Video transcript: Internal audit: A key pillar in building trust and confidence

Transcript for a video of a presentation about internal audit given at the 2019 Audit New Zealand information updates.

Title: Getting back to #1 – Internal audit: A key pillar in building trust and confidence

Bernie McKendrey

Good afternoon all. I love speaking in this session, so I won’t get you to all stand up and stretch and what have you, but hopefully I can keep you awake. And, just for reference, yes, I am CIA: I’m a Certified Internal Auditor. I love those three letters going after my name, especially when you travel internationally. First and foremost though, I am a chartered accountant, and I did an external audit with one of the big four for a number of years, so I have lots of scars on my back.

I grew up, though, as a nucleographer in Palmerston North Hospital, so now you can all go off and look up what a nucleographer does. And a couple of the examples I will give today hark back through some of my previous lives, as I would like to refer to it.

Getting back to number one. Internal audit – so you will groan – a key pillar to building trust and confidence. There are a lot of key pillars. We certainly see the role of external audit, governance, the executive, and the boards and what they do, as critical. We focus on governance, risk management and controls. And we have two wings to us. We not only provide audit, which is assurance on your control environment and processes that you have in place that says, “Yes, we can manage for the next year, 18 months, two years or whatever.” But we also consult. So sometimes you’ll go in, very quickly, when things aren’t right, and you’ll go, “Okay, not so good. Let’s be advisory.” And there’s no audit report; we just go in and say, “Let’s work with the business to get them up to speed to where they need to be.” So we have a number of roles.

I just want to point to the bottom point on this slide, which is: “Trust is not self-evident, so we must make it so.” And I want to hark back to something that John Ryan said, where he said, “Transparency is great, but it’s not the only answer,” and it’s the same with accountability. And it isn’t self-evident, and you can disclose all you like. It’s a bit like the tip of an iceberg, though; it doesn’t mean that because management believes or the board believes that everything is tickety-boo, because that’s what the information says that they had given to them… it can mean that there’s an iceberg with creaks underneath that isn’t quite doing the same thing. And, certainly, when you get into larger organisations – and I think of some of our larger government departments, ministries, etcetera – it becomes quite difficult when you’re quite removed from what I call the epicentre of control.

So yes, we just make it so. And we do want to get back to number one. And certainly our public sector frauds have had an impact. One of the other pieces of pro bono work I do is with the Institute of Internal Auditors and the Board that I sit on; it's a voluntary board, it's a working board, and we have a real life on the side as well. I also do pro bono work for Transparency International New Zealand, and we have common values and common views. We are about to launch a financial integrity system assessment. You'll be seeing more of that in the media shortly, and that's going to come out in June. And I encourage you, even though you're not a financial institution – which is where I've lived my life for the last 20 years, mainly in big banks and corporates – because what it asks and what it challenges is going to be very pertinent to many of you in the public sector.

So who are we and what do we do? I don't expect you to read that; the print is small; you'll have it in your packs. Canter through it at your own pace, and it's there for reference. But what I do want to say is we are a professional body. We are part of a global group. We have a Professional Practices Framework. In the UK, our qualification is chartered and sits alongside that of chartered accountants. As I say, I'm a CIA, I'm a Certified Internal Auditor, and that certainly helped me get my roles when I was in the UK and working across Europe. We look at risk; we are risk-driven. We are internal to the organisation. So we do get quite a good understanding of how things tick. We also provide a point of call as a sounding board for those that just want to go and check out whether things are right, and I'll talk a little bit more about that when I get to my examples.

Because quite often, individuals who see something that just doesn't smell right or look right but are unsure, they don't know who to speak up to or where to go and ask that question confidentially. And a lot of the stuff that comes onto the doormat of internal audit is actually those individuals. And, in my career in audit functions, many people have come knocking on my door and said, "Bernie, can we have a coffee? Can I run something past you?" And it's completely confidential. And, at the end of the day, it's not necessarily up to internal audit to do anything about it. I will help and support those that are at the front of the problem, or in operations, to go and do what they must do. Because, after all, it's their business; they run the operation, and I certainly don't have their budget to fix their problems. But I can be a pillar that they can rest and lean on.

Thank you to Steve for the next slide that we’ve put in. Internal audit versus external audit. A lot of people get it confused as to what we both do. We have some great analogies that we use in both when I’ve got my external audit hat on or my internal audit one. We are quite different but we’re quite aligned, and, in most organisations, we work very closely together. We try and leverage off each other’s work. Internal audit is very much focused on the processes and operations. So, again, if I think of the top tables and the boards who I’ve had to present to in both – I’ve been a chief risk officer and an audit director of large organisations – I look at the quality of the information that’s coming through and where that information has come from.

Because, invariably, when you get past the operations of an organisation, which are all your nuts, bolts, widgets and people, everything else is just moving paper and information, and it's systems and it's data and it's analytics. And it's the quality of that information that provides the assurance to those that go up through the organisation. So we've had a couple of people today talk about policies and procedures, and some of the fraud examples talk about those. But, before I get into them, I just want to ask you a couple of questions. I started out as a nucleographer. We certainly had policies and procedures. So if you imagine a surgeon is about to do some open heart surgery, you'd pretty much hope that he was actually following the book – one, two, three, four – and wasn't going to go dust it off, "They're just mere guidelines; I'll do what I want to do anyway." So when your life is at stake, following the procedures is critical.

Now, I'm a foodie, love my food. Love to cook, but I am a cook. My youngest daughter is a qualified chef and works in Melbourne at a really posh restaurant, and one of the things she always says to me – because I don't weigh or measure anything; I use a recipe as a mere guideline – she'll go, "Mum, the recipe is there for a reason. If I did that in the restaurant I'm working in, half my patrons would walk out the door. They come here for quality, so you have to follow the recipe. If I get it wrong and we have to throw that batch of whatever out, I've just cost us a lot of money." So, again, really focused on what her policy and procedures say that she has to do. And quite often in our world, where no one's going to take a knife to you so you're not going to die, the policies sit on the shelf. I can't tell you the number of organisations I've gone into where we've picked them up, blowing the dust off, and found out that they're 10 years old.

And the other way operations work – I call it Chinese whispers. You start a new role, you're going in and you're going to do your job, and it doesn't matter what level you're at. You'll go, "How do we do it around here?" And the guy who was before you, or he might have left or she might have left, or a colleague says, "We do it like this." And you go, "Oh. Sounds pretty sensible. I'll do it like that too." And before you know it, Chinese whispers of operations has been operating for the last 10 years. And with all the good intent in the world, with all of us trying to do a fantastic job on our day-to-day basis, we actually aren't doing the right thing. And we've created those gaps that those people that like to take advantage of a situation take advantage of. And that is very much where we see where frauds are perpetrated.

And, again, you’re too busy doing the day-to-day stuff, right? So internal audit, again, is another place that you can go to, to just go and have a quick look over here and see if it makes sense. One of the things I’ve spent a lot of my life doing is – two places, actually – mopping up after something goes wrong. It was originally how I got poached from Deloitte into a large financial organisation, because the bank got sick of paying for people to come in and tell them where they went wrong, and they figured they should know anyway.

And the second one is, "I'm a new manager into this operational area. Come in, go drains up, because I want to know what I've come face into. Because everybody says to me, 'It's fantastic.'" And, of course, it is. But you just want that independent opinion that says, "Yeah, it is," or, "Actually, here are the things that we've found. Your budget, your operation. You go out and work out what you're going to tackle first." So there are a lot of different ways that you can use internal audit to your value. Something else that's of interest to me – and I'll put my hand up first, so this is not the Institute of Internal Auditors' view; this is the Bernie McKendrey view – I believe in self-regulation. I've had to work a lot in jurisdictions where regulation is so thick and heavy that compliance costs can absolutely cripple an organisation, and it's compliance for compliance's sake. It's that tick-the-box stuff; it doesn't overly add value.

So I very much believe in us being self-regulating, self-disclosing, self-transparent – which is why I'm a big fan of Visa. But internal audit isn't mandated in New Zealand. It's one of the very few jurisdictions where it's not mandated. Now, I'm not saying, "Write a law and say everybody has to have an internal audit shop," not by any means. But what I am saying is that, in some form or another, you need to have assurance out there. You need to have somewhere that you can go to and get that independent view where it understands your organisation, that everything is actually tickety-boo and as you think it is. It'll be interesting to see what happens under these current State Sector Act reforms, so we're definitely keeping an eye on it.

So fraud, recent experiences. Some of these will be familiar to you; this is not an exhaustive list. We could have gone on and on and on. There's a load more on the list that we are compiling and keeping an eye on, because we use it in various speaking opportunities we have and in the training we do. It seems to be a little bit on the rise – although, in one of the large financial institutions I worked in, internal fraud did actually report into me, so I thought everybody committed fraud. It's a bit like thinking everybody's sick when you start out as a nucleographer and you're in cancer diagnostics; you kind of think everybody's going to die of cancer. So I have one of those in-the-environment warped views. But there is a lot of it. And certainly it's been picked up on, because we've dropped from number one to number two. And I think the time is ripe to get back up to number one, and we can only help ourselves to get there. So the challenge is out there to raise the bar in what we do.

Just digging more deeply into an example – Waikato DHB – two things here that are of interest: again, what is the internal auditor's role in alerting someone to fraud? It's not our job to go and find it. I always say to management, "It's your job to make sure you've got the right control environment to try and prevent it." However, I know for a fact that if someone wants to scant around and get in and do, there will be individuals out there that know all the tricks in the book. And those of us that are… I like to think of myself sometimes as quite naive and quite accepting, although I did have a partner say to me, "Just think nasty thoughts all the time, Bernie, and you'll be fine in your job." So you could say that's the way to go. But we do things and we change for lots of reasons.

And the other thing I've noticed, certainly in our environment, in my years, we used to get a job and you're there for life. We called them lifers. In a certain institution I was in, we called it "The Jurassic Park List." So anybody that had been there for 10, 20, 30, 40, 50 years, they were on this list. And to get onto the front page was an honour, in some ways, and also not in others. But now, people change roles quite quickly. We restructure all the time. Inadvertently, we create gaps in our control environment. Without even meaning to, we often throw the baby out with the bathwater. We often don't do the right thing around the processes that we have in place. And, again, if you've got an internal audit function, it's a cheap internal resource that you can get to go in and have a look at things.

Now, most internal audit functions we keep – as part of our practice, the way we do things – we keep about 30% of our capacity spare so that we can actually go in and do these quick and dirty looks and sees to help the business out. It's just far more effective. We'd rather put the fence at the top of the hill than the ambulance at the bottom. So that's what we're there to do. If you look at where things occur – and the frauds I put up before, as I said to you, it's not a limitless list. It goes on, and there's different issues with most of them. The points I've pulled out there are two of the common ones that you see as threads through a lot of them. But there are little titbits within all those frauds that say to you, "How could we just check and make sure that we haven't got those issues here?" I encourage you, even if you don't have an internal audit function, it can be co-sourced in. It can be insourced, if you have the individuals with the right skills and capability. And you can use various models in how you do it. But you need to look to your organisations to build up some sort of independent assurance.

One of the things we talk about a lot as internal auditors is the control environment. We follow quite internationally recognised models, which is the COSO Frameworks. They’re built into how we do things and our audit process. John talked about accountability in roles. Now, that goes from the top of the organisation down. We’re all accountable. So it’s no good waving the flag and going, “It’s their responsibility.” And this is where I also talk about speaking up. If you see something that you don’t think is right, or you just think it’s odd, then call it out. And we’ve got to put mechanisms in place so that staff know how to do that, know where to go, and actually feel safe doing it.

I was at NAB when we had our rogue trader some years back. That was called out by someone who’d just joined the team – from KPMG, actually – and she was working in a middle-office function and couldn’t work out why certain standard reports weren’t being done at end-of-day. So it was a simple thing, and we all say she asked the dumb question. It was the best dumb question she ever asked. So quite often, again, the internal auditor will always ask the dumb question. I’m pretty good at asking dumb questions. But often when you ask those questions, it gets those that have to account – when you have to speak to someone and justify why you’ve done one plus one, or A plus B, or not followed the procedure, you think about it.

Your call to challenge is, "Well, is it right or is it wrong?" "Should we be doing it better? Actually, we've been doing it differently than the procedure says for the last 10 years. Because it is more efficient and it is more effective. But we just haven't updated the policy and procedures manual." You see that a lot. But the problem that then causes is, when you leave – and we're getting a lot more churn in our organisations – those coming in don't know. And they pick up the old thing, and the way you're told to do it and what the procedure says are different.

So challenge. Build strong control and compliance work structures. Compliance doesn’t have to come at an extra cost, either. We often find in internal audit – and I’ve seen it in many instances – there is actually a lot of inefficiency often built in, particularly in large organisations. You can leverage off something that’s been done by someone else in a lot of instances. And New Zealand is a great place for showing initiative and being inventive in the way we address issues. And over my time, I’ve seen some amazing things on the table that, from a control environment perspective, are actually really good. You don’t need to go and employ another resource. You can make your process more efficient and more effective. And that’s something that we look at too.

We do a thing called cradle-to-grave walkthrough on most processes. And, at those hand-off points and into the next area, you often find there's duplication. People are unaware of it. And if you can get rid of some of that or combine how you do things, you'd be amazed at the efficiencies you can often get. One of the things that we've highlighted here is report and follow-up that we do. And, in a lot of the fraud cases, the examples up there on that list, it's because we like to follow up. We're mandated to follow up as part of our standards under our Professional Practices Framework. And it's often been in that follow-up – because, "It's alright, the audit report's got issued, that's fine. We've got our management letter points, that's fine. They're not going to come back and check up on those. That's okay; we're all good."

Whereas we're not like that. We're like fleas in your ear, and we go, "Knock, knock. Have you done that?" "Knock, knock. Have you done that?" And it's just to remind you that these things are still on your table. We see slippage. Everybody, to get across the line, will often say, "Don't worry, Bernie. I'll have it done in three months." And then you go back: "Well, maybe six months is more realistic." I get it; life gets in the road. Life certainly gets in my road. But we do follow up. There is a reason why we often raise things. And I can also list out cases where internal audit raised the issues; business didn't do things; it was followed up, but it still wasn't addressed; then it manifested itself.

In a lot of larger organisations, and certainly offshore, where internal audit is mandated, we also have to do what we call value of audit findings. So every time my team delivered a piece of audit work and I had to report, I would have to then go and sit down with the GM of the area or whoever headed it up and say, "Right, how much money have we just saved you?" And generally, in other jurisdictions when the law is more rigorous, there is a huge cost to it. So some of it goes to, "Well, we kept them out of jail, didn't we?" So it's the fines; it's the impact on your business. When you're a bank, in particular, you can lose your banking licence, as might have happened to a couple of banks I worked for up in Singapore – which has a huge financial impact on your organisation.

Invariably, though, most internal auditors can sit down and say, “If you do this, this is the cost benefit.” That’s really useful for management, because then you can decide how to prioritise that limited resource you’ve got: time, effort and money and individuals. If you don’t have the skills, you may have to buy them in. And then it’s a case of you assessing the risk and saying, “Do I need to do it today and spend the money, or can I put it off and address it at a later point without putting too much risk on the organisation?” So it just helps those balanced decisions.

So we encourage you to manage your risks and adapt as circumstances change. And just a couple of links in case you're interested. The Institute of Internal Auditors. Being part of a global organisation, our colleagues across the globe do a lot of research, produce a lot of white papers, do a lot of benchmarking. We have access, through those networks, to a wide range of information, and also good ideas for good practice. So it never hurts to go and knock on the door of your internal auditor and ask them to go and do something for you. They're a good resource.

For more information and to download presentations, visit auditnz.govt.nz.