The internal audit (IA) function is a largely unseen and unsung one compared to ones like sales and marketing, operations, and finance. But it is an essential one. Recently its role has been expanding beyond the traditional internal controls focus to a broader one getting into more complex issues like corporate culture. In order to do so, the IA function is adding new capabilities, such as in behavioral risk based on concepts from behavioral economics. I explore these issues in an interview with Alexandra Chesterfield, Head of Behavioural Risk and Chris Spedding, COO at NatWest Group Internal Audit.
Eccles: Hi, Alex and Chris, thanks for taking the time to talk to me. Just to get things rolling, please tell me a little bit about yourself.
Chesterfield: Hi Bob. I’ve always been curious about why people do what they do and how those insights can be used to drive positive change for individuals, organizations, and markets. I lead a team of behavioral scientists and risk specialists in NatWest Group’s Internal Audit function. I joined from the Financial Conduct Authority’s (FCA) Behavioural Economics & Data Science team and previously set up and led research teams in policy / campaigning organizations trying to change “the system.” I am co-author of Poles Apart, published by Penguin Random House, on why people divide and how to bring them back together. And co-host of the “Changed my Mind” podcast. I would love to ask you this question one day, Bob!
Spedding: I’m from a different background. Having spent a decade or so in financial services risk consulting, I’ve spent the last few years working with the audit functions of two UK banks to help to transform the impact they make on their organizations, their customers, and the industry in which they operate. I’m now a COO, responsible for coordinating how our function plans, delivers, and consolidates the output of our work.
Eccles: The internal audit function isn’t something most people know a lot about. Could you please tell me what it does in general?
Spedding: Put simply—and historically this has been consistent across the profession—the internal audit function is an independent team in the organization who test key business controls to provide assurance to the organization’s Audit Committee that management is adequately controlling key risks.
Eccles: That’s helpful. It’s clearly an important function but seems to happen largely behind the scenes on purpose. Are there any major changes in how this function is done in a bank compared to non-financial institutions?
Spedding: It’s been a while since I’ve worked outside financial services, so I can’t answer this definitively. But I do know that the audit functions of heavily regulated industries such as financial services are typically much larger and better resourced, to deal with the complexity and regulatory requirements of their organisations. A major factor for audit teams in financial services is the influence of the global regulators who have issued several pieces of guidance or regulation aimed specifically at internal audit over the last decade.
Eccles: I understand that the Chartered Institute for Internal Audit issued its IA Financial Services (FS Code) in 2013. You were the secretary to the committee on this so please tell me what this was all about and why the UK regulators requested it?
Spedding: Rather than prescribe “how” to audit effectively, the FS Code defined the purpose and role of the audit function and the conditions required to be effective, such as its independence, access, and standing. It also repositioned the role of the function to help the senior leadership of the organization to protect the bank and therefore its customers. It may do this by testing controls, but this should be a tool in its kit, rather than the purpose itself.
Eccles: I’m especially intrigued by the new phrase in the 2021 revision of the FS Code that “The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organisation.” We’ll talk more about what is meant by “sustainability” later but I’m curious if any other internal audit code in any other country has made this type of revision.
Spedding: Not that I’m aware of. It’s interesting that you pick up on that section of the FS Code. This was important for the Committee. We felt that the challenges that audit functions faced were less about audit methodology or process, and more about the position they held in the organization and the mutual agreement on their purpose and role—moving the focus of Internal Audit to the most material risks facing the organisation.
Eccles: Thanks. Sounds like another example of how the UK is leading, as it is with your Corporate Governance Code, your Stewardship Code, and the work in general of the FCA. But let’s get into some specifics here. How does the internal audit function work at NatWest, including who it reports to?
Spedding: The Internal Audit function at NatWest has about 450 people, and our structure mirrors the wider organization with a combination of business and functional (e.g., IT, risk, and finance) lines. Our primary reporting line is to the Chair of the Group Audit Committee. This is important to ensure our independence. There is a secondary reporting line to the Group Chief Executive, key in terms of standing and access. This governance structure was established in the FS Code as previously many audit functions would report to a Financial Controller or similar.
Eccles: Well, for what is an obscure function to many you are certainly at the top of the food chain. But let me ask you about another specific issue. You like to describe your function as doing a “Purpose Led” audit. I’ve never heard that term before. What does it mean?
Chesterfield: When our new CEO, Alison Rose, was appointed in November 2019, she instigated a shift to being a purpose-led bank, with our purpose being to champion potential, helping people, families, and businesses to thrive. But this raised a big question for me. If the whole idea of WHY organizations exist was changing, then Internal Audit should consider changing too. It’s not enough to think of value through a narrow financial or compliance lens. We should also be thinking about wider value, looking at our impact on customers and wider stakeholder outcomes too, such as societal outcomes. This can be a step change for traditional audit teams, who are more accustomed to auditing processes and procedures rather than the outcomes of these processes for people and planet.
Eccles: You know I’ve written a lot about purpose, and this makes sense to me. The board should set the purpose of the company and it makes sense that internal audit should report to the board. Another specific question. At the beginning you said you oversee the Behavioural Risk team in the internal audit function. Please first explain to me what “behavioral risk” is.
Chesterfield: Sure. It’s risk caused by how we behave. So much of how organizations and markets are designed is built on the idea humans are predictable, rational actors making cost-benefit analyses about risk and reward. This is the basis for law, risk, and compliance functions. But it is a flawed theory as shown by decades of social science or when systems fail. Behavioral Risk is based on empirical evidence of how people actually behave and what drives those behaviors, rather than how we think they behave or want them to behave. So, it’s a new forward-looking, data-driven, and more human-centered approach to risk management.
Eccles: Thanks for the tutorial! Now please explain to me exactly what your team does and how it fits into the rest of the internal audit function.
Chesterfield: The purpose of the team is to reduce the risk of poor outcomes for the organization and our stakeholders arising from behavioral root causes. The value we provide is to help pre-empt future issues and support the bank’s sustainable growth. We are a team of 10 and there are really two main activities. First, horizon scanning: leveraging behavioral data science to generate unique insights and identify potential hot spots for a targeted audit. Second, doing a targeted audit to understand how aspects of the “system”—from culture to digital interfaces—influence colleague or customer decisions and subsequent outcomes. We use a range of tools from interviews and surveys to analyze millions of data points. I’m particularly excited about some of the econometric approaches we’re using to assess the impact of a particular activity or product/service at scale.
Eccles: Well, it sounds interesting, but this could also be a little bit “Big Brother” on the behavioral dimension. How do people in the organization feel about your team? Be honest, don’t you make folks feel a little bit nervous about their behavior being observed?
Chesterfield: Great question! But whether we are crunching thousands of data points or observing a management meeting like a fly on the wall, I think quite the opposite is the case. We are giving a voice to internal and external people who often have less formal power. And putting that voice in the Boardroom to try and drive positive change. And, of course, we make sure we have all the necessary checks and balances around informed consent, confidentiality, data protection, etc.
Eccles: Okay, that helps clear things up and thanks. Makes sense. I’m now wondering if any other bank is doing “Purpose Led” audits and has a behavioral risk team.
Chesterfield: Other organizations have behavioral risk teams but I’m unaware of others doing audits in this way. They clearly should in order to identify unseen or unwanted negative impacts on different stakeholders. Getting ahead like this can also help spot potential future issues so organizations can make the necessary adjustments. As LBS Professor Alex Edmans says, poor corporate governance isn’t just about errors of commission but also errors of omission.
Eccles: Well, it’s good to hear some other organizations have followed suit on behavioral risk. Can you ever imagine an American bank having a behavioral risk team in its audit function? Why or why not?
Spedding: Recent signs are encouraging. Historically, U.S. regulators have been more prescriptive than in the UK in defining their requirements for the scope and approach of IA’s work, primarily focused more on the traditional role and process of IA. But recent publications, such as the New York Fed’s Culture Web Series, are placing an increased emphasis on corporate culture. This opens up the discussion around purpose led auditing and behavioural science.
Eccles: That is encouraging. Different question. How does internal audit and your team in particular support “the sustainability of the organization?”
Chesterfield: Behavioral risk is all about pre-empting future problems and identifying blind spots that put the sustainability of the organization at risk. Examples are the risk of losing trust and integrity, which links to the wider stability of the financial system, the correlation between employee satisfaction and long-term shareholder value, and the importance of making it easier for people to make informed decisions about spending, borrowing, and saving.
Eccles: Of course, you know I think that a sustainable organization needs to focus on the material sustainability issues for its stakeholders. So how does the IA function and your team work with the sustainability group at NatWest?
Chesterfield: On multiple levels. As well as my IA colleagues auditing them more formally, my team acts like a critical friend—sharing insights from our work and also tools (e.g., on measuring impact using econometric approaches) to help drive change.
Eccles: One last question if you have the time. You know I’m a big supporter of the IFRS Foundation’s International Sustainability Standards Board (ISSB). Their general requirements and climate exposure draft are based on the framework of the Task Force on Climate-related Financial Disclosures (TCFD) of governance, strategy, risk management, and metrics and targets. It seems to me that your function and your team should play a critical role should NatWest decide to adopt these standards. Any initial insights on how this would be done?
Spedding: You’re right. Internal Audit should be heavily involved in the bank’s response to sustainability standards. We’ve already undertaken work in recent years on the bank’s TCFD reporting. More generally, it’s essential that reporting on sustainability is well controlled and based on robust data. In some cases, methodologies for calculating metrics or targets, for example, are not yet defined with recognized industry norms or standards. Therefore, a key role of Internal Audit is to ensure that the bank discloses the information these standards expect, fairly representing “the benefits, risks and assumptions associated with the strategy and corresponding business model” (as required in the FS Code), transparently and robustly for all our stakeholders.
Eccles: It does sound like you’re well-positioned to support the adoption of the ISSB’s standards should you decide to do so. But I lied and now here is the last question, two really, just so I can cheat a bit. First, does sustainability reporting according to a set of standards mean an important new role for internal audit? Second, if so, do you think all organizations will need to make their internal audit function Purpose Led and with a behavioral risk team in order to do this?
Chesterfield: Internal Audit currently audits financial and regulatory reporting. Some may see increased sustainability reporting as an additional regulatory required burden on top of this, but it is not a fundamentally new role. Arguably it’s not necessary to make IA functions purpose led and/or have a behavioral risk team to look at the processes and controls of sustainability reporting.
But is this sufficient for genuine progress? To accelerate change? To be on the front foot? I’m not so sure. Let’s set the bar higher for audit, using purpose as a north star for holding the business to account for delivering on its purpose every day, not just on reporting “as at” dates. This is where we see the power (and potential) of behavioural risk.
Eccles: Alex and Chris, thanks so much for your time. I’ve learned a lot. Down the road I may be getting back to you to talk more about IA and the ISSB.