Tag Archives: Internal Audit Effectiveness

Guidance on Auditing Culture and behaviour

An extract from James Paterson’s latest CPD technical article on the ACCA website. 

It’s time that GRC professionals, regulators and Internal Audit recognised the importance of auditing culture and behaviour – the “soft stuff” 

For the past six years I have been running the IIA UK training on auditing culture, I also helped write the IIA UK guidance on auditing culture. My background is worth explaining: I’m a finance professional, but did a masters’ degree in management (focusing on organisational behavior). I then left finance to work in HR (in leadership development and managing culture change). Then I became a Head of Internal Audit for AstraZeneca for seven years, and since 2010, I have been combining my passion for people and the soft stuff with my love of Internal Audit, doing training and webinars across Europe and further afield.

I am really happy that GRC professionals, regulators and Internal Audit have started to recognise the importance of the soft stuff when it comes to the effective management of risk and maintaining ethical conduct. This was caused – in a large part – by the recognition that many aspects of the financial crisis of 2007-2008 were caused by short-comings in the “bonus culture”, and underestimation of the latent risks building up. In addition, there were mis-selling scandals highlighting poor conduct in sales, which did not put the customer first.

In the UK, the importance of culture and conduct in relation to Internal Audit was formally recognised in a code of practice for Internal Audit in financial services, published in 2013, which said that Internal Audit should consider, when making audit plans: “the risk and control culture” and “the setting of, and adherence to, risk appetite” amongst other areas. In January 2020, the same points have been included in the IIA UK Code of practice for Internal Audit, applying to all sectors and not just financial services.

You can read the rest of this article on the ACCA website

Guidance on auditing planning for Internal Audit

A good audit planning process should also act as a platform to showcase what audit can do and build closer relationships with key stakeholders, writes James C Paterson on the ACCA blog. 

For the past 10 years I have been running a course on audit planning. It’s two days long and we often start with heads of audit and audit managers explaining their planning process. Common planning steps include consulting managers and the audit committee, up-dating the audit universe and considering areas of concern for Internal Audit and/or a regulator. After that, differences start to emerge, from:

  • “Cross-checking against the key risk register” to “We can’t rely on the risk register”
  • “Co-ordinating with other functions and external audit” to “We do our most of our plan independent of others”
  • “Calculating priority based on number of years since the last audit” to “We have a blend of factors we use to calculate priorities, and we adjust these if we don’t think the plan is right”.

Then greater differences emerge when we discuss the length of any audit cycle, or what items are in/out of the scope of the audit universe, and what the weighting factors are for the audit universe risk ranking.

It then dawns on many that their audit planning process is effectively a hotchpotch of historical steps, overlaid with specific priorities, where specific factors and weightings cannot be justified other than by explaining that:

  1. They were used in the past
  2. They seem to give a reasonable result that stakeholders are happy with
  3. They weren’t challenged in the last EQA.

The net result of this is that some audit functions are auditing “the risks that matter”: i.e. strategic risks, major projects and programmes and key third-party dependencies, whereas others are auditing mostly basic compliance, control and other standard processes.

We then discuss key finding areas from recent IIA External Quality Assessments and learn that many audit functions fall down against the IIA standard for planning and IIA requirements around co-ordination with others. The requirements include:

  • Audit plans should be aligned with the strategies, objectives and risks of the organisation etc. and adjusted at intervals, (IIA IPPF 2010), and
  • There should be co-ordination with other assurance functions, and reliance on others where appropriate, (with a clear process for the basis of reliance on others) (IIA IPPF 2050).

Thus the reason there are short-comings in audit plans is because they are mostly based on stakeholder opinions and an audit universe, which is then retrospectively tied back to key risks etc. Most decent EQAs nowadays can tell this is how the plan was prepared, and may have concerns about why some items are in/not in the audit plan.

Remember: You can’t get a good plan by pressing entering data into a model and pressing a compute button, and you don’t have a good audit plan just because everyone is happy with it!

You can read the rest of this article on the ACCA website

Now on YouTube

In this time of lock-down I have been working in more virtual ways with webinars, and also talking to friends and colleagues on topics that may be interesting.

The first videos are on:

Fraud and corruption risk management, with Martin Robinson:

 

Internal Auditing in BioPharma, with Jaap Van Oerle:


Introductions and series overview – what we hope you will learn Continue Reading

Training & development online/ webinars

As we adjust to new ways of working I have been working with my friends in the IIA across Europe to deliver engaging webinars on a range of key topics.

Details of internal audit webinars are as follows:

IIA UK:

  • Auditing culture – 9 June
  • Root cause analysis – 10 June
  • Lean and agile audit in the COVID era – 15 June
  • Urgent responses to Covid 19 – 16 June
  • Managing yourself and others in challenging times – 18 June
  • Assurance mapping – 23 June
  • Heads of internal audit – induction masterclass – 24-25 June

IIA BEL:

  • Assurance over GRC – PM 26th May and AM 27th May
  • Lean and Agile Auditing – PM 27th May and AM 28th May
  • Root Cause Analysis – PM 28th May and AM 29th May

IIA Finland:

  • Auditing Culture – PM 1st June and AM 2nd June
  • Assurance Mapping – PM 11th June and AM 12th June

IIA Norway:

  • Lean and Agile Audit in the Covid Era – PM 2nd June and AM 3rd June
  • Assurance Mapping – PM 3rd June and AM 4th June

Timings for split sessions are as follows:
Morning sessions are 09.00 to 12.15 local time
Afternoon sessions are 13.00 to 16.30 local time

E-mail info@RiskAI.co.uk for more information, including tailored training on other topics.

Hope you can join me…

Coronavirus: Business not as usual…

and that applies to internal audit as well…

The following article has had over 500 views in 2 days on LinkedIn, I hope you find it helpful.

I’ve just facilitated a two-day head of audit event, with only one person pulling out because of COVID19. However, it was inevitably a key topic of conversation, and here are some reflections that might be of interest:

COVID19 has reinforced, again, the problem with a “failure of imagination” in many risk management processes.

A failure of imagination was one of the key learnings from the 9/11 tragedy, and it looks like many organisations have found themselves with a similar problem with COVID19, and all its knock-on impacts. It may not be a big priority right now, but all organisations who have felt blind-sided by what has happened should be prepared, at the right time, to take a long hard look at their risk management processes.

What other risks are there where might we be thinking “that will never happen”?
How do we make sure we prioritise impact over probability? 
How good is your organisation in thinking through the knock-on consequences of one risk on other aspects of its operations?  Continue Reading

Join our mailing list

We will keep you updated with news and events.

Contact

Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914
Email

Please also use our contact form