Raising the bar New developments in corporate governance - Chartered Institute of Internal Auditors

Page created by Allan Schultz
 
Issue 46 March/April 2019

The magazine of the Chartered Institute of Internal Auditors

Raising the bar
New developments in corporate governance
Plus: project management risk; mental health at work
Contents

Alun Milford, general counsel at the Serious Fraud Office, will address heads of internal audit at this month’s IIA Leaders’ Conference. On page 30 he explains what internal audit needs to know about SFO investigations.

Front

3 The institute view
From the chief executive, Ian Peters.

5 World view
From Richard F Chambers, IIA Global president.

6 View from the top
From Margaret Stephens, chair of the audit committee, Department for Exiting the European Union (DExEU).

8 Update
The latest news affecting the profession.

10 Reportage
Key findings from the Cambridge Global Risk Index 2019.

Features

12 Audit & Risk Awards 2018
The winners of the 2018 A&R Awards and what the judges said about them.

22 Raising the bar
What do the Wates Principles and the Kingman Report tell us about the future of corporate governance?

28 Grey matters
How companies are improving the way they deal with mental health.

32 Solid foundations?
Too many projects still fail – what can internal audit do to keep them on track?

Member matters

36 Q&A
Your questions answered.

39 Student noticeboard
Essential information for exam candidates.

40 Training & professional development
The courses and information you need to hone your skills.

42 Events
What’s on across the UK.

Published for the Chartered Institute of Internal Auditors

Editor
Ruth Prickett
ruth.prickett@iia.org.uk
07766 280 221

Chartered Institute of Internal Auditors
info@iia.org.uk
www.iia.org.uk
020 7498 0101

Subscriptions
membership@iia.org.uk
020 7498 0101

Creative director
Nick Dixon

Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited.

ISSN 2048-8408
We post more news and articles online every week.
To access these, visit www.auditandrisk.org.uk
View from the institute

Power source strengthening internal audit
“The success of any internal audit function relies upon having an
excellent relationship and strong partnership with the audit
committee, non-executive directors and senior management.”
Ian Peters, chief executive of the Chartered IIA.

If recent corporate failures have taught us anything, it is that getting corporate governance right is fundamental to the long-term success and sustainability of organisations. That is true in the case of Carillion, of BHS before it and, more recently, of Patisserie Valerie. The failures of all these companies revealed serious corporate governance deficiencies.

The presence of a strong internal audit function can play a pivotal role in ensuring organisations have a robust corporate governance framework. But as readers of this column will know all too well, the success of any internal audit function relies upon having an excellent relationship and strong partnership with the audit committee, non-executive directors and senior management.

That is why at the institute we are committed to doing all we can to support internal auditors in fostering strong working relationships with their audit committees, along with executive and non-executive directors. Engaging audit committee chairs and helping them to better understand how they can get the most from their internal audit functions and strengthen their corporate governance is therefore now a top priority for us.

One means by which we hope to increase our engagement with audit committee chairs is our new series of Presidents’ Dinners. The first of these was held in December in Westminster and was attended by audit committee chairs from FTSE 100 companies. The next is scheduled to take place at the end of March. While over the road in Parliament our MPs continued to have heated discussions about Brexit, we instead had a great roundtable discussion on the future role of internal audit in promoting good corporate governance. One of the main messages from the audit committee chairs who attended was that what they would value most highly is guidance on best practice, along with resources to help them get the most out of their internal audit functions.

We see it as vital to promote internal audit best practice, not just among those in the profession, but also among business leaders such as the ones who attended the Presidents’ Dinner in December. We are therefore delighted that, in partnership with the Institute of Directors, we have launched a new guide on how boards and audit committees can optimise their relationship with internal audit: “Harnessing the power of internal audit: a guide for audit committees, non-executive directors and senior management”.

This provides food for thought and guidance on how directors can enhance the role of their internal audit function in order to strengthen their corporate governance framework and mitigate the risk of corporate failures. It takes into account recent corporate governance upgrades, including the new UK Corporate Governance Code which came into effect on 1 January 2019.

It also takes into account the fact that in recent years the scope of internal audit has continued to change, expand and develop rapidly – with far greater focus on auditing a broader range of risks such as cyber security, workplace culture, political uncertainty and communications risk – all of which featured prominently in “Risk in Focus 2019”.

In particular, audit committees and senior management need to recognise that the days when internal audit functions merely audited bread-and-butter risk areas such as financial controls, compliance and governance are long gone. Modern internal audit functions can play a far greater role in providing assurance on a plethora of new and emerging risks – indeed it is vital that they do so if the potential of internal audit is to be maximised.

I urge you to read “Harnessing the power of internal audit”, which is now available on the institute’s website. Then share it with your audit committee and senior management.

“Harnessing the power of internal audit: A guide for audit committees, non-executive directors and senior management” is available at iia.org.uk/HPIA

HAVE YOUR SAY
Post your comments about this article or any of the issues raised at auditandrisk.org.uk
View from IIA Global

Be prepared mastering the art of conflict
“Handled poorly, even a minor conflict can escalate into a fight, and
nobody wins when auditors battle with their clients.”
Richard F Chambers, president and CEO of IIA Global.

For most internal auditors, the odds are high that there will be a disagreement with management. This can be a career-defining moment: when disagreements are handled well, auditors often bring about positive change and enhance their reputations as trusted advisers. But, handled poorly, even a minor conflict can escalate into a fight, and nobody wins when auditors battle with their clients.

At the best of times, it takes courage to disagree with senior executives, but audit disagreements can be particularly challenging. Even before the discussion begins, audit clients often feel threatened or defensive. It’s a situation that demands considerable sensitivity.

Fortunately, there are several effective ways to keep client meetings on track even amid conflict. The following tips can help to ensure that audit disagreements are handled smoothly and that clients see the internal auditor as a valued partner.

• Keep it cordial.
We don’t always have to be in agreement to respect each other. In fact, it’s when we disagree that we particularly need to show that we respect our clients. We all tend to accept advice more readily when it comes from people we know and trust, and who we believe genuinely understand us. It’s never appropriate to show anger or shout during a client meeting, so keep your emotions in check and choose tact over temper.

• Seek common ground.
Even when we disagree with our clients, there is always something we can agree on. Perhaps a portion of an existing process is already working quite well, for example. Let your client know when you agree, and you will be one step closer to solving disagreements on other issues. Often, it can help if you identify points of agreement in advance, while preparing for your client meeting. After all, your goal should be to have your recommendations accepted, not to prove your client wrong.

• Ask questions.
Asking informed, intelligent questions is a great way to demonstrate that you’re aiming for a collaborative discussion, not a conflict. It shows that you want your client to share their thoughts and feelings with you. Questions can clarify divergent viewpoints, and they can help your client to take “ownership” of your suggestions.

• Do your homework.
If you know you need to discuss a controversial issue with management, be prepared to support your case with clear, compelling data and examples. If you are suggesting a change that has been implemented elsewhere in the organisation, be sure you know how well it’s working. Numbers can speak louder than words, and if other organisations have made similar changes, benchmarking might make your case more convincing. Bottom line: have all the facts before the client meeting.

• Keep an open mind.
If you’ve never changed your mind during client meetings, you probably weren’t listening objectively. Keep in mind that your clients probably have more familiarity with their processes than you do. The best solution might be the one you proposed, or it might be one proposed by the client. But, in many cases, an even better solution might be identified during an objective and collaborative discussion of alternatives.

• Accentuate the positive.
Enthusiasm matters, and it’s important to maintain a positive tone if you want to sell your ideas. Try to make it clear that your suggestions are intended to achieve what your client wants.

• Don’t go it alone.
If you know a client meeting is likely to be contentious, talk the issue over with your supervisor or team. This is particularly important for new auditors. Too many of us hesitate to bring up disagreements with management until a problem has escalated, but if you talk about potential problems, they can help you to deal with the problem before it grows.

Disagreeing with senior management is never easy. It requires us to plan our actions, watch our words and maintain emotional control. Some auditors might be tempted to avoid conflicts. But if we automatically agree with management, much of the value of internal audit’s independent viewpoint is lost. To become trusted advisers, we need to recognise when it’s important to disagree and how to do it in a strategic way. We must also strive to master the gentle art of disagreeing without being disagreeable.

For further information
Richard F Chambers writes a blog at iaonline.theiia.org/Richard-Chambers and tweets at twitter.com/rfchambers. His book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors, is available at theiia.org/bookstore
View from the top

Support stability amid rapid change
"Civil servants are used to getting on with the job despite external pressures, but this has been unique in its complexity and the nature of its challenges."
Margaret Stephens, chair of the audit committee, Department for Exiting the European Union.

The Department for Exiting the European Union (DExEU) was created two years ago with a specific purpose to oversee negotiations to leave the European Union and establish the future relationship between the UK and the EU. It is a fairly small department, with under 800 staff, but it operates in an environment that is constantly changing.

I came on board in April 2017 when the Audit and Risk Assurance Committee was set up and made a part of the existing formal governance structures. As chair, I had to help establish the tone. From the start we knew it was important that there was open and constructive dialogue in the committee. I believe we have achieved this and that the committee is a place where people can raise their concerns frankly in a collaborative atmosphere. It really feels as if we are all working to the same ends.

The main purpose of the audit committee is to advise the permanent secretary, Philip Rycroft, that the assurance he receives is proper, complete and appropriate. He can then be confident when he answers Parliamentary questions about whether the department has the resources and the capabilities to do its job – to ensure that the UK leaves the EU in the best possible way. In most organisations this assurance would consider the risks surrounding long-term projects and plans, but we've had to be more flexible. We have to provide assurance on the department's ability to adapt and respond to rapidly changing requirements and to meet any of the scenarios that might arise.

The department’s internal audit services are provided by the Government Internal Audit Agency (GIAA), with whom I work closely. Internal audit provides assurance on "business as usual" internal controls and governance in an environment of constant change and extraordinary challenges. The rapid changes happening around us make internal audit's work on "routine" systems and processes particularly important, and it is much appreciated by busy managers who need the confidence and stability these offer. However, the nature of the environment also means that recommendations must be pragmatic, recognising the limited lifespan of the department, where significant investment in, for example, bespoke or new systems or accommodation would not be appropriate or practical.

Given this context, internal audit has provided more of an advisory role than one may normally expect to see in an internal audit plan and has had to be more fleet of foot than in other government departments. The internal audit plan is under constant review by the audit committee to ensure that it remains responsive and relevant. Working with DExEU has given the internal audit team experiences that are proving valuable to support GIAA colleagues working with other departments affected by Brexit. These experiences and experiments with more responsive, flexible ways of working are likely to become increasingly important in more places after Brexit happens. There were already many initiatives to join up internal audit services and share insight across government – thank goodness – but Brexit has accelerated the need for these.

One of the main risks DExEU faces is its people. We have a fluid workforce and the structure of teams is regularly put under review to ensure that the department has the right capability in the right places. We have often needed different skills and capacity at various points in the past two years. This creates risks around information and physical security controls, induction and HR, and finance. The department also receives a large number of freedom of information requests and Parliamentary questions.

One thing that this role has taught me is never to worry about taking on ambitious projects – help will come when you need it. Who would have thought that it would be possible to produce all the documents and legislation that DExEU has in such a short time? It's incredible that such a small number of people could have produced so much of such high quality. Civil servants are used to getting on with the job despite external pressures, but this has been unique in its complexity and the nature of its challenges and the DExEU team has achieved this thoughtfully, openly and positively. I'm proud to have worked with them.

Margaret Stephens is chair of the audit committee at DExEU. She was formerly a partner at KPMG. For more on DExEU visit gov.uk/government/organisations/department-for-exiting-the-european-union
Additional news, features and views are posted online all the time. Go to auditandrisk.org.uk to see what’s new.

UPDATE
We round up the latest business and regulatory news to affect the internal audit profession

AI and the future of corporate reporting

The Financial Reporting Council’s (FRC’s) research arm has published the latest in its series of reports looking at how technology might affect the production, distribution and consumption of corporate reporting.

The report, “Artificial intelligence – how does it measure up?”, explains what AI is, where its use might make sense in corporate reporting and explores some of the possible and current uses for the technology.

To read the report visit bit.ly/FRCAI

Three papers on risk analysis

The Society for Risk Analysis (SRA) has published three documents aimed at advancing the science of risk

Extended ERM set to be key priority for 2019

A recent survey by professional services firm Deloitte has shown that organisations are concerned about several extended enterprise risks, including supply chain, financial, regulatory, legal and strategic. The need for organisations to manage these areas centrally means that many are likely to make extended enterprise risk management (EERM) a priority in 2019.

In addition, nearly half (47 per cent) of respondents said that their organisations had experienced some sort of risk incident involving the use of external entities in the past three years.

The poll, “Re-establishing the perimeter: extending the risk management ecosystem”, can be found at bit.ly/enterpriserisk

Accenture puts cost of global cyber crime at US$5.2trn

Companies globally could incur US$5.2trn in additional costs and lost revenue over the next five years because of cyber attacks, according to a report by consultancy Accenture.

Based on a survey of more than 1,700 CEOs and other C-suite executives around the world, the

own. With heightened concerns about internet security, more than half (56 per cent) of executives would welcome stricter business regulations imposed by a central organisation or governing body.

The rapid emergence of new technologies is creating additional challenges. Four in five

CFOs in spotlight over natural disaster losses

A failure to prepare for natural hazards is leaving chief finance officers (CFOs) in the hot seat when it comes to financial losses caused by natural disasters, according to commercial property insurer FM Global.

In its latest white paper, “Master the disaster – why CFOs must initiate natural catastrophe preparedness in 2019 and beyond”, the insurer said that institutional investors want enhanced reporting of natural disaster risks. It warned that, if the CFO doesn’t take the lead in investing in reducing exposure to natural hazards, stakeholders will hold them accountable for not properly addressing the risks. The white paper also includes the viewpoints of other business risk analysts who say that the responsibilities of the CFO will increase because of concerns about climate change risk and disclosure.

Read the paper at bit.ly/FMglobalnaturalhazards

Executives urged to prioritise large risks and align relevant personnel

Company executives are not adequately identifying and preparing for risks that can have potentially

not placing sufficient emphasis on risks that can lead to large-scale incidents. Instead, they are

among personnel in managing risk.

For example, a quarter of surveyed executives felt

BSI’s three key cyber security trends for 2019

UK standard setter BSI has forecast three key emerging trends that it believes will dominate cyber security in 2019.

The first is e-privacy regulation and international standards. As organisations continue to grapple with implementing the GDPR, a new EU regulation will set additional rules to protect privacy and confidentiality in electronic communications.

The ePrivacy Regulation will repeal the current ePrivacy Directive and is expected to come into force late this year. The regulation aims to guarantee the rights laid down in Article 7 of the Charter of Fundamental Rights of the EU, which guarantees the right to a private life and private communications.
    analysis. These                                 report, “Securing the digital          respondents admitted that their organisation is            catastrophic implications        looking at the rate at which    that front-line personnel          The second trend is an upsurge in
    cover the core                                 economy: reinventing the internet for   adopting new and emerging technologies faster              on business operations,          low-level risks are dealt       are not aligned on top risks   malware. In particular, BSI identifies Linux
    subjects and key                              trust”, says that the high-tech sector   than they can address related cyber-security issues,       according to the annual          with, which is leading to a     facing the company. More       and MacOS, once considered to be more
    principles of risk                        faces the highest risk, with more than       with three-quarters noting that cyber-security issues      global survey of company         false sense of security.        than half (55 per cent) do     robust operating systems than their
    analysis and provide a                US$753bn hanging in the balance. Next at         have escaped their control because of new                  executives by consultancy            The researchers also        not feel that their senior     competitors, as another growth area for
    glossary of risk-related      risk are the life sciences and automotive industries,    technologies such as the internet of things (IoT)          DuPont Sustainable               found that executives are       executives are fully aligned   cybercrime in 2019.
    terminology to support        with US$642bn and US$505bn at risk, respectively.        and the industrial internet of things (IIoT). A majority   Solutions (DSS).                 addressing gaps in risk         about the top risks facing         Last, it warned that critical
    research and practices for        The report also found that three-quarters of         (80 per cent) also said that protecting their                 The findings of the DSS       management processes by         the organisation.              infrastructures are also likely to be
    all types of applications.    respondents believe addressing cyber security            companies from weaknesses in third parties is              2018 global operations risk      adding more processes,          Find out more at               subjected to more disruptive and offensive
    Read the documents at         challenges will require an organised group effort, as    increasingly difficult.                                    management survey                and that boards feel that       bit.ly/dupontsustainable       cyber attacks this year.
    bit.ly/SRApapers              no single organisation can solve the challenge on its    Read the report at bit.ly/accenturecyberrisk               showed that executives are       there is a “disconnect”         solutions                      Read more at bit.ly/BSIcybertrends
REPORTAGE
Cambridge Global Risk Index 2019: The Cambridge Centre for Risk Studies’ 2019 Global Risk Index quantifies the impact of future shocks to the world’s economy, represented by the most prominent cities – which together account for 41 per cent of global GDP. The index quantifies the risk to economic output from 22 types of threats, providing risk estimates as a standardised metric for 279 cities. Highlights in the 2019 update include the continued rise of cyber attacks, the likelihood of continued commodity price volatility and sustained levels of high risk from geopolitical events and financial crises. The resulting overall “GDP@Risk” cost for 2019 is $577bn or 1.57 per cent of the 2019 GDP. This is an increase of 5.59 per cent from last year’s index. The 2019 update shows a uniform rise in GDP@Risk across all the 279 world cities that make up the index and more significant increases in risk for some urban centres.

Top three classes of threats by size of potential impact
1 Natural catastrophes: GDP@Risk of $174bn
2 Financial, economic and trade: GDP@Risk of $149bn
3 Geopolitics and security: GDP@Risk $140bn

The top 15 threats
1 Market crash             $108.7bn
2 Interstate conflict      $83.3bn
3 Tropical windstorm       $65.6bn
4 Human pandemic           $49.9bn
5 Flood                    $46.5bn
6 Cyber attack             $39.7bn
7 Civil conflict           $39.2bn
8 Earthquake               $35bn
9 Commodity price shock    $22.4bn
10 Sovereign default       $18.2bn
11 Terrorism               $10.6bn
12 Drought                 $9.3bn
13 Plant epidemic          $8.4bn
14 Power outage            $7.8bn

Top ten cities by GDP@Risk and threat
City              GDP@Risk    Top threat
1 Tokyo           $26.01bn    Interstate conflict
2 New York        $15.69bn    Market crash
3 Manila          $13.87bn    Tropical windstorm
4 Istanbul        $13.35bn    Market crash
5 Taipei          $13.01bn    Tropical windstorm
6 Osaka           $12.29bn    Interstate conflict
7 Los Angeles     $11.68bn    Earthquake
8 Baghdad         $9.88bn     Interstate conflict
9 London          $9.15bn     Market crash
10 Shanghai       $9.05bn     Tropical windstorm

The position of cities on the risk list indicates a large annual GDP output (hence the potential, even if unlikely, for major losses), and exposure to particular shocks associated with the geography and type of economy of each city. The GDP@Risk is mediated by each city’s ability to limit the impact (or to protect itself against shocks) as well as its ability to recover from them.

Cities ranked by % GDP change since 2018-19
Top 5                   Bottom 5
1 Tripoli, Libya        1 Caracas, Venezuela
2 Bangalore, India      2 Maracay, Venezuela
3 Hyderabad, India      3 Maracaibo, Venezuela
4 Surat, India          4 Buenos Aires, Argentina
5 Chennai, India        5 Konya, Turkey

Financial stability
Global financial stability is improving because of higher capital requirements under Basel III, but risk appetite has also increased because of a positive global growth outlook coupled with a low interest rate environment. Financial vulnerabilities continue to accumulate owing to low interest rates and volatility. Leverage in the non-financial sector has risen in major economies. Canada, China, Sweden and Ireland have credit of more than double their GDP.

Solar storms and power outages
August and September 2018 were particularly active months for geomagnetic storms following increased activity on the sun. The solar cycle is exiting a solar minimum and we are likely to see an increase in the number of sunspots and consequently a higher risk of solar storms within the next three years.

Cyber attacks
The cyber threat continues to develop at a rapid pace. Cyber attack loss severities are increasing with several recent attacks showing the potential for systemic impacts with global reach… The SWIFT banking system remains vulnerable to hacks, with $13+ million stolen in May and again in August.

Health and humanity
A challenge in the health and humanity outlook is the effect of anti-microbial resistance (AMR)… AMR is a serious threat in all parts of the world, including the developed parts with otherwise strong healthcare systems. Anti-microbial infections kill 55,000 people each year in Europe and the US, with global deaths estimated to be 700,000. According to the Review on Antimicrobial Resistance, 300 million people are expected to die prematurely because of drug resistance over the next 35 years and the world’s GDP will be 2 per cent to 3.5 per cent lower than it otherwise would be in 2050.

Natural catastrophes
Natural catastrophe risks together inflict the most damage to the global economy, with tropical windstorms (3rd), floods (5th) and earthquakes (8th) as the most financially damaging types. The increase year-over-year is mostly owing to the growth in GDP of the cities exposed to natural catastrophes… Natural catastrophe risk makes up 40 per cent of the total loss [for 2019] with man-made risks accounting for the remaining 60 per cent.

Climate
Extreme heatwaves affected much of the northern hemisphere during the 2018 summer. In the UK, the Met Office declared it the joint hottest year on record together with 1976, 2003 and 2006. This event has drawn comparison to the European heatwave of 2002, which resulted in over 70,000 deaths across the continent. Japan also saw an unprecedented heatwave, with 35,000 people hospitalised following record temperatures of 41°C. Karachi, Pakistan, saw temperatures soar to 45°C in April. If temperatures continue to rise, parts of South Asia may become uninhabitable by the end of the 21st century.

The Global Risk Index 2019 is compiled by the Cambridge Centre for Risk Studies, The University of Cambridge Judge Business School.
Visit Bit.ly/Cambridgeriskindex2019 for details
Sponsored by

Audit & Risk Awards 2018

And the winners are...

The Audit & Risk 2018 Awards winners were announced and celebrated at an event hosted by PwC in London on 5 December. The awards were presented by Paul Manning, president of the Chartered IIA.

Opposite page middle and below: Lloyds Banking Group won Best Use of Technology; AIB’s Gareth Cronin won Inspirational Leader
This page clockwise from top left: John Lewis Partnership won Outstanding Team Private Sector; Daniella Cohen from RSM UK was the Best Newcomer; AuditOne was highly commended for Best Use of Technology; Quilter Plc won Outstanding Team Financial Services Sector; the venue; Howdens won Best Innovation in Training and Development
“Through the Audit & Risk Awards, the institute is seeking to recognise the best and celebrate excellence throughout the profession. It is a key priority for us to grow a greater sense of professionalism within internal audit and, in addition to these awards, the institute has initiatives to support internal auditors at every level. These include harnessing new talent through our apprenticeship scheme, developing existing talent through education, and sharing knowledge and thought leadership from experienced internal auditors.”
Paul Manning, president of the Chartered IIA

Congratulations to the winners of the fourth annual Audit & Risk Awards. The number and quality of nominations for the awards continues to increase and it was exciting to find out about so many innovations, excellent examples of best practice and inspiring teamwork. As in previous years, the high standard meant that the judges had long and interesting debates before they reached their final decisions – which was why they also agreed to award highly commended certificates to four teams in three categories.

The winners were revealed at an event hosted by the awards’ sponsors, PwC, in London. Shortlisted nominees and judges applauded as Paul Manning, president of the Chartered IIA, presented them with their awards. Manning praised the high standard of this year’s entries and emphasised that all the shortlisted nominees had shown exemplary performance and demonstrated talent, inspiration, hard work and best practice.

Watch out for news about the 2019 awards in the May/June issue of Audit & Risk.

The judges

Ralph Daals, group chief auditor, RSA Group
Before being appointed group chief auditor at RSA in 2015, Ralph Daals was chief auditor at RSA in the UK and Western Europe. He joined the company in 2014, after leading Deloitte UK’s internal audit services to the insurance company. Previous posts included senior audit positions at Aviva and Arthur Andersen.

Mark Ripley, risk and assurance director, Ministry of Justice
Before taking on his current role as the risk and assurance lead across central government, Mark Ripley was DWP group chief internal auditor and a director in the Government Internal Audit Agency (GIAA). Previous roles included heading up internal audit at the government body responsible for housing association investment and regulation, and senior manager at Arthur Andersen.

Liz Sandwith, chief professional practice adviser, the Chartered IIA
Liz Sandwith spent 13 years as head of internal audit at Channel 5, followed by five at BUPA as head of assurance, risk and compliance and head of internal audit operations. She has worked with the Information Commissioner’s Office and the Electoral Commission and local authorities. She was Chartered IIA president in 2000-2001.

Geraldine Rutter, PwC partner
Geraldine Rutter sits on the PwC internal audit leadership team and leads PwC’s commercial internal audit service offering in the regions. She is head of internal audit for a number of organisations and leads internal audit co-source partnerships for FTSE 250 companies.

Ruth Prickett, editor, Audit & Risk
Ruth Prickett has been editor of Audit & Risk magazine since 2010. She was previously editor of Financial Management, the magazine for the Chartered Institute of Management Accountants.

Inspirational Leader
Winner Gareth Cronin, chief audit officer, Allied Irish Banks

What the judges said:
“I looked for the person I would most like to work for and that person was Gareth.”

“AIB’s ‘One Simple Thing’ initiative would be easy to implement in most organisations, but it was clearly extremely effective.”

“I was looking for a leader who stepped beyond the boundaries of internal audit and was clearly making a difference in the broader organisation.”

“AIB’s ‘50 n 5’ programme is catchy and a good way to attract attention – and it clearly has strong support from the bank’s people officer.”

“Gareth demonstrated the way in which the independence of the internal function can give a strong leader the chance to try to do things a bit differently and experiment in a way that may be more difficult in other parts of the organisation.”

Innovation in Training and Development
Winner Howdens Audit & Risk Team

What the judges said:
“I liked the way in which Howdens is putting emotional intelligence centre stage.”

“Howdens’ focus on soft skills shows that they have recognised that these are going to be what sets organisations apart in the future, as robotics and computers become ever more prevalent for analysis and transactions.”

“This wasn’t just about getting people through their exams, but about creating better auditors.”

“This sends a good message to and about the development of the profession.”

Highly commended
Assurance Lincolnshire
“Assurance Lincolnshire told a great story about inspiring people and getting young people interested and excited in internal audit as a career choice.”

Highly commended
Barclays Internal Audit Team
“It was interesting to see the way in which Barclays is going into customer organisations and working with them, as well as just with their own business.”

Best Use of Technology
Winner Lloyds Banking Group, Data Analytics Team, Group Internal Audit

What the judges said:
“Lloyds is moving away from the model of having a small group of data analytics experts to rolling out training to everyone in the audit team. It’s good to see data analytics on the way to becoming business as usual for the whole team.”

“Lloyds provided clear evidence of a culture change.”

“There were a number of good examples of the increasing use of data analytics within the shortlisted teams, but Lloyds stood out because of their success at achieving cultural change, alongside some genuine innovation in their use of technologies.”

Highly commended
AuditOne
“AuditOne provided strong evidence of success – for example, the way in which they survived the WannaCry virus attack and cut the time taken to produce performance reports from five hours to 90 minutes.”

“AuditOne shows how some technological improvements can be cheap and easily replicable in other places – it might not be cutting edge or sexy, but it’s a good example of making generic technology work in the best way possible for their needs without breaking the budget.”
Audit & Risk Awards 2018

Outstanding Team
Financial Services sector
Winner: Quilter Plc, Group Internal Audit

What the judges said:

“Quilter has been through massive changes, but it was clear that the internal audit team is seen as being at the forefront of change, not just servicing changes made elsewhere because they had to.”

“Great endorsements.”

“It was good to hear that challenges by internal audit persuaded the organisation to drop an IT initiative that wasn’t working and replace it with a better one, despite the cost. This was brave and demonstrated that internal audit’s warnings are listened to and acted upon.”

Outstanding Team
Private Sector
Winner: John Lewis Partnership Internal Audit Team

What the judges said:

“The focus on culture was clear and it was good to see an FD talking about behaviour rather than financial results.”

“John Lewis offered clear examples of where they had made a difference – for example, the work of internal audit on a sensitive issue that had required empathy and clarity of thought.”

“I liked hearing management say that the auditors told them not what they wanted to hear, but what they needed to hear.”

Outstanding Team
Public Sector
Winner: HMRC Internal Audit Team

What the judges said:

“In addition to continuing to develop and implement good practice processes, HMRC provided some very strong endorsements from their most senior stakeholders that demonstrate the value that the team adds to the organisation as a whole.”

“HMRC presented some very strong endorsements from the most senior and important people.”

“It’s always good when your audit committee chair says that they have borrowed some of your practices and recommended them to other internal audit teams.”

Highly commended
Assurance Lincolnshire

“I liked the focus on ethics at Assurance Lincolnshire.”

“Assurance Lincolnshire is doing interesting things with voting software, visualisation and infographics.”

Best Newcomer
Winner: Daniella Cohen, RSM UK LLP

What the judges said:

“This nomination provided clear evidence of Daniella’s initiative and professionalism, along with good feedback from both managers and auditees.”

Honorary mention
RBS Behavioural Risk Team

The judges felt that the work of RBS’s Behavioural Risk Team didn’t fit the criteria for an internal audit team, since its members were not internal auditors – but they felt that its work offered a highly innovative vision of the kind of area that internal audit could move into more in the future. The development of this team is very experimental and, although this sits in a large, well-funded internal audit team, smaller teams could learn from RBS’s experiences and adopt some of the ideas.

Raising the bar

UK corporate governance is set for change: recent months have seen the publication of the Wates Principles, which establish a new code for large private companies, and a scathing indictment of the Financial Reporting Council by Sir John Kingman. Further reviews of the audit profession are in progress.

Words: Brendan Scott

The public collapse of retailer BHS and outsourcing group Carillion two years later are held up as two of the biggest failings of corporate governance in the UK in recent memory. Although entirely separate, the incidents share similarities: many commentators believed the signs of potential failure had been obvious for many months, both failures saddled the pensions regulator with huge liabilities, and both featured either the gross negligence or willful ignorance of auditors.

There was one major distinction between the two cases, however. Carillion, a FTSE 100 company, was publicly listed and therefore required to abide by the UK Corporate Governance Code on a comply-or-explain basis; BHS, a private company, had no such obligation.

The treatment of private companies, as distinct from publicly owned companies, from a corporate governance standpoint is beginning to change. Under the Companies (Miscellaneous Reporting) Regulations 2018, large companies, public or private, must now produce a Section 172 Statement in their annual reports outlining how the board is discharging its duty of promoting the success of the company, while also respecting a number of wider interests.

These interests include having regard for the likely consequences of their decisions in the long term; the interests of employees; the need to foster relationships with suppliers, customers and others; and the impact of operations on the community and the environment.

BHS would have been well above the regulations’ threshold – “large” companies are defined as firms that meet at least two of three criteria: turnover in excess of £200m, a balance sheet worth more than £2bn, and more than 2,000 staff. It is estimated that there are at least 1,700 private firms in the UK today that fit this profile.

A matter of principles

In addition to their legal obligation to produce an annual corporate governance statement, large private companies are now being encouraged to adopt the newly introduced Wates Principles (see box on opposite page). These are intended as a voluntary guide that should help larger firms to improve their corporate governance. As such, they are applicable to all private companies over a certain size (see above), whereas the main UK corporate governance code, which has been updated for accounting periods after January 2019, covers premium listed companies.

Published in December 2018 by the Financial Reporting Council (FRC), the auditing and accounting watchdog, the principles were drawn up following a public consultation which the Chartered Institute of Internal Auditors was invited to contribute to last summer. Gavin Hayes, head of policy and external affairs at the Chartered IIA, says the resulting guidance is a good start, but he believes that in future it could go further.

“In the original guidance consulted on over the summer, it directly referenced internal audit and talked in more detail about the need for internal control systems to manage risks,” says Hayes.

“While the final guidance does mention the need for robust internal processes to ensure systems and controls are operating effectively, it is less detailed than it was in that respect. In an ideal world, it would have been good to have seen more detailed guidance in the final version in terms of what large private companies should be doing to ensure that they have a strong corporate governance framework – particularly more on the important role of internal audit functions. Nonetheless, we believe the principles themselves are a positive step forwards in strengthening the framework for large private companies and we welcome their introduction. As when the UK Corporate Governance Code was first introduced, we hope that over time the Wates Corporate Governance Principles will be further developed,” he says.

One of the most notable differences between the existing code for publicly listed companies and the new Wates Principles is that, under the former, companies have a statutory requirement to establish an audit committee on a comply-or-explain basis. The new rules, while mentioning in general terms that committees may be used by the board for a number of reasons, including assessing risk, leave this voluntary.

The Chartered IIA does not believe there should be any strict enforcement mechanism if a company does not apply the new principles, as this may dissuade them from agreeing to comply in the first place, but it raises questions about the effects of a voluntary code in practice. Moreover, any debate about how the FRC should monitor compliance may be moot, since it is not clear whether the watchdog will continue in its current form.

The Wates Principles

James Wates CBE, author of the Wates Corporate Governance Principles for Large Private Companies, has said the voluntary code should be seen more as a guide than a diktat. “[The principles] are a tool for large private companies that helps them look themselves in the mirror, to see where they’ve done well, and where they can raise their corporate governance standards to a higher level,” he said on their publication. The principles are:
• Purpose and leadership – an effective board develops and promotes the purpose of a company and ensures that its values, strategy and culture align with that purpose.
• Board composition – effective board composition requires an effective chair and a balance of skills, backgrounds, experience and knowledge, with individual directors having sufficient capacity to make a valuable contribution. The size of a board should be guided by the scale and complexity of the company.
• Board responsibilities – the board and individual directors should have a clear understanding of their accountability and responsibilities. The board’s policies and procedures should support effective decision-making and independent challenge.
• Opportunity and risk – a board should promote the long-term sustainable success of the company by identifying opportunities to create and preserve value and establishing oversight for the identification and mitigation of risks.
• Remuneration – a board should promote executive remuneration structures aligned to the long-term sustainable success of a company, taking into account pay and conditions elsewhere in the company.
• Stakeholder relationships and engagement – directors should foster effective stakeholder relationships aligned to the company’s purpose. The board is responsible for overseeing meaningful engagement with stakeholders, including the workforce, and having regard to their views when taking decisions.
Full guidance supporting the principles can be found at bit.ly/Watesprinciplesguidance

“Toothless and useless”

In April 2018, the government launched a review of the role and powers of the FRC, essentially seeking an independent view on whether the regulator was fit for purpose, after MPs on a select committee branded it “toothless and useless” in the wake of Carillion’s collapse.

The review, led by Sir John Kingman, concluded in December 2018 and found that the FRC is “an institution constructed in a different era – a rather ramshackle house, cobbled together with all sorts of extensions over time. The house is – just – serviceable, up to a point, but it leaks and creaks, sometimes badly… It is time to build a new house.” Kingman recommended that the FRC be replaced by a new regulator: the Audit, Reporting and Governance Authority, or Arga.

The Chartered IIA made a number of radical proposals in its contribution to Kingman’s public consultation, many of which were adopted in Kingman’s final recommendations. For instance, the regulator currently has a number of core functions including reviewing UK accounting standards, monitoring adherence with the corporate governance code and overseeing external audit. But it also has extraneous roles, such as overseeing the Institute & Faculty of Actuaries and various chartered accountancy bodies, that the Chartered IIA advised should be abandoned for greater clarity of purpose. This sharpening of the FRC’s focus is one of the Kingman Review’s key recommendations.

The institute also submitted to the Kingman Review that the FRC should be put on a statutory footing, possess greater enforcement powers and take a more proactive approach to its work, including sanctioning directors for misconduct. Again, this proposal featured in the independent inquiry’s final report. “Such an approach would help in terms of identifying corporate governance deficiencies, the whole issue being that the FRC only seems to identify problems after they’ve occurred. It’s about preventing incidents before they happen,” says Hayes. “There were a number of red flags at Carillion
that should have set alarm bells ringing long before its collapse. That raises fundamental questions about the way in which the FRC operates.”

Audit vs non-audit

Another of Kingman’s proposals is for the FRC to be given a statutory duty to keep the external audit market under review and report on pricing and the extent of any cross-subsidy from consultancy work. This stems from the fact that the “big four” professional services firms – KPMG, Deloitte, EY and PwC – audit 97 per cent of FTSE 350 companies, but more than 75 per cent of their revenue comes from non-audit assignments. This inevitably leads to these firms relying on lucrative work from clients whose accounts they are meant to inspect independently.

It is this perceived conflict of interest within external audit, as well as a lack of competition

“For example if one of the big four professional services firms is providing the external audit of a company, they cannot also then provide unlimited non-audit services to the same company, and that includes the provision of internal audit among other services. Nonetheless, I think there could be value in strengthening the existing SATCAR regulations – for example one option could be a blanket ban on all non-external audit services, including for up to two years after the external audit contract has ended,” he suggests.

Mid-sized audit firms BDO and Mazars have spoken out against the limitations of the SATCAR rules on the capping of non-audit services. Certain big four firms have been accused of pushing the boundaries on what is permitted and their smaller

recommendation that has the full and public support of the Chartered IIA.

What next?

The Business, Energy and Industrial Strategy (BEIS) Committee Future of Audit Inquiry, launched in November, will now assess the probable impact of the CMA study and the Kingman Review on improving quality and competition in the audit market and reducing conflicts of interest. As part of this inquiry the BEIS Committee requested written evidence, which the Chartered IIA submitted in early January. In its submission, the institute stressed the importance of the CMA’s and Kingman’s proposals, highlighting where they mirrored the institute’s own recommendations.

In a further development, the government announced the launch of Project Flora immediately after the

The review led by Sir John Kingman concluded in December 2018 and found that the FRC is “an institution constructed in a different era – a rather ramshackle house, cobbled together with all sorts of extensions over time. The house is – just – serviceable,

into account changing business models and new technology.

The overarching theme is that companies are being held to a higher standard than ever before. From the soundness of financial reporting and the auditing of those reports, to the culture and values that companies live by, corporate governance is now one of the government’s top priorities.

This means that internal audit has never been more necessary as a means for evaluating, promoting and improving the effectiveness of this governance. The institute has to – and will continue to – drive this point home and shape relevant public policy at every opportunity.

Further reading:
The updated UK Corporate Governance Code, effective from January 2019, is at bit.ly/corporategovernanceupdate
Sir John Kingman’s final report and the CMA market
     in a market dominated by just                                            competitors have called for       conclusion of the Kingman and       up to a point, but it leaks and creaks, sometimes badly… It is time to build a new                                  study are available at bit.ly/
     four operators, an issue                                                 stricter limits and the           CMA inquiries in December.          house.” Kingman recommended that the FRC be replaced by a new regulator: the                                        Kingmanreportfindings
     addressed in a separate                                                  possible adoption of joint        This is a review into UK audit      Audit, Reporting and Governance Authority, or Arga.                                                                  and bit.ly/CMAmarketstudy
     but related review by the                                                audits that involve two or        standards, led by Donald
     Competition and Markets                “Large” companies are             more firms and cross-reviews      Brydon, outgoing chairman of
     Authority (CMA), that has              defined as firms that meet        of each other’s work, thereby     the London Stock Exchange.          Harnessing the power of internal audit: a guide for audit committees,
     attracted the most media               at least two of three criteria:   improving objectivity.            Its purpose is to determine
                                                                                                                                                    non-executive directors and senior management
     attention and criticism in             turnover in excess of                 Demands for a more            whether external audit              The Chartered IIA’s governance         The eight key questions are:          have the capacity to do the            regulators and audit committees.
     Parliament. “It’s certainly
     the perception that there are
                                            £200m, a balance sheet
                                            worth more than £2bn,
                                                                              competitive audit market in
                                                                              which this conflict of interest
                                                                                                                should evolve to meet the
                                                                                                                needs of investors and other
                                                                                                                                                    guide “Harnessing the power of
                                                                                                                                                    internal audit” is aimed at            1  What is internal audit’s role
                                                                                                                                                                                              and mandate?
                                                                                                                                                                                                                                 amount of work required of it?
                                                                                                                                                                                                                                 Does it have the capability to do      6  How should internal
                                                                                                                                                                                                                                                                           audit’s recommendations

     conflicts of interest, but if
     you look at the EU SATCAR
                                            and more than 2,000 staff.
                                            It is estimated that there
                                                                              is sufficiently mitigated
                                                                              may well be granted. A key
                                                                                                                stakeholders. It will examine
                                                                                                                how auditors verify the
                                                                                                                                                    non-executive directors and senior
                                                                                                                                                    managers, but it is also useful for
                                                                                                                                                    heads of internal audit. It lays out
                                                                                                                                                                                           2   What is internal audit’s scope?
                                                                                                                                                                                               This considers emerging risks
                                                                                                                                                                                           in areas such as: workplace
                                                                                                                                                                                                                                 the work well in terms of skills and
                                                                                                                                                                                                                                 knowledge? Is the audit team
                                                                                                                                                                                                                                 suitably qualified?
                                                                                                                                                                                                                                                                        be monitored?

                                                                                                                                                                                                                                                                        7  How should internal and
                                                                                                                                                                                                                                                                           external auditors work
                                            are at least 1,700 private
     Regulations which came into
     effect in 2016, the rules are
                                            firms in the UK today that fit
                                            this profile.
                                                                              proposal in the CMA’s recently
                                                                              published findings is that
                                                                                                                information they sign off, how
                                                                                                                to manage any gap between
                                                                                                                                                    eight key questions to enable
                                                                                                                                                    stakeholders to understand where
                                                                                                                                                    they need to focus their corporate
                                                                                                                                                                                           culture; data privacy and cyber
                                                                                                                                                                                           security; communications, risk and
                                                                                                                                                                                           reputation; political uncertainty;
                                                                                                                                                                                                                                 4   What is the relationship
                                                                                                                                                                                                                                     between the audit committee
                                                                                                                                                                                                                                 and internal audit?
                                                                                                                                                                                                                                                                        together?

                                                                                                                                                                                                                                                                        8  How should the quality of
                                                                                                                                                                                                                                                                           internal audit’s work be
     fairly strict in terms of helping                                        audit and non-audit services      what audit can and should
     to avoid potential conflicts of
     interest,” says Hayes.
                                                                              within professional services
                                                                              firms should be ring-fenced, a
                                                                                                                deliver, and what the public’s
                                                                                                                expectations of audit are, taking
                                                                                                                                                    governance and internal audit
                                                                                                                                                    improvement efforts so they are
                                                                                                                                                    prepared for the challenges ahead.
                                                                                                                                                                                           automation and digitalisation.

                                                                                                                                                                                           3   How should internal audit be
                                                                                                                                                                                               resourced? Does internal audit
                                                                                                                                                                                                                                 5  Are all risks being managed?
                                                                                                                                                                                                                                    This looks at assurance
                                                                                                                                                                                                                                 mapping and the relationship with
                                                                                                                                                                                                                                                                        assessed?
                                                                                                                                                                                                                                                                        “Harnessing the power of internal
                                                                                                                                                                                                                                                                        audit” is at iia.org.uk/HPIA

Grey matters

Employee mental health problems are still not addressed as openly and supportively as physical ill-health issues. But more companies are now proactively addressing mental health at work, and the good news is that there are simple things all organisations could do.

Words: Neil Hodge

“Two-fifths of highly stressed workers say that they were disengaged in their role as a result.”

Poor mental health costs employers between £33bn and £42bn a year. And the problem is growing: according to the Office for National Statistics’ UK Labour Force Survey, the number of sick days taken because of mental health problems increased from 13 million days in 2010 to 15.8 million days in 2016, accounting for nearly one in eight of all work days lost to ill-health. Among the most common causes of stress and mental illness are financial worries, followed by job pressures, relationships and health.

There is undoubtedly still a stigma attached to discussing mental health problems in the workplace, and organisations vary wildly in their response to the issue. Research suggests that there is a lack of practical support and understanding about how to deal with the issues, as well as a lack of accountability among line managers, in particular, who often feel that it is not their responsibility.

Recent research by professional skills provider City & Guilds Group, called “Leading in a digital age”, found that just ten per cent of businesses treat the psychological safety of their workforce as a priority, despite the fact that 94 per cent of employees regard such welfare as “important”. The survey found that over two-fifths (43 per cent) of senior management expect HR to deal with the psychological safety of employees at work, while over half of employees (56 per cent) believe line managers and senior management should take the lead. The research also found that one in five firms would take action only once a psychological safety issue had already arisen, while a similar percentage of senior management (22 per cent) said they would take action only after a high-profile press incident.

Given these findings, it is unsurprising that three-quarters of employees think it is “uncomfortable” to talk about mental health in the workplace. According to research released in January by recruitment consultancy Robert Walters, called “The importance of mental health strategies in attracting top talent”, reasons include anxiety about how they might be perceived by co-workers (82 per cent); concern it might harm their career prospects (78 per cent); embarrassment (76 per cent); and fears they would not be trusted with more responsibility (69 per cent). Fewer than a quarter (23 per cent) “strongly agree” that attitudes towards mental health at work have changed recently.

10%: Recent research by professional skills provider City & Guilds Group found that just ten per cent of businesses treat the psychological safety of their workforce as a priority, despite the fact that 94 per cent of employees regard such welfare as “important”.

80%: According to 80 per cent of employees surveyed, fostering an open culture would make an overwhelming difference. However, only a third of management felt the same way.

24/7: Many organisations (and most large employers) have some kind of wellbeing strategy in place to support employees, such as confidential 24-hour phone lines and counselling.