Raising the bar New developments in corporate governance - Chartered Institute of Internal Auditors
Issue 46 March/April 2019
The magazine of the Chartered Institute of Internal Auditors

Raising the bar
New developments in corporate governance

Plus: project management risk; mental health at work
Contents

Alun Milford, general counsel at the Serious Fraud Office, will address heads of internal audit at this month’s IIA Leaders’ Conference. On page 30 he explains what internal audit needs to know about SFO investigations.

Front

The institute view
From the chief executive, Ian Peters.

World view
From Richard F Chambers, IIA Global president.

View from the top
From Margaret Stephens, chair of the audit committee, Department for Exiting the European Union (DExEU).

Update
The latest news affecting the profession.

Reportage
Key findings from the Cambridge Global Risk Index 2019.

Features

Audit & Risk Awards 2018
The winners of the 2018 A&R Awards and what the judges said about them.

Raising the bar
What do the Wates Principles and the Kingman Report tell us about the future of corporate governance?

Grey matters
How companies are improving the way they deal with mental health.

Solid foundations?
Too many projects still fail – what can internal audit do to keep them on track?

Member matters

Q&A
Your questions answered.

Student noticeboard
Essential information for exam candidates.

Training & professional development
The courses and information you need to hone your skills.

Events
What’s on across the UK.

Published for the Chartered Institute of Internal Auditors

Editor
Ruth Prickett
ruth.prickett@iia.org.uk
07766 280 221

Chartered Institute of Internal Auditors
info@iia.org.uk
www.iia.org.uk
020 7498 0101

Subscriptions
membership@iia.org.uk
020 7498 0101

Creative director
Nick Dixon

Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited.
ISSN 2048-8408

We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk
View from the institute

Power source: strengthening internal audit

“The success of any internal audit function relies upon having an excellent relationship and strong partnership with the audit committee, non-executive directors and senior management.”
Ian Peters, chief executive of the Chartered IIA.

If recent corporate failures have taught us anything, it is that getting corporate governance right is fundamental to the long-term success and sustainability of organisations. That is true in the case of Carillion, of BHS before it and, more recently, of Patisserie Valerie. The failures of all these companies revealed serious corporate governance deficiencies.

The presence of a strong internal audit function can play a pivotal role in ensuring organisations have a robust corporate governance framework. But as readers of this column will know all too well, the success of any internal audit function relies upon having an excellent relationship and strong partnership with the audit committee, non-executive directors and senior management.

That is why at the institute we are committed to doing all we can to support internal auditors in fostering strong working relationships with their audit committees, along with executive and non-executive directors. Engaging audit committee chairs and helping them to better understand how they can get the most from their internal audit functions and strengthen their corporate governance is therefore now a top priority for us.

One means by which we hope to increase our engagement with audit committee chairs is our new series of Presidents’ Dinners. The first of these was held in December in Westminster and was attended by audit committee chairs from FTSE 100 companies. The next is scheduled to take place at the end of March. While over the road in Parliament our MPs continued to have heated discussions about Brexit, we instead had a great roundtable discussion on the future role of internal audit in promoting good corporate governance. One of the main messages from the audit committee chairs who attended was that what they would value most highly is guidance on best practice, along with resources to help them get the most out of their internal audit functions.

We see it as vital to promote internal audit best practice, not just among those in the profession, but also among business leaders such as the ones who attended the Presidents’ Dinner in December. We are therefore delighted that, in partnership with the Institute of Directors, we have launched a new guide on how boards and audit committees can optimise their relationship with internal audit: “Harnessing the power of internal audit: a guide for audit committees, non-executive directors and senior management”.

This provides food for thought and guidance on how directors can enhance the role of their internal audit function in order to strengthen their corporate governance framework and mitigate the risk of corporate failures. It takes into account recent corporate governance upgrades, including the new UK Corporate Governance Code which came into effect on 1 January 2019.

It also takes into account the fact that in recent years the scope of internal audit has continued to change, expand and develop rapidly – with far greater focus on auditing a broader range of risks such as cyber security, workplace culture, political uncertainty and corporate communications risk – all of which featured prominently in “Risk in Focus 2019”.

In particular, audit committees and senior management need to recognise that the days when internal audit functions merely audited bread-and-butter risk areas such as financial controls, compliance and governance are long gone. Modern internal audit functions can play a far greater role in providing assurance on a plethora of new and emerging risks – indeed it is vital that they do so if the potential of internal audit is to be maximised.

I urge you to read “Harnessing the power of internal audit”, which is now available on the institute’s website. Then share it with your audit committee and senior management.

“Harnessing the power of internal audit: A guide for audit committees, non-executive directors and senior management” is available at iia.org.uk/HPIA

HAVE YOUR SAY
Post your comments about this article or any of the issues raised at auditandrisk.org.uk
View from IIA Global

Be prepared: mastering the art of conflict

“Handled poorly, even a minor conflict can escalate into a fight, and nobody wins when auditors battle with their clients.”
Richard F Chambers, president and CEO of IIA Global.

For most internal auditors, the odds are high that there will be a disagreement with management. This can be a career-defining moment: when disagreements are handled well, auditors often bring about positive change and enhance their reputations as trusted advisers. But, handled poorly, even a minor conflict can escalate into a fight, and nobody wins when auditors battle with their clients.

At the best of times, it takes courage to disagree with senior executives, but audit disagreements can be particularly challenging. Even before the discussion begins, audit clients often feel threatened or defensive. It’s a situation that demands considerable sensitivity.

Fortunately, there are several effective ways to keep client meetings on track even amid conflict. The following tips can help to ensure that audit disagreements are handled smoothly and that clients see the internal auditor as a valued partner.

• Keep it cordial.
We don’t always have to be in agreement to respect each other. In fact, it’s when we disagree that we particularly need to show that we respect our clients. We all tend to accept advice more readily when it comes from people we know and trust, and who we believe genuinely understand us. It’s never appropriate to show anger or shout during a client meeting, so keep your emotions in check and choose tact over temper.

• Seek common ground.
Even when we disagree with our clients, there is always something we can agree on. Perhaps a portion of an existing process is already working quite well, for example. Let your client know when you agree, and you will be one step closer to solving disagreements on other issues. Often, it can help if you identify points of agreement in advance, while preparing for your client meeting. After all, your goal should be to have your recommendations accepted, not to prove your client wrong.

• Ask questions.
Asking informed, intelligent questions is a great way to demonstrate that you’re aiming for a collaborative discussion, not a conflict. It shows that you want your client to share their thoughts and feelings with you. Questions can clarify divergent viewpoints, and they can help your client to take “ownership” of your suggestions.

• Do your homework.
If you know you need to discuss a controversial issue with management, be prepared to support your case with clear, compelling data and examples. If you are suggesting a change that has been implemented elsewhere in the organisation, be sure you know how well it’s working. Numbers can speak louder than words, and if other organisations have made similar changes, benchmarking might make your case more convincing. Bottom line: have all the facts before the client meeting.

• Keep an open mind.
If you’ve never changed your mind during client meetings, you probably weren’t listening objectively. Keep in mind that your clients probably have more familiarity with their processes than you do. The best solution might be the one you proposed, or it might be one proposed by the client. But, in many cases, an even better solution might be identified during an objective and collaborative discussion of alternatives.

• Accentuate the positive.
Enthusiasm matters, and it’s important to maintain a positive tone if you want to sell your ideas. Try to make it clear that your suggestions are intended to achieve what your client wants.

• Don’t go it alone.
If you know a client meeting is likely to be contentious, talk the issue over with your supervisor or team. This is particularly important for new auditors. Too many of us hesitate to bring up disagreements with management until a problem has escalated, but if you talk about potential problems, they can help you to deal with the problem before it grows.

Disagreeing with senior management is never easy. It requires us to plan our actions, watch our words and maintain emotional control. Some auditors might be tempted to avoid conflicts. But if we automatically agree with management, much of the value of internal audit’s independent viewpoint is lost. To become trusted advisers, we need to recognise when it’s important to disagree and how to do it in a strategic way. We must also strive to master the gentle art of disagreeing without being disagreeable.

For further information
Richard F Chambers writes a blog at iaonline.theiia.org/Richard-Chambers and tweets at twitter.com/rfchambers. His book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors, is available at theiia.org/bookstore
View from the top

Support: stability amid rapid change

"Civil servants are used to getting on with the job despite external pressures, but this has been unique in its complexity and the nature of its challenges."
Margaret Stephens, chair of the audit committee, Department for Exiting the European Union.

The Department for Exiting the European Union (DExEU) was created two years ago with a specific purpose to oversee negotiations to leave the European Union and establish the future relationship between the UK and the EU. It is a fairly small department, with under 800 staff, but it operates in an environment that is constantly changing.

I came on board in April 2017 when the Audit and Risk Assurance Committee was set up and made a part of the existing formal governance structures. As chair, I had to help establish the tone. From the start we knew it was important that there was open and constructive dialogue in the committee. I believe we have achieved this and that the committee is a place where people can raise their concerns frankly in a collaborative atmosphere. It really feels as if we are all working to the same ends.

The main purpose of the audit committee is to advise the permanent secretary, Philip Rycroft, that the assurance he receives is proper, complete and appropriate. He can then be confident when he answers Parliamentary questions about whether the department has the resources and the capabilities to do its job – to ensure that the UK leaves the EU in the best possible way. In most organisations this assurance would consider the risks surrounding long-term projects and plans, but we've had to be more flexible. We have to provide assurance on the department's ability to adapt and respond to rapidly changing requirements and to meet any of the scenarios that might arise.

The department’s internal audit services are provided by the Government Internal Audit Agency (GIAA), with whom I work closely. Internal audit provides assurance on "business as usual" internal controls and governance in an environment of constant change and extraordinary challenges.

The rapid changes happening around us make internal audit's work on "routine" systems and processes particularly important, and it is much appreciated by busy managers who need the confidence and stability these offer. However, the nature of the environment also means that recommendations must be pragmatic, recognising the limited lifespan of the department, where significant investment in, for example, bespoke or new systems or accommodation would not be appropriate or practical.

Given this context, internal audit has provided more of an advisory role than one may normally expect to see in an internal audit plan and has had to be more fleet of foot than in other government departments. The internal audit plan is under constant review by the audit committee to ensure that it remains responsive and relevant. Working with DExEU has given the internal audit team experiences that are proving valuable to support GIAA colleagues working with other departments affected by Brexit. These experiences and experiments with more responsive, flexible ways of working are likely to become increasingly important in more places after Brexit happens. There were already many initiatives to join up internal audit services and share insight across government – thank goodness – but Brexit has accelerated the need for these.

One of the main risks DExEU faces is its people. We have a fluid workforce and the structure of teams is regularly put under review to ensure that the department has the right capability in the right places. We have often needed different skills and capacity at various points in the past two years. This creates risks around information and physical security controls, induction and HR, and finance. The department also receives a large number of freedom of information requests and Parliamentary questions.

One thing that this role has taught me is never to worry about taking on ambitious projects – help will come when you need it. Who would have thought that it would be possible to produce all the documents and legislation that DExEU has in such a short time? It's incredible that such a small number of people could have produced so much of such high quality. Civil servants are used to getting on with the job despite external pressures, but this has been unique in its complexity and the nature of its challenges and the DExEU team has achieved this thoughtfully, openly and positively. I'm proud to have worked with them.

Margaret Stephens is chair of the audit committee at DExEU. She was formerly a partner at KPMG. For more on DExEU visit gov.uk/government/organisations/department-for-exiting-the-european-union
Additional news, features and views are posted online all the time. Go to auditandrisk.org.uk to see what’s new.

UPDATE
We round up the latest business and regulatory news to affect the internal audit profession

BSI’s three key cyber security trends for 2019

UK standard setter BSI has forecast three key emerging trends that it believes will dominate cyber security in 2019.

The first is e-privacy regulation and international standards. As organisations continue to grapple with implementing the GDPR, a new EU regulation will set additional rules to protect privacy and confidentiality in electronic communications. The ePrivacy Regulation will repeal the current ePrivacy Directive and is expected to come into force late this year. The regulation aims to guarantee the rights laid down in Article 7 of the Charter of Fundamental Rights of the EU, which guarantees the right to a private life and private communications.

The second trend is an upsurge in malware. In particular, BSI identifies Linux and MacOS, once considered to be more robust operating systems than their competitors, as another growth area for cybercrime in 2019.

Last, it warned that critical infrastructures are also likely to be subjected to more disruptive and offensive cyber attacks this year.

Read more at bit.ly/BSIcybertrends

Extended ERM set to be key priority for 2019

A recent survey by professional services firm Deloitte has shown that organisations are concerned about several extended enterprise risks, including supply chain, financial, regulatory, legal and strategic. The need for organisations to manage these areas centrally means that many are likely to make extended enterprise risk management (EERM) a priority in 2019.

In addition, nearly half (47 per cent) of respondents said that their organisations had experienced some sort of risk incident involving the use of external entities in the past three years.

The poll, “Re-establishing the perimeter: extending the risk management ecosystem”, can be found at bit.ly/enterpriserisk

AI and the future of corporate reporting

The Financial Reporting Council’s (FRC’s) research arm has published the latest in its series of reports looking at how technology might affect the production, distribution and consumption of corporate reporting. The report, “Artificial intelligence – how does it measure up?”, explains what AI is, where its use might make sense in corporate reporting and explores some of the possible and current uses for the technology.

To read the report visit bit.ly/FRCAI

CFOs in spotlight over natural disaster losses

A failure to prepare for natural hazards is leaving chief finance officers (CFOs) in the hot seat when it comes to financial losses caused by natural disasters, according to commercial property insurer FM Global.

In its latest white paper, “Master the disaster – why CFOs must initiate natural catastrophe preparedness in 2019 and beyond”, the insurer said that institutional investors want enhanced reporting of natural disaster risks. It warned that, if the CFO doesn’t take the lead in investing in reducing exposure to natural hazards, stakeholders will hold them accountable for not properly addressing the risks. The white paper also includes the viewpoints of other business risk analysts who say that the responsibilities of the CFO will increase because of concerns about climate change risk and disclosure.

Read the paper at bit.ly/FMglobalnaturalhazards

Accenture puts cost of global cyber crime at US$5.2trn

Companies globally could incur US$5.2trn in additional costs and lost revenue over the next five years because of cyber attacks, according to a report by consultancy Accenture.

Based on a survey of more than 1,700 CEOs and other C-suite executives around the world, the report, “Securing the digital economy: reinventing the internet for trust”, says that the high-tech sector faces the highest risk, with more than US$753bn hanging in the balance. Next at risk are the life sciences and automotive industries, with US$642bn and US$505bn at risk, respectively.

The report also found that three-quarters of respondents believe addressing cyber security challenges will require an organised group effort, as no single organisation can solve the challenge on its own. With heightened concerns about internet security, more than half (56 per cent) of executives would welcome stricter business regulations imposed by a central organisation or governing body.

The rapid emergence of new technologies is creating additional challenges. Four in five respondents admitted that their organisation is adopting new and emerging technologies faster than they can address related cyber-security issues, with three-quarters noting that cyber-security issues have escaped their control because of new technologies such as the internet of things (IoT) and the industrial internet of things (IIoT). A majority (80 per cent) also said that protecting their companies from weaknesses in third parties is increasingly difficult.

Read the report at bit.ly/accenturecyberrisk

Three papers on risk analysis

The Society for Risk Analysis (SRA) has published three documents aimed at advancing the science of risk analysis. These cover the core subjects and key principles of risk analysis and provide a glossary of risk-related terminology to support research and practices for all types of applications.

Read the documents at bit.ly/SRApapers

Executives urged to prioritise large risks and align relevant personnel

Company executives are not adequately identifying and preparing for risks that can have potentially catastrophic implications on business operations, according to the annual global survey of company executives by consultancy DuPont Sustainable Solutions (DSS).

The findings of the DSS 2018 global operations risk management survey showed that executives are not placing sufficient emphasis on risks that can lead to large-scale incidents. Instead, they are looking at the rate at which low-level risks are dealt with, which is leading to a false sense of security.

The researchers also found that executives are addressing gaps in risk management processes by adding more processes, and that boards feel that there is a “disconnect” among personnel in managing risk. For example, a quarter of surveyed executives felt that front-line personnel are not aligned on top risks facing the company. More than half (55 per cent) do not feel that their senior executives are fully aligned about the top risks facing the organisation.

Find out more at bit.ly/dupontsustainablesolutions
REPORTAGE

Cambridge Global Risk Index 2019

The Cambridge Centre for Risk Studies’ 2019 Global Risk Index quantifies the impact of future shocks to the world’s economy, represented by the most prominent cities – which together account for 41 per cent of global GDP. The index quantifies the risk to economic output from 22 types of threats, providing risk estimates as a standardised metric for 279 cities. Highlights in the 2019 update include the continued rise of cyber attacks, the likelihood of continued commodity price volatility and sustained levels of high risk from geopolitical events and financial crises. The resulting overall “GDP@Risk” cost for 2019 is $577bn or 1.57 per cent of the 2019 GDP. This is an increase of 5.59 per cent from last year’s index. The 2019 update shows a uniform rise in GDP@Risk across all the 279 world cities that make up the index and more significant increases in risk for some urban centres.

Financial stability
Global financial stability is improving because of higher capital requirements under Basel III, but risk appetite has also increased because of a positive global growth outlook coupled with a low interest rate environment. Financial vulnerabilities continue to accumulate owing to low interest rates and volatility. Leverage in the non-financial sector has risen in major economies. Canada, China, Sweden and Ireland have credit of more than double their GDP.

Solar storms and power outages
August and September 2018 were particularly active months for geomagnetic storms following increased activity on the sun. The solar cycle is exiting a solar minimum and we are likely to see an increase in the number of sunspots and consequently a higher risk of solar storms within the next three years.

Cyber attacks
The cyber threat continues to develop at a rapid pace. Cyber attack loss severities are increasing with several recent attacks showing the potential for systemic impacts with global reach… The SWIFT banking system remains vulnerable to hacks, with $13+ million stolen in May and again in August.

Health and humanity
A challenge in the health and humanity outlook is the effect of anti-microbial resistance (AMR)… AMR is a serious threat in all parts of the world, including the developed parts with otherwise strong healthcare systems. Anti-microbial infections kill 55,000 people each year in Europe and the US, with global deaths estimated to be 700,000. According to the Review on Antimicrobial Resistance, 300 million people are expected to die prematurely because of drug resistance over the next 35 years and the world’s GDP will be 2 per cent to 3.5 per cent lower than it otherwise would be in 2050.

Natural catastrophes
Natural catastrophe risks together inflict the most damage to the global economy, with tropical windstorms (3rd), floods (5th) and earthquakes (8th) as the most financially damaging types. The increase year-over-year is mostly owing to the growth in GDP of the cities exposed to natural catastrophes… Natural catastrophe risk makes up 40 per cent of the total loss [for 2019] with man-made risks accounting for the remaining 60 per cent.

Climate
Extreme heatwaves affected much of the northern hemisphere during the 2018 summer. In the UK, the Met Office declared it the joint hottest year on record together with 1976, 2003 and 2006. This event has drawn comparison to the European heatwave of 2002, which resulted in over 70,000 deaths across the continent. Japan also saw an unprecedented heatwave, with 35,000 people hospitalised following record temperatures of 41°C. Karachi, Pakistan, saw temperatures soar to 45°C in April. If temperatures continue to rise, parts of South Asia may become uninhabitable by the end of the 21st century.

Top three classes of threats by size of potential impact
1 Natural catastrophes: GDP@Risk of $174bn
2 Financial, economic and trade: GDP@Risk of $149bn
3 Geopolitics and security: GDP@Risk $140bn

The top 15 threats
1 Market crash $108.7bn
2 Interstate conflict $83.3bn
3 Tropical windstorm $65.6bn
4 Human pandemic $49.9bn
5 Flood $46.5bn
6 Cyber attack $39.7bn
7 Civil conflict $39.2bn
8 Earthquake $35bn
9 Commodity price shock $22.4bn
10 Sovereign default $18.2bn
11 Terrorism $10.6bn
12 Drought $9.3bn
13 Plant epidemic $8.4bn
14 Power outage $7.8bn

Top ten cities by GDP@Risk and threat
(City, GDP@Risk, Top threat)
1 Tokyo, $26.01bn, Interstate conflict
2 New York, $15.69bn, Market crash
3 Manila, $13.87bn, Tropical windstorm
4 Istanbul, $13.35bn, Market crash
5 Taipei, $13.01bn, Tropical windstorm
6 Osaka, $12.29bn, Interstate conflict
7 Los Angeles, $11.68bn, Earthquake
8 Baghdad, $9.88bn, Interstate conflict
9 London, $9.15bn, Market crash
10 Shanghai, $9.05bn, Tropical windstorm

The position of cities on the risk list indicates a large annual GDP output (hence the potential, even if unlikely, for major losses), and exposure to particular shocks associated with the geography and type of economy of each city. The GDP@Risk is mediated by each city’s ability to limit the impact (or to protect itself against shocks) as well as its ability to recover from them.

Cities ranked by % GDP change since 2018-19

Top 5
1 Tripoli, Libya
2 Bangalore, India
3 Hyderabad, India
4 Surat, India
5 Chennai, India

Bottom 5
1 Caracas, Venezuela
2 Maracay, Venezuela
3 Maracaibo, Venezuela
4 Buenos Aires, Argentina
5 Konya, Turkey

The Global Risk Index 2019 is compiled by the Cambridge Centre for Risk Studies, The University of Cambridge Judge Business School. Visit Bit.ly/Cambridgeriskindex2019 for details
Audit & Risk Awards 2018

And the winners are...

The Audit & Risk 2018 Awards winners were announced and celebrated at an event hosted by PwC in London on 5 December. The awards were presented by Paul Manning, president of the Chartered IIA.

Photo captions
Opposite page middle and below: Lloyds Banking Group won Best Use of Technology; AIB’s Gareth Cronin won Inspirational Leader.
This page clockwise from top left: John Lewis Partnership won Outstanding Team Private Sector; Daniella Cohen from RSM UK was the Best Newcomer; AuditOne was highly commended for Best Use of Technology; Quilter Plc won Outstanding Team Financial Services Sector; the venue; Howdens won Best Innovation in Training and Development.
Congratulations to the winners of the fourth annual Audit & Risk Awards. The number and quality of nominations for the awards continues to increase and it was exciting to find out about so many innovations, excellent examples of best practice and inspiring teamwork. As in previous years, the high standard meant that the judges had long and interesting debates before they reached their final decisions – which was why they also agreed to award highly commended certificates to four teams in three categories.

The winners were revealed at an event hosted by the awards’ sponsors, PwC, in London. Shortlisted nominees and judges applauded as Paul Manning, president of the Chartered IIA, presented them with their awards. Manning praised the high standard of this year’s entries and emphasised that all the shortlisted nominees had shown exemplary performance and demonstrated talent, inspiration, hard work and best practice.

Watch out for news about the 2019 awards in the May/June issue of Audit & Risk.

“Through the Audit & Risk Awards, the institute is seeking to recognise the best and celebrate excellence throughout the profession. It is a key priority for us to grow a greater sense of professionalism within internal audit and, in addition to these awards, the institute has initiatives to support internal auditors at every level. These include harnessing new talent through our apprenticeship scheme, developing existing talent through education, and sharing knowledge and thought leadership from experienced internal auditors.”
Paul Manning, president of the Chartered IIA

The judges

Ralph Daals, group chief auditor, RSA Group
Before being appointed group chief auditor at RSA in 2015, Ralph Daals was chief auditor at RSA in the UK and Western Europe. He joined the company in 2014, after leading Deloitte UK’s internal audit services to the insurance company. Previous posts included senior audit positions at Aviva and Arthur Andersen.

Mark Ripley, risk and assurance director, BUPA
Before taking on his current role as the risk and assurance lead across central government, Mark Ripley was DWP group chief internal auditor and a director in the Government Internal Audit Agency (GIAA). Previous roles included heading up internal audit at the government body responsible for housing association investment and regulation, and senior manager at Arthur Andersen.

Liz Sandwith, chief professional practice adviser, the Chartered IIA
Liz Sandwith spent 13 years as head of internal audit at Channel 5, followed by five at Ministry of Justice as head of assurance, risk and compliance and head of internal audit operations. She has worked with the Information Commissioner’s Office and the Electoral Commission and local authorities. She was Chartered IIA president in 2000-2001.

Geraldine Rutter, PwC partner
Geraldine Rutter sits on the PwC internal audit leadership team and leads PwC’s commercial internal audit service offering in the regions. She is head of internal audit for a number of organisations and leads internal audit co-source partnerships for FTSE 250 companies.

Ruth Prickett, editor, Audit & Risk
Ruth Prickett has been editor of Audit & Risk magazine since 2010. She was previously editor of Financial Management, the magazine for the Chartered Institute of Management Accountants.

Inspirational Leader

Winner
Gareth Cronin, chief audit officer, Allied Irish Banks

What the judges said:
“I looked for the person I would most like to work for and that person was Gareth.”
“AIB’s ‘One Simple Thing’ initiative would be easy to implement in most organisations, but it was clearly extremely effective.”
“I was looking for a leader who stepped beyond the boundaries of internal audit and was clearly making a difference in the broader organisation.”
“AIB’s ‘50 n 5’ programme is catchy and a good way to attract attention – and it clearly has strong support from the bank’s people officer.”
“Gareth demonstrated the way in which the independence of the internal function can give a strong leader the chance to try to do things a bit differently and experiment in a way that may be more difficult in other parts of the organisation.”
Innovation in Training and Development
Winner: Howdens Audit & Risk Team

What the judges said:
“I liked the way in which Howdens is putting emotional intelligence centre stage.”
“Howdens’ focus on soft skills shows that they have recognised that these are going to be what sets organisations apart in the future, as robotics and computers become ever more prevalent for analysis and transactions.”
“This wasn’t just about getting people through their exams, but about creating better auditors.”
“This sends a good message to and about the development of the profession.”

Highly commended: Assurance Lincolnshire
“Assurance Lincolnshire told a great story about inspiring people and getting young people interested and excited in internal audit as a career choice.”

Highly commended: Barclays Internal Audit Team
“It was interesting to see the way in which Barclays is going into customer organisations and working with them, as well as just with their own business.”

Best Use of Technology
Winner: Lloyds Banking Group, Data Analytics Team, Group Internal Audit

What the judges said:
“Lloyds is moving away from the model of having a small group of data analytics experts to rolling out training to everyone in the audit team. It’s good to see data analytics on the way to becoming business as usual for the whole team.”
“Lloyds provided clear evidence of a culture change.”
“There were a number of good examples of the increasing use of data analytics within the shortlisted teams, but Lloyds stood out because of their success at achieving cultural change, alongside some genuine innovation in their use of technologies.”

Highly commended: AuditOne
“AuditOne provided strong evidence of success – for example, the way in which they survived the WannaCry virus attack and cut the time taken to produce performance reports from five hours to 90 minutes.”
“AuditOne shows how some technological improvements can be cheap and easily replicable in other places – it might not be cutting edge or sexy, but it’s a good example of making generic technology work in the best way possible for their needs without breaking the budget.”
Outstanding Team: Financial Services sector
Winner: Quilter Plc, Group Internal Audit

What the judges said:
“Quilter has been through massive changes, but it was clear that the internal audit team is seen as being at the forefront of change, not just servicing changes made elsewhere because they had to.”
“Great endorsements.”
“It was good to hear that challenges by internal audit persuaded the organisation to drop an IT initiative that wasn’t working and replace it with a better one, despite the cost. This was brave and demonstrated that internal audit’s warnings are listened to and acted upon.”

Outstanding Team: Private Sector
Winner: John Lewis Partnership Internal Audit Team

What the judges said:
“The focus on culture was clear and it was good to see an FD talking about behaviour rather than financial results.”
“John Lewis offered clear examples of where they had made a difference – for example, the work of internal audit on a sensitive issue that had required empathy and clarity of thought.”
“I liked hearing management say that the auditors told them not what they wanted to hear, but what they needed to hear.”
Outstanding Team: Public Sector
Winner: HMRC Internal Audit Team

What the judges said:
“In addition to continuing to develop and implement good practice processes, HMRC provided some very strong endorsements from their most senior stakeholders that demonstrate the value that the team adds to the organisation as a whole”.
“HMRC presented some very strong endorsements from the most senior and important people.”
“It’s always good when your audit committee chair says that they have borrowed some of your practices and recommended them to other internal audit teams.”

Highly commended: Assurance Lincolnshire
“I liked the focus on ethics at Assurance Lincolnshire.”
“Assurance Lincolnshire is doing interesting things with voting software, visualisation and infographics.”

Best Newcomer
Winner: Daniella Cohen, RSM UK LLP

What the judges said:
“This nomination provided clear evidence of Daniella’s initiative and professionalism, along with good feedback from both managers and auditees.”

Honorary mention: RBS Behavioural Risk Team
The judges felt that the work of RBS’s Behavioural Risk Team didn’t fit the criteria for an internal audit team, since its members were not internal auditors – but they felt that its work offered a highly innovative vision of the kind of area that internal audit could move into more in the future. The development of this team is very experimental and, although this sits in a large, well-funded internal audit team, smaller teams could learn from RBS’s experiences and adopt some of the ideas.
Raising the bar

UK corporate governance is set for change: recent months have seen the publication of the Wates Principles, which establish a new code for large private companies, and a scathing indictment of the Financial Reporting Council by Sir John Kingman. Further reviews of the audit profession are in progress.

Words: Brendan Scott

The public collapse of retailer BHS and outsourcing group Carillion two years later are held up as two of the biggest failings of corporate governance in the UK in recent memory. Although entirely separate, the incidents share similarities: many commentators believed the signs of potential failure had been obvious for many months, both failures saddled the pensions regulator with huge liabilities, and both featured either the gross negligence or willful ignorance of auditors.

There was one major distinction between the two cases, however. Carillion, a FTSE 100 company, was publicly listed and therefore required to abide by the UK Corporate Governance Code on a comply-or-explain basis; BHS, a private company, had no such obligation.

The treatment of private companies, as distinct from publicly owned companies, from a corporate governance standpoint is beginning to change. Under the Companies (Miscellaneous Reporting) Regulations 2018, large companies, public or private, must now produce a Section 172 Statement in their annual reports outlining how the board is discharging its duty of promoting the success of the company, while also respecting a number of wider interests. These interests include having regard for the likely consequences of their decisions in the long term; the interests of employees; the need to foster relationships with suppliers, customers and others; and the impact of operations on the community and the environment.

BHS would have been well above the regulations’ threshold – “large” companies are defined as firms that meet at least two of three criteria: turnover in excess of £200m, a balance sheet worth more than £2bn, and more than 2,000 staff. It is estimated that there are at least 1,700 private firms in the UK today that fit this profile.

A matter of principles

In addition to their legal obligation to produce an annual corporate governance statement, large private companies are now being encouraged to adopt the newly introduced Wates Principles (see box on opposite page). These are intended as a voluntary guide that should help larger firms to improve their corporate governance. As such, they are applicable to all private companies over a certain size (see above), whereas the main UK corporate governance code, which has been updated for accounting periods after January 2019, covers premium listed companies.

Published in December 2018 by the Financial Reporting Council (FRC), the auditing and accounting watchdog, the principles were drawn up following a public consultation which the Chartered Institute of Internal Auditors was invited to contribute to last summer. Gavin Hayes, head of policy and external affairs at the Chartered IIA, says the resulting guidance is a good start, but he believes that in future it could go further.

“In the original guidance consulted on over the summer, it directly referenced internal audit and talked in more detail about the need for internal control systems to manage risks,” says Hayes.

“While the final guidance does mention the need for robust internal processes to ensure systems and controls are operating effectively, it is less detailed than it was in that respect. In an ideal world, it would have been good to have seen more detailed guidance in the final version in terms of what large private companies should be doing to ensure that they have a strong corporate governance framework – particularly more on the important role of internal audit functions. Nonetheless, we believe the principles themselves are a positive step forwards in strengthening the framework for large private companies and we welcome their introduction. As when the UK Corporate Governance Code was first introduced, we hope that over time the Wates Corporate Governance Principles will be further developed,” he says.

One of the most notable differences between the existing code for publicly listed companies and the new Wates Principles is that, under the former, companies have a statutory requirement to establish an audit committee on a comply-or-explain basis. The new rules, while mentioning in general terms that committees may be used by the board for a number of reasons, including assessing risk, leave this voluntary.

The Chartered IIA does not believe there should be any strict enforcement mechanism if a company does not apply the new principles, as this may dissuade them from agreeing to comply in the first place, but it raises questions about the effects of a voluntary code in practice. Moreover, any debate about how the FRC should monitor compliance may be moot, since it is not clear whether the watchdog will continue in its current form.

“Toothless and useless”

In April 2018, the government launched a review of the role and powers of the FRC, essentially seeking an independent view on whether the regulator was fit for purpose, after MPs on a select committee branded it “toothless and useless” in the wake of Carillion’s collapse.

The review, led by Sir John Kingman, concluded in December 2018 and found that the FRC is “an institution constructed in a different era – a rather ramshackle house, cobbled together with all sorts of extensions over time. The house is – just – serviceable, up to a point, but it leaks and creaks, sometimes badly… It is time to build a new house.” Kingman recommended that the FRC be replaced by a new regulator: the Audit, Reporting and Governance Authority, or Arga.

The Chartered IIA made a number of radical proposals in its contribution to Kingman’s public consultation, many of which were adopted in Kingman’s final recommendations. For instance, the regulator currently has a number of core functions including reviewing UK accounting standards, monitoring adherence with the corporate governance code and overseeing external audit. But it also has extraneous roles, such as overseeing the Institute & Faculty of Actuaries and various chartered accountancy bodies, that the Chartered IIA advised should be abandoned for greater clarity of purpose. This sharpening of the FRC’s focus is one of the Kingman Review’s key recommendations.

The institute also submitted to the Kingman Review that the FRC should be put on a statutory footing, possess greater enforcement powers and take a more proactive approach to its work, including sanctioning directors for misconduct. Again, this proposal featured in the independent inquiry’s final report. “Such an approach would help in terms of identifying corporate governance deficiencies, the whole issue being that the FRC only seems to identify problems after they’ve occurred. It’s about preventing incidents before they happen,” says Hayes. “There were a number of red flags at Carillion that should have set alarm bells ringing long before its collapse. That raises fundamental questions about the way in which the FRC operates.”

Audit vs non-audit

Another of Kingman’s proposals is for the FRC to be given a statutory duty to keep the external audit market under review and report on pricing and the extent of any cross-subsidy from consultancy work. This stems from the fact that the “big four” professional services firms – KPMG, Deloitte, EY and PwC – audit 97 per cent of FTSE 350 companies, but more than 75 per cent of their revenue comes from non-audit assignments. This inevitably leads to these firms relying on lucrative work from clients whose accounts they are meant to inspect independently.

It is this perceived conflict of interest within external audit, as well as a lack of competition in a market dominated by just four operators, an issue addressed in a separate but related review by the Competition and Markets Authority (CMA), that has attracted the most media attention and criticism in Parliament.

“It’s certainly the perception that there are conflicts of interest, but if you look at the EU SATCAR Regulations which came into effect in 2016, the rules are fairly strict in terms of helping to avoid potential conflicts of interest,” says Hayes.

“For example if one of the big four professional services firms is providing the external audit of a company, they cannot also then provide unlimited non-audit services to the same company, and that includes the provision of internal audit among other services. Nonetheless, I think there could be value in strengthening the existing SATCAR regulations – for example one option could be a blanket ban on all non-external audit services, including for up to two years after the external audit contract has ended,” he suggests.

Mid-sized audit firms BDO and Mazars have spoken out against the limitations of the SATCAR rules on the capping of non-audit services. Certain big four firms have been accused of pushing the boundaries on what is permitted and their smaller competitors have called for stricter limits and the possible adoption of joint audits that involve two or more firms and cross-reviews of each other’s work, thereby improving objectivity.

Demands for a more competitive audit market in which this conflict of interest is sufficiently mitigated may well be granted. A key proposal in the CMA’s recently published findings is that audit and non-audit services within professional services firms should be ring-fenced, a recommendation that has the full and public support of the Chartered IIA.

What next?

The Business, Energy and Industrial Strategy (BEIS) Committee Future of Audit Inquiry, launched in November, will now assess the probable impact of the CMA study and the Kingman Review on improving quality and competition in the audit market and reducing conflicts of interest. As part of this inquiry the BEIS Committee requested written evidence, which the Chartered IIA has submitted in early January. In its submission, the institute stressed the importance of the CMA’s and Kingman’s proposals, highlighting where they mirrored the institute’s own recommendations.

In a further development, the government announced the launch of Project Flora immediately after the conclusion of the Kingman and CMA inquiries in December. This is a review into UK audit standards, led by Donald Brydon, outgoing chairman of the London Stock Exchange. Its purpose is to determine whether external audit should evolve to meet the needs of investors and other stakeholders. It will examine how auditors verify the information they sign off, how to manage any gap between what audit can and should deliver, and what the public’s expectations of audit are, taking into account changing business models and new technology.

The overarching theme is that companies are being held to a higher standard than ever before. From the soundness of financial reporting and the auditing of those reports, to the culture and values that companies live by, corporate governance is now one of the government’s top priorities.

This means that internal audit has never been more necessary as a means for evaluating, promoting and improving the effectiveness of this governance. The institute has to – and will continue to – drive this point home and shape relevant public policy at every opportunity.

Further reading:
The updated UK Corporate Governance Code, effective from January 2019, is at bit.ly/corporategovernanceupdate
Sir John Kingman’s final report and the CMA market study are available at bit.ly/Kingmanreportfindings and bit.ly/CMAmarketstudy

The Wates Principles

James Wates CBE, author of the Wates Corporate Governance Principles for Large Private Companies, has said the voluntary code should be seen more as a guide than a diktat. “[The principles] are a tool for large private companies that helps them look themselves in the mirror, to see where they’ve done well, and where they can raise their corporate governance standards to a higher level,” he said on their publication. The principles are:
• Purpose and leadership – an effective board develops and promotes the purpose of a company and ensures that its values, strategy and culture align with that purpose.
• Board composition – effective board composition requires an effective chair and a balance of skills, backgrounds, experience and knowledge, with individual directors having sufficient capacity to make a valuable contribution. The size of a board should be guided by the scale and complexity of the company.
• Board responsibilities – the board and individual directors should have a clear understanding of their accountability and responsibilities. The board’s policies and procedures should support effective decision-making and independent challenge.
• Opportunity and risk – a board should promote the long-term sustainable success of the company by identifying opportunities to create and preserve value and establishing oversight for the identification and mitigation of risks.
• Remuneration – a board should promote executive remuneration structures aligned to the long-term sustainable success of a company, taking into account pay and conditions elsewhere in the company.
• Stakeholder relationships and engagement – directors should foster effective stakeholder relationships aligned to the company’s purpose. The board is responsible for overseeing meaningful engagement with stakeholders, including the workforce, and having regard to their views when taking decisions.
• Full guidance supporting the principles can be found at bit.ly/Watesprinciplesguidance

Harnessing the power of internal audit: a guide for audit committees, non-executive directors and senior management

The Chartered IIA’s governance guide “Harnessing the power of internal audit” is aimed at non-executive directors and senior managers, but it is also useful for heads of internal audit. It lays out eight key questions to enable stakeholders to understand where they need to focus their governance and internal audit improvement efforts so they are prepared for the challenges ahead.

The eight key questions are:
1 What is internal audit’s role and mandate?
2 What is internal audit’s scope? This considers emerging risks in areas such as: workplace corporate culture; data privacy and cyber security; communications, risk and reputation; political uncertainty; automation and digitalisation.
3 How should internal audit be resourced? Does internal audit have the capacity to do the amount of work required of it? Does it have the capability to do the work well in terms of skills and knowledge? Is the audit team suitably qualified?
4 What is the relationship between the audit committee and internal audit?
5 Are all risks being managed? This looks at assurance mapping and the relationship with regulators and audit committees.
6 How should internal audit’s recommendations be monitored?
7 How should internal and external auditors work together?
8 How should the quality of internal audit’s work be assessed?

“Harnessing the power of internal audit” is at iia.org.uk/HPIA
Grey matters

Employee mental health problems are still not addressed as openly and supportively as physical ill-health issues. But more companies are now proactively addressing mental health at work, and the good news is that there are simple things all organisations could do.

Words: Neil Hodge

Poor mental health costs employers between £33bn and £42bn a year. And the problem is growing: according to the Office for National Statistics’ UK Labour Force Survey, the number of sick days taken because of mental health problems increased from 13 million days in 2010 to 15.8 million days in 2016, accounting for nearly one in eight of all work days lost to ill-health. Among the most common causes of stress and mental illness are financial worries, followed by job pressures, relationships and health.

There is undoubtedly still a stigma attached to discussing mental health problems in the workplace, and organisations vary wildly in their response to the issue. Research suggests that there is a lack of practical support and understanding about how to deal with the issues, as well as a lack of accountability among line managers, in particular, who often feel that it is not their responsibility.

Recent research by professional skills provider City & Guilds Group, called “Leading 24/7 in a digital age”, found that just ten per cent of businesses treat the psychological safety of their workforce as a priority, despite the fact that 94 per cent of employees regard such welfare as “important”. The survey found that over two-fifths (43 per cent) of senior management expect HR to deal with the psychological safety of employees at work, while over half of employees (56 per cent) believe line managers and senior management should take the lead. The research also found that one in five firms would take action only once a psychological safety issue had already arisen, while a similar percentage of senior management (22 per cent) said they would take action only after a high-profile press incident.

Given these findings, it is unsurprising that three-quarters of employees think it is “uncomfortable” to talk about mental health in the workplace. According to research released in January by recruitment consultancy Robert Walters, called “The importance of mental health strategies in attracting top talent”, reasons include anxiety about how they might be perceived by co-workers (82 per cent); concern it might harm their career prospects (78 per cent); embarrassment (76 per cent); and fears they would not be trusted with more responsibility (69 per cent). Fewer than a quarter (23 per cent) “strongly agree” that attitudes towards mental health at work have changed recently.

“Two-fifths of highly stressed workers say that they were disengaged in their role as a result.”

According to 80 per cent of employees surveyed, fostering an open culture would make an overwhelming difference. However, only a third of senior management felt the same way.

Many organisations (and most large employers) have some kind of wellbeing strategy in place to support employees, such as confidential 24-hour phone lines and counselling.