Internal audit leaders' New Year's resolutions
After two years of unprecedented turbulence, what are internal audit leaders hoping to achieve in 2022? What do they want to see more of – and what do they want to see less of? We asked some heads of internal audit for their thoughts.
Frances Hawkins - managing director, internal audit, Goldman Sachs
Resolutions
In 2022, I'd like to achieve better engagement with all stakeholders, a closer connectivity and collaboration that is more easily achieved with face-to-face engagement.
More
I'd like to see more professional events being accessible to virtual delegates. The Chartered IIA's Internal Audit Conference last autumn worked well as a hybrid event, so I'd like more organisations to do this – it was good to be able to network again and to focus on professional development. On the work front, I'd also like the targeted deep-dive assurance reviews that many of us did during Covid to be a permanent feature in audit plans, as the reduced time to market of this kind of work can add value for our organisations.
Less
I'd like to hear less of “when we get back to normal” and instead see everyone embrace the hybrid working that has increased flexibility in our profession and, as a result, will probably increase diversity because it fits around people’s lives. I'm a fan of activity-based working and choosing the right working environment for the type of work you're doing on any given day, as I love the energy of engaging with my colleagues in the office and equally appreciate the benefit of home-working when I need to reduce interruptions.
David Hill, CEO, SWAP Internal Audit Services
Resolutions
My ambition over the next 12 months is to get rid of almost all formal audit reports and use dashboard reporting as standard.
We want our function to achieve a zero carbon footprint as soon as possible. We have reduced our emissions significantly by doing far less travelling and will continue to do more efficient remote auditing, but now we need to assess fully what our emissions are and how we can reduce these further. This is a good indicator of health for the business and should also make us a more attractive employer.
More
I’d like to see more use of data in all audits. The Chartered IIA's data analytics working group has been really useful to us. The first questions in every audit should be “what data do you hold?” and “how do you use it?”. Too often I still hear that internal auditors can’t access the right data or enough of it. We can’t give an opinion if the sample is too small, so we must educate customers about why they need to collect the right data, store it safely and dispose of the data they shouldn’t hold. Poor data management is a fundamental risk to them as well as a missed opportunity, so internal audit should be highlighting weaknesses or a lack of data wherever they find it.
We may also need to change the terminology – “data analytics” sounds technical and complicated, but it’s just about using business intelligence efficiently and safely. Internal audit shouldn’t say “we can’t get the data”. We need to educate customers and create the trusted relationship necessary for them to listen, collect and share the data we (and they) need.
We need to be more agile and do more with agile techniques. Managers rarely need a full report telling them that there are no serious issues. They need confidence that we can provide real-time assurance. We can’t expect customers to tell us what they want if they don’t know what is possible. We must show them what we can offer and why it is better for them.
We should continue to build networks across sectors. The Chartered IIA has provided fantastic support bringing together internal auditors from all sectors during the pandemic and it’s been hugely useful. We need to learn from each other and keep developing these networks further.
Less
Traditional “waterfall” internal auditing.
Fewer bottlenecks.
Presenting quantitative measures to the audit committee – it’s not about reporting how much of our plan we have completed. We need to increase understanding about what we can offer if we are to become trusted advisers and change agents, and that depends on producing more valuable qualitative reports about things that matter.
Maxine Grainger, group audit and risk director, DFS Furniture
Resolutions
To roll out the new horizon-scanning timeline to report emerging risks to management in a way that’s most relevant and timely.
To support other parts of our organisation by sharing best practices across brands – the internal audit and risk teams in Sofology and DFS merged in 2019 and we were the first teams to become a group function, so we can now share what we have learnt with other back-office teams.
Remain a critical friend to all our stakeholders across the group, ensuring we continue to build bigger, better and stronger working relationships. Stakeholder management has never been more critical, so we must support the business, while remaining independent and objective.
To develop more short, targeted assurance assessments in addition to full deep-dive internal audits where appropriate. We started doing these during the pandemic and they were very well received and can be more helpful than a full audit in some circumstances.
To set up pre-meetings with the audit committee chair – we found these helpful in the pandemic because it enabled us to have a one-to-one discussion and ensure that they are on top of the detail before the main meeting.
To develop our relationship with our external auditors. It’s important to meet at least once a quarter to find out what they are doing and looking for, and to keep them informed about what we’re seeing and doing.
More
A key focus for us is how we improve our horizon scanning, so we’re introducing a new system of banding emerging risks into red, amber and green categories to highlight to management what they need to focus on, including timelines. We are the eyes and ears of the business so they need to know we’re being proactive about emerging risks.
One of the most important emerging topics we’re working on is how internal audit can help the organisation to prepare for Sarbanes-Oxley-style (SOX)legislation. It’s important that we start now and don’t wait until time runs out. We need to understand where we may have gaps, talk to our finance director, read the proposals in the BEIS white paper, "Restoring Trust in Audit and Corporate Governance”, and really understand how this will affect our business.
Environmental, social and governance (ESG) – we’re doing lots of work on this. We consider ESG risks, controls and reporting requirements when planning each audit activity, so we can review these and provide an independent opinion of ESG control effectiveness. It’s important that each audit plan has ESG on it and that every audit links back to it. We will consider issues such as the sustainability of the materials we use, our carbon footprint and our ESG reporting. Giving important issues such as ESG, Covid and SOX their own separate section on the risk register enables easy navigation, and quick and supportive management information (MI).
Less
Rigidity – we need to keep adapting and moving forward.
James Paterson, director RiskAI
Resolutions
It takes courage in the modern world to slow down and think about what really matters. One of the commonest things that audit managers tell me is that they are so glad they took the time to think through complex issues, to focus on the details and talk to trusted peers, rather than letting all the elements circulate around inside their heads in isolation. Heads of internal audit are in a sensitive role and it’s important that they make decisions carefully with the right support, thought and time. I suggest that every head of audit should make this one of their resolutions for 2022.
Liz Sandwith, chief professional practices adviser at the Chartered IIA
Resolutions
Embrace and develop the lessons learnt in 2021.
Continue to innovate internal audit methodologies and working practices, eg, issue reports within five working days following completion of the internal audit fieldwork.
Be prepared for the level of uncertainty we are going to see in 2022.
Be more agile in terms of working practices, eg, a three- plus nine-month internal audit plan, in which three months are fixed and nine months are indicative.
Be prepared to provide assurance around new risks and risks that are rapidly emerging in severity, which may include upskilling the internal audit team and identifying external subject matter experts to support internal audit.
Appreciate that assurance doesn’t come only from a formal audit engagement, and explore the use of consultancy/advisory work to provide a rapid assurance turnaround if a new risk emerges that has a significant impact on your organisation.
Really focus on ensuring that the internal audit plan is risk-based – what are the business-critical risks facing your organisation, your market sector and/or your geographical location?
Focus on escalating climate change to a “burning platform” risk after the discussions at COP26 and the concerns highlighted in “Risk in Focus 2022”.
Push for the resources to build highly competent and relevant internal audit functions that can tackle shifting assurance needs
with confidence.
Leverage advanced analytics to ensure more real-time risk identification and timely update of audit plans and scope.
Enhance execution and accelerate reporting to reflect rapid changes in operating environments.
Explore potential efficiency initiatives and a plan to recalibrate internal audit functions for a more uncertain and complex commercial landscape.
Explore the use of an “internal audit dashboard”, which could be made available to senior management (and potentially audit committees) on a real-time basis.
More
Increase your focus on new risks, for example:
- Cyber security and data security risk
- Changes in laws and regulations
- Digital disruption, new technology and artificial intelligence
- Human capital, diversity and capital management
- Business continuity, crisis management and disasters response;
- Supply chain risks
- Fraud risk
Focus on key controls, rather than on every control – this may provide the opportunity to remove inefficient, ineffective controls from a process.
Focus on the capacity and capability of the internal audit team to deliver the internal audit risk-based programme of work.
Focus on ensuring that internal audit incorporates control monitoring of second-line functions in the scope of scheduled reviews.
Less
Less focus on the more traditional audits that stakeholders tend to expect from internal audit, eg, payroll, accounts payable, etc.
Less testing of second-line monitoring that merely replicates second-line functions.
Max Ng, managing director, global head of group audit, Deutsche Bank
Resolutions
I want to ensure we allow ourselves enough space to think broadly about what is happening elsewhere, beyond our day-to-day roles. For example, what industry developments should we be considering and how will these affect our risk profile, regulations and effectiveness? Do we have everything we need to do our job well?
Over the past year there has been too little personal interaction, so one of my priorities for 2022 will be to ensure that we find the right formats for meeting with both the immediate team and the wider internal audit team in person.
We also need to focus on our people and skills planning – we have not been affected by the predicted “great resignation” yet, but the financial services audit industry generally is growing and shortages in the jobs market may become even more acute for everyone worldwide.
I want to ensure that internal audit is on the front foot and able to focus on what really matters and how we make the workplace a better, more supportive, more diverse and more inclusive place. That means first and foremost maintaining our speak-up culture, even more so in a world where the public debate is increasingly characterised by newly created trenches and taboos. We need to focus on our culture and ensure that we have systems and management in place to stay ahead of difficult issues and know how we will respond if the debate gets overheated.
More
Time in the office.
Time in in-person meetings and talking to colleagues.
Discussion about how to fix things and improve things.
Focus on the reality of risks, rather than perception of risks that may be misleading – ie, try to think outside the box and explore views of risk that may not be commonplace (yet).
Less
Discussing audit processes and intentions.
Explaining audit findings that are generally okay.
Ian Wallace, managing director, AuditOne
Resolutions
In 2022 we are looking to rebase audit plans, teams and skill sets to make our offer relevant to the new risks and issues around data and digital. This has been made a top priority as a result of our clients’ (who are NHS bodies) response to Covid, as well as advancing technologies.
We are about to introduce a new cohort of six graduate trainees in January, so we are aiming to develop the principal auditors and managers of the future.
More and less
We have been working remotely since the first COVID-19 lockdown, so we are looking forward to more on-site delivery and less working at home – although that will have a permanent place in our blended, flexible working approach.
We are also looking forward to greater and more impactful use of data analytics and greater cross-team working between our technology auditors and our internal auditors.
Nigel Dawbney-Fisher, head of internal audit, Department for Levelling Up, Housing and Communities
Resolutions
This year, I applied for the Civil Service Future Leaders’ Scheme programme. Its aim is to develop individuals who have been identified as having the potential to reach the most senior levels in the Civil Service. My application was successful and I’m looking forward to starting the eight-month programme in February 2022. Naturally, I would like to complete the course, achieving a post-graduate certificate, but I also want to learn new skills so I can continuously improve as an audit leader and bring out the best in our great people at the Government Internal Audit Agency (GIAA).
More
Agile auditing. Brexit and the Covid pandemic have reminded us how quickly things can change. In the GIAA, we adapt our approach regularly to respond to our customers’ needs. Our fast-moving response to their pandemic-related challenges highlighted the added value of being able to work at pace. Sometimes, traditional audits can take several weeks to complete. Auditing in a more agile way can offer opportunities to share more immediate insights. I would like to explore this method further in the new year to see how we could tailor our auditing styles to match our customers’ requirements.
Less
Virtual meetings were a great help during periods of home-working, but I’d like to see less of them in future. We have a hybrid working model in the GIAA that includes a mix of home and office working. We host blended meetings where some people attend in person while others join virtually. I have enjoyed and benefited from returning to an office environment. For me, there is nothing quite like face-to-face interaction.
Louise Cobain, executive director of assurance, MIAA
Resolutions
I intend to return to more on-site/face-to-face working to support development, engagement and relationships, while harnessing many of the advantages that remote working has brought in terms of flexibility of meetings, etc – in effect, a successful hybrid approach.
More
Continue to build and develop the wider networks that the pandemic has fostered through its forums and groups. This has really supported sharing of intelligence, best practice and opportunities for joint working.
Pursue opportunities to invigorate internal audit processes to make them more agile and effective.
Less
No return to pre-Covid practices without reflecting on the opportunities and challenges the pandemic posed and how the internal audit profession responded.
Veesh Sharma, chief assurance officer, Save the Children
Resolutions
As Save the Children embarks on a new strategy period (2022-24), my goal is to continue to align our assurance/advisory work closely to the organisation’s refresh of its strategic aims. In practical terms, this means not only focusing on our most pressing operational risks (safeguarding, anti-terrorism, financial control, etc), but also conducting timely assessments on how aligned, accountable, transparent and well-positioned we are as a federated organisation to be able to execute our strategy at pace – ergo, a cross-organisational audit of our strategy execution itself.
We are also keen to further our agenda to create a “Truly Global” assurance business unit across our organisation – a single core internal audit function to audit all legal entities in our federation. Other large INGOs want to do this, but have had variable success. We want to lead the way.
More
More meaningful discussions about the “decolonising of aid” and “shifting power” to local actors – not least because humanitarian needs grow exponentially. As internal auditors, it is vital that we do deep work – examining the controls, governance and decision-gates – to gain assurance on whether the organisation is pivoting towards this commitment meaningfully. The narrative and world view around us have evolved. Our supporters look to us to act less like a large global behemoth and more like a true enabler of inclusion and local solutions. As internal auditors, a failure to go bravely into uncharted territory may mean that we fail to shine a spotlight on some of the most mission-critical risks. Excellent compliance will mean little for any organisation if it unwittingly fades into oblivion or irrelevance.
More face-to-face interactions and dialogue/debate with the business. The pandemic certainly accelerated any transformation that internal audit business units had been planning/already executing/ procrastinating on – for which I am grateful – but it has also up-ended internal audit effectiveness in more ways than one. I would like to start arresting that in 2022.
Less
Fewer virtual meetings.
Fewer meetings, period.
Less vacuous processes in the first two lines of defence.
Fewer silos.
Fewer words in audit reports.
Fewer inefficiencies.
Less obfuscation of the lines between work life and home life. All these not just in 2022 but for good.
This article was first published in January 2022.