The transformers: how do you transform the third line?

If there is one takeaway from the most recent instalment of the ongoing Global Internal Audit Common Body of Knowledge study, it is that more is expected of internal audit. Audit committee members in the study said they expect a greater focus on strategic risks, more connecting of the dots beyond the scope of individual audits, more consulting on business process improvements, a more elevated stature within the business and closer alignment with stakeholder expectations. Not all of these imperatives fall solely on the shoulders of internal audit, but it’s clear that perfunctory controls testing in isolated business silos alone isn’t going to cut it as we look ahead to a new decade.

Every chief audit executive should aspire to enhance their function regardless of how well it is currently performing. Whether it’s taking internal audit from satisfactory to good, or great to excellent, there is always room for improvement.

Kirsten Ashman knows a thing or two about this transformation. When she took the reins as Hitachi Capital UK’s group head of internal audit in early 2017, the company’s third line was little more than a Sarbanes-Oxley (SOX) compliance team assessing a limited set of financial controls for the company’s Japanese parent. But seeking regulatory approval from the Financial Conduct Authority necessitated creating a fully fledged audit function.

“It was a mixed bag. It meant that when I joined there was a team in place, but it did not have a good reputation within the business,” says Ashman. “The SOX compliance work they were doing was very much a tick-box exercise. They would go into the business and ask questions to ensure processes were being followed as expected, but it was seen as a drain on the business that wasn’t adding value.”

Ashman saw that, while she needed to hire new recruits to resource the new function, it was even more important to listen to the business to understand exactly what it wanted and needed. This involved identifying, and getting in front of, the key stakeholders.

“It was about having honest conversations and asking ‘what do you think of what we’ve got at the moment and what would help you going forward?’,” she says. Although she had a view about what a good internal audit function looks like – the basic processes and methodology – she needed their input.

“You can put together an audit plan based on the business’s key risks, but [stakeholders] have a range of needs. They have their own view of risk and their own view of what good internal audit looks like,” she says. “ You’re not going to be able to please everyone, but at least you have a starting point and can show them what your plans are, how it’s going to be different and how it will add more value. That helps to win over key people and you can build relevant feedback into internal audit’s priorities and the strategy by carefully listening to the business.”

No one transforms a SOX-focused function into a true internal audit resource overnight. In order to free up the team’s time and talents, Ashman sought first to phase the compliance work out of the third line.

“The first line is now doing most of the SOX testing and they have assistance from the risk team, the second line, and oversight from the internal audit team, the third line, ensuring a fully integrated three lines of defence model and the appropriate level of independent scrutiny. So there is still a segregation, which ensures the necessary objectivity, and the business itself has the opportunity to understand what risks and controls are, how they are documented and how and why they are tested,” she explains.  This is creating the breathing room the newly established audit team needs to attend to its priorities, such as assuring project management around Hitachi UK’s transition to an FCA-compliant entity.


Tech enabled

At Royal London, the favourable results of an external quality assessment (EQA) in 2017 confirmed that the function was already on the right track. This meant that when Chris Miller, group audit director at the mutual insurance society, joined towards the end of that year the team already had the confidence of the audit committee and the respect of the executive. “But there was no room for complacency,” he says. 

Miller first had to demonstrate that internal audit’s priorities were aligned with those of the group in order to make the case for a 25 per cent budget increase. This was approved (despite cost reductions across the rest of the business) and allowed the function to grow from 15 to 22 senior auditors and improve some of its core competencies.

“We’ve focused our efforts on mastering the foundations of data querying and visualisation, which allows us to gather and interrogate data using one tool set and approach, instead of spreading ourselves too thinly using multiple methods,” he says. “This is a basic starting point for any kind of useful analysis, whether it’s delivering assurance or extracting insights and management information to help internal audit target its efforts. Once you gather those insights, you need to be able
to visualise them in an impactful way.”

To achieve this goal, he introduced a new audit system, RSA Archer Audit Management, which integrated with the business’s existing Archer enterprise risk management system. That was then overlaid with the data visualisation platform Tableau. Miller says he focused on identifying which tools were likely to deliver the best value and return on investment and, for this reason, he decided against developing competencies in much-hyped areas such as artificial intelligence (AI), which he thinks can be more of a distraction than an enabler, depending on the organisation and the audit function in question.


Something borrowed, something new

Standard Life Aberdeen internal audit has been going through a function-wide transformation following the organisation’s £11bn merger in 2017. One key innovation has been to install a customer relationship management (CRM) system. Although these tools are more commonly associated with managing sales leads, the team found it could also serve internal audit’s engagement with the business, especially in complex organisations – and Standard Life Aberdeen is present in 40 countries and comprises  hundreds of entities.

“How do I know that we are getting adequate coverage of our full universe, and that the correct information is being shared between team A and team B, and at the right times? A CRM tool allows us to track that. So we’ve developed a beta version and will migrate to Salesforce later this year,” says Tom Lloyd, chief internal auditor at Standard Life Aberdeen.

“We’ve also developed functionality that allows us to consider impacts entity by entity, which is key in a highly regulated environment and complex operating model, whether it’s in support of the Senior Managers & Certification Regime or meeting the compliance standards set by the Indonesian financial regulator, for example.”

Integral to Standard Life Aberdeen’s ongoing internal audit transformation is a process of discovery and benchmarking. This has involved venturing out to meet peers to see how they are innovating and to develop a sense of what the future of audit might look like.

“I’ve been out to Singapore and spent time with audit teams who are making interesting use of analytics and AI in ways that you don’t see in the UK yet,” says James Bryden MBE, Standard Life Aberdeen’s chief operating officer of internal audit. “I was seeing examples of AI being used to predict cascade effects, so that if events X, Y and Z were to occur, we’d know which controls would be likely to come under stress. It really pays to listen to your peers, learn from their mistakes and their successes, integrate what works and pass it on.”

Another of the team’s initiatives is what it calls an “IA Academy”. Like their peers in the teams at Royal London and Hitachi Capital UK, they wanted to embed Agile methodologies, so they introduced the Academy to do this, expedite fieldwork and reporting and, above all else, to foster a positive and nurturing culture. The Academy is an interactive online repository that stores all of the relevant audit training, learning and development materials that have been sourced, allowing team members to understand what is required of their specific role and then to identify and access relevant materials.


New school

Training, learning, coaching, mentoring and embedding the core technical and soft skills of internal audit has always been central to creating a respected, competent profession – and these will be equally important in transforming the profession to make it fit for the future. But not all organisations have the resources of the large financial services teams. This is why the Chartered IIA has been building an academy of its own to help all its members develop best practice further. The institute can also draw on decades of experience delivering EQAs, which has given it an unrivalled perspective on what audit excellence looks like. Its new Learning Academy brings together qualifications, short courses, in-house training and online training under one umbrella. And, while training courses suit most people’s needs, there may be times when organisations want a more bespoke service to meet specific development needs.

“We’re now working with clients by going onsite, reviewing their requirements and creating a development plan to meet their needs,” says Joanne Allen, Chartered IIA training manager. “This means the business knows exactly where they are in their overall internal audit development journey, plus it’s a lot more economical because they can base their talent succession plan on their development plan and can budget across the business, instead of paying for individual auditors to attend courses in a piecemeal fashion. So the service is tailored to meet the specific needs of each organisation. The feedback so far has been extremely positive.”

Boards and stakeholders are rightly demanding ever more of internal audit and auditors need to develop and transform both themselves and their functions to add real value. The demands will not decrease, but as we move into the 2020s, it is clear that the profession is keen to adapt and improve what it can offer to business – and the institute plans to be there to help its members meet the challenges to come.

This article was first published in March 2020.