![](/media/u4pnvdq2/ciia-article-holding-image.jpg?width=160&height=160&format=webp,webp&quality=70&v=1db29293e51ae60 160w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=320&height=320&format=webp,webp&quality=70&v=1db29293e51ae60 320w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=480&height=480&format=webp,webp&quality=70&v=1db29293e51ae60 480w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=640&height=640&format=webp,webp&quality=70&v=1db29293e51ae60 640w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=800&height=800&format=webp,webp&quality=70&v=1db29293e51ae60 800w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=960&height=960&format=webp,webp&quality=70&v=1db29293e51ae60 960w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=1120&height=1120&format=webp,webp&quality=70&v=1db29293e51ae60 1120w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=1280&height=1280&format=webp,webp&quality=70&v=1db29293e51ae60 1280w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=1440&height=1440&format=webp,webp&quality=70&v=1db29293e51ae60 1440w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=1600&height=1600&format=webp,webp&quality=70&v=1db29293e51ae60 1600w,/media/u4pnvdq2/ciia-article-holding-image.jpg?width=1760&height=1760&format=webp,webp&quality=70&v=1db29293e51ae60 1760w)
Integrate, aggregate, communicate: award-winning internal audit at HMRC
Most taxpayers know what HMRC does. Very few people understand the complexities of how it does it. For a start, the numbers are huge; 65,000 staff responsible for collecting £636bn from taxpayers and for paying out £40bn each year. Its work touches the lives (and finances) of almost every working person in the UK and tax revenue pays for large amounts of what other government departments do, so everyone has an interest in how well its systems operate and how it manages its risks.
It should therefore reassure them to know that the HMRC Internal Audit Team won an Audit & Risk Award for Internal Audit Added Value in 2023.
The team, comprising 74 people based in seven sites across the UK, was recognised for implementing an ambitious and innovative programme that has greatly enhanced the support and insights it offers to HMRC executives – and demonstrating that this has increased its reputation and value within the organisation.
By collating and connecting information from multiple pieces of audit and non-audit work in different areas, it has identified disparate recurring and high-level control issues and connected these to prioritise the ten most significant overarching control themes for management attention.
These are reported to the audit committee and the executive management using a heatmap indicating the relative impact of each issue on the organisation and on the director of internal audit’s annual opinion, along with a list of the key actions needed to mitigate the risks. Each theme is subdivided, enabling actions to be allocated to the right people.
Not only has this given them better oversight of interconnected and recurring risks and control improvements, but it has also improved communication between internal audit, management and the audit committee. Better understanding of the control environment has focused management attention on the critical issues, and has led to management establishing an executive lead for each control theme who is accountable for improvements.
Within the internal audit team, better understanding of priorities and control themes led to improved understanding of integrated assurance and facilitated a process of mapping second-line assurance to the ten themes. The themes have also improved the internal audit planning process and the way in which they identify and monitor new and emerging themes.
Informed and accountable
While there are numerous ways in which this work has improved the overall controls and boosted recognition of the value of internal audit work, the key element is that it has taken communication to a new level of sophistication, according to Tim Addison, HMRC’s Director of Internal Audit.
“Conducting internal audits can be like throwing individual darts at a very large board – you find out what’s happening in that place at that time, and it depends on both skill and luck if it lands well or identifies something of real value. Larger teams simply have more darts, which increases probability, but you only really find the important and common issues if you aggregate all the findings and create a picture that develops across the year,” he says. “Identifying the top ten themes and working towards putting in place a comprehensive control framework means that I don’t go to the audit committee or the executive and discuss the findings of one or two audits. Instead, I can focus on what really matters and offer insights that inform a bigger picture conversation and help management’s decision-making.”
The themes are high-level, but they incorporate practical control elements and risk management concerns that can be progressed from the senior management team down through the organisation to create real actions at different levels. The ability to target information to the right level and create original, relevant insights has improved the general understanding of internal audit and controls, Addison says.
This shared understanding means the internal audit conversations with the audit committee and executive team become more sophisticated. They can focus on issues such as the risk tolerance and risk appetite at those levels, rather than on specific findings. Senior managers no longer rely on internal audit to drive the discussion because they have their own monitoring framework that makes individuals responsible for carrying out actions.
“Not only has this work informed a high-level conversation about risk, but it’s also helped the second-line managers to harmonise what they do with the themes, so their work has matured,” Addison explains. “The most important thing that internal audit can do is to create stimuli at the top of the organisation that encourages intellectual conversation and improves the way the organisation thinks and talks about risks and controls.”
This top-level conversation should then lead to a more advanced risk culture and understanding of controls at all levels. Everyone in the internal audit team needs to understand and develop this approach in their work.
“There are few roles outside the top team with a view across the whole organisation. This is a privileged position and we need to use it,” Addison says. “A massive part of the job is not about process and systems, but people. It sounds obvious, but it’s taken us nearly five years to get to where we are now. We constantly think about the best ways to present information, what to include and the best visuals to add at each level.”
Addison meets each new person in the team when they join, partly to get to know them and partly to ensure they understand how the team thinks and functions. “We invest heavily in our trainees. They need to understand the subtlety of our approach to auditing. The culture of our team and the training we provide is vital. The most important internal audit resource is what is in people’s heads and what they bring to the job, so spending time with trainees is a crucial part of the senior management role,” he explains.
What next?
Addison and his colleagues are now helping to configure a new IT system that they believe will enable them to integrate risk, controls, assurance and internal audit.
“I’ve never seen this work comprehensively on one system anywhere before, so I’m really ambitious for this,” Addison says. “It’s not really about the IT system, although we need to get that right, it’s about integrating risks, controls and internal audit and I think this is essential for how we’ll operate in the future.”
He adds that the management’s willingness to invest in this system indicates that the organisation has high expectations of internal audit and understands its value. “This is a tool for management, not for internal audit, but we see huge benefits for us from being part of it,” he says. “It’s crucial that we are involved in this from the beginning.”
The awards
Winning the Audit & Risk Award was “massively powerful”, Addison says. “The fact the Chartered IIA does this every year and really thinks about the categories is wonderful for the profession.”
The internal audit role is privileged, but it can also be isolating, he adds. “Being recognised formally by independent peers shows that we’re doing the right thing as a function, but also gives a huge boost to the team.”
It also gives senior management further grounds for confidence. “There’s not much else internal audit teams can draw on for an independent view apart from an external quality assessment,” Addison points out. “We all use the winners’ logos in our communications and are proud of it. This is very important to us.”
It can be hard to measure success in this kind of wide-ranging project, but Addison says there are subtle measures that demonstrate improving impact.
“Having a seat at the top table at the right time, how often you are asked to discuss things not on the audit plan and how many times you get a request to chat with a senior executive about an issue that concerns them – these all indicate that your voice is valued,” he says. “It’s hugely rewarding when you see the organisation run more effectively as a result of the insights we have provided, and that our assurance has helped management know whether their view of reality was correct.”
View from Jim Harra, HMRC Chief Executive and First Permanent Secretary
“As Chief Executive, Internal Audit is absolutely essential to give me confidence that HMRC is operating effectively. I value the positive impact that their work has on the control culture in HMRC, in particular helping the business understand and improve its control and assurance activities. Internal Audit’s assurance, guidance and professional advice are enormously helpful to our executive committee, helping HMRC’s senior leadership to understand and prioritise necessary improvements for our governance and control framework.”
View from Michael Hearty, Chair of HMRC Audit & Risk Committee
“The support my audit committee colleagues and I receive from the Department’s Internal Audit Team is first class. Taken together, the clarity of their audit reports and associated recommendations, incisiveness of thematic analysis and the overall assurance opinions of each business area allow us to pursue a forward work plan that provides real added value to the board and Accounting Officer.”
This article was published in May 2024.