Building Effective Internal Audit



Putting the pieces together

Supported by EY

Foreword

In July 2013, the Institute published guidance for Effective Internal Audit in the Financial Services Sector. This code of practice established clear and consistent principles and detailed guidance for the industry. One of the recommendations of the independent committee we set up to produce it, responding to comments from the industry, was that firms would benefit from additional guidance and information from the Institute as good practice became more widely established.

One year on, I am very pleased to present this report, which looks at how firms in the UK financial services sector are implementing the individual recommendations. In the report we present the results of interviews with a number of Heads of Internal Audit (HIAs) from different parts of the financial services sector, and from different sizes of institution. You will see that HIAs are approaching the task in very different ways. I hope you will agree that, collectively, our interviewees outline a range of actions that offer valuable examples of different, successful approaches to the challenges posed by the code. We offer these as a menu of options, and hope that other HIAs will be able to identify solutions that will work for them.

We also took the opportunity to find out from the regulators how they were using the code in their supervisory work, as that was one of the areas of uncertainty on the part of HIAs. Their responses are also outlined in the report.

While our report is set in the context of the financial services sector, most of the code’s recommendations, and the responses to them, may be equally valid for other sectors. We therefore hope all organisations will consider the changes that are being implemented, and the value they are yielding in improving the effectiveness of internal audit.

I should like to express my gratitude to all those who agreed to be interviewed for this report and thank EY for their support in compiling the responses and disseminating the results.

Dr Ian Peters, Chief Executive, Chartered Institute of Internal Auditors, August 2014

Contents

Introduction
Results:
1. General approach
2. Access, standing and reporting lines
3. Risk assessment and planning
4. Resources
5. Key corporate events
6. Quality assessment
Conclusions

Introduction

The Chartered Institute of Internal Auditors (IIA) launched its Financial Services Code, Effective Internal Audit in the Financial Services Sector (the Code), in July 2013. This followed an extensive consultation across the financial services sector conducted by an independent committee under the leadership of Roger Marshall, Chairman of the Audit Committee of Old Mutual, the London-based insurer. It consists of 29 recommendations identifying best practice for organisations and their internal audit departments to provide the necessary degree of independence, objective oversight, challenge and assurance to enable boards and senior management to make better-informed strategic and operational decisions.

An additional recommendation in the Code was that the IIA should provide guidance on its application and implementation. In this context Roger Marshall suggested that a compendium of good practice should be prepared, covering how organisations of different sizes and in different parts of the sector were doing this. In this way firms could see what was working for others and choose measures appropriate to their own circumstances to enable them to meet the terms of the Code.

The Code was prepared at the suggestion of the financial regulators, who welcomed it and indicated that, “In exercising their supervisory judgement, the regulators will consider the nature and extent of compliance with the guidance in any assessment of internal audit effectiveness within regulated firms.”

A recent IIA study, Embedding effective internal audit in the financial services sector – a progress report¹, found that internal audit functions across the sector were working to comply with the Code.

There was a high level of awareness of and buy-in to the recommendations from Heads of Internal Audit (HIAs), audit committees and executives.

Nonetheless some were finding areas of the Code a challenge, involving new approaches in specific areas, or in some cases a fundamental review of the way internal audit operated.

This report looks at examples of good practice on various aspects of the Code: access, standing and reporting lines; risk assessment and audit planning; resources; strategic events; and quality assurance. It was prepared after in-depth interviews with selected HIAs to give a menu of options based on real-life experience. We also discussed implementation of the Code with the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), and are able to give an indication of the way they are looking at the Code in their regulatory work on internal audit.

While the good practice identified here relates to the recommendations in the Code, which was directed at the financial services sector, most of it is equally valid for internal audit in other sectors, and we hope that HIAs across all organisations will get value from it.

The report was produced with support from EY. We are grateful to them, and to all those who took part.

“Good internal audit looks a lot different to two years ago.”

Dominic Clarke, Group Head of Internal Audit, AIB

¹ Published by the Chartered Institute of Internal Auditors, July 2013, www.iia.org.uk/policy/financial-services-initiative/guidance/

1. General approach

• HIAs have used the Code as an additional driver for change in the position and role of internal audit and for increasing its effectiveness.

• Getting engagement with audit committees right is crucial. But while support for introducing the right structures is important, audit committees also need to be continually engaged on issues around internal audit effectiveness.

• HIAs believe that the regulators need to engage more on how organisations are implementing the Code, offering more feedback and support.

• In response the PRA has said it is prepared to discuss exceptions, where firms believe an approach that is not in line with the Code is right for them. But it regards the Code as a benchmark.

• The FCA says it does not look to supervise firms against the requirements of the Code. Rather, it considers the effectiveness of internal audit functions, including how they engage with the board and executive, as an important indicator of effective decision-making within firms, and will look to engage with internal audit where appropriate. Where the FCA considers the IA function effective it will also place reliance on internal audit’s outputs when drawing conclusions, and use it to undertake reviews within firms.

HIAs who were interviewed welcomed the Code as “eminently sensible” and a “valuable driver for change”. One HIA, who had been appointed shortly before the Code was issued, used it to support an incoming reform agenda: “As a newcomer I was able to use the Code as an additional lever to change internal audit practices”. Another HIA had already been involved in raising the profile and role of internal audit across the organisation, “but the Code gave it additional impetus”.

All respondents had conducted a formal gap analysis, either internal or external, of their internal audit function’s performance against the Code and the results had been discussed with audit committees.

“Overall there was lots of discussion, support and acknowledgement from the audit committee – the Code has been fantastic for us as it really is a benchmark for us to measure ourselves against.”

“Our progress against the Code is monitored in monthly one-to-ones with the audit committee chair, and we present a formal quarterly report to the committee.” For several, however, the response of their committees was disappointing despite their approval of reforms. “We had passive support from the NEDs and executives for enhancing internal audit, but are not being challenged on our role.”

“More guidance or insight is needed for audit committee chairmen to help them understand the heightened expectations on them personally. The onus is too much on the HIA taking the initiative.”

Engaging with regulators

One area where there was disappointment was with the engagement of the regulators. Some respondents had tried to discuss their implementation plans, based on a gap analysis, with the regulators.

“There has been no increased interaction following the launch of the Code, nor any feedback on the questions we have asked. There is a danger that the Code will simply become a tick-box exercise.”

“We have spoken to our supervisors in the PRA and FCA about our response to the Code, but it has largely been a one-way information flow.” The IIA has also raised concerns with the regulators, in particular on the need for audit committees to get engaged rather than leaving it to their HIAs.

The PRA has held a meeting with a number of audit committee chairs at which they explained their approach to the Code. Internal audit specialists at the PRA have begun to sit in on audit committee meetings to observe how internal audit is dealt with in practice, looking for example at the amount of time spent and the seriousness with which the committee regards issues raised. They see compliance with the Code as one indicator of effective internal audit. It will not be used as a tick-box exercise but as a measure of how audit committees and executive management are moving towards a culture of challenge and improvement.

The FCA regards the effectiveness of the internal audit function as an indicator of how the firm runs its business and its culture towards managing risks to customers and markets. It sees internal audit as a vital player in assisting the board and executive to make effective decisions, and in alerting the board to potential conduct and reputational risks.

Where the FCA believes a firm has a robust internal audit function it will look to place greater reliance on its findings and use it to undertake reviews within firms. Whilst the FCA does not supervise firms against their delivery of the IIA Code, it sees it as a benchmark for internal audit, alongside the other tools available to the industry in providing guidance, e.g. the Corporate Governance Code.

“Reporting to the CEO has had an impact on internal audit’s standing in the Society. Doors are more easily opened and internal audit has risen up management’s agenda. The challenge for me now as an HIA is that I need to play a more strategic and political role in the organisation.”

Chris Field, Group Head of Internal Audit, Yorkshire Building Society

2. Access, standing and reporting lines

• Having a functional reporting line to the audit committee chairman, supported by an administrative line to the CEO, can transform internal audit’s influence and effectiveness.

• The PRA and FCA regard the reporting structure as an important indicator of how independent internal audit is of the executive and therefore how effectively it can support the board’s role in challenging management.

• Organisations where the structure is not in line with the Code will need to explain their reasoning to the regulator, showing why they believe that it is right for their particular circumstances.

• Many find that attendance at executive committee meetings by the HIA can be valuable in supporting unrestricted scope and access and allowing internal audit to play its enhanced role in supporting the challenge of strategic decisions.

• Just as important is advance access to documentation for the executive committee and audit committee.

• But HIAs need to find a way to preserve their independence and objectivity in the executive committee in order to be able to support the board’s challenge of the executive.

• Informal sessions with the chairman and members of the audit committee away from formal meetings can be valuable.

All of those we interviewed had had their access, standing or reporting lines enhanced in some way since the introduction of the Code. While most reported to the audit committee chair beforehand, all do so now. Many are now playing a much more active and influential role on the executive committee.

While the HIAs we spoke to saw this new role as strengthening their ability to challenge on risk management, control and governance and to support the audit committee at a strategic level, they were very aware of the dangers of compromising their independence and objectivity. Dominic Clarke at AIB was offered a full voting role but declined in order to preserve his independence. Others excuse themselves from discussions where they feel participation would be inappropriate. At Virgin Money, Nick Collins, Head of Internal Audit, says “I recognise the risks over independence with this new level of access. But we are robust and have used the Code to strengthen the audit charter, giving more confidence to internal audit team members. I have resisted being drawn into decisions in certain areas to help keep a true barrier in place.”

Access to real-time information is another area where the Code has improved practices and allowed HIAs to strengthen their role in the challenge of strategic and other decisions, either directly or supporting the audit committee. Rob Lucas, Group Head of Internal Audit at NFU Mutual, receives board papers in advance as well as minutes, and has access to executive committee papers on request. Nick Collins at Virgin Money sees board papers on request and has never been denied access to any papers. “I have good visibility of the strategic decisions made at executive level and have observed more willingness from the executive committee to ask us questions, seeing us as a trusted adviser.” Scott Strachan, Global Head of Internal Audit at Aberdeen Asset Management, comments “I now have fuller access to Exco and continue to network with the non-executives and executive, helped by an increased focus on Internal Audit. I hold plenty of one-to-one discussions that act as a continuous monitoring tool.”

Strengthening relationships

The Code also appears to have strengthened the relationship between the HIA and the audit committee chairman, including getting more meeting time. Sally Clark, Chief Internal Auditor at Barclays, has regular interactions with the audit committee chair, and the chair’s involvement has increased to include informal meetings with the whole audit management team. In one case the HIA’s reporting line still includes the finance director, following an external review. All parties have agreed that this works best in their particular governance structure, and they are prepared to defend it if questioned by the regulator.

But the HIA now has one-to-one informal meetings with the chairman as well as his structured meetings with the audit committee. Hilary Weaver, Head of Internal Audit at Lloyd’s of London, says “I always had a reporting line to the audit committee chairman and CEO, but now the emphasis has changed. The chairman agrees my objectives and conducts my appraisal in liaison with the CEO.” The HIA of a privately-owned bank also values the regular meetings outside the formal timetable, not only with the audit committee chairman but also the risk and compliance chairman and the partners (owners), noting that “the time I get outside of structured meetings is key”.

The PRA and FCA regard access, standing and reporting lines as vital indicators of how effective an internal audit function can be. Ragveer Brar, Manager, Risk Specialists Division of the PRA, says “Whatever the quality of the work it undertakes, if internal audit is not being appropriately supported by the audit committee, or if its findings are not being adequately addressed by the executive, its strength will be undermined and the governance of the organisation weakened.” The FCA also regards the way internal audit is involved and listened to in decision-making as an indicator of the health of corporate culture, and may look at the function’s position in governance structures in its deep dive supervisory work.

“I have private sessions with the audit committee away from the formal meeting as well as one-to-ones with the chairman. They are a useful supplement to structured meetings and have been incredibly valuable in giving Audit Committee members greater insight into the organisation and background on the risks around change initiatives.”

Hilary Weaver, Head of Internal Audit, Lloyd’s of London

“I am an active, non-voting participant of the executive committee. It is great to have this role endorsed by the Code. I feel much more comfortable discussing our viewpoint on key issues as a result of the regulator backing the IIA Code.”

Nick Collins, Head of Internal Audit, Virgin Money

“It is very important to get the input of the risk management function and the executive in preparing our audit plan. This year we held a half-day planning workshop with key stakeholders to get their view of risk, share understanding of emerging issues and to align approaches while preserving our independence of assessment. This was a very valuable session.”

Chris Field, Group Head of Internal Audit, Yorkshire Building Society

3. Risk assessment and planning

• Internal audit faces increasing challenges as it engages on strategic and other business issues in a rapidly changing environment.

• It is vital for internal audit to build up networks of information that enable it to understand the internal and external factors driving risk, using its own judgement.

• Larger organisations have established teams to monitor and assess risks in order to form an independent internal audit view.

• The Code has greatly accelerated the move, already underway, from a cycle-based approach to risk-based internal audit, and from a focus on process to one on outcomes.

• Internal audit planning is becoming more flexible.

• The culture of an organisation is an important factor, but there is no single answer to how internal audit should engage on it.

• No-one thinks any of this is easy.

Many HIAs thought that the existing audit universe identified by their organisation was appropriate, although internal audit has been able to identify some additional risks that need to be included. IT risks and customer outcomes are examples, and some are starting to grapple with giving a view on culture. Rupert Nottidge, Group Head of Internal Audit at Schroders, says “There is a process run by our risk function to identify the key risks that impact on the organisation. I have improved the mapping of the work of internal audit to these to provide assurance against them.”

At YBS, Chris Field, Group Head of Internal Audit, says “Internal audit has developed its own risk assessment, signed off by the audit committee and discussed with NEDs on the risk committee.” But he also fed in the views of risk and the executive in developing his assessment (see his quote at the end of section 2). Rupert Nottidge at Schroders also includes the views of compliance, co-source partners and the external auditors in his mapping. Nick Collins at Virgin Money says “I form my own view of risk whilst also reviewing the accuracy of the business’s own view of risk. My own level of access to individual functions helps me to do this.”

Donald MacKechnie, Group Audit Director at Lloyds Banking Group (LBG), includes both a bottom-up and a top-down approach to risk assessment: “The bottom-up approach is based on the Control Framework Assessment process, capturing views on particular departments and functions based on audit activity, risk management activity and views captured from attendance at the various committees. Top-down involves looking at the strategy and risk drivers, such as the FCA Risk Outlook, and feeding these into the planning process.” Some internal audit functions are also carrying out a risk governance audit so that they can better judge inputs from the second line of defence.

Given the fast-moving nature of risk assessment and the need for internal audit to constantly review its risk assessment, priorities and coverage, some larger internal audit functions are looking to a continuous monitoring team or a business regulatory team to examine how internal developments or new products impact on risk assessment. Smaller internal audit functions are not able to set up special teams. Rob Lucas at NFU Mutual says that he has quarterly meetings with each of the directors and his team attend risk and governance meetings as observers. From this they keep up to date with risks facing the business, in particular high-risk areas. “One challenge is trying to consistently calibrate this across the organisation.”

Audit planning

Audit planning is also changing in response to the Code. Barclays has introduced a rolling “3 plus 9” flexible planning approach. The first three months are fixed and approved, with flexibility in the plan for the following nine months. Sally Clark says “We work closely with management and the first and second lines of defence throughout the planning process, pulling in information to inform the plan. We also have a defined risk framework in the bank that allows commonality of language and understanding.” She notes though that it is a challenge to balance efficiency and flexibility with the approach. At NFU Mutual Rob Lucas says “We are moving from our traditional rotational and functional model to a more risk-based planning approach, which is challenging. We introduced a 3 plus 9 month planning approach, but that is moving towards 6 plus 6 to allow for lead times in preparing our work.” Anne Obey, Divisional Director, Group Internal Audit at Nationwide Building Society (NWBS), has monthly meetings with her senior team to discuss key risks and priorities that inform the top-down assessment of the risks driving the plan, and makes adjustments accordingly. This also creates a longer-term view of the audit plan.

Others are introducing more flexibility by increasing the size of the contingency buffer in the audit plan. LBG have also used a 6+6 approach but are planning to move to an annual planning process with additional contingency time to provide flexibility. Donald MacKechnie says “This will be more efficient by reducing the overall Audit and senior management time in putting together the operating plans of the Group, which are refreshed every year.” AIB’s aim is to build some flexibility into the audit plan by holding an element of the plan in reserve.

Culture

Culture is a specific area of risk that is proving challenging. The IIA has addressed this separately with guidance² on the sort of areas that internal audit can examine and the mixture of hard and soft controls they need, illustrating these with case studies from internal audit functions that are already engaged. Some, like Aberdeen Asset Management, Virgin Money, AIB and Nationwide, are gathering data from normal audit work to form an overall view of the different aspects of culture. This “gut feel” can then be discussed either formally or informally with the audit committee or its chairman. AIB has introduced at the start of each audit a questionnaire on issues such as the escalation of concerns to help generate useful information.

Culture following M&As is also an issue for some, and internal audit can have a role to play in ensuring that different cultures come together in the way the board requires. Two organisations, Barclays and Aberdeen Asset Management, have introduced cultural change programmes. That has enabled the audit function to leverage work being done in the broader firm, in the latter increasing the focus of internal audit on culture as an issue in its own right. At AIG, the IIA Code is being used to drive thinking at the global internal audit level around areas such as how to audit culture.

The PRA stresses the importance of boards and audit committees ensuring that their organisational culture does not lead to decisions that are out of line with their risk appetite, values and ethics.

It says that internal audit should play a key role in supporting the board’s ability to challenge the executive on culture by using effective root cause analysis and maintaining an awareness of the cultural implications of the findings from audits conducted.

The PRA issued a Statement of Policy in June 2014, “The use of PRA powers to address serious failings in the culture of firms”, detailing its approach.

The FCA follows a similar line and sees the strength of internal audit within the firm as an important factor in ensuring the firm’s culture supports delivery of fair outcomes to consumers.

Where internal audit is considered well-positioned and effective, the FCA may draw on its work on organisational culture and decision processes.

Audit planning is changing in response to the Code. Organisations are finding different ways to add flexibility to the planning process.

“Internal audit needs to keep a firm grip on the audit universe and guard against the danger of focussing only on risk as identified by the executive. We expect internal audit to make an independent risk assessment, drawing on the executive view as well as bottom-up internal signals and external indicators.”

Ragveer Brar, Manager, Risk Specialists Division, PRA

“We are unlikely to undertake a separate audit of ‘culture’ in isolation. We have ‘guiding principles’ for our staff that support the values and risk culture of our business, and adherence to them by staff is monitored by management. As a mutual, customer service is at the heart of what we do and the key thing is to ensure there is no room for complacency. Aspects of risk culture are considered in individual audits. We are researching a ‘people risk thematic review’ and this will look at how the guiding principles are embedded throughout the firm.”

Rob Lucas, Group Head of Internal Audit, NFU Mutual

² Published by the Chartered Institute of Internal Auditors, July 2014, http://www.iia.org.uk/policy/culture-and-the-role-of-internal-audit/

4. resources

At Aberdeen Asset Management Scott Strachan has revisited the KPI suite in order to give the audit committee comfort that his team has the right skills.

As part of ongoing developments in the company, he is reviewing the number of staff and their skill- sets. “We are having a real look at the structure of the department”. At Virgin Money, Nick Collins has been able to increase the budget for his team, but he is still focussed on the need for efficiency. “We have to be clever in the way we make use of our co-source partner, who fills in the technical gaps in our team, and our main concern is that internal audit has genuinely assessed the risks we are looking at.”

new skills

Paul Wigham, Audit Director at AIG says that the ability to challenge the organisation’s leadership

has been made part of the job role for audit management, providing a new challenge for the team and increasing internal audit’s profile and effectiveness. At Aviva, Jonathan Chapman, Director Planning, Resources and Risk, also thought that capabilities were the greatest challenge. “We have developed and implemented a systematic approach to identify our key skill gaps and this has allowed us to begin to build programmes to address these gaps. We benchmark our people against defined standards for both capabilities and knowledge and, even before the Code, had introduced an ‘Internal Audit Performance Academy’ to support our work to improve skills. This

is supported by focused development interventions where gaps are considered more systematic across the function. For example a priority for 2014 is around developing our teams business and financial acumen.” For Aviva an on-going challenge has been acquiring specialist skills such as actuaries.

“We do not have a formal two-way talent transfer (rotation) policy in place with the business, but monitor movement, with internal audit increasingly acting as a “talent bench” for the organisation and a good career route for internal progression. The Code has highlighted the importance of proactive talent management and increased the profile of internal audit activities at senior levels in the organisation through the changes we have made.”

In the past one of the biggest issues has been with the leadership levels of internal audit functions. You can have a great internal audit team and methodology, but unless the leadership of internal audit has both the access and the will to challenge the organisation at the top of the house, the effectiveness of internal audit is really impacted.

More emphasis needs to be placed on being empowered to get out there and have an impact at the top.

Paul Wigham, Audit Director – EMEA, AIG

• internal audit functions are having to justify why they need greater or different resources. the existence of the code is not sufficient in itself.

• not all have had to increase their resources, increasing efficiency for example by greater use of analytics.

• Where there is an increased burden on internal audit due to the code it can be used to withdraw from involvement in second or third line of defence work, such as Sarbanes-Oxley.

• Most are focussing increasingly on outcomes as well as processes. this is leading to significant changes in audit tools and methods, and the requirement for different skill-sets.

• new specialist knowledge is also being required of internal audit teams, and for many this means increased co-sourcing. But co-sourcing needs to be managed properly.

• Some have up-skilled their staff, either through training or recruitment, leading to more top-heavy structures with people who can engage at a more strategic level.

• the strategic positioning of internal audit through the code is increasing the opportunities for rotation, secondments,

“guest auditors” and graduate entry as the profession becomes more central to good governance. But care is needed in balancing skills and internal audit experience.

(10)

This move to a higher proportion of senior staff with the soft skills to work at a strategic level reflects similar moves at Nationwide and Virgin Money.

LBG had reorganised the management of the function, moving from a pool system to a line management model with strategic units in each of the Group business areas. Donald MacKechnie at LBG explained that this encouraged colleagues to develop expertise in specific areas and develop greater depth of understanding of the respective businesses. This means that he can more readily access in-depth information from his colleagues on any area of business activity. He has also up-rated the role specifications for his senior staff, in order to fulfil the new strategic demands of the roles.

co-sourcing

Schroders has not increased staff numbers, but is using co-sourcing differently, enabling it to add areas into its audit plan. Schroders’ Rupert Nottidge says that he has not changed the skills coverage of his own staff but is bringing in specialist skills such as governance and culture via the co-source.

“The key objective with regard to internal staff is ensuring we have people who can effectively challenge the business and deliver a better internal audit product – maintaining the quality and balance of the team is clearly critical.” Rotation of staff from the business takes place occasionally. This provides a good source of commercial experience and brings a different perspective to an audit. Training focuses on an individual’s needs, although recent training

for the whole team has been given on report writing. Chris Field at YBS has also used co-source partners to cover technical areas where it is difficult to recruit subject matter experts. One specialist area where he has increased internal staff is in change audit. Otherwise he has recruited new experienced internal auditors, in part due to recent mergers.

In Lloyd’s of London most of the work is co-sourced, allowing specialists such as actuaries and claims experts to be brought in as required. Hilary Weaver says that they have a number of co-source base days and can ask the audit and executive committees on an ad hoc basis if they need more.

“This gives us absolute flexibility to tap into certain kinds of skills when we need them. But specialist auditors always work alongside core team members to ensure continuity and local knowledge.”

Co-sourcing is also the answer for the HIA of a private bank where, here too, internal staff always work with the providers, with the positive side effect of maximising learning and knowledge transfer. The HIA there thought that guest auditors (fixed short term support from other parts of the organisation for specific audit work) were a good idea in principle, but too difficult in practice for a small organisation due to potential conflicts of interest.

In large organisations subject matter experts may well be more easily recruited internally rather than co-sourced. Larger organisations are also better able to address the need for soft skills and business acumen through rotation policies. In Barclays Sally Clark has experienced a positive response to the introduction and promotion of their guest auditor programme. This programme does require investment to make it work but is seen as a great opportunity for the function. “We plan to ask those rotating to write blogs to describe their experience and sell the opportunity to others. We see them as ambassadors for internal audit in the wider business.” Barclays has set up an advanced academy for senior managers reflecting the demand for softer skills, which complements its existing foundation academy for new recruits. Others too are looking at more formal rotation and mentoring programmes to develop talent and increase the diversity of skills within internal audit. Resources may have to be shifted and the staff mix changed to reflect the move from process-driven to outcome-driven audit, and this can only partly be achieved through training. Dominic Clark at AIB has also undergone staff changes to meet the challenges of both the Code and other changes since the banking crisis. Over 90% of his staff either have professional qualifications or are training for one. There has been increased rotation from the business and he would like to take in more graduate entrants. “We need to increase the internal audit experience pool.”

Effective leaders of large IA functions would tend to have a breadth of skillset and experience that includes internal audit expertise and would ensure that the internal audit function has a mix of experience, again including internal audit experience, and perspectives gained both from other organisations and from experience beyond internal audit.

Ragveer Brar, Manager, Risk Specialists Division, PRA

The new guidance in the Code has raised the bar significantly, and has resulted in changing requirements and expectations of auditors. Some have found their new role challenging and have departed.

The most critical skill required by the Code is the ability to challenge the business and senior management, and it is the soft skills associated with this that have been most difficult to resource.

Chris Field, Group Head of Internal Audit, Yorkshire Building Society

Balance of skills

The PRA say that they will be looking for the right balance of skills so that internal audit can preserve its role as the third line of defence and provide independent views to the board on key issues. HIAs will need to consider to what extent rotation of staff from other areas of the business can be pursued without undermining internal audit expertise. They also point to the danger that excessive reliance on staff from elsewhere within the organisation can lead to internal audit’s approach to its work being too collaborative.

One concern that has been voiced is possible expectations by the regulators about which functions internal audit should be doing in-house, in particular for those firms on the cusp of being big enough to have their own subject matter experts but not big enough to make it obvious that they should have.

This is another area where dialogue with the regulator will be needed to explain the approach being taken and why it is right for a particular organisation.

5. Key corporate events

In general, the HIAs we interviewed believed that internal audit should not be directly involved in strategic decisions. But they could see internal audit performing a valuable role in ensuring that the board and executive committee are getting the right information, that decision-making processes are being correctly observed, that changes resulting from decisions are being delivered appropriately, and that the board is provided with assurance at the end of the process.

At LBG, Donald MacKechnie attends board offsite strategy meetings, receiving the papers in advance, and sits as an attendee at the Group Strategy sessions. Internal audit is asked to look at controls around strategic decisions, including regulatory requirements, sensitivity analysis and stress testing.

We have within our scope all organisational risks including strategic risk and in-flight review during major events. This involves auditing the strategic decision making process, but not the strategy itself. Our role goes up to, but not beyond, the boardroom door.

Jonathan Chapman, Audit Director, Professional Practice, Risk & Resources Team | Internal Audit, Aviva

• The Code has strengthened the role of internal audit in challenging, advising on and providing assurance on strategic events, in particular in advance of decisions.

• This requires more extensive real-time access to information so that internal audit is fully aware of risks around strategic decisions.

• But internal audit should not be directly involved in those decisions.

• Internal audit needs to build flexibility into its planning to be able to cope with new tasks associated with strategic events.

• This is an area of particular interest to the FCA, who see internal audit’s role in key corporate events as a key indicator of how firms prepare effectively for strategic change.

At Schroders, Rupert Nottidge said that he has increased his focus on strategic projects and developments. He highlighted that the integration of a recently acquired business is the subject of close oversight by the internal audit team, while broader work on governance arrangements is one way of assessing decision making processes.

The HIA at a private bank says that internal audit has not always been involved upfront in strategic planning but this is changing. Two examples of new involvement are a potential acquisition, where internal audit was able to point to poor project management and delivery mechanisms, and a major IT project. On the latter the HIA explains “We will target audits during key phases of the project from project development, through feasibility to delivery, advising for example whether best practice has been followed and looking at key controls. This will require new skills, and internal audit may need subject matter experts on change management.”

Timely involvement

At YBS Chris Field underlines the importance of attendance at key meetings allowing internal audit to decide where and when it should get involved.

YBS has used external due diligence providers to perform many of the potential roles on mergers, but internal audit has been asked to advise on closing an overseas branch and to review internal audit functions and the wider risk environment in organisations subject to merger or acquisition. Paul Wigham at AIG says that internal audit has had significant involvement in strategic change initiatives over the last twelve months, including new global system roll-outs and regional reorganisation. One of our other respondents pointed to problems that internal audit had identified after the event following the opening of an overseas branch, since when internal audit has been fully involved from the business case stage and can voice concerns with the audit committee before, during and after delivery of such projects. Other areas where internal audit is playing a more strategic role, drawing on experience in root cause analysis, are material outsourcing, the roll-out of new products, disposals and unexpected major events like the IT outage of services to customers.

Several HIAs were unable to say yet whether the Code had changed the way mergers and acquisitions were handled and the role of internal audit, as this work was event driven. But increasingly internal audit is being seen as relevant in these discussions and is getting involved at an earlier stage where internal audit input is appropriate. Sally Clark at Barclays said that the firm had a dedicated corporate-wide team for M&As with their own distinctive approach and methodology. Internal audit had been invited to look at various strategic issues, such as the control environment for new products. Nick Collins at Virgin Money has also had lots of work recently on strategic change and has members of his team dedicated to this area.

Building skills

Scott Strachan at Aberdeen Asset Management says that the Code has not changed internal audit’s role in M&As as integration projects already included oversight from internal audit. “Throughout the internal audit team, managers are involved in projects and integration and are approached for their views.”

Aberdeen Asset Management continues to review its project methodology and Scott Strachan and his audit team are actively engaged in auditing that change agenda. “Internal audit are involved in key projects from the first day and the business do look for our oversight and challenge as part of projects.” This however has implications for staffing. “It is fundamental that the head of audit has a history with the business and the right skills to build key relationships. This applies throughout internal audit including regional managers.” Anne Obey at Nationwide is also confident that she knows about key corporate events in the business beforehand. “As a result of being engaged in senior forums I also increasingly find myself leading a cross-functional debate about the approach to control improvement, although I recognise I am still internal audit and need to distance myself from certain decisions. As a result my role now needs additional soft skills.” Anne says that everyone on her team at Nationwide attends training on the audit of change, which is regarded as a core audit skill.

The guidance has stretched the reach of internal audit. Board management information and strategic risk management were not out of bounds before, but now internal audit’s work in those areas is more explicitly stated.

Rob Lucas, Group Head of Internal Audit, NFU Mutual

We are able to advise before the event and are deliberately pro-active in terms of our assurance. We are not involved in “Go, No Go” decision making but constantly provide assurance to the project steering groups.

Nick Collins, Head of Internal Audit, Virgin Money

A key aspect of the FCA’s supervisory strategy is to take a forward-looking, pre-emptive approach. Therefore it sees reviews of key corporate events, such as new strategic initiatives, changes to firm business models and new product development, as pivotal to delivering this. The FCA wants to see that firms have put the customer at the heart of their decision making. As noted above, internal audit’s role is one of the areas the FCA could look at in making judgements in these areas, and this area of the Code is clearly one for audit committees to take particularly seriously.

6. Quality assessment (QA)

The Code calls for internal audit functions “of a sufficient size” to develop their own quality assurance capability. This would normally sit within internal audit but independent of audit delivery. The Code is deliberately vague on what sufficient size means.

What this study has revealed is that, as a rule of thumb, organisations seem to be moving to a separate QA unit where the size of the internal audit function makes QA effectiveness an issue and the HIA may be concerned about losing the personal oversight of the function’s work needed to guarantee consistency and quality of outputs.

Chris Field at YBS reports that QA has changed significantly. “Before, there was little challenge of internal audit’s work by subject matter experts. I now have approval for an annual risk-based external review focussing on the high risk areas of the firm and the risks to internal audit’s successful delivery of its mandate.” Chris also uses co-source partners in a QA capacity, recognising that care must be taken over quality-assessing work that has involved co-source support. At NFU Mutual, Rob Lucas uses internal peer group reviews, with audit reports being reviewed by himself and his managers and an annual report to the audit committee on internal audit’s key performance indicators. The external review takes place every five years as set out in the IIA Standards.

The IIA Code calls for QA at three different levels:

• The periodic, independent external assessment of elements of or the overall function.

• The (at least) annual independent evaluation of internal audit’s performance for the board or audit committee.

• The continuous improvement measures within internal audit directed at performance and effectiveness.

(Recommendations 24, 25 and 28)

• The importance and scope of quality assessment have increased, and functions are not just being asked to measure themselves against IIA International Standards.

• This is not just thanks to the IIA Code. For some, QA also includes reference to other requirements such as those of Basel III, the US Federal Reserve and the Office of the Comptroller of the Currency.

• QA takes place at various levels and is not just about a regular top-down health check.

• In the context of establishing a quality assurance capability, independent does not equate to external, although external resources may be needed at some stage.

• Methods of conducting QA vary widely and one size does not fit all.

• Some HIAs have to reconcile different national approaches to QA, notably thanks to different regulatory regimes in the US and UK.

• The PRA stresses that QA is an important function, is not always of a sufficient quality, and needs to be taken more seriously.

Nick Collins, Virgin Money, also uses a mixture of peer reviews and co-source support. His QA chain is:

1. Audit methodology review for consistency

2. Checkpoints

3. Peer reviews by audit managers on KPIs

4. Review by the HIA

5. Co-sourced review of quality.

Anne Obey at Nationwide carries out internal QA, but does not yet have a dedicated function. Her senior managers conduct in-flight peer reviews, the results of which are reported to the Audit Committee, and feedback is requested from auditees on all audits, covering areas such as the understanding of risk and degree of challenge. “I have recently agreed additional resources to create a separate internal QA function, with its own access to co-source resources where additional expertise is needed.”

At the private bank, the incoming HIA carried out a full internal QA based on the IIA Standards and personal experience of best practice gained previously. This, along with the initial gap analysis against the IIA Code, informed the reforms to internal audit carried out since. The organisation is small enough for the HIA to QA audit methodology before an audit has begun, sign off the scope, access touch points as work is carried out, and get feedback from key stakeholders. However there is recognition that internal assessments should be done more rigorously in future. “The external QA is due this year, and that will look at performance against the Code as well as the Standards.”

At Lloyd’s of London the co-sourced internal audit provider has its own internal QA function, but the head of internal audit QAs that work as well. An external QA by a professional firm is being carried out, comparing performance against the Standards and Code.

At Schroders Rupert Nottidge does not have a separate QA function, but has integrated QA throughout internal audit’s work. “I use the co-source provider to advise on specific aspects of an audit, such as risk coverage, and use them to review a sample of audits in detail. I also have monthly meetings with the external auditors, and regular one to ones with executive management which are a good source of feedback.” The next formal QA will go beyond the International Standards and take in the Code.

Larger organisations

Turning to the larger organisations, Aviva has an independent QA function reporting to the Group Chief Audit Officer through the Director Planning, Resources and Risk. They adopt a holistic approach to their work, examining all aspects of audit risk against the function’s own Internal Audit Risk Management Framework. All Audit Directors are required to provide a quarterly self-assessment of their risk and controls, which forms the base for review work by the QA function. This leads to multiple types of reviews, such as full scope, end to end ‘team’ reviews, thematic reviews examining a specific topic across the entire function, and special investigations examining a very specific concern, alongside continual monitoring activity. This is supplemented by the required external QA, which is performed every five years and has recently been conducted including explicit consideration of Aviva’s performance against both the IIA Code and best practice across the sector.

At AIG Europe Limited, which is the UK subsidiary of US-based AIG Inc., there is a global QA function which provides significant coverage of audit files, continuous risk assessments and issues tracking verification globally. According to Paul Wigham, “The benchmarking was a useful challenge to our global process, and while the results were positive, it did allow us to look at ways to improve it.”

In Barclays, which has its own internal QA function, they have adopted a continuous auditing approach to their external QA. Instead of a review every five years, external QA is carried out every year with a risk-based focus on specific areas of business, audit approach, key risks, etc. Aberdeen Asset Management has appointed a quality manager as a result of the Code, and this has been a great success, building in robust monitoring and spot-checking programmes. At AIB, Dominic Clark has moved to “hot reviews” by a QA Director. This started with internal experts, but now includes some limited external help, e.g. on modelling. He has also contracted a professional firm to provide an outsourced QA function reporting to him.

QA is an area where many thought there was a need for more guidance from the regulators on whether firms have got the balance right under the Code. The PRA would like to see QA gain in status in many organisations. It needs to be staffed with experienced internal auditors working in real time with the support of HIAs.

We see QA as audit risk management

Jonathan Chapman, Audit Director, Professional Practice, Risk & Resources Team | Internal Audit, Aviva


Conclusions

The IIA Financial Services Code has been widely welcomed by the internal audit community across the sector. It is already starting to lead to significant change in the governance, management and coverage of internal audit, in some cases transforming the work of those affected in the most positive way.

But all those who participated in this study see this as a long term process, and recognise that it has raised new challenges for HIAs and their staff. The real success of the Code can only be measured once the changes that have been initiated have bedded down and had their full effect. Moreover the profession will need to rise to the challenge for that success to be realised – a brave new world for internal audit.

No single best practice

The way firms are implementing the guidance in the Code varies greatly from one organisation to another.

There is no single set of best practices on the Code, and this report does not attempt to offer one. Instead organisations need to introduce structures, practices and methods that are right for them. Where these appear not to be in compliance with the terms of the Code they will need to justify them to the regulators.

The approach of the two regulators is very different.

The PRA have conducted several reviews of internal audit functions and maintained a dialogue between their internal audit experts and the industry on how different areas of the Code are being implemented. The FCA is taking a risk-based approach to the supervision cycle. Engagement with internal audit may well be one of the areas the FCA will look at to inform its judgements. While internal audit will not be the subject of continuous monitoring, audit committees will nevertheless need to ensure they are applying the spirit of the Code, if they are to demonstrate effectiveness.

While the Code is designed to establish principles rather than detailed rules, and is written “in the context of a reasonably sized company operating within the UK regulated financial services sector”, it is worth noting that very few of the recommendations are size-specific, and that organisations with their headquarters in other jurisdictions are still expected to comply with the spirit of those areas of the Code they are unable to implement fully.

Conversations with the regulators about areas where the Code is not followed are likely to be in the context of a general expectation of compliance.

Building on the Code

The Code is only one contribution to improving the effectiveness of internal audit. It builds on the IIA International Professional Practices Framework, together with the associated IIA Global guidance and Practice Advisories, and has also to be seen in the context of Basel III, Solvency II, the FRC Corporate Governance Code and Guidance, and other relevant instruments. However it is unique in its level of detail and the specific nature of its recommendations for the profession, and as such should play a central role in building the relationship between internal audit staff, board members and executives, and in informing HIAs about how the effectiveness of their function can be improved. We hope that this report will contribute to these two goals.

www.iia.org.uk

Chartered Institute of Internal Auditors 13 Abbeville Mews 88 Clapham Park Road London SW4 7BX tel 020 7498 0101 fax 020 7978 2492 email info@iia.org.uk

© August 2014

About the Chartered Institute of Internal Auditors

First established in 1948, we obtained our Royal Charter in 2010. We are the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland.

We have over 8,000 members in all sectors of the economy including private companies, government departments, utilities, voluntary sector organisations, local authorities and public service organisations such as the National Health Service.

Members of the Chartered Institute of Internal Auditors are part of a global network of 180,000 members in 190 countries. All members across the globe work to the same International Standards and Code of Ethics.

Over 2,000 members of the Institute are Chartered Internal Auditors and have earned the designation CMIIA. 800 of our members hold the position of Head of Internal Audit and most FTSE 100 companies are represented amongst the Institute’s membership.
