Perfectly formed: award-winning internal audit at ClearBank

Developing an internal audit function – particularly in a heavily regulated sector – has many challenges. However, there are also advantages that can be derived from a small close-knit team, the pressure to innovate and to use limited resources effectively and a lack of preconceptions about roles and internal relationships. The internal audit team at ClearBank, formed in 2017 and currently comprising six people, made the most of these opportunities to achieve an ongoing evolution that won it the Audit & Risk Award for Outstanding Team – Financial Services sector.

When ClearBank was established in 2016, it became the first new clearing bank in the UK for 250 years. It straddled both fintech and banking, so corporate governance and technology were equally crucial to the new organisation’s success.

The business required a tech-savvy internal audit team and a corporate governance structure that met stringent banking regulations and stakeholder expectations. Each member of the internal audit function needed both internal audit and relevant technical skills, as well as the soft skills to ensure their work had real impact and that they built strong relationships with senior management and the audit committee and other key stakeholders.

Meanwhile, the business itself grew and evolved rapidly, adding more risks and more complexity to the audit universe. Phil Hart joined the business as chief internal auditor in January 2021 with a remit to embark on a major transformation – which he dubbed “Internal Audit 2.0”. This was the next development stage that would enable the function to keep up with the business and fulfil the role it needed to take on in the future. He had to help the function professionalise, mature and grow to support the changing business.

Internal Audit 2.0

The Internal Audit 2.0 programme, which included gaining corporate membership of the Chartered IIA, introducing fully risk-based annual planning and a combined assurance model to promote seamless and efficient work with the second line, was completed within 12 months and praised by the audit committee. Immediately, the team set its sights on a period of continuous improvement, which would encompass an “in-partner audit model” allowing it to conduct audits inside its major suppliers and customers.

“One reason I was so pleased that we won the award – apart from the obvious delight of the team and the business – was that the institute recognised the contribution that small teams can make,” Hart says. “I’ve worked in massive internal audit teams in Barclays and Lloyds Banking Group and I know that big functions can afford to invest heavily in technology and dedicate groups of people to specialist audit areas. They can potentially risk an experiment not paying off.”

By contrast, he says, small teams have to be more thoughtful and careful about how they allocate their people and budgets – for example, weighing up the pros and cons of hiring general banking internal auditors with no IT skills compared with highly skilled technology specialists who are unfamiliar with, say, a financial audit.

“If you have a small team it’s essential to get the right balance of skills. We’ve brought in specialists in technology, financial crime and payments skills, because these are core risks in our business, but all our people also need technical audit experience and the soft skills to ensure their reports have impact,” Hart explains. “A good auditor needs all three types of skill. If you deliver a report and the recipient doesn’t say ‘wow, we need to do something about this area’ then it’s not worth the paper it’s written on. If you don’t drive transformational change, what are you there for?”

Knowledge of the business is also important, so, while the core team consists of experienced internal auditors, the function has operated an annual secondee programme to enable people from the business to gain insights into internal audit and bring their knowledge into the team.

Internal Audit 2.0 was all about putting the team on the footing required to support the business in its next stage of growth – they enhanced the quality and speed of delivery of the audit plan, developed their reporting, professionalised their audit tools and methodology and introduced fully risk-based annual planning. They focused on developing core skills and reducing their reliance on external co-source partners and established a framework for future internal audit development (all while also completing their current audit plan).

Combined assurance

One important element was to introduce combined assurance. The team worked closely with the second line to identify overlapping and duplicate assurance, to ensure that work was undertaken by the right team and to share the results and findings to achieve more comprehensive understanding.

“Our audit committee chair was passionate about this – we want all our assurance plans to tessellate so we can use people efficiently and gain maximum coverage,” Hart says. “We first formulate our draft plans independently and then compare them and identify where they overlap – or where there are material gaps – and agree who should do what. Then we exchange our findings.”

For example, he explains, in 2023 both the second and third lines planned work on the new consumer duty requirements for financial services organisations. They agreed that the third line would do an end-to-end audit on systems, processes and controls, while the second line would conduct outcome testing and focus on specific customers. The two reports would then be viewed together.

Their success has increased their reputation in the business and trust in their reports. This, coupled with a larger audit programme for 2023, helped to secure agreement to increase the team to nine members.

“In the last quarter of 2022 we put together our audit plan for 2023 (we do an annual plan with regular refreshes), and we realised we had to complete more audits next year – the business is expanding into Europe, the environment is becoming more complex and the regulators and payment system operators are introducing more mandatory audit requirements,” Hart explains. “It’s important to produce a risk-based audit plan before you look at your resources, because if you do it the other way around you create a plan to meet your resources rather than to meet the risks.”

Exerting influence

Once he had established the amount of work they would have to complete, Hart worked out what resources this would involve using an empirical data-driven model based on time taken to complete past work. He then embarked on “lobbying” the CEO and the chair of the audit committee regarding additional resources. He discussed the audit team’s needs and the nature of the risks that required their input and explained his thought processes before they met in a formal audit committee meeting.

“This is a crucial part of influencing,” he says. “You need to tell people what to expect in a meeting in advance so they understand how you are thinking and have time to think about their questions and challenges. Nobody likes surprises in a meeting and you may not have time to explain fully. I’ve found that the CEO and audit committee really appreciate being engaged proactively and upfront and given time to consider things. It makes the formal discussions at audit committee so much more productive.”

The team has now moved on to a period of continuous improvement ahead of launching Internal Audit 3.0 once ClearBank goes global. This phase has included establishing a closer relationship with major suppliers and customers. “Embedded banking” (sometimes called “banking as a service”) involves outsourcing some of the business’s controls to an embedded banking partner as part of the broader mechanics of the product. However, this outsourcing can also raise obvious questions about controls testing and quality assurance. “We need assurance that our embedded banking partner is operating controls effectively, because we are ultimately accountable for them,” Hart explains.

“Some of these partners have their own internal audit capability and share their findings with us, but we want to get in and have a look ourselves because our audits will also examine the interface between the two businesses – we have a broader lens.”

This kind of work involves close collaboration and trust and requires excellent communication skills from the internal audit team.

Perfect timing

Winning the A&R award was a huge achievement – “and that’s an understatement”, says Hart. “Just getting the email telling us we were shortlisted was massive and it arrived on the morning of our March audit committee meeting so it was perfect timing.”

The excitement was shared by the whole organisation, he adds. Their table at the awards event comprised not just the internal audit team, but also the CEO, the chief risk and compliance officer, the chair of the audit committee and the chair of the board, among other luminaries.

“I didn’t need to ask them to come, they asked me!” Hart adds. “ClearBank has won its share of product and service awards, but the level of excitement about the A&R award was enormous. When we won, the team was over the moon, it was a real recognition of all the work they had put in and we all felt it was one of the best things that’s happened in our careers.”

The following day, the award was the first item announced at the board meeting and it was posted on the company website and on LinkedIn as well as on the internal messaging platform. “We got lots of messages from colleagues across the firm, but it was also great publicity for the business,” Hart points out. “It indicates the quality of our corporate governance and three lines model and our clients can have faith in this. The award has built the profile and reputation of our team, but also of the wider business as well – our success was celebrated as a success for the whole firm.”

Which brings Hart back to the importance of recognising the abilities of small teams. “Obviously, small teams can and do learn from large established ones, but it can also work the other way around,” he says. “I believe many large teams could learn from innovative small teams about the value of budget management and how to identify resource needs and maximise your impact. Small teams have both the ability and the need to be more agile and innovative.”

This article was published in March 2023.