Collaboration: A problem shared – a problem halved
When Helen Keller said: “Alone we can do so little; together we can do so much,” the deaf-blind author and disability rights activist knew much about adversity. The idea that people have more power as a collective than as individuals is not new, but it is one that has come to bear more than ever recently.
The current business climate is more volatile than most companies have ever experienced before. Even those whose revenues have surged as demand for their goods and services spiked have faced new risks associated with elevated cash flow and working capital financing, while some have struggled to meet high demand with staff at home and long supply chain delays.
For many others, the disruption has undermined their fundamental business model, closing shops and venues, cancelling events and travel and grounding aircraft. Dr Charmaine Griffiths, chief executive of the British Heart Foundation, has said the coronavirus crisis is the single biggest challenge the charity has faced in its 60-year history.
It’s good to share
In all sectors, regardless of the nature of the increased threats, internal audit has come under immense pressure to deliver on its risk assurance mandate, usually while working from home and with few, if any, extra resources. It is therefore more vital than ever that internal auditors support each other and do not work in isolation. Experiences vary, but sharing knowledge, insights and best practice within the profession can help those in every sector to meet changing and increased demand.
Some sectors already have mechanisms for gathering and sharing such information. “We adapted our annual benchmarking survey last year and focused it on charity internal auditors’ responses to COVID-19,” says Vanessa Clark, chair of the Charities Internal Audit Network (CIAN) and senior internal auditor at the Wellcome Trust.
In more stable times these surveys give CIAN’s members insights into issues such as how often their peers meet the audit committee, their resources, the key risks on their organisations’ risk registers and what they include in their audit plans. These are all issues that help them to benchmark their own performance and give them a basis on which to raise issues with their boards and audit committees.
In the past year, this method of identifying common concerns and highlighting innovative responses, emerging risks and new approaches has become even more important. It is particularly vital in a sector where many internal auditors work alone or in tiny teams and get few chances to discuss difficult decisions with peers.
“We considered things such as: Have you taken audits off your audit plan? Have you even been doing audits (because there was a period where some of what internal audit was doing was necessarily closer to second- and first-line activity)? We asked whether internal audit had been involved in plans for staff to return to the workplace and other questions about internal audit’s role during the pandemic,” Clark says.
At CIAN’s quarterly meetings, members can also share any concerns about fraud, GDPR and other “alerts” in complete confidence. “I ask at the end of the meeting whether anyone has had any incidents and we discuss these under the Chatham House Rules,” Clark explains. “People can share their experiences and that enables us all to go back and ask ourselves whether there is a risk of that happening in our own organisations, or whether there is a control in place already to address it.”
Retail therapy
The pandemic has been especially cruel to high street retailers, just at the time when many were also dealing with increased disruption and uncertainty caused by Brexit. Although businesses had years to prepare for the UK’s exit from the EU, they had only a few weeks to understand the implications of the final withdrawal agreement. Concerns included additional paperwork, delays to supply chains and stock levels. At the Retail Audit Forum (RAF), chaired by Garry Hooton, senior audit manager at the Post Office Ltd, this has been an important issue.
“Internal audit has to understand how well the business is coping with all that change now that it’s happened. It was a really short time between the flash and the bang,” he says. “The forum has been great at helping attendees to understand how to approach that from an internal audit perspective when they look at how the business is managing.”
Much of the discussion, he adds, focused on debunking common Brexit myths. “In the media a whole load of stuff is reported in very general terms. But when you start to dig into the specifics of the restrictions, there are often quite straightforward ways to overcome them.”
For those with sufficiently large budgets, the Big Four and other consultancy firms will provide expert, cross-sector risk assurance insights on critical topics. But this service comes at a price. Many forums and networks invite these professional services firms to share broad knowledge which can help internal audit teams to get started. They can then decide whether they want to delve deeper with co-sourced support.
“The RAF works with these firms and they offer the benefit of their might in a fairly top-level sense, because obviously you have to pay for proprietary advice,” Hooton says. “But it gives you enough to understand what the subject is and broadly informs an approach. Individual teams can then decide to engage a firm if necessary. Plus, if you do decide to go down that route, it informs the engagement’s terms of reference, which need to be specific to avoid scope creep.”
Maintaining the fizz
At Coca-Cola, internal auditors can draw on an inbuilt network based on the brand’s supplier-dealer franchise structure. The third line within Coca-Cola European Partners (CCEP), the London-headquartered regional bottler and distributor of the fizzy drink, can share risk concerns and solutions among its franchise partners in confidence.
“The power of the brand can only be harnessed when these franchises collaborate, otherwise they go off in their own directions and that creates an island effect, which can be dangerous,” says Charlie Miller, associate director, IT internal audit and data analytics audit at CCEP. “Without collaboration, problems can’t be solved together in the best way. So, across the Coca-Cola network we talk frequently and openly to our fellow leaders in the internal audit departments.”
This has paid dividends during the COVID-19 pandemic. The fluctuating nature of the virus and its impact on local and global risk environments has kept all the businesses on their toes. “There’s this chain effect – once one entity identifies a new and emerging risk and audits it to try to mitigate it, they can share their findings and others can turn their attention to it. Ultimately, that helps to protect the brand, because if one of us goes down then we all go down,” Miller explains.
Analyse analytics
It’s not just broad market insights and issues to do with internal audit best practice that collaboration can support, it can also highlight important new tools and provide education for internal auditors who are under pressure to do more with less. One common Achilles heel for many internal audit teams in the past has been IT security and high-tech audit approaches, including data analytics. Many of those who have the budgets have turned to consultants to plug their knowledge gaps, but this means that they do not develop internal expertise and continue to be dependent on co-sourcing. Collaboration may not eliminate this problem, but it can help.
Miller argues that one decent conversation on data analytics with peers is worth around £10,000, because that’s what it would cost to pay a consultant for the same insight. His colleague Lyubomira Shopova-Petrov, senior manager, internal audit at CCEP, says that she has stayed on top of developments in analytics using the Coca-Cola network and by attending working groups hosted by the Information Systems Audit and Control Association (ISACA). She recently got to grips with data visualisation techniques, including Sankey and Chord charts, after learning about them via ISACA. These diagrams enable her to “visualise complex multilateral relationships and correlations between data – not only one-to-end but also end-to-end”. She has put this learning to use reviewing the way documents are posted within the company in classic segregation of duties analyses. Stricter segregation and more limited user access on sensitive documents is shown by weaker links – and vice versa.
“In the past, that would have been analysed using a table format. That’s easily readable if you only have five users or ten document types. But the more users you have – and here we’re talking about around 1,000 users in the various ERP [enterprise resource planning] systems that we have and over 300 document types – the harder it is to cover that much data. You cannot easily test the full population that way, or if you do it will take significantly more time and that might not be feasible,” she says. “I don’t know whether I would have picked that up without sitting on roundtables with my peers.”
It is clearly time that more internal auditors embraced collaboration as a way to combat common threats and learn about their external environment. If every team collaborated more widely and benchmarked itself against its peers, it would not only save huge amounts of time and money, but would also help teams to achieve goals of continual improvement and individuals to develop their outlook and their skills. Individually, internal auditors can be small cogs in big wheels. Together, the profession can indeed achieve much much more.
Where can I find my peers
Heads of Internal Audit Virtual Forum: This forum was launched by the Chartered IIA when the COVID-19 crisis struck as an online place for senior audit executives to share information and concerns related to specific topics such as data analytics and Brexit.
Local Authority Internal Audit Virtual Forum: A Chartered IIA virtual forum launched in the wake of COVID-19 aimed specifically at internal auditors in local authorities.
The Retail Audit Forum: This sector-specific forum was established more than 25 years ago, more recently becoming an independent special interest group of the Chartered IIA. RAF is not exclusive to internal auditors and also welcomes stock auditors, loss prevention and risk professionals and others in similar assurance roles working in the retail industry.
The Chartered IIA Regional Network: The Chartered IIA’s regional network helps members to get involved in their institute locally across the UK and Ireland and to share ideas and insights.
Aspire Community: This community group provides support to internal auditors who are new to the profession and want to get a head-start in their career through knowledge-sharing and networking.
Women in Internal Audit: A community group of the Chartered IIA dedicated to gender equality in the internal audit profession. Its objective is to empower women internal auditors through growth and development, while also attracting women into the profession.
Charities Internal Audit Network: CIAN provides free resources, networking and benchmarking to internal auditors in the third sector. It has over 150 members and is free to join for charity and not-for-profit organisations.
This article was published in May 2021.