Division vision – award-winning internal audit at the Central Bank of Ireland

Providing internal audit services in a central bank is a challenge. It requires internal auditors to understand macroeconomics, financial stability and the processes of financial regulation, along with more typical public sector risks. When the Central Bank of Ireland decided to enhance its Internal Audit Division, which comprises 22 people, its first task was to create a framework to determine how it was currently performing. It could then identify what it needed to improve, and devise a strategy to achieve this.


“The Central Bank of Ireland (CBI) always has ambitions to be best in class and our framework, the Internal Audit Capability Model for the Public Sector (IACM), is strong at producing ideas and a roadmap to improvement, but we needed the experience and knowledge to implement these ideas effectively,” says Paul Wrafter, Head of Internal Audit at the CBI. “We recognised we would have to develop our staff to get the skills we needed to reach our goals.”


Their success at setting out a framework, identifying change and developing the skills they needed to progress won the team an Audit & Risk Award for Outstanding Team – Public Sector in 2023. The project took three years, with an external quality assessment (EQA) being the final measure.

Wrafter joined the CBI from Allied Irish Banks plc (AIB), where he had experience developing teams. At the CBI, he found a function that was unaccustomed to change, but was keen to develop. “It was essential to explain to the whole team how improvements could help them to gain the support of auditees and improve their outputs,” he says.

“We have four pillars in the CBI, so we needed audit teams that mapped against these,” he explains. “We changed the team structure and each area of the business had a point of contact, which greatly improved communications.”

A model for change

The programme was shaped by the IACM framework, which identified 41 key processes necessary for effective public-sector internal auditing. This established five maturity levels from 1 (initial) to 5 (optimising) across six essential areas. An early self-assessment showed that the team was operating at levels two to three in most areas. This provided a platform for further improvement.

Four working groups, headed by Lead Auditors, were established to focus on key areas of audit methodology, audit planning, data analytics and people. Every member of the team had a role. This empowered junior internal auditors, Wrafter explains.

The Audit Committee and the Governor fully supported the changes, he adds. They also identified what they required from audit reports, updates and dashboards and Wrafter began an ongoing process of actively seeking feedback and ideas for improvements.

Strategy for the future

“We needed to re-align our resources and introduce more accountability,” he says. “Once we knew what had to change, we started looking at the internal audit strategy. We asked every member of the team what they thought we needed to do externally and internally. We then worked with Gartner to create a plan separated into key initiatives: boost stakeholder engagement and rapport; optimise and simplify our processes in line with industry best practice; and develop staff who are highly skilled and motivated, with opportunities for progression.”

A “Strategy on one Page” detailed their mission, vision, purpose, strategic objectives and key initiatives. They then set stretched, yet achievable, targets. These areas were assessed as “best in class” or “outstanding” in the team’s 2022 External Quality Assessment (EQA).

Key aims included providing more assurance advice to the organisation and creating development opportunities to increase staff promotions. Clarifying what people needed to do to progress and prioritising their opportunities to gain experience and skills saw rapid results. Three people reporting to Wrafter were promoted, as were five managers in the tier below.

The team also addressed internal audit processes, asking could they be streamlined, were systems used effectively and would they benefit from agile techniques? Considering these in terms of strategy helped everyone to think further ahead and initiate more changes, Wrafter says. “It led to more timely meetings and feedback and helped to bring in stakeholders, build trust and increase transparency.”

“People can get apprehensive when you talk about agile or data analytics, but you often find you’re already doing more than you think,” Wrafter adds. “We are part of the Eurosystem, so we utilised our network to speak to peers, compare practices and get new ideas, while members of the team started to sit on more committees and working groups in the CBI so we could learn and extend our influence. This was also great for developing internal audit managers to collaborate more with various areas of the organisation.”

People

One important indication of progress was the annual CBI staff survey, as previous feedback showed room for improvement. “We needed to identify what we should start doing, stop doing and continue doing. We want people to enjoy coming to work and know that they have opportunities here and elsewhere in the organisation,” Wrafter says.

A skills assessment process was designed by the team, covering over 400 competencies. This provided invaluable insights into development needs across both subject matter areas of the CBI and audit competencies. Training programmes were developed to address any gaps identified. Each team member is assessed and has a personal training plan. Consequently, the internal audit team’s satisfaction has risen from 54% in the CBI staff survey to 75%.

The aim is to hire staff at entry level wherever possible and then train and promote them within the division. Wrafter says he’s also happy when team members are promoted to other roles in the CBI. The movement goes both ways. “It’s all about getting the right balance of industry knowledge and internal audit skills and experience in the wider team.”

Results

All this work has led to results. Against the IACM, for example, the team is now performing at level five (optimising) in the areas of services and the role of internal audit; professional practices; performance management and accountability; and governance structures. They have reached level four to five for people management and organisational relationships.

A new data analytics working group is involved in more than half of all internal audit reviews and the team’s data analytics strategy has been assessed as excellent by Gartner. Wrafter says the quality assurance and improvement programme (QAIP) has led to “significant improvements” in the quality of audit outputs. They have improved relationships with, and the involvement of, business units in the audit process, which has increased understanding of internal audit in the organisation. A structured stakeholder engagement programme ensures that internal audit meets managers at all levels and provides regular updates on internal audit activity (in addition to formal executive reports).

Externally, the team has increased its contacts and influence. Wrafter now lectures for Chartered Accountants Ireland on its Risk Management, Internal Audit & Compliance Diploma and chairs one of the seven sub-committees of the Internal Audit Committee (IAC) of the European System of Central Banks. Four other team members sit on IAC sub-committees.

The aim to integrate assurance has been furthered by working with the first and second lines to improve cooperation and promote a more mature three lines system. The team has created a risk-grading matrix to align individual business processes in the audit universe with second-line processes, resulting in a unified view of risk across the lines. Requests for advisory work have increased and such work now comprises about 20% of the internal audit plan.

Looking ahead, Wrafter is keen for internal audit to highlight more emerging risks. “Emerging risks form part of our annual planning and ongoing engagements to ensure we help the organisation to build and maintain resilience in uncertain times. A recent example would be our review of Environmental, Social and Governance (ESG) aspects and the CBI’s Climate Change Division.”

The awards

“The process of nominating for the Audit & Risk Awards was straightforward,” he adds. “The Governor and Chair of the Audit Committee, among others, were more than happy to provide endorsements. It was a great motivator for the team when we were shortlisted for the award and we saw it as tangible recognition for all the hard work put in over the past few years.”

“The awards event was excellent and we received many messages congratulating the whole division afterwards,” Wrafter adds. “It’s a huge award – internal audit recognition doesn’t get any bigger than winning an award from the Chartered IIA. Nothing else out there compares with it in our industry.”


This article was published in January 2024.