models of effective internal audit - iia.org.uk · it, project management, treasury, ... networks...

Models of effective internal audit

How to organise a successful internal audit function

introductionThis report consists of a set of case

studies showing how organisations in the private and public sectors have chosen to deliver internal audit in different ways.

The individual case studies are concise, with an explanation of the main benefits

and challenges inherent in each approach. This approach aims to inform rather than

judge, and we hope they are of value to a wide audience and encourage continuous improvement. It will also be apparent in reading the individual case studies that the benefits of one approach may represent issues and challenges for another. As far as possible we have tried not to duplicate the same points, although some overlap is inevitable in the key areas highlighted; governance, engagement, quality and consistency, and independence and objectivity.

We would like to express our gratitude to those organisations and their internal audit functions who have kindly given up their time to participate. If you would like to discuss any aspect of the report please contact [email protected]

dr ian PetersChief Executive May 2015

contents3 Executive summary

and conclusions

4 Transport for London (TfL) – In house centralised team

6 BT Group – In house distributed team

8 Mid Kent Internal Audit Partnership Group – Shared services (small)

10 Department of Public Expenditure & Reform – Shared service (medium)

12 University Internal Audit Consortium (UNIAC) – Consortium (medium)

14 Mersey Internal Audit Agency (MIAA) – Consortium (large)

16 Civil Aviation Authority (CAA) – Co-sourced

18 Baker Tilly – Outsourced

There is no recommended formula within The Institute of Internal Auditors’ International Professional Practices Framework (IPPF) to draw upon to ensure an effective internal audit function and we are often asked about the pros and cons of different models. We have therefore prepared a set of case studies showing how organisations in the private and public sectors in the UK and Ireland have chosen different ways to structure and deliver effective internal audit.

Our conclusion is that there is no right or wrong way to deliver internal audit. Organisations need to be free to choose what works for them according to the nature of what they do, how the organisation is structured, the way processes operate, their financial circumstances and the risks to their strategic objectives. We believe this study will help others who are looking to set up a new internal audit function or re-engineer the one they have.

The case studies tell us that organisations care about and value internal audit. They spend valuable time considering how to develop and improve their own particular models. This is not just about keeping costs down, although that is important. It is about maximising the efficiency and effectiveness of professional practice – choosing a model that offers objective opinions, assurance and a range of experience and skills that positively impacts on the way the organisation delivers success. Our study also reveals that the profile of internal audit is being raised, creating higher expectations, new pressures and competition. It would not be surprising if new models were to emerge in future.

The case studies showcase six main delivery models:

• Centralised in-house teams • Distributed in-house teams• Shared services• Consortium arrangements• Co-sourcing agreements with external providers• Outsourcing

The organisations in the study believe in the model they have chosen and collectively they highlight attributes of an effective internal audit function that are consistent with the IPPF. The following attributes can be used to measure success in any service delivery model of internal audit operation:

attributes

• Excellent knowledge of the organisation and the sector(s) and markets it operates in

• Specialist knowledge and expertise to provide a wider range of assurance e.g. in the areas of IT, project management, treasury, customer relationships, contracts etc.

• Flexibility and responsiveness to emerging risks and issues

• Confidence and trust of senior management to be involved in major projects and change

• Independence and objectivity

• Risk based internal audit planning and an agreed audit methodology

• Providing advice and guidance to support organisational objectives through consultancy

• Consistent levels of service delivery

• Coordination and collaboration with other assurance providers

• Effective teamwork

• Career development opportunities within the internal audit function or the wider organisation

• Commitment to quality and continuous improvement

executive summary and conclusions

Models of effective internal audit – How to organise a successful internal audit function |

transport for london (tfl)

• An in-house team working in the same location makes sharing of information, ideas, issues and problems commonplace. Regular formal and informal discussion develops a better understanding of the business, improves teamwork and enhances learning to improve the overall effectiveness of the function.

• It is also possible to respond to requests and issues quickly, forming teams with the right experience and skills, and changing these if and when necessary.

• There is a unified internal audit plan and an agreed audit methodology. If need be discussions and decisions can be made quickly to adapt the plan.

• Having a large internal audit team gives internal audit a clear identity and profile. It is part of the organisation’s culture.

• Maintaining an in-house team has allowed the building and retention of knowledge relating to TfL which allows internal audit to be valued by the business areas.

• An annual budget that is part of the central management costs of TfL means people who want advice and guidance on a consultancy basis don’t have to be afraid to ask for it on cost grounds. This sends out a message that risk management and control are important.

about tflCreated in 2000 TfL is the functional body of the Greater London Authority responsible for the capital’s transport strategy.

TfL provides underground, bus, river and cycle services to a population of 8.4m people.

There were a record 1.26 billion journeys last year on the underground contributing to annual income that is close to £5bn.

To deliver all of this TfL employs over 28,000 people.

TfL has many ambitious projects most notably Crossrail, which will provide a 73 mile east west rail route in London that will be operational in 2018 at a projected cost approaching £16bn.

Clive Walker, Director of Internal Audit manages an in-house function based in TfL’s main offices in Westminster. Internal audit went through a restructuring a few years ago leading to a 25% reduction in headcount, but has since taken on more responsibilities and currently has a headcount of 58.

Restructuring has enabled TfL to consolidate its assurance services to provide a more integrated and coordinated approach. The Health, Safety, Environment & Technical team (HSE&T) now report to the director of internal audit.

This means assurance providers work more closely together to focus upon the management of risk. There are four senior audit managers who cover business processes, commercial and HSE&T, IT and security, and Crossrail.

Benefits of the internal audit model


Governance

An integrated assurance plan is compiled using workshops involving audit staff, directors and senior managers, and other assurance providers. From this an audit plan is derived that relates to the organisation’s strategic risks. The draft plan is shared with a range of boards and committees across the organisation to obtain buy-in. The plan is presented to the main Audit & Assurance Committee for discussion and approval, whilst relevant extracts are presented to the audit committees for Crossrail, London Transport Museum and the Pension fund all of which have their own priorities. The obvious challenge for the internal audit function and stakeholders is therefore balancing priorities and expectations with limited resources.

engagement

The move towards a more integrated approach has increased the need to talk to and coordinate with management functions that have an assurance role, especially as in some cases internal audit reviews and relies upon other assurance providers to maximise assurance resources. This involves understanding the nature of the assurance and when it is provided to ensure parts of the business are not overloaded with audit.

Quality and consistency

Quality in the TfL internal audit function is maintained on a day to day basis by the four senior audit managers and the audit managers who report to them. This means audit engagements can be discussed and reviewed on a one to one basis as audits progress rather than after the event. This is an established system that internal auditors are used to. In addition, a Quality Assurance and Improvement review is performed annually using IIA checklists. High staff retention provides a challenge in terms of getting new ideas into the department. To ensure that staff are abreast of current ideas training and professional development is encouraged.

independence and objectivity

Integration of assurance, bringing additional services under the director of internal audit helps TfL to avoid gaps and duplication in audit work and sends out a strong message that managing risks is very important. Internal audit has still maintained its independence and objectivity and this is respected in the business, such that internal audit often receives requests for audits and consultancy reviews.

challenges


Bt Group plc (Bt)

• The in-house team has built a comprehensive understanding of the business and the sector and has a singular focus on the strategic objectives and risks of the organisation. Their programme of work is built on a risk informed basis and ensures that all dynamic risks (strategic) and major static risks (inherent) are addressed.

• While internal audit has an independent profile the function is considered to be part of the organisation working towards shared priorities.

Senior managers and employees have confidence and trust in internal audit as they are part of the organisational structure and are tuned into the BT way whilst adhering to internationally recognised standards. Having an in-house internal audit function is a reflection of the organisation’s culture and its commitment to effective governance, risk management and control.

BT’s Director of Internal Audit & Enterprise Risk Management, James Grigor, has a team of 70 internal auditors, mostly based in the UK with the majority working from home or in local offices. Currently there are small teams established in India and Argentina but there are ambitions to grow their international reach further.

At present the in-house team cover the UK, Europe, and North America, and the regional teams cover India and Latin America. Support for work in other locations is provided by the accountancy firm Deloitte through co-sourcing agreements.

The organisational model of the internal audit team is built on three key functional sections, covering group services (including finance), technical services (including IT, networks and data), and customer services (covering all customer facing activities).

A matrix approach ensures that the audit team is also closely aligned to the business organisation with different teams being responsible for account managing every part of the business.

about BtBT is the UK’s largest communications service company. It has annual revenue of over £18bn and employs 88,000 people, with customers in over 170 countries. BT has FTSE 100 and NYSE listing. BT has five customer facing lines of business:

1. BT Global Services with more than 6,500 large corporate and public sector customers.

2. BT Business providing fixed-voice, networking and broadband to over 900,000 SME UK customers.

3. BT Consumer is the largest consumer fixed-voice and broadband provider in the UK, with a growing base of TV and BT Sport customers.

4. BT Wholesale is Europe’s largest wholesale telecoms provider.

5. BT Openreach builds the fibre broadband network which is currently available to over 19m premises, and supports fixed line and broadband services communication providers throughout Great Britain.

BT Technology, Service & Operations supports the customer facing lines of business and has 13,500 employees.



• There is an understanding and expectation that internal audit will be involved in major areas of growth and development. In practice internal audit can provide advice and support on an informal as well as formal basis.

• As BT internal audit do not charge front line areas of the business (internal audit has an agreed centralised budget) managers feel they can approach internal audit for assurance reviews, advice and guidance without being deterred by being charged.

• Internal auditors have the scope to develop their careers within the team structure and develop specialist expertise according to business need such as IT, data security, finance etc. At BT internal auditors are encouraged to go into the

business building both the risk/control culture of the organisation and awareness of the role of internal audit so that it is regarded as a key partner in change. These are important factors when teamwork is required, for example in developing assurance maps and coordinating assurance with other assurance providers.

• Having a function that is not entirely based in a single central location provides flexibility and responsiveness while keeping overhead costs down. Being able to work from home or in local BT premises is also a major factor in attracting and retaining resources, though a greater focus on coaching, formal training and quality review of work contributes to its success.

challenges

Governance

There is a Group Audit and Risk Committee who oversee the internal audit strategy, the resource model, level of resource and performance management of the internal audit function meaning governance is relatively straight forward and independence is maintained. There is a common sense of purpose with agreed priorities as reflected in their Audit Charter. The main issue for the function is coping with increasing demand for assurance and acquiring the necessary experience and skills to enable growth. This is particularly testing as each of the main business lines has an audit and risk committee with a growing appetite for assurance. Providing internal auditors in the right locations with the right skills at the right time is therefore becoming the main challenge. The business also regard internal audit as a valuable talent pool for recruitment and while a degree of churn can be a healthy thing too much can create shortages in terms of numbers and skills.

In addition to the recruitment of qualified personnel, BT internal audit has also launched an apprenticeship scheme, which is partly government funded in the first 18 months, in order to build a pipeline of new in-house internal audit talent.

engagement

There are many and varied assurance providers within BT and explaining the difference between management functions that provide assurance and the independent nature of an in-house internal audit operation is something that necessitates constant attention. This can be particularly difficult when internal audit are involved in projects and has a close working relationship with risk management. BT internal audit has tackled the issue by taking a lead in assurance mapping and the coordination of other assurance providers emphasising internal audits need to review

the effectiveness of other assurance activities while also relying on some of those assurances to maximise coverage for the Group Audit and Risk Committee.


A large and geographically spread internal audit function can develop quality issues simply because face to face contact between internal auditors and managers is not as frequent as teams who work together on a daily basis. BT has for many years operated a small Quality Assurance team within internal audit with responsibility for managing the audit methodology, reviewing audit files, sharing good practice and training. For BT distinguishing between the role of audit managers at different levels and the Quality Assurance section in the quality process has been important to avoid duplication of supervision and checking. This challenge has been greater as the function has expanded and continues to expand into new countries with locally appointed auditors.


With an active internal audit function involved in major change areas and projects the main challenge for internal audit management at BT is ensuring those internal auditors who provide consultancy do not at a later stage audit the systems and procedures they have given advice on. Establishing clear criteria to manage and limit the extent of consultancy and then separating assurance and consultancy where possible helps to combat this particular issue. However, a further independence issue may emerge where this is not possible for small country based teams of auditors. Ensuring locally based internal auditors are not too close to local managers is a risk for all internal audit functions and is something the management team and Quality Assurance pay careful attention to.


Mid-Kent internal audit Partnership

• A single employer arrangement enables greater flexibility and variety in internal audit delivery, for example, internal audit has the capacity to be involved in major projects. The employment arrangements also establish a career path for team members and in time may open commercial opportunities.

• A collaboration agreement means that if partners agree there is no requirement to place internal audit services out to competitive tender as a matter of routine. The partners benefit from scale of the internal audit operation while minimising overheads and giving employees some security of employment.

• With many years’ experience in local government the team understand the way councils are governed and the pressures facing the sector as a whole. It also means internal audit are fully aware of the specific requirements of the new Public Sector Internal Audit Standards (PSIAS).

• With a relatively small client base it is possible to maintain an internal audit presence at each of the council offices helping to build an understanding of local issues and risks. This means it is possible to contribute to areas such as risk management and counter fraud while maintaining a level of independence.

• A shared service means the internal audit function is able to offer more experience, knowledge and skills than councils who operate their own small internal audit teams. This reduces the need for co-sourcing arrangements, which is minimal at present.

• A shared service model minimises the impact of breaks in service caused by staff turnover and sickness. It also enables an increased commitment and opportunities to training (on average 8.5% of the annual time available is devoted to development), which has a positive impact on staff retention.

Rich Clarke the recently appointed Head of Internal Audit has 11 full time equivalent employees, two of whom are trainee auditors.

Apart from the trainees all the internal auditors have a minimum of three years’ experience, some have 20+ years. Working as a single team each internal auditor performs audits across the four councils.

For administrative purposes the function operates under a single employer (Maidstone) and is part of the Kent County Council pension scheme. There is scope to include other councils and public services into the partnership arrangement but this is not being actively marketed at present.

about Mid-KentThe Mid-Kent Internal Audit Partnership began life in 2005 and has developed into a shared service between four district councils – Maidstone, Ashford, Swale and Tunbridge Wells. Internal audit is part of a wider programme of shared services known as the Mid-Kent Improvement Programme.

A Shared Service Collaboration Agreement is in place that governs the audit service is reviewed every four years.

In addition there is a management board for internal audit that meets quarterly with a representative from each council.

Each council has its own audit committee.

Mid Kent Audit



Governance

The shared services model delivered by Mid-Kent has been successful as it provides a varying level of resource to each partner to satisfy assurance requirements around significant risks and key systems. While there are competing priorities to manage members of the board are generally pleased with the quality of service they receive and the flexibility it offers. However, with a small shared service arrangement of this nature consensus on the strategic direction and annual budget are needed to sustain the model. The model is therefore vulnerable to one of the partners withdrawing support or significantly varying its needs and while this is unlikely at present it is nevertheless an inherent risk. A possible solution which is currently being considered is to agree a more permanent, longer term agreement for the wider shared service programme under the leadership of a Director of Shared Services.

engagement

With four partners it is necessary to have a wider and more time consuming programme of stakeholder consultation, which can create challenges around scheduling. It also means that there is a need to regularly explain the role, responsibilities and positioning of internal audit with four sets of audit committee members, senior managers and line managers. With limited resources this communication and education predominantly rests with the head of internal audit and his two managers. The knock on effect is ensuring that sufficient internal audit time is given to each customer at the right points in the year to provide assurance on the management of significant risks. In a sector where finance is being reduced and new risks are emerging it is major challenge to carry out all the audit work that is required and priorities have to be agreed and continually reassessed.

challenges


A centralised and relatively small team that uses Teammate audit software can identify and deal with any audit methodology issues quickly. Team meetings occur five to six times per year to share good practice and refine the approach. The structure with two audit managers also enables supervision and coaching. However, the size of the team is also a limiting factor in terms of career progression and scope for developing specialist skills in response to customer demand is constrained by the need to deliver the internal audit plan and overall budgetary control.


With reporting lines to respective audit committees and the management board it is relatively straight forward for internal audit to maintain and demonstrate its independence and objectivity. However, going forward one of the key issues will considering how this will be retained should the service come under the leadership of a director of shared service where internal audit may be required to review other areas of shared service with the resulting report going to the director.


department of Public expenditure and reform (dPer), republic of ireland

• The unit comprises a professional team of experienced and qualified auditors with considerable government and public sector internal and external audit experience. The unit can offer more experience, knowledge and skills than a smaller unit in each department.

• There are synergies between the internal audit plans in the two government departments. Audits in one organisation can often inform audit plans and risk evaluations in the other and enable themed audits spanning both departments.

• The unit may contract in staff from accountancy firms or contract out audit assignments as needs arise. The shared service model allows flexibility in allocation of staff across the internal audit and ERDF audit remits.

• New public sector internal audit standards introduced by DPER in November 2012 are based on the IIA standards. They provide clear and specific requirements for the unit and promote a greater awareness of audit and risk management and its importance for the departments.

• The unit has, as ERDF Audit Authority, become a source of knowledge and expertise in relation to EU regulatory requirements.

• Staff can move to other functions within the organisation bringing their experience and skills and equally are well equipped for more senior job opportunities in the public and private sector.

Dermot Byrne, Head of Internal and EU Audit, manages an in-house shared service audit function based in DPER.

The unit provides an audit service to both DPER and the Department of Finance (DFIN) and is the European Regional Development Fund Audit Authority (ERDF AA) for Ireland.

The unit reports to audit committees in each Department/Ministry. The Unit was restructured in June 2011 to combine the internal and EU audit functions into one audit unit.

The unit has 11 full-time equivalent employees, including 10 audit staff all of whom are qualified accountants with a minimum of seven years’ experience in audit.

about dPer & dfinDPER was established in July 2011, when the former Department of Finance (DFIN), Ireland’s equivalent of the Treasury, effectively split into two. The audit unit moved into the new department (DPER).

The goal of DPER is to manage public spending at more sustainable levels in a planned, balanced and rational manner and to reform and improve public services. DPER also manages Ireland’s drawdown of European Regional Development Funds (ERDF) from the EU.

DFIN retains responsibility for economic and financial management of the State, and promotes policies to ensure that Ireland’s financial system will be able to operate on a stable, sustainable and commercial basis.



Governance

For administrative purposes the unit operates under DPER as its employer and provides internal audit services to DFIN under the terms of a service level agreement agreed annually between the two departments. Given the size of the unit, the model is vulnerable to resource constraints caused by staff mobility or additional work. The unit has contracted in staff from accountancy firms to bridge temporary staff resource deficits.

The annual internal audit plans are derived from an examination of key risks, suggestions made by the management committees in both departments and issues raised by the audit committee and the Comptroller and Auditor General. The ERDF audit function is based on a multi-annual audit strategy submitted to the European Commission at the beginning of the Structural Fund Programming Period (e.g. 2014-20).Providing a shared service to three entities, DPER, DFIN and ERDF AA, it is often necessary to manage competing priorities in terms of the timing and resourcing of audits.

engagement

Traditionally, the audit universe of internal audit in both departments was focussed mainly on corporate business areas. In recent years, both departments have embraced and supported the importance of a whole of organisation approach to audit reviews and examinations.

We view the audit committee and the audit process as the third line of defence, after individual line management and the department’s risk and control functions (DFIN Annual Review 2013).

Thus, the annual internal audit work plan agreed between senior management and the audit committee, is now targeted more strategically to areas where management anticipate that weaknesses may exist. Using a risk-based audit approach, the unit is tasked to review these business areas and make recommendations.

challenges


Three audit managers supervise the work of six Auditors in two locations, Dublin and Tullamore (midlands) to ensure consistency and quality of work across the two client departments and the ERDF audit function. In 2014 the unit conducted a self-assessment exercise using IIA checklists. This is in preparation for the mandatory external assessment planned to be undertaken by the unit in 2015, as required by internal audit standards. The unit has also engaged in mutual peer review of methodologies and audit files with the European Funds Audit Team from the Welsh European Funding Office (WEFO) in relation to the audit of the Ireland Wales Programme, a European Territorial Cooperation Programme. The European Commission also reviews the quality and consistency of the ERDF audit function by way of reviews and re-performance.


The unit mainly draws its staff from a combination of specific unit recruitment competitions as well as secondments or re-deployments from other state bodies (e.g. Office of the Comptroller and Auditor General), which contributes to independence and objectivity. The reporting line to audit committees and to the secretaries general of the departments is a key feature of the unit’s perceived independence and authority. In relation to EU audits, the designation of the unit, by the European Commission, as Ireland’s ERDF Audit Authority gives it the necessary regulatory independence and authority. The ERDF AA annually carries out up to 70 project audits in both public and private sector entities, for EU Programmes which will spend in excess of €410m during the period 2014-20.


university internal audit consortium (uniac)

• Working entirely in higher education the consortium has developed considerable sector knowledge. The size of the function has also enabled sector expertise to be taken a step further with the designation of specialists in student systems, funding council returns and estate and project management. In some cases this has resulted in temporary secondments to member universities boosting the profile of internal audit while other employees have gone on to take line management roles within higher education.

• The function also has the capacity for highly valued internal audit skills notably in IT, data protection, value for money and fraud prevention and investigation. This is underpinned by a firm commitment to training and development that extends to 5-10% of available time.

• On a day to day basis the consortium model delivered by UNIAC has provided flexibility, responsiveness and continuity to its members:

– Consortium members are able to fine tune and adjust the number of annual internal days they require based on changing risk profiles and institutional pressures. Audit plans range from 22 to 450 days per year according to need.

– Audit committees and senior managers are able to ask for additional resource at relatively short notice utilising a contingency time allocation for ad-hoc requests. This is charged at an agreed daily rate, which can deliver surpluses for reinvestment.

– The variety of clients and work has enabled staff retention with reasonable and manageable levels of turnover.

UNIAC’s Directors, Sean Ryan and Richard Young, have overseen the evolution of UNIAC since its early years. There are now 18 full time equivalent employees, including the two directors.

The focus has always been on supporting good governance through effective risk management and risk based assurance but these days their higher education customers have advanced expectations.

This means UNIAC offer a range of advisory and consultancy services in key areas such as governance, data protection, statistical returns, value for money, fraud prevention and student facing systems.

about uniacUNIAC has been operating from its base in Manchester for over 20 years. It is a consortium jointly owned by its member universities.

There are also associate members who buy assurance and advisory services on a contract basis. In total there are currently 10 higher education members and associate members ranging from Falmouth University in the south to the University of Cumbria in the north. UNIAC is governed by a member board with representatives from six of the member organisations. The board has overall responsibility for the strategic direction and financial viability of the consortium.



• A consortium of this size uniquely positions internal audit to share best practice on an informal and formal basis. This is achieved by performing similar audits in each member organisation and highlighting to line managers more effective and efficient operations. On a formal basis opportunities arise to carry out cross organisational reviews and benchmarking.

challenges

Governance

The UNIAC board and its directors meet three to four times a year to discuss and monitor progress. Priority is given to the business model and financial viability subdivided into five strands: service, staff, sustainability, infrastructure and being business-like. The challenge for the board is to agree a successful path in a relatively small but very competitive market that balances quality and cost. It is fair to say that different priorities have to be reconciled from time to time that necessitate further negotiation. The willingness of individual member universities to give and take has been an important ingredient in the consortium’s success.

So far directors have been encouraged to bid for internal audit services in higher education organisations as tender opportunities arise. Over the years the consortium has won and lost members requiring the board and directors to review budgets, daily rates and shared liabilities such as pension commitments. Internal auditors appreciate that fluctuations in the membership creates uncertainty of the consortium but staff also appreciate that there is a stable core of member institutions particularly committed to the consortium model.

engagement

Directors of UNIAC recognise the importance of regular engagement with audit committee members and senior managers. With 10 diverse organisations each operating an audit committee this is a considerable challenge but it is needed to ensure that each customer regardless of size is understood and appreciated. Engagement also enables directors to reinforce the benefits around value, flexibility and responsiveness, particularly to new audit committee members and senior managers. The success of

this model is therefore built around effective communication and interaction achieved through a series of member events, regular briefings and an annual forum. All of these are highlighted upon the UNIAC website and backed up with frequent stakeholder meetings to discuss progress of audit plans and individual audit engagements.


UNIAC’s directors recognise that in a competitive environment there is a need not only to deliver a high quality service but also to illustrate this to member organisations. As a result emphasis is placed upon reporting feedback from customers, internal assessment against the IIA’s standards and external quality assessments and any resulting actions for improvement to all the audit committees. As any internal auditor can work for any of the 10 member organisations senior audit managers have responsibility for ensuring consistent application of the audit methodology as defined in the UNIAC audit manual and applied using audit management software –MK Insight.


UNIAC offers the benefits of an in-house function by having an in-depth understanding of member universities and the higher education sector but is also sufficiently arm’s length from operations to be fully independent and objective. UNIAC directors are aware that forthright opinions are particularly valued by audit committees and are a key factor in helping to cement member institutions’ loyalty. The challenge is to main this outlook knowing that in some circumstances audit findings may not always be welcome.


Mersey internal audit agency (Miaa)

• The NHS has a number of external drivers and constant change is something that everyone in the sector has grown used to. MIAA provides continuity to customers but also has the resource base to be agile to changing demand and expectations. MIAA has the experience and capacity to research subject areas and develop expertise to respond to customer needs, including:

– Fully focused risk based internal audit plans that are regularly reassessed and amended across the customer base to acknowledge changing risk profiles.

– Satisfying wider assurance expectation around patient care, data quality, security of personal data, governance and risk management. MIAA has the time and ability to coordinate with other assurance providers to establish an assurance framework.

– The ability to accommodate significant ad-hoc reviews including investigations and fraud prevention.

– Providing an extensive events programme to customers around governance – subjects

include quality improvements, leadership and the role of trust governors.

– Corporate communications to support events including briefing notes, R&D bulletins, benchmarking, breakfast meeting and email updates.

• The size and structure of MIAA provides employees with a wide range of experiences, training and career opportunities. It can also provide a springboard for careers within customer organisations. A large consortium therefore provides stability and progression for employees depending on their ambitions and enables MIAA to plan retention and succession.

• With a large customer base it is important to maintain consistency across audit engagements but large consortium also means it is possible to dedicate part of the senior management team to quality. This enables development of the internal audit process and audit manual to a level that achieves the ISO external quality accreditation.

MIAA’s Director Tim Crowley and the corporate management team have built a large internal audit function. There are 100 full time equivalent employees supported by a network of 25 specialist associates.

This scale and diversity means MIAA can offer a wide range of assurance services. Their portfolio includes internal audit, counter fraud, healthcare quality and patient experience, information management, IT security and bespoke consultancy.

Consultancy is also broad in nature focusing upon aspects of NHS governance such as Council of Governor Support, GP Commissioning and Foundation Trust support.

about MiaaMIAA began operating from Liverpool, Merseyside in 1990 in a modest way providing an internal audit service to six NHS Trusts with six employees.

It has grown considerably in 25 years. A merger with Audit NW in 2014 has increased the customer base to 65 while creating an enhanced range of services including a Healthcare Quality Team. MIAA has also expanded in to fire, police and ambulance services and has offices throughout the north west.

MIAA is governed by a management board which originally had six members, one from each founding NHS trust. For practical purposes this has been reduced to three.



Governance

The main challenge for MIAA’s board and its corporate management team is managing growth. Competing with the accountancy firms and other large consortium arrangements means internal audit needs to be competitive in terms of price while maintaining standards for existing customers. Creating the ability to deliver consultancy to customers who have an appetite for additional value and services enables MIAA to make a modest return that is invested into the business. For example this strategy has enabled the designation of a commercial director, operations director and supporting assistant directors – quality which are critical in both ensuring the quality of existing services as well as continuing to grow the service. However, working within an NHS based consortium is not without constraints. Particularly with regard to pay which necessitates application of the NHS pay framework and restricts the use of performance and incentive payments.

Managing growth also necessitates a clear strategy to ensure there is a clear fit with the existing business and to recognise that responding to tenders is a time consuming costly business particularly as the use of procurement frameworks can involve fee payments. Decisions to bid for contracts are therefore influenced by factors such as location, length of contract, the opportunity to diversify, the likelihood for consultancy etc.

engagement

Like other consortium arrangements the success of the model is built around effective communication and the larger the customer base the more time is needed to engage with stakeholders. This goes beyond talking about internal audit plans and progress against plans. It includes maintaining the profile of internal audit, discussing how internal audit can add additional value and promoting continually explaining the benefits of a consortium arrangement.

challenges

While losing one or two customers would not impact the stability of a large consortium there is no room for complacency and the challenge is to make every customer feel valued. The event schedule and the corporate communication calendar designed and delivered by MIAA not only provides valuable information and services to customer but it is an important means of interaction.


Maintaining a consistently high level of performance across 65 customers with 100 employees is an obvious challenge. The team structure with senior manager responsibility for specific customer relationships and the establishment of a quality manager at director level provides the foundations for managing effectiveness and efficiency. Key elements of the quality process are the use of internal audit software to supervise audit engagements, specific checks by the quality manager on the application of the audit methodology, internal assessments by the quality manager on compliance the IIA’s Standards, using the staff appraisal process to identify development opportunities for auditors and a range of activities to obtain customer feedback. The MIAA has also successfully retained its external quality accreditation (ISO) for the last 20 years.


MIAA has all the qualities expected of an in-house function, particularly the depth of knowledge of the organisation and the sector. Being external they also have a distinct independence from operations. The challenge is to be wary of becoming too close to organisations through consultancy and compromising the ability to be unbiased and challenging. With a large number of internal auditors avoiding potential conflicts of interest is safeguarded through the allocation of audits supplemented by an independent pool of associates.


civil aviation authority (caa)

• The model encourages managers and employees to take an interest in internal audit from the perspective of contributors. It raises the profile of internal audit and the role it performs.

• The secondment model brings knowledge of the business and how it operates into internal audit while encouraging auditors to make new connections and provide a wider context to where they fit in.

• The audit experience encourages a culture of challenge and continuous improvement within the organisation.

• For those seconded into internal audit the model offers new skills and experience that enables development and improved job satisfaction while the organisation benefits from improved staff retention.

• The internal audit function is able to contract or expand quite easily to reflect fluctuations in demand. The partnership with KPMG particularly caters for internal audit involvement in emerging risk areas, bearing in mind there are cost implications.

• While it is possible to tap into the expertise of the external provider it also reduces the reliance and costs of this relationship. The CAA estimates a 10-15% saving on external support.

Andrew Alsop has been Head of Internal Audit (HIA) at the CAA for almost seven years providing risk based assurance audits and consultancy. Since 2009 he has been supported by the audit committee in providing an innovative approach to resourcing internal audit.

The function, including the HIA, has recently increased to 2.7 full time equivalent staff, supported by an external co-source team at KPMG and up to ten people from other CAA departments.

The CAA employees are seconded into the function for about 15 days per year (having increased from 10 days) and are at various stages of training. The model is therefore a blend of external expertise and internal knowledge of the business.

about caaThe CAA was established by Parliament in 1972 as the UK’s independent and specialist aviation regulator.

It is a public corporation entirely funded from charges to the people and organisations that are regulated.

The aim of the CAA is to enhance aviation safety, improving choice and value for aviation customers. It has a fundamental role in setting safety standards in all aspects of aviation.

This includes design, manufacture and maintenance of aircraft, air traffic control systems, and the operational environment of airports. It also regulates people in the industry – pilots, engineers, operators, ATOL holders and air traffic controllers.



Governance

A single audit committee which oversees the audit strategy, the resource model, level of resource and performance management means governance is relatively straight forward. Internal audit is regarded as a central resource and the cost of audits is not recharged to departments other than to CAA International, the aviation consultancy arm of the business. Continuous support from the audit committee and senior managers enables the sustainability resource model.

engagement

Models that rely on secondments from the business will at some stage hit problems with sustained buy-in from managers who are under pressure to deliver results. This is inevitable during periods of financial constraint when even a short and temporary transfer of resources to internal audit can cause problems. This issue is addressed through regular discussions between the head of internal audit and managers, interspersed with written feedback regarding individuals’ performance during audits to reinforce the benefits and overall value of the model to the organisation. This is especially needed, as in the case of the CAA, when some restructuring occurs and employee turnover increases.

At the CAA spending time in internal audit is linked to performance management by including specific audit objectives within individual performance plans. This helps to underline both the commitment that is being made to internal audit and the purpose of doing so; although this brings additional administrative burden.

The success of this model will largely be determined by the prevailing perception of internal audit by managers and those employees contemplating a secondment. Internal audit needs to be regarded as a valuable contributor to the organisation and thought of as a good place to gain experience and transferable skills. An internal audit function that is regarded in a negative way will find it harder to both develop and sustain this model.

challenges


The nature of the model increases the importance of training and supervision to ensure consistency between audit engagements and maintain overall quality. At the CAA seconded internal auditors receive a comprehensive induction and half-day training sessions, often delivered at KPMG offices, every six months.

Training is now based upon a competency framework built around the audit process. With the benefit of hindsight the head of internal audit, Andrew Alsop, recommends such a framework is needed from the start, as it gives secondees full visibility of the range of skills required whilst providing a training programme aligned to how audits are undertaken. Some members of the function have reached the point where they have been given responsibility for delivering an entire audit, as opposed to observing or assisting. Additionally these individuals are now involved in the training and mentoring of newer team members. The significance of training and cumulative experience in this model is such that, when considering expansion, the head of internal audit opted to increase the number of days delivered by existing auditors from 10 to 15 days rather than increase the pool of auditors.


Using employees from the business to deliver the core internal audit plan increases the likelihood that independence and objectivity may be compromised on some audit engagements. According to the head of internal audit such an issue arises whilst planning one in every five audits and teams have to be re-formed. Whilst recognising the value that pre-existing insight into business operations is valuable, care is to be taken to prevent secondees from being selected to review areas where they are working, or have previously worked.


Baker tilly

• With a large client base Baker Tilly internal auditors have a wide view of professional practice and can advise organisations on an internal audit approach that suits the prevailing circumstances. The extensive client base across a wide range of sectors allows identification and sharing of best practice as an added value contribution from internal audit.

• Accumulated wide sector knowledge and the ability to benchmark the efficiency and effectiveness of internal audit extend to providing external quality assessments.

• A risk based approach to planning and internal auditing is used, with sector and industry specialist groups also providing advice on emerging issues that may warrant internal audit coverage.

• Baker Tilly has established a risk advisory faculty created to recruit and develop internal auditors from junior positions to senior roles. Through its training programme the Faculty supports best practice and customer care and in doing so provides the basis for career progression across the network of offices. Trainees also have the opportunity to spend time in other Baker Tilly teams to develop wider experience, which aids staff retention. The critical mass of internal audit clients that Baker Tilly has achieved allows investment in technical support but also provides opportunities for internal audit staff to specialise and develop their careers in one of the largest internal audit teams in the UK.

Baker Tilly offers a complete range of governance, risk and internal audit services. This includes outsourced internal audit services as well as helping organisations to start up, transform and extend internal audit.

Baker Tilly has over 200 internal audit specialists, with a further 30 technology specialists. They are based in all the major centres of the UK providing internal audit and related services to more than 400 corporate and not for profit clients. The team also provides specialist assurance services such as Sarbanes-Oxley support, external quality assessments and third party controls assurance reports.

Within the team, many people specialise in particular areas, for example in financial services or international development. Recently, the risk advisory team has seen significant growth in the financial services and large corporate markets.

about Baker tillyBaker Tilly is a leading mid-tier provider of accountancy and business services whose clients include growing entrepreneurial companies, listed companies, the public sector and high net-worth individuals.

Baker Tilly is the 7th largest UK accountancy firm with over 3,500 partners and staff.

With offices in 35 locations across the UK the firm offers a full range of accountancy and audit services. This includes financial advisory and tax services, external audit, internal audit, and restructuring and recovery advice to organisations in both the private and public sectors.

Baker Tilly is an independent member of RSM International, the 7th largest worldwide network of independent audit, tax and advisory firms, with over 35,000 people located in 700 offices in over 100 countries.



• Baker Tilly has a technical team to support the delivery of internal audit. This team provides sector updates, induction and training on the internal audit methodology, a technical helpdesk and guidance/briefings to ensure internal auditors are up to date on professional practice. Independent quality assessment of internal audit work is provided on a cyclical basis by a quality assessment department which is separate from the client facing teams.

• The size of Baker Tilly’s operation and the degree of specialism available means the firm has the

challenges

flexibility to offer several options to clients, including a fully outsourced service, co-sourcing or specialist audit skills in areas such as IT, data security, fraud, project assurance, value for money reviews etc.

• Should a client also need advice and consultancy on aspects of governance, risk management or business service these are available from other Baker Tilly experts to ensure the independence and objectivity of internal audit.

Governance

Staffing levels and the infrastructure give Baker Tilly capability, continuity and capacity to respond to customer need and the ability to take on new customers but as with any private sector provider senior managers must balance costs and income to make a profit. The quality versus cost equation is therefore very important. Customers know they are buying into the track record, expertise and reputation of Baker Tilly but they will only do so if they feel it represents good value for money (not necessarily the cheapest) compared with competitors. For Baker Tilly it means getting the balance right between the service offering and daily rates.

engagement

Every customer wants to be the top priority so engagement levels are high, particularly with audit committee chairs and senior managers. This is essential rather than desirable to ensure the best service possible. Engagement also needs to be outward looking to have a good appreciation of what is happening in the profession and within various sectors. Baker Tilly therefore responds in a variety of ways, including webinars, audit committee training, e-newsletters, sector specific and internal audit events.


The scale of the Baker Tilly operation means the consistent application on a national basis of a proven internal audit methodology is a necessity as quality is integral to the value proposition of outsourcing or co-sourcing. This is assisted by the use of 4Audit, an internal audit working paper and reporting tool that Baker Tilly has developed as part of its wider suite of governance and risk management software.


An independent internal audit function is an important feature of good governance yet the subject will always be a matter of debate. Some argue that an in-house function is often too close to management to be truly independent while others suggest that a commercial contract for internal audit hinders forthright views from the internal auditor in fear that future contracts might be lost. Unlike internal providers, external providers also carry the risk of litigation for “getting it wrong” and hence internal quality control to minimise this risk is paramount. In practice it is down to individual auditors having an unbiased attitude and at Baker Tilly the management and quality infrastructure including independent second partner reviews has been designed to ensure opinions within internal audit reports are expressed honestly and without prejudice.


www.iia.org.ukChartered Institute of Internal Auditors

13 Abbeville Mews 88 Clapham Park Road London SW4 7BX

tel 020 7498 0101fax 020 7978 2492email [email protected]

© May 2015

about the chartered institute of internal auditors First established in 1948, the Chartered Institute of Internal Auditors (IIA) obtained its Royal Charter in 2010. It is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland. It has over 8,500 members in all sectors of the economy including private companies, government departments, utilities, voluntary sector organisations, local authorities and public service organisations such as the National Health Service.

Over 2,000 members of the institute are Chartered Internal Auditors and have earned the designation CMIIA. Over 800 of our members hold the position of head of internal audit and the majority of FTSE 100 companies are represented amongst the institute’s membership.

Members of the Chartered Institute of Internal Auditors are part of a global network of over 185,000 members in 190 countries. All members across the globe work to the same International Standards and Code of Ethics.

More information on the Institute is available at www.iia.org.uk

Models of effective internal audit – How to organise a successful internal audit function

models of effective internal audit - iia.org.uk · it, project management, treasury, ... networks...

Documents