to get feedback, so evidence that we’re doing the right thing, whether it’s an award, positive responses to customer surveys, or an EQA are all valuable,” he explains.

The winners of the 2026 Audit & Risk Awards will be announced at the event on 11 June. Tickets are available now.