Investing in investigation – inside Nationwide's Audit Investigations Team

In Spring 2021 Nationwide Building Society’s chief internal auditor announced plans to set up a new Audit Investigations Team. Under the internal audit banner, the team would be a professional investigative function equipped to respond to requests from the board and senior management to undertake serious, complex, high-profile and regulatory investigations. There is no real blueprint for a team like this, so it had to be developed from scratch. However, unexpectedly, the skills and experience necessary already existed within the internal audit function and in August 2021 I was appointed to design, build and lead the new team.

It’s a cliché, but when the opportunity came along it was as if somebody had looked at my career and written a job description for me. I’ve been an internal auditor for nearly 14 years, in the public sector and financial services, but before that I worked for seven years as an investigator and a counter-fraud specialist. I remember making all the common incorrect assumptions about what internal audit does. I wondered what auditors did that I didn’t (and, whether we really needed them!). Now of course I understand, but I still see internal auditors looking at investigators and asking the same questions. I tell them there are many similarities between internal audit and investigations – but there are also huge differences.

 

I often explain that being an investigator made me a better internal auditor and being an internal auditor has made me a better investigator. Why? Because internal audit has given me a broader understanding of governance and risk in an organisational context, which allows me to be proportionate and pragmatic in my approach and decision-making. Investigation has given me the ability to respond and think quickly, experience of asking difficult questions in challenging circumstances, and the tenacity to refuse to give up until I get where I need to be, even if it’s extremely uncomfortable. So from
the outset I believed the success of this new team would depend on a fusion of both disciplines.


The vision

I started by defining a vision. I’ve found as an internal auditor that if I can’t explain a problem in a couple of sentences it’s because I don’t fully understand it and need to do more work. I needed to identify what I wanted the team to be and capture it in a few words. This came quickly, and it remains the team’s guiding principle:

To establish a high-performing audit investigations team with the robustness, integrity and valued reputation of an effective audit function alongside the agility, diverse and rapid response capability of a specialist investigation team. To support the delivery of both internal audit’s and the society’s objectives, strategy and values.

To say this is one thing; to do it is another. I was a little daunted, but also excited to start with a great opportunity and a blank piece of paper.

I began with the role and remit of the team – what would it do and how would it do it? I was clear that, although this was an investigation team, it sat squarely within the internal audit function. I’m passionate about the power of internal audit and the ability we have as auditors to make a difference. I saw no reason why this needed to change.

A good outcome from an investigation is not to prove guilt or uphold an allegation, but to reach the right conclusion and be confident about it.

For example, if you end up sure that a person is innocent, that is a good result. However, the root cause of an allegation is often a failure of governance, risk management or internal control, so even if an investigation finds that nobody did anything wrong, the investigation journey from allegation to outcome provides an opportunity to identify these failures and to add value by raising them. That is what I wanted the team to do.

 

The people

I began with recruitment. I believed that I had the internal audit angle covered and could provide some support and coaching. First and foremost, however, we needed to deliver investigations, so I looked to recruit key investigation skills and to equip the team with some of the skills I lacked, or hadn’t used for years.

People skills are vital to the success of both internal audit and of an internal, rather than a criminal, investigations team. It’s all about developing and managing relationships with stakeholders and investigation subjects. Everything centres around gathering information and this is easier if you can communicate effectively.

Many of the external applications I received came from candidates with armed forces, law enforcement and fraud backgrounds. If I needed to kick down doors in a dawn raid, I would have been spoiled for choice. I’m sure they were great investigators, but even more than pure investigative skills, I needed the range of people skills that we rely on as internal auditors, just perhaps with a slightly harder edge.

I needed sharp minds, lateral thinkers and quick reactors, but most of all great communicators. Internal auditors speak to a vast range of people, but investigators probably deal with an even wider group. My team needed to be as comfortable and effective gathering information from nervous witnesses and confronting potentially guilty senior managers with evidence of wrongdoing, as they were explaining complex findings to the board. And it all needed to be done in alignment with Nationwide’s culture.

Another key challenge was finding recruits with the skills, knowledge, experience and confidence to make judgments. Internal auditors are used to providing opinions. We don’t pluck these from the air, we base them on evidence, but they remain opinions. Traditional investigative functions, rightly, tend to deal just with facts. Judgments are made elsewhere. In a criminal investigation environment, for example, this is an essential separation of duties, but the role of our investigation team would be more nuanced. Our findings, like those of an audit, would not be binary – “complied or not complied”, “breached or not breached”. Like internal auditors, we would sometimes need to end investigations by answering the “so what?”. How worried should we be? What do we need to do? Our stakeholders want insights, not just commentary.

People with this combination of skills were not readily available, but I could not afford to get this wrong. It took time and many CVs and interviews, but I now have a team of two. Neither had an internal audit background, but with over 20 years’ investigation experience and an unrivalled knowledge of the organisation, I believe we have all the angles covered.

 

What we do

Next, I had to design a methodology with the rigor of an internal audit process, but the flexibility to accommodate the many tangents that an investigation may throw up and the robustness to back up both the investigation findings and any audit issues that we needed to raise. This came fairly easily. We took the view that where the internal audit methodology fitted, we should use it. Where it didn’t, we would apply the principles that underpin an effective audit methodology, but in a way that supported the investigation.

This varies in each investigation and the lead investigator decides how best to deliver what needs to be done. It also creates an opportunity to step back from the process and ask “what exactly do we need to achieve?”. It means we can be agile while maintaining the required standards and, while some of our steps, such as the investigation memo, would be familiar to internal auditors, the test records and evidence, for example, differ each time.

Once the team and methodology were in place, we were ready to start receiving cases. Unfortunately, the real world is not like that – I received my first two cases on the day I took up the role, so we were already undertaking investigations while completing all of the above. However, the opportunity to “test and learn” proved fruitful and means we can keep adjusting our approach to deliver what is needed in the most efficient way.

That brings us to the nub, what does the team actually do? I get asked this a lot and it’s a standing joke that if anybody asks me anything my response is always “I can’t tell you!”. To a certain extent that is true. The nature of the team means that the work is confidential, and we can’t reveal too much about how we work. But the cases so far have varied. Some are referred to us by the whistleblowing team and these are all different ranging from alleged discrimination to deliberate non-compliance with key policies. Several requests have also come from board committees.

One thing that is becoming clear is that no matter the source of investigation, and even when a concern or allegation proves to be unfounded, we have an opportunity to add value and contribute to the overall provision of audit assurance. More often than not during the investigation we uncover some control weaknesses, process failings or opportunities to improve that we can feed back to the business with an additional audit report.

We don’t rate these reports, as we are unlikely to have undertaken a thorough test of the control environment, but we raise recommendations to deal specifically with the issues we have identified and these are reported, tracked and validated in the usual way. This potentially contributes to assurance on all aspects of the audit universe and our observations from just doing our work, particularly around culture, can feed into the annual opinion.

Nine months in and we’re still testing and learning, but we’ve the makings of a high-performing team. We’ve issued reports to a variety of stakeholders including the audit, remuneration and whistleblowing committees and received some great feedback, not least from the society chairman and the audit committee chair.

A modern audit function has to think differently, do things differently and respond to a variety of needs. I’m grateful to have had the opportunity to shape a different internal audit approach which stays true to core internal audit values and principles while meeting a specific need in an innovative way. But if you want to know any more details, I’m afraid I can’t tell you! 

This article was first published in July 2022.