Back to News

Internal audit: the long view

By Audit & Risk | 23rd March 2016

Internal audit: the long view

A thought provoking article in the Audit & Risk publication written by John Wright, an audit committee chair and the former chief executive of Clydesdale & Yorkshire Banks. The article explores how auditing has evolved from an inspection to adding value and helping to develop a better culture in the organisations concerned. 

Prior to my ostensible retirement in 2001 I had been subjected to varying degrees of inspection and audit. One goes back to the very early days in Scottish banking where “inspection” was the order of the day and every year or so the inspectors from head office would arrive minutes after the close of business, demand the keys of the branch, the safe keys and essentially take control. It was a particularly terrifying experience! The essence of the initiative was all about control and the focus was very much on finding fault, although one has to say, as my career evolved, inspectors gradually became more amenable to discussing how workflows, business processes and indeed internal controls could be improved. Therefore I think we saw, perhaps in the 60s, the beginning of “value add”. 

It was working for an American bank in Hong Kong in the 70s that I was first introduced to internal auditors, who travelled the region and whose focus was very much on ensuring that the business units were well run and properly controlled, with a very good level of engagement with the management team of the unit. 

Thereafter, internal audit in the banks for which I was responsible continued to migrate further in the direction of adding value and helping to develop a better culture in the organisations concerned. It’s worth noting that for many, many years in banking it would not be possible to get into a senior job without a stint in inspection/internal audit. This was entirely sensible, because the individuals in that function have a unique opportunity to observe all of the inner workings of the organisation, which can only be positive.

Since my supposed retirement in 2001 there’s been continuing evolution and I’ve seen this in my roles as an audit committee member in a variety of organisations in the UK and overseas, in the public and private sectors and owner-managed businesses.

It’s been interesting to observe the effectiveness of various organisational models, such as fully in-sourced, fully out-sourced, blended and so on. I have experienced all of them and without a doubt I would favour the creation and development of a fully in-house function where the individuals manning it are part of “the body o’ the kirk”, so to speak, while retaining all of their independence. In that situation it’s possible to rotate up-and-coming young managers through internal audit as part of their career development – of course this can take some selling! 

However, one of the inherent weaknesses of a fully in-sourced, fully in-house function is that it may become dated in terms of the latest IFRS requirements, methodologies, technology and so on. In such situations it’s useful perhaps to negotiate with one’s external auditor to second somebody from their internal audit team for perhaps a year to transfer knowledge. This in addition to the usual round of training, conferences and workshops. 

Certainly from my perspective the future of internal audit is to move entirely to risk-based audit to enhance shareholder value, assess the business improvement opportunities and even the earnings per share in the areas which they’re auditing - and indeed to encourage and develop awareness of the role of the function across the entirety of the business.

John Wright is a non-executive director and audit committee chair of several companies in the UK and abroad. He previously served as the chief executive of multiple banks including Clydesdale & Yorkshire Banks.