It is symbolic that a chance meeting in a lift with an internal auditor epitomises why Richard Brasher, corporate audit director at Coca-Cola Hellenic Bottling Company (CCHBC), decided to change the way the company ran its corporate audit function. When Brasher asked the auditor why she had two suitcases with her, she replied simply: “This is my life.” The team had no permanent office. They travelled constantly, setting up a desk wherever they were conducting an audit and rarely visiting the same place twice. Brasher’s brief journey between floors with this auditor emphasised for him that her life was in constant transit.
“I couldn’t see how this could work effectively,” he says. “While this can work for some organisations, for us I felt that corporate audit was more of an endurance test than a career.”
The team was young and ambitious, but the company operates in 28 countries and Brasher felt that the system was not only difficult for the auditors, but also inefficient for the organisation, since auditors were unlikely to form useful working relationships with regions or managers. “They wanted to travel,” he says. “But auditors also need to form relationships for themselves and for the company, and constant travelling is not beneficial for personal lives and families – you need to be at home somewhere.”
Brasher already knew the organisation’s business well – over the past eight years he had worked in a number of other positions, including three years as chief financial officer for its operations in Hungary. He had also been an auditee and believed the internal audit team would be stronger if the auditors had enough of a base in one area to get to know the external issues affecting the business and to understand the challenges of managers and customers in different regions. The current system was also, needless to say, expensive.
Brasher began by creating audit hubs in Russia, Bulgaria and Hungary, as well as a “one-country hub” in Nigeria, where, traditionally, audit had reported to local management – now they also report to Brasher. In addition, he felt that the organisation had an opportunity to clarify the three lines of defence. “We had local auditors who reported to local financial directors and also a ‘dotted line’ linking them to the corporate audit department,” he says. “I didn’t like this. In general I don’t like ‘dotted lines’ or ambiguous reporting.”
After a few months in the job, Brasher had turned the internal audit function, and its relationship to the organisation, upside down. On one side he was involved in the practicalities of setting up hubs with all the paraphernalia from laptops and desks to coffee machines and sofas, and on the other he was changing the structure of the audit function and explaining to management the importance of the three lines of defence model and why the organisation needed an independent corporate audit team that sat completely separately from operations.
“This new clarity was well received by senior managers, because there hadn’t been an opportunity for much discussion on this topic before and they appreciated this a lot,” he says.
The internal audit team had to change as well. Most were happy about being based at a hub and saw that it would be better for their careers. Brasher tried to be flexible about where those from the original team based themselves.
He chose to be based in Hungary because that hub is the most central for the group’s operations. “I’m not there as often as I would like,” he admits, “but it’s important to belong somewhere psychologically – I’m not a great fan of the suitcases model.”
The corporate audit transformation also closely followed the company’s listing on the London Stock Exchange (and simultaneous delisting from the NYSE) and the creation of a large new shared service centre in Bulgaria. “We had to work out how to deal with the new central processes and hubs, rather than individual countries or regions,” Brasher explains. “We also had to identify what we needed to do to continue to support compliance with evolving legislation such as the 2010 Bribery Act and more recently the 2015 Modern Slavery Act.”
The UK governance requirements were also slightly different from those in the US, where CCHBC had previously been listed. “The UK Corporate Governance Act puts a lot of emphasis on companies to interpret carefully what various financial, operational or compliance controls mean to them – the so-called ‘comply-or-explain’ approach – which was a slight change in mindset for us, coming as we were from a Sarbanes-Oxley (SOX) background” Brasher says.
Last, but not least, the team embarked on a project to change the way it documented and recorded its audits. The systems were united into one software package and the team introduced a more transparent rating methodology and an online observations tracking tool. “This means that we never lose an observation – it stays there on the system until it’s dealt with and signed off,” Brasher says. “For observation tracking, we went from relying on an Excel-based ad hoc system to one that was integrated and online.”
Brasher and his team also enhanced and structured the company’s “speak-up” line for whistleblowers. It’s now run by a third-party organisation and operates in 23 languages. Anyone – from employees to customers and suppliers – can contact it online or by phone. It has led to over 50 per cent more cases emerging in 2016 than in the previous year.
Brasher says he would warn anyone else thinking of similar action that you need to be prepared to deal with this spike in demand and allocate enough staff to investigations. “It takes a lot of manpower and emotional energy, so the team needed support – it’s tough, especially for the more difficult investigations,” he says. However, the line has given the audit team new insights into the business and its culture and, together with innovative use of IT, in particular data analytics, enabled the auditors to check whether similar problems could develop in different places and step in early to prevent this.
Another innovation was to hire a full-time quality improvement manager. This, Brasher says, has provided huge benefits. Everything that corporate audit issues gets quality reviewed, which, he says, provides good internal assurance. He also hopes that it might lead to efficiencies with external audit processes, since it guarantees clear documentation and increases the ability of external auditors to rely on the work of internal audit, where possible, in accordance with ISA 610.
Lastly, qualifications are also important to the team, which has group membership of the Chartered IIA. They all celebrate when any member of the team passes a professional exam.
The CCHBC corporate audit team has been through a whirlwind of change – physical, mental, emotional and operational. The changes worked, Brasher says, because they weren’t autocratic. “Everyone played a part in finding solutions – for example, together we came up with the idea for a new more systematic rating system almost literally on the back of an envelope just before Christmas in 2014.”
As a team, Brasher says they had a “big moment” in July 2016 when they sat down and looked at where they’d got to. Everyone could see what they had achieved and that this had led to increased respect for their work across the organisation.
However, another key issue that emerged was that too few internal auditors moved into other functions, so Brasher started to look for opportunities for the young talents in his team within CCHBC. Success here has a cost: “At least ten per cent of our team has taken an internal role since June,” he says. “It’s great news for them, and the rest of the team now sees that career development is part of the job in internal audit, but succession planning is now more challenging.”
He hopes this will also tempt the best people to move from other functions into audit and in future he’d love to see some former internal auditors returning to take on senior roles in corporate audit after being successful in other business roles. There is already a secondment programme that sees up to ten people a year coming into the corporate audit function for up to a couple of months at a time. “Secondments are a great way to help people understand what governance is and why it’s there. It also gives them a window into other parts of the business,” Brasher says.
He adds he would like to see more business managers embrace the audit mindset. “I’d like to see more managers document their thought processes when they make decisions,” he explains. “It really helps if auditors can see what auditees were thinking when they made their business decisions.”
All in all, Brasher is confident that the changes have created a better internal audit function and have enhanced the assurance he can give management and value he can add to the organisation – “that for us is the holy grail of audit.”
Click here for more about the Audit & Risk Awards
This article was first published in Audit & Risk March/April 2017.