2024 Audit&Risk_issue Jan.Feb

The January/February 2024 issue discusses the importance of internal audit in helping businesses collect auditable data for sustainability efforts. It features insights from leaders in the field, including the introduction of Global Internal Audit Standards and highlights from NEOM's innovative internal audit team. The document emphasizes the need for internal auditors to engage with their profession and explore career opportunities while contributing to organizational growth and transparency.

Uploaded by

mariyana

Issue 75 | January/February 2024

Count the carbon


Why internal audit must help businesses
collect auditable data

A&R Awards 2024: Nominations close 31 January
FRONT

2 View from the institute: From the Chief Executive.
5 View from the top: From Jason Davies, Chief Internal Audit Officer at NEOM.
8 Outside the box: If you ask one question this week, make it this one.
11 Update: The latest news affecting the profession.
18 Reportage: Key findings from the Chartered IIA’s “Supply Chain ESG Risks: Harnessing the Potential of Internal Audit”
21 Audit & Risk Awards: Nominations are open – nominate before 31 January.

FEATURES

24 A mission for more: Sandro Boeri, President of the Chartered IIA, discusses his key ambitions for the year ahead.
29 Raising the bar: What will the new Global Internal Audit Standards mean for you?
35 Division vision: Award-winning internal audit at The Central Bank of Ireland.
41 Count the carbon: How internal audit can help sustainability teams understand auditable data.
47 Valued worldwide: Why governments and organisations across the world value internal audit skills.
52 Tools for the job: Why it’s time to re-examine root-cause analysis.

MEMBER MATTERS

58 Training: What will you learn this year?
61 Q&A: Your questions answered.
64 Events: What’s on across the UK and Ireland?

Supply chain, outsourcing and “nth”-party risk ranked 8th in the Chartered IIA’s Risk in Focus 2024 survey (page 18).

For support and guidance on all topics visit the Chartered IIA’s Community Hub.
View from the Institute

Growth: building on strong foundations


“At the Scotland Conference last year, I saw an
apt quote by Ginni Rometty, CEO of IBM: ‘Growth
and comfort do not co-exist’. However, change
is also exciting and opens doors to new projects
and opportunities.”
Anne Kiem OBE is CEO of the Chartered IIA.

Happy new year. It is hard to believe that I became CEO of the Chartered IIA
a full year ago. The time has flown by and I have learnt so much about the
profession and I have met many of our amazing members. It’s gratifying
to see that we have achieved many of the things we set out to do, even if some
of our progress so far has been inward-looking – a wide-ranging restructure and
establishing the foundations for better IT capability and new website. These are
the underpinnings of success that will enable everything we want to improve in
future for our members. As I have said many times, and I hope it
will be evident by what we do, our focus is our members. We
exist because of, and for, our members.

In the past year, we (the Council, the staff team and I)
have examined everything we do and asked how we
can make it better and fit for the future. This inevitably
means change, which can be uncomfortable. At the
Scotland Conference last year, I saw an apt quote by
Ginni Rometty, CEO of IBM: “Growth and comfort do
not co-exist”. However, change is also exciting and
opens doors to new projects and opportunities.

One big change this year is the introduction of the
Global Internal Audit Standards (see page 29).
These will inform and guide the direction of
internal audit and the work that internal auditors
do for many years to come. They are a key
element of keeping the profession relevant
and developing what our members offer to
the organisations they work for. Following
on from that, we are also revising our
codes of practice.

Behind the scenes, and importantly for our future, we have put a lot of effort
into our lobbying activities. The audit reform bill has not yet materialised, but it
is still on the agenda and it is important that the internal audit profession has a
voice that government and regulators are aware of and listen to. This has been
developing over many years, but the opinion of the internal audit profession is
now sought and really matters.

This benefits the reputation and status of the whole
profession and is the main reason why I said last
year that the institute needs to engage with – and
listen to – all our members. Among other things, we
are planning a membership survey to hear the views
of all our members. We want all our members to
engage with us and we want to attract more people
to join us.

Excellent work done by professionally accredited internal auditors gives the
institute a stronger voice at all levels. Collectively, we are much stronger than
individually – and the stronger we are, the more people will hear about us and
appreciate our value.

This is why the highlights of the past year for me personally have been the
Internal Audit Conference, the Scotland Conference, the Wales Conference
and the Ireland Conference. These were my chance to meet members from all
four nations and beyond and learn what they think about the profession and the
challenges it faces.

I have been particularly struck by the passion that internal auditors feel for their
work. This is wonderful and not common in all sectors. When I attended IIA Global
events, I was also delighted to discover how much respect the Chartered IIA
enjoys internationally. We are one of the largest and most active institutes and
the work done by our members in the UK and Ireland is highly regarded.

It is therefore good to see our relationship with the European institutes and with
IIA Global growing and developing. We need to work together because we all want
the same thing – a strong profession that is recognised for the value it adds.

So, as we start 2024, I would like first to thank the Council and staff and everyone
else who has supported the Chartered IIA over the past year – as well as all those
who have helped me personally to understand the profession and get a feel for
what members do and what they want from us.

In the coming year, we will build on what we have already begun. There is work to
do on the new Global Internal Audit Standards and we will continue our review of
what we do and how we work.
I am looking forward to this –
especially since so much more
will be possible once we have
the IT to support us. This is
critical. Not only will it transform
the experience of members
accessing our resources, but
we will be able to devote
more time to providing what
members want.

I am also looking forward to this
year’s conferences, beginning
with the Wales Conference this month, and to the Audit & Risk Awards event
in June. Nominations are open until 31 January, so there is still plenty of time to
celebrate excellent performance and nominate an individual or a team. We also
have two new technical reports on supply chain risk and ESG and many more
in the pipeline to address the key risks members highlighted in our annual
Risk in Focus research.

The year ahead will undoubtedly be challenging in many ways, but the stronger
foundations we have built in 2023 have put us in a better position to seize
opportunities and focus on growth. Engagement is an essential part of this. I
hope to speak to many more members this year and want you to talk to us, tell us
what you want and help us to develop and progress. We will listen.

View from the top

Innovation | building a new internal audit team from scratch
“From day one, NEOM IA (NIA) was clear that its
purpose is ‘to protect NEOM’. Wherever possible, this
must be done as partners – not to catch people out.
We are there to guide and be the conscience of the
business wherever needed.”
Jason Davies is Chief Internal Audit Officer at NEOM, one of the Giga
Projects redeveloping Saudi Arabia.

The name NEOM is a combination of the Greek and Arabic words “NEO”
and “Mustaqabal” to form NEOM – “New Future”. When I was first
approached to take on the role of Chief Internal Audit Officer at
NEOM, the initial challenge was simply to comprehend the scale and breadth
of the ambition.

NEOM is a cornerstone of VISION 2030, which sets bold targets
and plans for the Kingdom of Saudi Arabia (KSA). The
objective is to develop a new economic and industrial
zone in an area the size of Belgium in the north west of
the Kingdom. There will be 14 industry sectors, each
developed differently – 95% of the land will be nature
reserve, all energy will be renewable and there will be
no cars. NEOM is within a four-hour flight for 40%
of the world’s population, and 13% of global trade
passes by the deep water port being developed at
Oxagon, via the Red Sea and Suez Canal.

I arrived in KSA in August 2020, in the middle of the
Covid crisis, tasked with developing the internal audit
vision, strategy and team to support this ambitious
project. The traditional internal audit playbooks
were not fit for purpose here – we had to be
bold and innovative. The opportunity to
build on the experience I had gained as
Chief Audit and Risk Officer at Tesco
and, before this, as a partner at
Deloitte, was daunting but exciting.

In 2020, NEOM already employed people from over 60 countries and this figure
has since risen to almost 100. Establishing trust with colleagues who have a
variety of perspectives on the value and role of internal audit was essential. Sir
Dave Lewis, former CEO of Tesco, had turned me into an evangelist for the power
of trust and transparency to help teams grow, prosper and deliver at speed.

And speed was vital because the ambition and pace of NEOM drives a delivery
culture. Two data points show the scale of this ambition – NEOM will source over
150 million tonnes of structural steel (enough for 221 Eiffel Towers) and, at its
peak, NEOM will employ over 300,000 construction workers.

From day one, NIA was clear that its purpose is “to protect NEOM”. Wherever
possible, this must be done as partners – not to catch people out. We are there
to guide and be the conscience of the business wherever needed. In the early
months, developing a team that listened more than it talked and focused on
helping rather than assuring was key.

This commitment to transparency was one of two pillars of success in the first
three years. The second was the prioritisation of talent development in every
decision. Vision 2030 set clear ambitions for KSA to develop young talent and it is
at the heart of the NIA strategy and vision. We are developing the next generation
of KSA business talent, not “just” internal auditors. All our strategic and
operational decisions have “skills/capability/development” as a lens to inform
the decision.

One example of this is our “wise owl” model of co-sourcing, which involves
bringing global experts into NIA on a contractual basis to help us develop our
talent rapidly. Peter Terium, former CEO of RWE, leads our energy business
ENOWA. I also brought in a retired head of programme assurance at EY (then
PwC), who had extensive experience in the energy sector, for a set number of
days. The business benefited and it had an immense impact on the development
of young KSA talent.

In 2023 we were shortlisted in both the Outstanding Apprentice and Best
Innovation in Training and Development categories of the Audit & Risk Awards
and we attended the Chartered IIA’s Awards event in London. In both categories,
we were runners up to Lloyds Banking Group, which was established 300 years
ago. This was an incredibly proud moment for NEOM and for NIA. It shows how
much progress and value can be delivered at speed with the right approach.

Our nominee for Outstanding Apprentice, Omar Almoallim, is now on
secondment to McLaren in its Technology and Analytics team. This year we will
also begin developing a Center of Excellence for Data Analytics with NEOM GRC.

NIA has grown from one to 80 people in three years, and 30 of these are KSA
graduates. Almost half (46%) of the team are women and we have developed
resilience and wellbeing programmes to drive both psychological safety and
performance. We are on track to support our first 60 qualified professionals
and have identified our first KSA Head of Audit for a trading subsidiary – Saiel
AlMutari at Tonomus.

We have come such a long way already, but, with the launch of the NEOM
Investment Fund (NIF) and new offices opening in London and New York, there is
still much more to look forward to.

Outside the box

New year focus


If you ask one question this week, make it this one:
where do I want to go, what do I want to do (and how
can I get there)?

January is a traditional time for reassessing your life and your future.
Whether you make New Year’s resolutions or have taken time over the
winter holidays to think about what you have to offer and what you find
most rewarding, it’s an opportunity to look further ahead and remind yourself of
your options.

Internal auditors are already in a strong position
when it comes to a variety of career choices.
Do you want a job that adds real, tangible
value and is appreciated worldwide and
in every sector? Do you have skills that
are easily transferable and equally
applicable to different regulatory
regimes, cultures and national
governments? Then you’re already in
the right profession. But how you use
these capabilities is up to you.

There’s nothing that says that an internal
auditor with experience in one sector or one
country needs to stay there, or that you need
to remain in internal audit throughout your career
– the skills you acquire in an internal audit role, and the
over-arching insights you have across all parts of the organisation, make internal
auditors an asset in a wide range of roles.

The value of good internal auditing lies in its ability to increase transparency,
improve processes and offer assurance that things are done in the way
management believes and states that they are done. Increased knowledge can
lead to ideas for further improvements, prevent unforeseen problems (and enable
organisations to react swiftly when issues occur), increase resilience and enable
managers to spot and benefit from opportunities. These are the bigger picture and
are the reasons why many internal auditors find their role so rewarding.

However, it is easy to lose sight of this bigger picture. People get used to working in
one type of organisation or sector and see a direct career path laid out like stepping
stones. Recognising the broad benefits of good internal auditing practice and skills
is useful if you want to assess all your opportunities.

Similar questions can also be asked of the whole internal audit function, particularly
at a time when IIA Global is publishing its new Global Internal Audit Standards.

A step back

Before deciding where you want to go, it is useful to take a step back and evaluate
where you are now, what you already have to offer, and what tools you have at
your disposal.

Ask yourself some basic questions (be honest):

What part of my role do I most enjoy?
What do I do best?
What is my dream job?
Is my current role putting me on track to get this?
Is something stopping me from aspiring to get my dream job – and,
if so, what?
Who could help me to progress or gain skills?
Could I ask more of/offer more to my current employers?
Where can I find out more about what I need to get my dream role?

The answers to such basic questions can be surprising. People who have spent
years working their way up to senior management may realise that they find
managing people stressful and frustrating and decide to become an expert in a
specialist audit area or a consultant.

Others may discover that they most enjoy making people and processes work
more efficiently and decide to look for a role in the business or elsewhere where
they can develop this further – perhaps to return to internal audit with a different
perspective in future.

Three steps forward

Knowing where you want to go is usually the hardest thing to establish. Once
you have an objective, things become more straightforward. The economic
environment has become tougher and is unpredictable, but internal audit skills are
diverse and most internal auditors have been exposed to experiences and people
that give them multiple options. Skills are still in short
supply, so the jobs market is open to people who wish
to move sideways or take an alternative path.

Bear in mind that internal audit skills are common
across sectors and the IIA Global designations are just
that – global. If you decide to move sector or continent,
much of what you know and do now will be relevant. You
may just need to do additional research.

Familiarity with another organisation or
sector is itself an asset if you have been
involved in projects that are unfamiliar
to those where you wish to work. If you
lack some of the experience in the job
description, try pointing out alternative
skills that you can bring to the role. Even
if you don’t fit the job advertised, there
may be other opportunities that would
suit you.

It also pays to think ahead. Plan how
you will get the experiences or skills you
need to achieve what you want. Courses,
mentoring and job shadowing are all
useful. Ask to be part of a team tackling
a new kind of audit work, or volunteer to
do presentations or workshops sharing
the skills you have and learning new ones
in the process.

Use your membership

1. Look at the courses, forums and conferences hosted by the
Chartered IIA and use these to make contacts in the sectors you’re
interested in, or to boost the skills you want to develop.

2. Join a special interest group and look for sessions that will help you
build a better understanding of best practice in important areas such as
data analytics or fraud.

3. If you want to move sector, look at the institute’s sectoral groups, for
example, those for insurance, retail and construction.

4. Keep an eye on the jobs advertised on the institute’s Jobs Board and
note what skills are in demand and what is expected of applicants in your
target sector or to progress to the next level. They may be evolving rapidly in
some areas, so it’s easy to be out of date.

If your ambitions are for your team, the same applies. Once you know
where you want to get to, you can identify the skills and resources you lack
and plan to acquire them. Again, the Chartered IIA is a good place to start –
especially given the forthcoming changes to the IPPF.

1. New reports and guidance are published regularly and offer an excellent
starting point for work on topics from geopolitical risk and data analytics to
fraud and supply chain resilience.

2. Communities and forums will provide contacts who may be able to help
you by sharing skills and experiences.

3. If you and your team have already achieved great work, don’t wait
for others to recognise this and offer you promotion or new challenges.
Nominate for the A&R Awards and tell everyone about it. Publicising and
sharing good work benefits everybody and may also advance your career in
the process.

Update

We round up the latest business and regulatory news
to affect the internal audit profession.

Consultation seeks members’ views on revisions to the Chartered IIA’s Internal Audit Codes of Practice

The Chartered IIA is reviewing and updating its two codes of practice: The
Financial Services Code of Practice and The Code of Practice for Private and Third
Sectors. These provide an industry benchmark for best practice internal audit
in these sectors, as well as a gauge by which stakeholders
(including regulators and audit committees) can assess the
role, function and effectiveness of internal audit functions.

The aim of the review is to reflect evolving practice, including
the new Global Internal Audit Standards and developments
in the UK Corporate Governance Code, and to correct any
unintended consequences that may have arisen in the
application of the codes. Members will also be consulted on
whether the two codes should be combined.

Additional news, features and views are posted online. For guidance and support
on current emerging issues, visit the Chartered IIA Community hub.

The review will be overseen by an Internal Audit Codes of Practice Independent
Review Committee, chaired by Sally Clark, Audit Committee Chair at Citibank.

Members are invited to respond to an eight-week consultation on the
codes, which will begin in February. Responses to the consultation will be
used alongside analyses of external quality assessment reviews, evidence from
stakeholders, including the regulators, and discussions at roundtable events with
chief audit executives, audit committee chairs and other stakeholders.

The revised codes will be published by June.

FRC proposals increase external audit duties over financial compliance

The Financial Reporting Council (FRC), the UK’s corporate
governance regulator, has proposed changes that would
extend external auditors’ obligations to detect and report
non-compliance when reviewing company financial statements.

The proposals are similar to those put forward by the US accounting watchdog,
the Public Company Accounting Oversight Board (PCAOB), in June 2023. The
changes would require external auditors to obtain reasonable assurance that
financial reports are free from material mis-statements, and to report breaches
of laws or regulations that come to their attention “even where law, regulation, or
relevant ethical requirements do not require it”.

The FRC’s consultation will close this month. If adopted, the changes will come
into force for audits of financial statements for periods beginning on or after
15 December this year.

Companies House gains powers to combat money laundering


As part of the UK’s plan to tackle money laundering, the Economic Crime and
Corporate Transparency Act (ECCTA) has given Companies House, the registrar of
corporate information, a new objective of checking and improving the transparency
and accuracy of the information that companies provide for its registers. In
addition, Companies House can now share its data with other regulators.

The legislation, which came into force in October, also makes it an offence to
provide a false statement to the register. The UK government says the new powers
are the most important changes to the agency in its 180-year history.

Further provisions in the Act include the creation of a criminal offence of failing
to prevent fraud, which makes organisations liable if they benefit from a fraud
committed by employees. The National Crime Agency (NCA) gains new powers
to force businesses to hand over information that it suspects relates to money
laundering or terrorist financing, while the NCA and law enforcement agencies have
greater authority to seize, freeze and recover crypto assets.

Regulators intensify focus on cyber security and data protection


Banks and other financial institutions should prepare for increased regulatory
scrutiny, while companies in every sector should expect more questions about
how they oversee cyber security and data protection, according to a report on
regulatory challenges by professional services firm KPMG.

It predicts that in the next six months financial services regulators will focus more
intensely on firms’ risk management and controls, data quality and processes,
and management/board accountability. Specifically, KPMG expects regulators
to scrutinise financial risks and broad risk-management practices, including
leverage ratios, liquidity risk and maturity, and operational risks.

Companies advised to disclose sanctions breaches


Since February 2022, 127 UK companies have voluntarily disclosed breaching the
sanctions imposed on Russia for invading Ukraine, according to international law
firm Pinsent Masons.

One reason for non-compliance is that Russia was more closely integrated into the
global economy than other countries subject to sanctions regimes, such as Iran,
Syria and North Korea. Another
is that it can be hard to identify
the true beneficial owners of
sanctioned companies.

There are 1,637 individuals and 239
companies on the UK’s sanctions
list for Russia, the law firm said. It
advised companies that identify
breaches to consider disclosing
these to the Office of Financial
Sanctions Implementation (OFSI)
or to HMRC if they wish to be
treated leniently.

If a breach is identified, the authorities may take no action, or they may issue a
warning letter or a civil penalty, or start a criminal prosecution. These actions can
be taken against bodies and individuals and can lead to prison sentences. The
highest financial penalty issued to date was a £20.5m fine imposed on Standard
Chartered Bank in 2020.

ICO updates guidance on employee monitoring

The Information Commissioner’s Office (ICO)
has updated its guidance on employee
monitoring to reflect new types of work,
working from home, and the use of more
sophisticated monitoring technologies.
The UK data regulator said workers’
expectations of privacy are significantly
higher at home or outside the workplace, and
this should be reflected in any data protection
impact assessment.

Monitoring can include tracking calls, messages and keystrokes, taking
screenshots, webcam footage or audio recordings, or using specialist monitoring
software to track activity. The ICO warned that employers who use automated
decision-making for monitoring must inform workers of this.

Organisations must give workers “meaningful information about the logic
involved, as well as the significance and the envisaged consequences” of the
processing. This information must also be included if employees submit Subject
Access Requests.

The ICO’s research found that 70% of people would find it intrusive to be
monitored by an employer in any way. Monitoring personal devices was considered
the most intrusive practice (83%), followed by recording audio and video (78%) and
taking screenshots or webcam footage (77%). Monitoring timekeeping and access
was considered the least intrusive practice.

Global payments system cyber attack could cost trillions


A major cyber attack on a financial services payments system could lead to
global losses of US$3.5trn – much of this not covered by insurance – according to
Lloyd’s of London. According to a systemic risk scenario developed by Lloyd’s
and the Cambridge Centre for Risk Studies, the US would suffer losses of
US$1.1trn over a five-year period after this kind of attack, while China would lose
US$470bn and Japan US$200bn.

Cyber insurance is becoming more common, but many companies see it as
expensive and are sceptical that it would provide adequate cover.

Message overload increases cyber security risk


More than half of employees admit they ignore cyber security alerts because
of “information overload”. In a survey by cyber security firm CybSafe, 47% of
respondents said they believed an influx of messages on laptops, tablets, PCs and
smartphones reduced their ability to identify threats such as suspicious emails.

In addition, 36% of respondents said they have “cut corners” on cyber security
practices, while 7% said they often skip steps such as using safe networks or
setting strong passwords to save time.

Compliance and tech top agenda for risk managers


Tech innovation and compliance requirements are two of the main concerns for risk
functions, according to research by KPMG and Forbes Insight. Chief risk officers
(CROs) said de-risking, growth and strategy, regulatory compliance, effectiveness
and efficiency, and costs are all high on their agenda as organisations strive to grow
in difficult economic circumstances.

CROs also said the risk function is expanding beyond traditional risk management
into the area of threat management, while resources are being cut. Compliance and
regulation were the most significant risk management issues they expected to face
in the next two to five years. However, 80% of CROs said they were confident about
their organisation’s ability to deal with cyber security threats and data breaches,
while 70% felt well prepared to tackle disruptions from new technologies, such as
generative artificial intelligence (AI).

Finance slower to adopt AI than other functions


Most finance departments have yet to adopt AI, despite optimistic leadership
views of the technology, according to a survey by consultancy Gartner.

The survey revealed that 61% of respondent finance functions either have no plans
for AI implementation or are still in the initial planning phase.

Gartner’s research also shows that finance is currently well behind most other
business functions when it comes to investments in AI by the organisation: just 1%
of finance functions have adopted or intend to invest in the technology.

The lag is blamed on other priorities, lack of technical capabilities, low-quality data,
and insufficient use cases.

Reportage

Supply Chain ESG Risks: Harnessing the Potential of Internal Audit


Sustainability, ethical practices and transparency have become integral components of
responsible business – making the intersection of environmental, social and governance (ESG)
issues in supply chain management a critical risk area. Organisations must try to align their
supply chain operations with their ESG values, targets and ambitions as stakeholders demand
greater transparency over, and accountability for, ESG practices. Due diligence when engaging
and selecting suppliers is vital – and internal audit has an important role to play.
This report dives into the relationship between ESG risks and due diligence activities in the
supply chain. However, supply chain expertise is in short supply, particularly within internal
audit functions, which need to be able to provide assurance, scrutinise compliance, conduct
risk assessments and provide recommendations for improvement. The Chartered IIA is urging
company directors to work in partnership with their internal audit functions to ensure they are
fully equipped to deal with ESG-related supply chain risks.

Supply chain priorities

<5% of annual internal audit time is spent on supply chain risks, according to roundtable participants and interviewees for this report.

Supply chain, outsourcing and “nth”-party risk ranked 8th in the Chartered IIA’s Risk in Focus 2024 survey. However, respondents predicted it would fall to 9th place by 2027.

Environmental

3 scopes

The Greenhouse Gas (GHG) Protocol is the standard for GHG accounting and has three defining scopes:
Scope 1 – direct emissions.
Scope 2 – indirect emissions including those from purchased energy.
Scope 3 – indirect emissions from upstream and downstream activities in the supply chain including: raw material extraction, transportation, product and service use, and waste disposal.

Scope 3 emissions are often more difficult to measure and manage, as they occur outside of the organisation’s direct control.

For organisations operating in the UK and Europe, the most important environmental regulations that must be followed within their supply chains include:
• EU Timber Regulation
• The Waste (England and Wales) Regulations 2011
• The Packaging (Essential Requirements) Regulations 2015
• The Eco-design for Energy-Related Products and Energy Information Regulations 2021 (UK)
• German Supply Chain Act
• Critical Raw Materials Act
• Corporate Sustainability Reporting Directive (CSRD)

“Scope 1 and 2 emissions are easier to manage, and we are auditing this data. Scope 3 emissions, however, that come from the supply chain, is a difficult area to deal with”.
Director of Group Assurance – Automotive Company

Environmental (continued)

Actions for internal audit
• Compliance and regulation – understand the regulatory landscape, review the supplier code of conduct, audit contracts, evaluate compliance, monitor changes.
• Business continuity – assess the effectiveness of business continuity plans for supply chain disruption.
• Environmental risk assessment and mitigation strategies – assess risks of potential extreme weather events, test resilience of supply chains; identify vulnerabilities; question relevant processes and measures.
• Sustainability plans – audit and provide assurance; question whether environmental targets are achievable, realistic and measurable; look for evidence.
• Sustainability practices – make recommendations for improvements in the supply chain.
• Roles and responsibilities – ensure these are clear and allocated to supply chain and those overseeing risks in the first, second and third lines.
• Supplier risk management – assess the organisation’s understanding of supplier challenges and monitoring to detect problems. Ensure contracts are robust and organisations know if, where and why standards cannot be met.

Social and governance

Legislation and initiatives relevant for organisations operating in the UK and Europe include:
• 2015 UK Modern Slavery Act
• UK Ethical Trading Initiative
• EU Conflict Minerals Regulation

Actions for internal audit
• Supplier compliance audits – evaluate the code of conduct; ensure due diligence is adequate; work with procurement and supply chain teams to ensure codes are up to date.
• Risk assessments – identify vulnerabilities and recommend mitigation strategies.
• Monitoring systems – collaborate with other departments to provide assurance. Use technology and data analytics.
• Recommendations – identify improvements to supplier management, process improvement and risk mitigation.
• Policy development and compliance – contribute to the development of anti-corruption policies, supplier codes of conduct, and ethical sourcing guidelines. Ensure these are understood and adherence monitored.
• Relationships – build relationships in the first and second line to improve understanding of supply chain risk and provide assurance on risk mitigation processes, potential flaws and culture.

Measuring the effectiveness of ESG risk management programmes

Actions for internal audit
Organisations are adopting innovative methods and technology to enhance their ability to evaluate ESG risk management in supply chains. Internal audit can assess the existence of these programmes and their integration into supply chain strategies.

• KPIs and metrics – assess KPIs and metrics related to reducing carbon emissions, ensuring ethical sourcing, promoting diversity among suppliers, and improving compliance with labour and human rights standards.
• Supply chain compliance audits – ensure the supply chain adheres to ESG regulations and standards.
• Risk assessments with a supply-chain lens – use advanced risk-assessment tools and methodologies to evaluate ESG risks in the supply chain, including scenario-based simulations, and risk-modelling and simulation technology.
• Supply chain data analytics – analyse data on supplier performance, environmental impact, and labour practices.
• Supplier audits and evaluations – use techniques including on-site inspections and digital supply chain tracking to verify supplier compliance.
• Telematics and blockchain – use real-time data to make supply chains transparent and traceable, and blockchain to verify authenticity.
• AI machine-learning – use algorithms to predict future ESG risks in supply chains.
• Cyber security and data protection – evaluate measures to safeguard ESG data in the supply chain.


Audit & Risk Awards



Last call – nominations close on 31 January

It’s not too late to enter the Audit & Risk
Awards, but you need to start now – the
nomination deadline is 31 January. Putting
together a strong nomination takes some
time. You need to put together a compelling
case within a tight wordcount and get senior
managers and/or the chair of the audit
committee to endorse you. You may also want
to include several members of the internal audit
team in the process.

However, there are also many benefits – previous nominators have found the
nomination process itself beneficial, since it made them create a concise
document stating clearly all their achievements. Being shortlisted is a huge
boost to morale and exciting for all concerned. It also demonstrates to the wider
organisation that their internal audit team has demonstrated best practice and
been recognised for it by their professional institute. This is something that can be
publicised and used to improve understanding of, and confidence in, the function
and in team members. It can lead to better cooperation, build the function’s
reputation and help to attract applications for vacant roles.

Winning, of course, is best of all. Previous winners have been amazed by
the excitement it has generated throughout their function and across their
organisation to the top levels. An A&R award demonstrates that you or your team
have been judged by their peers to be outstanding. There is no other accolade
that can match it.

The world is changing rapidly and myriad risks are
emerging as a consequence of geopolitical, political
and economic disruption worldwide. Internal
audit teams are having to develop and respond
equally fast to keep up and get ahead of the
emerging threats. There are so many stories of
outstanding practice in internal audit functions
across the UK and Ireland – but no one can win
if they haven’t been nominated. So tell us what
you’re doing, nominate today and reap the
benefits. You may or may not win the award, but
you will certainly gain from the experience.

Audit & Risk Awards: Nominate someone today



Categories:
Outstanding Team
Public Sector | Private Sector (non-FS) | Financial Services Sector | Third Sector

Inspirational Leader

Development of Internal Audit Best Practice

Internal Audit Rising Star

Internal Audit Advocate

Diversity, Equality and Inclusion (DEI) Champion

“What made it most exciting was the support we got from stakeholders. So many people said such good things – I couldn’t fit them all on the nomination form.”
Ed Wilton, Audit Director, Kingfisher

“When we won, the team was over the moon, it was a real recognition of all the work they had put in and we all felt it was one of the best things that’s happened in our careers.”
Phil Hart, Chief Internal Auditor, ClearBank

“Winning the award opened up opportunities for us to start conversations about what we do and why we do it.”
Darren Pearce, Head of Operations, BUPA Group Internal Audit

“I would strongly recommend to others that they enter the Audit & Risk Awards. It’s a great opportunity to reflect on everything you’ve been doing and the difference it makes.”
Steven Welsh, Chief Internal Auditor, Funding Circle

Book now
for the A&R Awards Event
on 20 June.

A mission for more
Sandro Boeri was elected President
of the Chartered Institute of Internal
Auditors UK and Ireland at the AGM in
October. What does he want to achieve
in his time in office and why does he
believe it’s time for internal audit to
come out of the shadows?

Internal audit’s time has come – the turbulent, rapidly changing post-Covid
AI-enabled world is waking up to its need for assurance on topics from
sustainability to culture and diversity. Integrity and trust are increasingly valued
as fakes and misinformation become the hottest of topics. Whom you can trust
and why you should believe them is a leading issue of the day – and internal auditors
have an opportunity to raise their profile and their game, according to the new
President of the Chartered IIA, Sandro Boeri.

During his time in office, he intends to help the profession seize this opportunity
and wants internal auditors to become known for their role in promoting trust in
our society.

Boeri became President of the Chartered IIA in October, but his involvement in, and
passion for, the internal audit profession began long before this. “I have been an
internal auditor for a vast amount of my career, stretching back to 1979,” he says. “I
always had a love for, and fascination with, our profession.”

He first joined the Chartered IIA’s Council three years ago and has spent the past
year as Deputy President, so he is well aware of the challenges the institute faces.
He has been closely involved in recent efforts to build its influence.

“I stood for election because I knew that it would put me in a position to influence
the profession,” he explains. “The institute went through a difficult time during
the Covid crisis and my predecessor, Peter Elam, and the then CEO John Wood,
together with the institute’s staff, did great work stabilising its finances. I want to
help the new CEO, Anne Kiem, and the executive team to build on this and grow
both the institute and its influence more widely.”

Objectives

Boeri lists five key objectives for his time in office:

First, he wants to encourage Council to be, and do, “more” – “I believe that we
need to be more strategic and that if we provide a stronger strategic outlook for
the institute and the profession, we will support Anne and the executive team to do
their work.” This work has already begun and Council is currently changing what it
considers and how frequently it does this, he adds.

Second, he believes that the Council should meet in-person more frequently. “We
got used to operating virtually during Covid lockdowns, but I believe that in-person
work creates better understanding and builds collaboration,” he explains. “We will
meet in-person at least three times a year.”

Third, he intends to work more closely as a “critical friend” to Anne and the executive
team. “The Council isn’t there to second-guess everything the executive does, but to
support and to challenge,” he says. He is encouraging every Council member to have
their own area of focus and to meet the executive team regularly to support this.

Fourth, he promises to be a “cheerleader for the profession”. “I will use every
opportunity when I find myself with a microphone in my hand to remind people
that this is a profession that is good for organisations and for society.” He has
already participated in the Internal Audit Conference in London and in the Scottish
Conference and will speak at the Wales Conference on 24 January. “I am available
for bookings,” he says.

Fifth, he aims to help the profession to progress along the path to “internal audit
Nirvana” – a state where the whole profession embraces data analytics and artificial
intelligence, has a voice at the “top table” and reacts nimbly to change in the risk
landscape.

“All internal audit teams should have a full real-time view of the audit universe and
we must be agile and react to risks as they arise. We must consign sample testing
and annual planning to the museum,” he argues. “We need a seat at the top table
and must offer the kind of support that makes the people at the top seek our
opinion because we are objective, respected and knowledgeable.”

To this end, he is currently drawing up a mindmap with the executive team that
will focus actions on encouraging the profession to move in this direction.
This will be part of every discussion and will influence the institute’s strategic
direction in the future.

Conscience

Beyond these stated objectives, Boeri is passionate about internal audit’s role in
helping organisations to understand and accept their responsibilities not only to be
honest and transparent, but to have a position on social justice issues. He believes
that staff and customers today expect organisations to have a view on key social
and moral debates and to act with integrity to back these up with actions.

This is a complex area, which carries many risks and pitfalls. Internal audit can
help organisations both to appreciate why they should state their position, and
help them to see where their actions undermine their positive words – creating
reputational and other risks.

“Internal audit is a profession with a conscience. We need to engage with the
organisations that employ us to ensure they take a role in matters of social justice
and issues of conscience, such as sustainability, because these things matter to
their employees and their customers,” Boeri explains.

“We can help to ensure our organisations don’t run away from the moral dilemmas
in our society, but engage with them positively. The newer generations coming into
the workplace expect this. They don’t think that profit is the only issue
that’s important.”

For example, he points to the conflicts and risks created if a financial services
firm makes statements about its ESG credentials while still investing in oil and
gas extraction. Other organisations may be challenged by staff or customers who
hear what they say about equality and diversity, but question why they continue
to work for regimes with poor human rights records.

“People dislike hypocrisy,” Boeri adds. “If you say you care about your
employees, stakeholders and customers, then there is a good commercial reason
for ensuring that you do not act in a way that directly opposes your expressed
policies.”

Recognition

So, what would he like to leave as a legacy from his time as an internal auditor
and as President of the institute? “I would like to be remembered as one of a
number of people who made our profession recognised and appreciated by the
public – because we help move the dial in society,” he says. “I want more people to
understand that we are a profession that is respected and should be listened to.”

He feels strongly that internal auditors should feature more as experts and thought
leaders in discussions in mainstream media programmes. They should contribute
to national debates about social issues, business, risks and opportunities. If they
have enough interesting opinions, then people will start to ask “Who are they? What
do they do? Where do they get their information?” he adds.

In the past, internal audit has tended to stay hidden beneath the surface of
organisations – it’s not in most businesses’ interests to highlight those who
capture and mitigate risks before they become public. However, there are good
arguments for making internal audit’s role more widely known and the current
demand for integrity and trust reinforces these.

“It’s always an option not to be known, but that is the option of irrelevance,” he
says. “I only have one life, so I want to see this happen soon.”

Career in nutshell
2017 - today
Deutsche Bank – Group Audit Co-Head of People-Enablement and
Head of Culture Assessment.

1999 - 2017
Risk Audit – Owner

1999 - 2000
Gerrard Group – Head of Internal Audit

1996 - 1998
Sumitomo Mitsui Banking Corporation – Head of Internal Audit

1996 - 1997
Lazard – Senior Internal Auditor

1989 - 1996
Credit Agricole – Head of Audit & Compliance

1986 - 1989
Amsterdam Rotterdam Bank, London Branch – Head of Internal Audit

1985 - 1986
Manufacturers Hanover Trust – Internal Auditor

1979 - 1985
Kleinwort Benson – Internal Auditor


Raising the bar
The Global Internal Audit Standards
will become effective in January
2025. They have huge potential to
increase best practice and improve
the reputation of the profession
globally. What is changing and what
do you need to do?

The global IIA’s International Standards for the Professional Practice of Internal
Auditing are changing. This is good news for IIA members worldwide – but it
will require some attention and adaptation to meet the new requirements.
There is no immediate change to syllabi for existing students.

Billed as “an evolution”, rather than a revolution, the new Global Internal Audit
Standards build on the existing ones to clarify what good internal audit looks like
in a rapidly changing world and enhance consistency worldwide. They will support
chief audit executives (CAEs) by providing explicit guidance on the position of
internal audit within organisations and the resources it needs to perform at the
required level. They will also enable the IIA, centrally and nationally, to build the
reputation of the profession and increase understanding of its value.

Many of the changes are already common practice in mature internal audit
functions, but most CAEs will need to adapt some elements of what they do
to ensure continued conformance. However, all IIA members stand to gain in
the long term from increased consistency, clearer explicit details of roles and
responsibilities and a stated purpose that can be used to inform, educate and
influence those who need to know more about the profession. Raising the bar
for all internal audit functions strengthens the reputation of the function and the
profession everywhere.

The Chartered IIA has played an important role in shaping The Standards
and ensuring that members in the UK and Ireland have had a voice in their
development. It has been represented on the global IIA Standards Board by
Liz Sandwith, who has worked with the Chartered IIA as its Chief Professional
Practices Adviser, and, more recently, by Peter Elam, its Immediate Past
President, who will continue to be a member of the global IIA Standards Board for
the next six years.

Sandwith was involved from the beginning of the process, which began when the
global IIA surveyed members for their views of the current IPPF and what could be
improved. Her term finished last year, but she was invited to continue as a special
adviser to the project. Elam joined the board in July last year.

“The Chartered IIA is one of the biggest IIA affiliates and we have a very active
membership, so our perspective and input is highly valued,” Elam says.

The IPPF and the Standards had not been significantly overhauled for many years
and there was a consensus – backed by about 19,000 comments from members
and relevant bodies worldwide – that the world and the profession had changed.
What good looks like now is different from when they were first drafted. New
audit topics have become standard, new tools are widely used and the scope of
internal audit work has developed. Organisations need and expect more wide-
ranging support than was previously common.

IIA Global’s IPPF survey in 2021 showed that many people also perceived the
existing Standards to be fragmented and difficult to follow. Updating them was
an opportunity to review the way they are structured.

“The Global Internal Audit Standards document is substantial and provides
the basis for a consistent model of good internal audit practice that should be
applicable regardless of where you are in the world, the sector you work in and
the size of your internal audit function,” explains Sandwith. “For me the really
positive message is that it states our purpose (in ‘Domain’ 1). This is key to what
we do and what we are as a profession. It’s the elevator pitch you need if you are
standing in a lift with the CEO and they ask what exactly you do. It’s a document
you can discuss with the board and the audit committee and the potential
benefits are phenomenal.”

What is changing?

Many organisations with well-structured, high-performing internal audit functions
that enjoy a strong reputation and good relationship with the audit committee
and board will need to make only minor adjustments to conform with The Global
Internal Audit Standards – but they will still need to read the new document
thoroughly and understand the changes, Elam warns.

Others will need to do more, but the intention is that the revised Standards
document will provide a useful template that a CAE can use as a basis for a
conversation with their team and their stakeholders. It sets out the basis for good
internal audit practice, so those who do not currently conform in all areas will have
evidence of what needs to change and can use this to educate management and
secure any structural alterations or additional resources.

One area that CAEs should consider carefully is Domain 3 of The Global
Standards, “Governing the Internal Audit Function”, which concerns the
oversight of the internal audit function. This defines explicitly for the first time not
only the CAE’s role and responsibility to report to the audit committee and board,
but also the audit committee’s responsibilities to engage with and oversee the
internal audit function.

“This is important because it provides comprehensive terms of reference for
the audit committee, defining the kind of relationship it should have with internal
audit and demonstrating the strength and importance of this relationship,” says
Sandwith. “It’s a massive opportunity for CAEs who can now take it to the audit
committee and say ‘this is how we should be working together and this is what we
need to build on’.”

While neither the internal audit function nor IIA Global can dictate how boards
or audit committees respond, it is a strong indicator of what good looks like,
adds Elam. “Many board members are part-time, or come to the role with little
experience of internal audit, so this explicit description of their responsibilities will
help to educate and inform them.”

The Global Standards will be referenced in external quality assessments (EQAs),
so oversight weaknesses could be mentioned as an area for improvement in an
otherwise positive report. “It’s about creating a two-way relationship – internal
audit and the audit committee working closely together for the good of the whole
organisation, with responsibility going both ways,” Sandwith explains.

Domain 4, “Managing the Internal Audit Function”, also turns actions that
were previously good practice into requirements for a strong function. New CAEs
will therefore have guidance stating their responsibilities and what constitutes
good performance.

“It’s brilliant that this is now explicit because it can be used as a template for new
CAEs, to educate management and to support negotiations for resources, as well
as a timely reminder for those who have been in the role for some time,” Sandwith
points out.

Domain 2, “Ethics and Professionalism”, incorporates IIA Global’s Code of
Ethics, which is another important area in an increasingly complex internal audit
environment. This too should support CAEs by providing detailed guidance that
can be used within the internal audit function and in the wider organisation.

The last, Domain 5 “Performing Internal Audit Services”, sets out how to plan
and conduct engagements and how to communicate findings and monitor
action plans.

New guidance on topical areas for internal audit (Topical Requirements) is also
being published to support those embarking on specific audit areas.

More information about the scope and detail of these requirements will be
provided by the Chartered and Global IIA and in future articles in Audit & Risk.

When will the Global Internal Audit Standards come into force?
They will become effective and replace the current Standards in 2025.

What else will change?


The global IIA certification courses and exams will be updated and EQAs will
cover the new elements introduced in The Global Standards.

What you need to do now


“Read the document, understand it and work out what it means for you and
for your internal audit function,” urges Sandwith. “It’s something that all IIA
members should focus on – if you’re complacent, you could get a surprise in
your next EQA, but the changes are overwhelmingly positive for individuals
and for the profession globally.”

There are still 12 months before The Global Internal Audit Standards become
mandatory (January 2025), so CAEs and their teams have time to assimilate and
assess them and put any necessary changes in place. IIA Global and the Chartered IIA
will be supporting members and offering advice and guidance, so watch for further
information on websites and in future issues of A&R.


Division vision
Over the past three years, The Central
Bank of Ireland Internal Audit Division has
restructured, developed and implemented
a new strategy, and improved its
performance against a series of targets.
Its success won it the Audit & Risk Award
for Outstanding Team – Public Sector in
2023. So what did they do?

Providing internal audit services in a central bank is a challenge. It requires
internal auditors to understand macroeconomics, financial stability and the
processes of financial regulation, along with more typical public sector risks.
When the Central Bank of Ireland decided to enhance its Internal Audit Division,
which comprises 22 people, its first task was to create a framework to determine
how it was currently performing. It could then identify what it needed to improve,
and devise a strategy to achieve this.

“The Central Bank of Ireland (CBI) always has ambitions to be best in class and
our framework, the Internal Audit Capability Model for the Public Sector (IACM),
is strong at producing ideas and a roadmap to improvement, but we needed
the experience and knowledge to implement these ideas effectively,” says Paul
Wrafter, Head of Internal Audit at the CBI. “We recognised we would have to
develop our staff to get the skills we needed to reach our goals.”

Their success at setting out a framework, identifying change and developing
the skills they needed to progress won the team an Audit & Risk Award for
Outstanding Team – Public Sector in 2023. The project took three years, with an
external quality assessment (EQA) being the final measure.

Wrafter joined the CBI from Allied Irish Banks plc (AIB), where he had experience
developing teams. At the CBI, he found a function that was unaccustomed to
change, but was keen to develop. “It was essential to explain to the whole team
how improvements could help them to gain the support of auditees and improve
their outputs,” he says.

“We have four pillars in the CBI, so we needed audit teams that mapped against
these,” he explains. “We changed the team structure and each area of the
business had a point of contact, which greatly improved communications.”

A model for change

The programme was shaped by the IACM framework, which identified 41
key processes necessary for effective public-sector internal auditing. This
established five maturity levels from 1 (initial) to 5 (optimising) across six essential
areas. An early self-assessment showed that the team was operating at levels
two to three in most areas. This provided a platform for further improvement.

Four working groups, headed by Lead Auditors, were established to focus on
key areas of audit methodology, audit planning, data analytics and people. Every
member of the team had a role. This empowered junior internal auditors,
Wrafter explains.

The Audit Committee and the Governor fully supported the changes, he
adds. They also identified what they required from audit reports, updates and
dashboards and Wrafter began an ongoing process of actively seeking feedback
and ideas for improvements.

Strategy for the future

“We needed to re-align our resources and introduce more accountability,” he
says. “Once we knew what had to change, we started looking at the internal audit
strategy. We asked every member of the team what they thought we needed to do
externally and internally. We then worked with Gartner to create a plan separated
into key initiatives: boost stakeholder engagement and rapport; optimise and
simplify our processes in line with industry best practice; and develop staff who
are highly skilled and motivated, with opportunities for progression.”

A “Strategy on one Page” detailed their mission, vision, purpose, strategic
objectives and key initiatives. They then set stretched, yet achievable, targets.
These areas were assessed as “best in class” or “outstanding” in the team’s 2022
External Quality Assessment (EQA).

Key aims included providing more assurance advice to the organisation and
creating development opportunities to increase staff promotions. Clarifying what
people needed to do to progress and prioritising their opportunities to gain
experience and skills saw rapid results. Three people reporting to Wrafter were
promoted, as were five managers in the tier below.

The team also addressed internal audit processes, asking could they be
streamlined, were systems used effectively and would they benefit from agile
techniques? Considering these in terms of strategy helped everyone to think
further ahead and initiate more changes, Wrafter says. “It led to more timely
meetings and feedback and helped to bring in stakeholders, build trust and
increase transparency.”

“People can get apprehensive when you talk about agile or data analytics, but
you often find you’re already doing more than you think,” Wrafter adds. “We are
part of the Eurosystem, so we utilised our network to speak to peers, compare
practices and get new ideas, while members of the team started to sit on
more committees and working groups in the CBI so we could learn and extend
our influence. This was also great for developing internal audit managers to
collaborate more with various areas of the organisation.”

People

One important indication of progress was the annual CBI staff survey, as
previous feedback showed room for improvement. “We needed to identify what
we should start doing, stop doing and continue doing. We want people to enjoy
coming to work and know that they have opportunities here and elsewhere in the
organisation,” Wrafter says.

A skills assessment process was designed by the team, covering over 400
competencies. This provided invaluable insights into development needs
across both subject matter areas of the CBI and audit competencies. Training
programmes were developed to address any gaps identified. Each team member
is assessed and has a personal training plan. Consequently, the internal audit
team’s satisfaction has risen from 54% in the CBI staff survey to 75%.

The aim is to hire staff at entry level wherever possible and then train and
promote them within the division. Wrafter says he’s also happy when team
members are promoted to other roles in the CBI. The movement goes both ways.
“It’s all about getting the right balance of industry knowledge and internal audit
skills and experience in the wider team.”

Results

All this work has led to results. Against the IACM for example, the team is now
performing at level five (optimising) in the areas of services and the role of internal
audit; professional practices; performance management and accountability;
and governance structures. They have reached level four to five for people
management and organisational relationships.

A new data analytics working group is involved in more than half of all internal
audit reviews and the team’s data analytics strategy has been assessed as
excellent by Gartner. Wrafter says the quality assurance and improvement
programme (QAIP) has led to “significant improvements” in the quality of audit
outputs. They have improved relationships with, and the involvement of, business
units in the audit process, which has increased understanding of internal audit
in the organisation. A structured stakeholder engagement programme ensures
that internal audit meets managers at all levels and provides regular updates on
internal audit activity (in addition to formal executive reports).

Externally, the team has increased its contacts and influence. Wrafter now
lectures for the Chartered Accountants Ireland on its Risk Management, Internal
Audit & Compliance Diploma and chairs one of the seven sub-committees of the
Internal Audit Committee (IAC) of the European System of Central Banks. Four
other team members sit on IAC sub-committees.

The aim to integrate assurance has been furthered by working with the first and
second lines to improve cooperation and promote a more mature three lines
system. The team has created a risk-grading matrix to align individual business
processes in the audit universe with second-line processes, resulting in a unified
view of risk across the lines. Requests for advisory work have increased and such
work now comprises about 20% of the internal audit plan.

Looking ahead, Wrafter is keen for internal audit to highlight more emerging risks.
“Emerging risks form part of our annual planning and ongoing engagements to
ensure we help the organisation to build and maintain resilience in uncertain
times. A recent example would be our review of Environmental, Social and
Governance (ESG) aspects and the CBI’s Climate Change Division.”

The awards

“The process of nominating for the Audit & Risk Awards was straightforward,”
he adds. “The Governor and Chair of the Audit Committee, among others, were
more than happy to provide endorsements. It was a great motivator for the team
when we were shortlisted for the award and we saw it as tangible recognition for
all the hard work put in over the past few years.”

“The awards event was excellent and we received many messages congratulating
the whole division afterwards,” Wrafter adds. “It’s a huge award – internal audit
recognition doesn’t get any bigger than winning an award from the Chartered IIA.
Nothing else out there compares with it in our industry.”

Nominations for the next Audit & Risk Awards close on 31 January.

Count the carbon
Sustainability requirements are
complex and developing fast.
Richard Brasher looks ahead to
a day when carbon accounting
is as auditable as financial
accounting. But to reach that point,
sustainability teams need internal
auditors’ skills today.

In Climate Change 2023: Synthesis Report the UN states that “The extent to
which current and future generations will experience a hotter and different
world depends on choices now and in the near term” and, according to the
Chartered IIA’s Risk in Focus 2024, “Climate Change, Biodiversity & Environmental
Sustainability” is consistently ranked in the top ten risks facing organisations
today. Rules and regulations are still evolving in different jurisdictions, but even
organisations that are not yet directly required to report sustainability performance
should expect to in future either in their own right or as part of a supply chain.

Internal auditors should therefore be asking:

What can I do today to help tomorrow?

How can I help my organisation handle this risk?

What choices can I make, as an auditor, to affect how future generations
experience tomorrow’s world?

Unfortunately, there are no complete answers. But since taking on the role of VP of
Sustainability, having until now been a chief audit executive (CAE), the lens
through which I view sustainability has changed. I now like to focus my new team
on three key areas: Commitment, Action and Reporting. I believe that, as a
methodology for internal auditors as well, this helps to frame the challenge.

1. Commitment

In order to make a change, we must first make a commitment. We often make
commitments at the beginning of a new year in the form of resolutions –
for example, “I will go running five times a week” or “I will eat less
chocolate”. But what if we made our commitments public and published them to
the world, so that everyone knew what we are striving to achieve?

This is in effect what companies are doing in their sustainability reports. And the
level of commitment is not trivial. Often, the commitments cover three areas
roughly following the environmental, social and governance acronym (ESG). For
example, an organisation might commit to reducing Scope 1 and Scope 2 carbon
emissions by 50% by 2030 and 100% by 2050, or to improve employee engagement
by a certain percentage by a certain year.

So, one important first step for internal auditors should be to consider how these
commitments were made. Are they based on scientific evidence? Are they in line
with the Paris Agreement and compatible with limiting global warming to 1.5°C?
Have they been committed with the Science Based Targets initiative (SBTi), and
have they been approved? One question that is often overlooked is whether they
are in line with the overall strategy of the organisation (or whether the strategy of
the organisation is in line with the sustainability commitments it is making)?

2. Action

This is where it all happens, and so should be an area of focus for internal
audit. What are the action plans for each commitment? For example, does the
organisation have a coherent, logical and scientific carbon abatement strategy
that matches the commitments made? Has the organisation developed a marginal
abatement cost curve to ensure that the actions taken reduce emissions in a way
that is most financially beneficial to the organisation, as well as its stakeholders and
society at large?

Here, it can be helpful to play the role of “critical friend”, focusing more
on advisory than assurance engagements to help the sustainability team,
especially at the early stage. If, for example, a plan has been agreed to move a fleet
of vehicles to BEV or PHEV by 2030, but no actions have been undertaken by the
fleet department in the given jurisdiction, then internal audit could legitimately ask
“why not?”.

Likewise, an internal audit team might help the sustainability team by double-
checking the logic behind the choice of actions taken and where these actions are
happening. For example, if management chooses to purchase electric vehicles
in a country where electricity is “dirty” (carbon intensive), this could be rightly
questioned or challenged.

3. Reporting

This is perhaps the easiest and hardest area to audit.

On one level, the audit process could be perceived to be straightforward. There
are standards, and auditing disclosures to standards is arguably fairly simple.
If, for example, the standard requires an organisation to publish the “difference
of average pay levels between female and male employees, expressed as a
percentage of the average pay level of male employees”, then there must be data to
support the disclosure. Obtain the data, check it and conclude on the audit step.

But there are nuances to consider as well. One of the key attributes of the new
European Sustainability Reporting Standards (ESRS), which were published so
that organisations could comply with the European Corporate Sustainability
Reporting Directive (CSRD), is the concept of double-materiality. Broadly speaking,
this requires an organisation to consider impact materiality (the impact of an
organisation on the outside world) and financial materiality (the financial impact
of the outside world on the organisation). This process is hugely important, but
also hugely subjective. Apart from mandatory disclosures, how an organisation
decides what is material and what is not and, therefore, what gets disclosed and
what doesn’t is largely up to the organisation itself to decide, as long as it is
appropriately documented.

An internal audit team considering disclosure needs to be equipped to deal
with, and challenge, this ambiguity. However, the difficulties are
compounded by the fact that sustainability teams are themselves still trying
to understand all the nuances, and there are critical differences between
what is required by legislation and what is good corporate citizenship.
Internal audit teams can hardly be expected to be experts so early in the
process, and so, should initially focus on the former rather than the latter.

Add to these three steps the complications
around multi-jurisdictional regulations,
regulatory interoperability, differing reporting deadlines, the complications of
capturing accurate data across a wide range of activities, and the internal controls
required for each data set (not to mention the Sarbanes-Oxley controls required
for data sets that might eventually find their way into a US filing) and you have a
topic that is wide enough and broad enough to give any conscientious internal audit
department a full-blown headache.

Amid the complexity, two things are certain: sustainability cannot be ignored
by internal audit departments in any organisation, and actions taken today
will inevitably affect how effectively sustainability departments guide their
organisations to make the right choices for the future of us all. Considering
in turn each element of Commitment, Action and Reporting might therefore be
as good a place to start as any when planning the first internal audit engagement
on sustainability.

Back to the data – a personal perspective

Until now, many organisations based their calculations of greenhouse gas
(GHG) emissions in Scope 1 and Scope 2 (broadly speaking, those emissions
directly created by business operations or indirectly purchased as energy
to run the business) on regional managers’ estimates of the fuel used in
their parts of the business around the world. This may ultimately not be
good enough for internal or external assurance – under the CSRD, external
auditors will need to provide “limited” and then “reasonable” assurance on
sustainability disclosures, so internal audit must be confident that GHG
disclosures reported by their organisations are accurate and documented,
and can be tracked to source if necessary.

One way to provide this documentation is to go back to the original invoices.
Often, this will mean collecting thousands of fuel and energy invoices from
around the world in different formats and languages. Tabulating the data
from these can be technically difficult and time-consuming.

One solution is to ask a utility or fuel billing manager to collate the data
needed, another is to use artificial intelligence (AI) to parse the relevant
data into tables.

Once the quantities of fuel and energy used are known, these amounts
must be multiplied by the correct carbon intensity factors – eg, the amount
of carbon emitted for each litre of fuel or kWh of electricity used. This can
vary significantly, according to the distance the oil or gas travels, how it is
transported, how electricity is generated in each country etc, etc.

When complete, this process will provide figures for Scope 1 and 2 GHG
emissions that internal and external auditors can select by region and/or
year to support with relevant source data, so that disclosed figures can be
traced and verified.
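
The calculation described above can be made traceable line by line. The Python sketch below is an added illustration, not part of the original article: the emission factors, invoice lines and function names are constructed assumptions, and a real ledger would use a published, versioned factor set.

```python
import hashlib
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Constructed factors: (energy, unit, country) -> (GHG scope, kg CO2e per unit).
# The values are placeholders chosen for easy arithmetic, not real factors.
FACTORS = {
    ("diesel", "litre", "UK"): (1, Decimal("2.50")),
    ("electricity", "kWh", "UK"): (2, Decimal("0.20")),
    ("electricity", "kWh", "PL"): (2, Decimal("0.70")),
}

# Constructed invoice lines, as they might look after tabulation.
INVOICES = [
    {"invoice_id": "INV-001", "region": "UK", "year": 2023,
     "energy": "diesel", "unit": "litre", "quantity": "1000"},
    {"invoice_id": "INV-002", "region": "UK", "year": 2023,
     "energy": "electricity", "unit": "kWh", "quantity": "5000"},
    {"invoice_id": "INV-003", "region": "PL", "year": 2023,
     "energy": "electricity", "unit": "kWh", "quantity": "5000"},
    {"invoice_id": "INV-004", "region": "PL", "year": 2023,
     "energy": "diesel", "unit": "litre", "quantity": "400"},   # no factor held
    {"invoice_id": "INV-002", "region": "UK", "year": 2023,
     "energy": "electricity", "unit": "kWh", "quantity": "5000"},  # duplicate
]


def fingerprint(line):
    """Hash a tabulated line so that later edits to it are detectable."""
    canonical = "|".join(f"{key}={line[key]}" for key in sorted(line))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_ledger(invoices, factors=FACTORS):
    """Return (entries, exceptions); nothing is estimated or silently dropped."""
    entries, exceptions, seen = [], [], set()
    for line in invoices:
        invoice_id = line["invoice_id"]
        if invoice_id in seen:
            exceptions.append((invoice_id, "duplicate invoice id"))
            continue
        seen.add(invoice_id)
        try:
            quantity = Decimal(line["quantity"])
        except InvalidOperation:
            exceptions.append((invoice_id, "quantity is not a number"))
            continue
        if not quantity.is_finite() or quantity <= 0:
            exceptions.append((invoice_id, "quantity must be positive"))
            continue
        key = (line["energy"], line["unit"], line["region"])
        if key not in factors:
            exceptions.append((invoice_id, "no factor for " + "/".join(key)))
            continue
        scope, factor = factors[key]
        entries.append({
            "invoice_id": invoice_id,
            "region": line["region"],
            "year": line["year"],
            "scope": scope,
            "factor": factor,                    # factor applied, kept as evidence
            "kg_co2e": quantity * factor,
            "source_sha256": fingerprint(line),  # ties the figure to its source row
        })
    return entries, exceptions


def totals(entries):
    """Sum emissions by (region, year, scope), listing the supporting invoices."""
    out = defaultdict(lambda: {"kg_co2e": Decimal("0"), "invoice_ids": []})
    for entry in entries:
        bucket = out[(entry["region"], entry["year"], entry["scope"])]
        bucket["kg_co2e"] += entry["kg_co2e"]
        bucket["invoice_ids"].append(entry["invoice_id"])
    return dict(out)


if __name__ == "__main__":
    ledger, problems = build_ledger(INVOICES)
    for group, figures in sorted(totals(ledger).items()):
        print(group, figures["kg_co2e"], figures["invoice_ids"])
    for invoice_id, reason in problems:
        print("EXCEPTION", invoice_id, reason)
```

Each disclosed total carries the invoice ids behind it, and lines that cannot be converted are reported as exceptions rather than estimated, which is the audit trail the paragraph above asks for.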

Organisations will face varying sustainability reporting challenges, but
I believe that many will struggle to turn large quantities of information
into traceable, auditable data. It’s easy to believe that disclosed data is
“correct”. However, if you don’t ask the right questions about where it
comes from and what it means, you might not get the full picture. The
internal auditor mindset should add rigour to such processes and challenge
“facts” to ensure that they are supported by robust evidence.

Many sustainability teams do not include former internal or external
auditors, and can lack experience of what makes data auditable. To remedy
this, sustainability teams could offer experienced internal auditors career
opportunities to gain team members who understand the importance of
internal controls and audit trails.

It’s worth remembering that we have been developing processes to account
for cash for hundreds (possibly thousands) of years. Now we need to reach a
similar level of rigour and accuracy for carbon in just two or three.

I personally foresee a day when all invoices will include the carbon cost
as well as the financial cost. Sustainability-based ERP systems will
automatically collect these figures and store them. Such carbon-ERP
systems will need to be global to cover the entire organisation. For many
years, finance teams have operated “No purchase order, no pay” policies.
One day, maybe we will have “No carbon data, no pay” policies. It would
make sustainability auditing much more straightforward.

Richard Brasher is Vice-President Sustainability at LKQ Corporation. The opinions in
this article are his own and not those of his employer.

Valued worldwide
John Chesshire explains why governments
and cross-border organisations value
Chartered IIA certification and internal
audit experience highly – and how this can
lead to a global career and opportunities to
make a real difference to governance and
peoples’ lives.

An internal audit certification, membership of the Chartered IIA and relevant
experience may lead to promotion within an organisation, which is great.
However, for those who want a different kind of career, it also provides
a valuable toolkit of skills that are desirable (and much-needed) worldwide –
and which can help to improve governance and, therefore, real lives in diverse
environments and countries.

In my career as an internal auditor, I am fortunate to have worked with many
different national Institutes of Internal Auditors, spoken at international
conferences and delivered internal audit training in Armenia, Bulgaria, Georgia,
Germany, Greece, Italy, Lithuania, Slovenia, the UAE, Ukraine and elsewhere. I got
a taste for travel early on in my internal audit career, with work trips to the United
States, and it’s been hugely interesting ever since. I’ve been to so many new
places, made lots of wonderful contacts and have helped governments and other
organisations to improve the way they do things through training delivery, advisory
work and capacity building.

Most of my engagements come from word-of-mouth recommendations, but I
originally got into doing this after training as an internal auditor with the then UK
government Civil Service College. I did well in my exams, so they invited me to
deliver training while my day job was also taking off. Around the same time, the
Chief Examiner of the Institute of Internal Auditors, UK and Ireland invited me to join
the examinations team.

My work at the Civil Service College (later
the National School of Government), led to
an interesting request to go to Northern Iraq
in the mid-2000s to train government
officials and civil servants in the Kurdish
Regional Government.

It was a culture shock – think Black Hawk
Down. The week after my first visit, a suicide
bomber detonated a device killing himself and
many Kurdish officials. It wasn’t the safest
time to be there. I went out with a fantastic
colleague every couple of months to deliver
one-week courses and on one occasion my
driver took a wrong turn and we nearly ended
up in the middle of the three-way conflict
taking place in downtown Mosul. Meanwhile, I
also began to deliver training and examination
revision courses for the then Institute of
Internal Auditors, UK and Ireland. Happy days.

Making connections

After a few years delivering training assignments in addition to my normal job,
contacts and clients began to approach me directly. The Ministry of Defence invited
me to deliver a programme of training after being approached by contacts in the
Georgian Ministry of Defence who wanted to upskill their internal audit team. The
Georgian internal auditors were keen to operate in line with international good
practice and I’ve been working with them ever since, sometimes in conjunction with
the MOD, sometimes with NATO, and sometimes with the OECD and the wider
Georgian public sector.

The work with the OECD has been particularly interesting. I’ve led on designing,
developing and implementing (with local experts) a National Internal Audit
Certification Programme for central and local government internal auditors in
Georgia, based on the global IIA Competency Framework. Many people there would
struggle to study for the CIA qualification in English, so we have designed and
implemented something that works locally. The first students sat the exams for the
first and second modules in November 2023. Results so far have been positive.

The UK government often contributes support globally in niche areas where we
have valued expertise – for example, in anti-fraud and anti-corruption measures,
internal audit and assurance – so internal audit skills are particularly relevant.

One thing often leads to another. After my first trip to
Georgia, colleagues in Ukraine asked me to deliver
a similar programme for the Ministry of Defence
internal audit service there. This was a much
larger commitment and also achieved real
progress and momentum over several
years, with some big successes. I was last
there in-person three weeks before Putin’s
invasion. I keep in regular contact with
my colleagues and friends there and I’ve
now embarked on a similar programme in
Armenia, which I hope to roll out further
this year.

Other jobs have arisen from my work leading
courses for the Chartered IIA. Several Institutes
of Internal Auditors across Europe and elsewhere
have invited me to run training sessions and to speak at their
conferences. I’m delivering a session at the annual conference of the Swedish
Institute of Internal Auditors this year, and I hope to add two or three more
countries as my global work expands.

Sharing experiences

It’s incredibly rewarding to help internal audit leaders in other regions to modernise
their teams in line with the IPPF (and its successor) and to move away from a
historical focus on inspection towards a more risk-based approach. Elements
of culture vary in different countries, but generally the problems and concerns
are the same as they are here. Often, it’s about helping teams to create a more
participative relationship with management in the first and second lines, and to
move towards adding value and improving, rather than blaming, or even punishing
wrongdoers. In the UK, we’ve been doing this for longer, so we have valuable
experience to pass on and this is hugely appreciated.

It’s also rewarding to help internal audit teams become more skilful at combating
fraud and corruption – and I’ve seen teams enjoy real successes here. There are lots
of good people doing good things, but in some places, they must deal with a long
tradition of corruption.

This means that internal audit skills are not only useful, but they are also warmly
received. I admire the courage of these internal auditors because tackling fraud and
corruption is dangerous – internal auditors have been killed for doing their jobs in
some countries. It’s a risk, but it’s also a sign that what they are doing is effective.

The new Global Internal Audit Standards include a Standard on courage and my
experiences have made me realise that this means very different things in different
places. It can have direct, personal consequences in many jurisdictions. People I’ve
worked with have spoken up despite being threatened and even fired for doing their
jobs too well.

Of course, delivering internal audit training overseas is not all glamorous travel
– I sometimes deliver live online courses for the Institute of Internal Auditors in
Australia, which means working from 2am-5am in UK time. It’s not much better
doing the same for clients in Malaysia and Singapore. When doing in-person work,
there is a lot of hanging around airports and delayed flights.

But the work is hugely varied. In addition to training, I’ve delivered many external
quality assessments overseas, worked directly with overseas government
ministers, met a president or two, and worked with a huge number of fantastic
internal audit and risk colleagues. Helping to develop the National Certification
Programme for a whole country is particularly exciting – you don’t get a chance to
do something like that very often.

John Chesshire leads Chartered IIA courses including Sanctions: It’s a World
of Pain Out There, People auditing: assurance over employee engagement, and
Environmental, Social and Governance. He also co-leads Geopolitical Risk and the
Role of the Internal Auditor. He is the owner of JC Audit Training Limited.

Tools for the job

Going underground
It’s time to look again at root cause analysis, says
James C Paterson.

If you have been following the development of the new Global Internal Audit
Standards, you may be aware of proposals to incorporate root cause analysis
(RCA). RCA is a vital tool for delivering insight and value and is invaluable for
developing a better thematic analysis of findings (another proposed new
requirement in The Standards).

I became familiar with various RCA techniques when I was Chief Audit Executive
of AstraZeneca, but in the dozen years since I started working on this topic with
others, I have seen a range of good and less good practices. I shared some of my
research in my most recent book on the subject, Beyond the Five Whys, at IIA
Global’s international conference in Amsterdam and believe these may interest
internal audit colleagues more widely.

Seek multiple causes

First, I should point out that, while the Five Whys technique is still commonly used
by internal audit teams, it implies there will be just one root cause for a problem.
This is rarely the case.

The Bowtie diagram (Diagram 1, below) demonstrates why seeking a single root
cause is a problem. Threats and risks can result in incidents or near misses (risk
exposures) which can, in turn, result in consequences of different magnitudes. We
use detective and preventative controls to stop incidents (risk exposures) arising,
and then recovery controls to reduce the severity of the impacts if these fail.

[Diagram 1: Bowtie diagram (illustrative). Labels: Before; After; Objective; Threats; Detection; Prevention; Incident or close call; Recovery; Adverse consequences / impact.]

So, if something goes wrong, or a risk is out of tolerance, at least one preventative
and one detective control has let us down (and possibly the recovery measures
as well).

Typically, a range of prevent and detect controls are necessary, so a minimum
viable technique for RCA is the Five Whys Two Legs, or the Three-way Five Whys
(see Diagram 2).

[Diagram 2: Five Whys Two Legs, or the Three-way Five Whys. Labels: Facts & Circumstances; Immediate cause(s); Contributing cause(s); Root cause(s); Acting to Prevent; Acting to Detect; Acting to Recover etc.]

Some audit teams may find it hard to stop seeking a single cause for an audit
observation, but sometimes we must take a step back from a simplistic approach,
to take two steps forward.

Consider cause types

Further problems with RCA stem from a failure to recognise the differences
between cause types. There are immediate causes (a spark), plus contributing
causes (dry tinder on a forest floor), and then there are root causes (a range
of other things that reduce or increase the chances of a forest fire). Root
causes are the underlying reasons why problems arise. Understanding root causes
helps us to address classes of problems rather than single problems or faults.

Thus, a person who makes a mistake – or who deliberately causes harm – is not a
root cause. If we find fraud or bribery and punish the perpetrator, we still need to
ask: “Were the anti-fraud or anti-corruption arrangements adequate? Were there
shortcomings in risk assessments, processes, systems, etc, that explain why the
fraud or corrupt act was possible?” It’s not about one person’s behaviour.

Think about the whole system

It is also about systems thinking – stepping back to see the bigger picture of
connections and dependencies. When we find a fraud, or corruption, punishing the
person should not end the story. The deeper question is “What in our organisation
as a system (processes, policies, etc) made this possible?”

When you think this way, you start to question whether the organisation is serious
about addressing certain risks properly. This may extend to questioning the clarity
of roles and accountabilities, the maturity of certain processes (and the resources
invested in making them work) and the way incentives and deterrents work. There
are eight main causal factors that can explain many problems we might see,
although which of these applies in a specific situation depends on the facts and
circumstances of the case.

It’s also important to watch for repeating problems – for example, out-of-date
access rights or projects running into difficulty – which invariably indicate systemic
problems. If you recognise that “every system is set up to get the issues it currently
gets”, you will see how issues are recurring because underlying causal factors have
not been addressed or resolved.

Additional points

• Using a technique such as the fishbone diagram for RCA can help the audit
team to cluster the reasons for problems into common categories, which can
then aid thematic analysis. Remember, however, that the common categories of
“people, process and systems” do not explain why something happened. Similarly,
identifying “culture” or “tone from the top” as a root cause does not explain why
the culture or tone at the top is failing.

• Effective RCA in internal audit starts at the beginning of assignments, not at the
end. Sometimes root causes for problems lie between departments or across a
process. If you scope an assignment without thinking about possible root causes,
you may find an important cause is beyond the scope of what you planned to do. In
these circumstances you might need to extend an assignment mid-way to draw out
the causes, which can cause delays and frustration.

• It is not true that RCA will inevitably extend internal audit assignments. Indeed,
it can be a valuable tool to help you zoom in on critical causal factors during the
execution of work programmes and speed up assignments. By the time you finish a
well-designed work programme, you should already know most of the key causes.

• RCA helps to produce better audit reports, because it can enable you to combine
observations (which may be symptoms) that highlight issues and relevant actions
at the level of more significant (and insightful) underlying problems.

• Because actions to address root causes may be more substantial than quick
fixes, the internal audit team should, obviously, consider the cost/benefit of what
they are proposing management should do. Consequently, it is essential to pay
attention to the potential impact of risk control shortcomings, not just to the
current impact of what has been found. (See Diagram 3.)

[Diagram 3: Seeing root causes in context when proposing actions. Labels: Observation(s) (condition); Criteria; Gap(s); Cause(s); Root cause(s); Current consequences; Potential consequences; Recommendation(s) (best discussed); Observation-based recommendation; Root cause-based recommendation; Agreed actions; Corrective action(s); Root cause-based remedial action(s); Priorities / owner(s) / milestones; Opinion / rating.]

Lastly, being good at RCA has benefits beyond internal audit assignments. It can
help an internal audit team to think critically about current challenges. For example,
if we look at issues such as repeated problems getting management to implement
audit actions fully and sustainably, we might find that the problems stem from
shortcomings in how actions were agreed, a failure to set interim milestones, or a
lack of clarity about verification requirements to demonstrate that a risk is now “in
control”. Put simply, RCA is a general purpose tool to help an internal audit team
think more carefully about the challenges it encounters.

Lastly, being good at RCA also helps us to understand better some of the cultural
aspects of organisations and it is worth noting that recent research by the
Chartered IIA identified that nearly 50% of internal audit teams use RCA as a tool
for understanding organisational culture. This is another reason why it’s timely that
IIA Global is giving this important technique a new prominence.

James C Paterson is Director at Risk & Assurance Insights Ltd. He is the course
tutor on the Chartered IIA’s course on Root Cause Analysis (the next one takes
place on 6 February). He is the author of “Lean Auditing” and “Beyond the Five
Whys. Root Cause Analysis and Systems thinking,” published by Wiley.

Training insights

What will you learn this year?


Pondering the challenges you and your team will
face in 2024? Then it’s time to think about skills
and training.

January is the time to make new year’s resolutions and to look back at the
past year – and ahead to the new one. Many people take the time to
consider their own careers and the skills they think they will need to
progress to the next step. Chief audit executives (CAEs) may also be doing the
same for their teams.

Given the challenges in the global geopolitical and economic environment, internal
auditors need all the skills at their disposal to keep on top of both current and
emerging risks, provide meaningful assurance to the board and audit committee
and embark on new forms of audit work and advisory support. So there has never been a
better time to think about the skills you currently lack, or areas where you may need
some inspiration.

The Chartered IIA offers a wide range of courses. At one end, there is training that
covers the basics for those new to the profession or those working in allied roles in,
for example, the second line, who need to understand key internal audit processes.
These can provide the fundamental skills and understanding that help to get new
trainees started, or enable teams elsewhere in the business to work better with their
internal audit colleagues. CAEs could benefit by suggesting that other managers
consider sending their staff on these.

At the other extreme, there are courses for those who already have internal audit
qualifications and experience, but who are embarking on audit work in unfamiliar
areas – such as geopolitical risk, people risk, sustainability or culture – and would like
some ideas and background knowledge before they start.

The Chartered IIA’s courses also offer flexibility to suit
different needs. Smaller teams or individuals can book
on scheduled live virtual courses, where they will join
people from other organisations. They may make new
contacts and are likely to find out more about the way
other organisations structure their teams and run their
audits. This makes the discussions wide-ranging and
varied. No two sessions, even on the same subject, will
be the same.

For those seeking guidance on specific topics in bite-sized chunks and at their own
pace, there are also online training courses. These cover a huge range of subjects,
from ethics and ethical dilemmas to interpreting financial reports, recognising
unconscious bias, quality in internal audit and fraud risk. The material remains
accessible for 90 days from purchase, so you can access it when it suits you best and
you gain continuing professional education (CPE) points when you complete it.

CAEs wanting to educate a whole team in a particular topic or get conversations
flowing about issues specific to their own organisation may prefer to opt for in-house
training. This type of course can help to bond existing teams, and tutors will work
with the manager in advance to ensure that the course is tailored to suit their needs
and to explore the real challenges they are facing so they come away with practical
support that is directly applicable in their organisation.

All live courses are taught by skilled and experienced trainers, who encourage debate
and interaction. Participants often come away with new contacts (the trainer or
fellow attendees) who can offer useful insights and support when they come to put
their learning into practice.

Case study: in-house training at Cordaid International

When Frans Van Midde joined emergency relief organisation Cordaid
International, he was the only internal auditor and had a limited budget.
So, rather than hiring a single trainee, he came up with the idea of
creating a pool of internal auditors who work full-time in other parts of the
organisation, but are given time to undertake internal audit training and to
participate in specific audit projects around the world when necessary.
“I asked colleagues if they would like to join internal audit as part of this pool
and I was flooded with applicants,” Van Midde recalls. “I chose seven and
I saw this as a win-win situation. They would get a comprehensive view of
the whole organisation and learn new skills, while I got a team of internal
auditors who already had specialist knowledge of specific areas and would
carry their knowledge of good internal auditing back to their functions.”
His first task was to ensure that his new pool understood basic internal
auditing techniques and skills, so he booked them all on the Chartered IIA’s
Introduction to Professional Internal Auditing course. He chose in-house
training because of the numbers and because the team needed to get to
know each other.
He also had specific requirements that he discussed in advance with
the trainer.
The following year, he followed this up with a further in-house course on The
Basics That Matter and last year they completed “Auditing Projects, Project
Management and Project Risk”.
“The people in the pool are across the globe, so they got to know each other
and became a real team during the training,” Van Midde explains. “They
found the first course quite hard, because they had to learn a new way of
thinking and understand the organisation beyond their own department.
However, this course inspired them and made them want to know more.”
Another area they found challenging was interviewing skills. Many initially
expected their role to be more confrontational, and discussions with
trainers helped them to recognise the value of working constructively with
auditees and to try out different approaches. Van Midde attends all the
training sessions with the team and then reviews what they have learned
afterwards with them, before finding ways for them to put their learning into
practice on a real engagement.
“I’ve found that the courses help to make people interested and want
to learn more. They then take what they’ve learned back into their own
departments, which makes the relationship richer,” Van Midde explains.
“We do one group training session each year and they’ve started
discussing things more and asking more questions as they’ve developed
understanding and got to know each other.”
He found the pre-course preparation particularly valuable, because he was
able to provide real documents so the team could learn using the forms
and documentation they would use in practice. The training also sparks
interesting discussions that they continue afterwards in the office.
“The most important part for me is the interaction between the trainer
and trainees,” Van Midde adds. “The discussions are essential – you need
knowledge, but it has to come alive.”

For a full list of Chartered IIA training courses, access the training brochure.


Q&A You asked us



Our technical helpline provides valuable
advice to members on a host of
professional issues.
Here are some of the questions
you’ve recently asked.

Q: As part of my personal development, I will be starting to
lead audits. Until now I’ve always been a support resource
and I’m feeling a bit daunted. Is there any guidance that could
help me?

A: First, congratulations on progressing your career. The responsibilities of leading
an internal audit vary in different internal audit functions. Our guidance covers a
variety of skills so you can pick those most appropriate for your needs.

Under the Resources tab on our website you will find sections for technical
skills, interpersonal skills and leadership. Within “technical”, for example, there is
guidance to help at each stage of the audit process, so, for instance, you can find
help with scoping if that is new to you. Within “interpersonal”, you will find tips to
help with difficult conversations and coaching – areas that you will find yourself
doing with team members.

Q: I am thinking about studying for a formal internal audit qualification, but I’m
not sure which one to do now that the Standards are changing. Can you help?

A: The Professional Standards are changing from the IPPF (International
Professional Practices Framework) to the new Global Internal Audit Standards,
but this should not stop you pursuing an internal audit certification. There will be
a clear transition path for students and we will keep things as simple as possible.
Take a look at our Career Pathway and talk to [email protected] for
more information.

Q: We are introducing assurance mapping and would welcome advice. One of
the areas that is challenging us is what assurance should go to the board? In
principle, is it appropriate for the first line to report directly, or should their
assurance only be to the second line?

A: An assurance map is a tool that can add real value to the board. You raise
a common challenge as the process of documenting assurance can reveal
duplication, gaps and also sources of information that were previously unknown.

Helping the board to decide which assurance to receive directly is an important
part of the process. The design of the assurance map should help to identify
which assurance is key to the risks, regardless of its source. It may take a while to
achieve your goal of providing consistent and meaningful information for decision-
making. At the outset, it may be useful to report through the second line and then,
as maturity develops, the first line may be able to report directly, for example, via
integrated dashboards. We have produced a simple blog outlining five steps to
creating an assurance map and IIA Global has produced more in-depth guidance.

Q: Is there any guidance on performing change assurance? I am looking for a
framework to use to provide a consistent approach.

A: Internal auditors fulfil their assurance and advisory role in a variety of ways for
projects/change programmes. These may include:

• validating business cases as projects begin;
• determining whether projects are “set up for success”;
• looking at whether project risk management and action tracking is effective;
• looking at the effectiveness of project/programme management teams;
• looking at project cost management;
• examining the design of new processes;
• being involved in user acceptance testing;
• doing due diligence ahead of “go live” decisions;
• validating benefits calculations;
• advising on steering groups;
• facilitating “lessons learned” workshops.

The Chartered IIA has published several pieces of guidance on this topic. The
relevance of these will depend on the scope of your work.

In terms of a framework, the Association for Project Management has published a
toolkit you may find useful. You could also benefit from studying the Government
Service Standard, which offers a practical guide.

Got a question? Contact the Chartered IIA technical helpline on 0845 883 4739
or email [email protected]


Key events, courses, forums & networking



Our extensive volunteer network provides local support to members
across the UK and Ireland. Each region, sector and community
organises a programme of events to help members network and stay
up to date with developments at the Chartered IIA.

January

• 16: Leading in uncertain times (Online event)
• 18: Environmental, social & governance (Live virtual course)
• 23: IT Auditing – basecamp (Live virtual course)
• 24: Wales Conference, Cardiff (Key event)
• 24: Sanctions: It’s a world of pain out there (Live virtual course)
• 24: Geopolitical risk and the role of the internal auditor (Live virtual course)
• 26: People auditing: assurance over employee engagement (Live virtual course)
• 31: What is internal assurance on a resilience statement and how does the new legislation affect you? (Online event with Ideagen)

February

• 6: Transforming audit to combat financial services’ heightened risk exposure (Online event with Auditboard)
• 8: Data analytics for auditors (Live virtual course)
• 8: Inclusive recruitment in internal audit (Race and Ethnicity network online event)
• 9: Successful influencing and political savvy strategies (Live virtual course)
• 20: Auditing cash flow management (Live virtual course)
• 22: The evolution of user access reviews and certification: optional no more and why they matter (Online event with Fastpath)
• 26: Auditing the treasury function (Live virtual course)
• 29: Retail Audit Forum, Birmingham

March

• 7: Providing confidence in digital trust (Midlands Committee and ISACA UK Central Chapter), Birmingham
• 8: Women in tech (Women in Internal Audit event), London

May

• 2: Ireland Conference, Dublin (Key event)

June

• 20: Audit & Risk Awards, London (Key event)

October

• 1-2: Internal Audit Conference, Online and London (Key event)

Browse and book our full programme of events.
View our forum sessions and read key takeaways from past debates.
See the complete list of training courses and make course bookings.
