Not every internal auditor can claim to have led a career helping to fight crime, but the Metropolitan Police Authority’s former director of internal audit, Peter Tickner, can.
Starting his professional auditing and investigating career as an external auditor in the NHS in the 1970s, Tickner switched to internal audit in the early 1980s and was one of the first tranche of auditors to take the IIA’s exams and is a CFIIA.
In 1988 he became head of internal audit at HM Treasury, a post he held for seven and a half years. During that time, Tickner produced the first audit needs assessment and risk analysis for the Treasury, as well as a risk-based rolling audit programme. He also assisted in fraud investigations and was responsible for the investigation that resulted in the conviction of a head of a government agency – still the most senior civil servant ever sent to prison as the result of an internal audit.
In 1995 Tickner became the director of internal audit for the Metropolitan Police in London. The organisation had pledged to improve its internal controls and corporate governance following a £5m, seven-year-long internal fraud committed by Anthony Williams, the deputy head of Scotland Yard’s finances, who became known as the “Laird of Tomintoul” after the money was used to buy a range of properties in the whisky-distilling town.
Early on in his tenure, Tickner discovered that the Met suffered from lax procurement procedures – so much so that a known money-launderer and a convicted armed robber were both on the list of police contractors. Such incidences focused Tickner’s work towards investigations as well as internal audit. Within a year he had set up a separate branch in the Met’s internal audit department to investigate contractor and staff fraud and corruption. At its peak, the unit was conducting between 60 and 70 internal investigations a year, saving £24m in taxpayers’ money over a decade.
Since 2009, Tickner has run his own investigative and audit business and has written two books, How to be a Successful Frauditor and The Successful Frauditor’s Casebook (John Wiley & Sons).
Here, he offers his views on working with a small team in a large organisation, fighting for more resources and working on fraud investigations.
Q What lessons did you learn from your experience as HIA at the Met?
I held the role for 14 years, prior to which I had been HIA at the Treasury for nearly eight years. The Met was a completely different animal and had a totally different organisational culture. At that time it felt closed off to non-policemen, so it was difficult to gain trust.
To get on, you needed to make sure internal audit was not regarded as an “outsider”. This meant going out into the business to see how the police work at an operational level – no one is going to pay you any attention if you can’t show any understanding of what the police do.
One tactic that paid great dividends was to bring former police officers into the team. When I started, internal audit had an image problem: it was not well regarded, was treated with suspicion and did not have credibility. By bringing ex-officers into the investigations side of the team, the police saw us as being on the same side, even though we were independent. It became a more open relationship between us and the areas we were auditing, and broke down barriers.
On the flip-side, these ex-officers knew a lot about the realities of how policing worked and how the Met operated, which gave us useful insight into how we approached our work and prioritised areas for review.
My experience at the Met also taught me the importance of having a flexible audit programme. The Met’s priorities and areas of focus can shift quickly, and what was a priority a month ago can drop down the list of key risks to review. It was important for internal audit to keep pace with changing developments and to be prepared to help management deal with risks when necessary. For example, if the organisation is undergoing a crisis, internal audit should be a tool available to management to help turn the situation around. It should not watch from the sidelines.
Q Did you feel you had sufficient resources to provide adequate assurance in such a large organisation? How did you plan the scope of your work?
When I started at the Met, it was part of the Home Office and employed 40,000 people in operational and administrative roles – that actually increased to 50,000 by the time I left. It had a gross budget of £2bn that was purely for its own running costs. The Inland Revenue (now HMRC) used to class the Met as the UK’s 21st-biggest public-sector body, which made it larger than most central government departments and the Royal Air Force. It was a massive organisation to audit.
But when I joined I had only ten staff, including a secretary. The function was also greatly demoralised after the Anthony Williams scandal – there was a lot of finger-pointing about internal audit’s inability to act on its own suspicions of fraud. Over the next four years I managed to build the department up so that it had 40 people: 24 internal auditors, 12 investigators and four support staff (two analysts, a business manager and a personal assistant to my senior team).
The trick at the start was to get senior people who could also do the basic auditing work while we built the team. They knew how to do the simple, process-driven work and they could get it done relatively quickly, even if it meant juggling their workloads around. If you hire junior people at first, they will often lack the experience and knowledge to perform effectively at a more senior level and, if they are very inexperienced, they will probably need guiding through some of the basic auditing work, which is a distraction when you have few resources.
Increasing the internal audit headcount required working more closely with management to prove the business case. The best way to convince management that internal audit should be better resourced is to show that you understand the business and that the focus of any reviews is aligned to the key risks facing it. Once internal audit and management agree on the risk framework, management can then get a better view of the scope of any review and what skills and resources that internal audit needs to provide the appropriate level of assurance.
Q How do you think the role of internal audit has developed? Do you see areas where it could be more active?
I have always been a strong control-orientated internal auditor and my position is that internal audit should have a key role in fraud detection and investigation, as well as prevention. My experience has been that leaving the responsibility for dealing with fraud risk to managers – who often have less knowledge and fewer skills to deal with it – is a big mistake.
Internal auditors are the best placed people in the organisation to stumble across signs of fraud. We have the skills and experience to understand what is happening and, as a result, the profession should be better trained to recognise the symptoms of fraudulent activity. The only real practical difference between an investigator and a qualified internal auditor is that investigators know more about how to investigate and conduct formal inquiries within the law. However, these are skills that internal auditors can readily pick up through training and experience.
Peter Tickner’s books are available at bit.ly/IIABooks for IIA members to buy at a 30 per cent discount (a member log-in is required).
>> Corporate credit cards
In 2004 Tickner’s internal audit team received a tip-off from a Spanish informant who had been working temporarily in the Met’s finance department that a police officer had been using his corporate credit card fraudulently.
Following a major review, Tickner told the Metropolitan Police Authority’s corporate governance committee in 2008 that over 300 detectives, mainly involved in counter-terrorism and specialist crime investigations, were suspected of fraud. Acting on Tickner’s evidence, the professional standards department of the Met (which investigates allegations of corruption or abuse by police officers) also wrote to nearly 1,000 detectives to warn them that their use of corporate credit cards was “inappropriate” and that any further misuse could result in disciplinary proceedings.
As a result of the joint professional standards and internal audit investigation, Met officers repaid about £180,000, although a police amnesty in 2007 ensured that none of those who returned the cash during that period were disciplined. Subsequent criminal investigations saw five ex-detectives (one of whom had withdrawn over £100,000 in cash) being sent to prison.
>> The IIA’s stance on fraud detection
It is not a primary role of internal audit to detect fraud, but it is a role that most people expect internal audit to undertake. There is, therefore, an expectations gap that needs to be managed. Internal audit has no legal responsibility for fraud but is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risk of fraud. Any additional activities performed by internal audit should be in the context of, and not prejudicial to, this primary role.
As outlined in the IIA’s “Fraud position statement”, the roles that internal audit should undertake include the following:
- Investigating the causes of fraud.
- Reviewing fraud prevention controls and detection processes put in place by management.
- Making recommendations for how to improve those processes.
- Advising the audit committee on what, if any, legal advice should be sought if a criminal investigation is to proceed.
- Bringing in any specialist knowledge and skills to assist in fraud investigations, or leading investigations where appropriate and requested by management.
- Liaising with the investigation team.
- Responding to whistle-blowers.
- Considering fraud risk in every audit.
- Having sufficient knowledge to identify the indicators of fraud.
- Facilitating corporate learning.
- The IIA’s full “Fraud position statement” can be found at bit.ly/YFPdu
- Other IIA fraud-related resources that may be of use include:
- “Internal auditing and fraud practice guide”: bit.ly/JpH7f5
- “Managing the business risk of fraud”: bit.ly/KWDY7A
- “Internal audit’s role in fraud” (article): bit.ly/LMg80W
Five tips for credibility
To earn the respect of management, internal auditors need to go out into the business and be prepared to get their hands dirty once in a while, according to Peter Tickner, who offers his top tips:
- Know the business. Go out and see the operational areas and repeatedly make the effort to see senior managers as regularly as possible – they will not make the effort to see you.
- Bring people into the team with a high level of skills and experience. Internal audit needs to build trust in the organisation.
- Take a risk-based approach. Internal audit departments can struggle with credibility issues, particularly if there have been high-impact governance failings in the past, so carrying out the traditional audit by rotation work is a non-starter.
- Operate a flexible audit programme. The organisation will have a flexible approach and will shift resources and change its priorities depending on what is happening around it.
- Be prepared to help management deal with risks. If the organisation is undergoing a crisis, internal audit should be a tool available to management to help turn the situation around.