Delve into the dynamic world of audit, explore the importance of transferable skills, and share insights into key risks for 2024 in the tenth episode of Inside the Auditorium with our guest, Keith Burns, Audit Director of IT Operations and Financial Crime for Santander.  

This episode explores: 

• The acceleration of data analytics: Keith shares his view on the pace of change, with organisations harnessing the power of data more efficiently in the last 18 months and the evolving landscape shaping the next 12 months. 
• Mastering risk management and control: Keith emphasises that auditors aren't expected to be experts in every facet of a bank's operations. Instead, their expertise lies in risk management and control and the symbiotic relationship auditors develop with businesses, helping them navigate risk management and enhance control environments. 
• Challenges of remote auditing: As the world adapts to virtual environments, Keith sheds light on the challenges of remote auditing, the intricacies of the internal audit process, the importance of face-to-face interactions, and how building stakeholder relationships enhances the audit experience. 

Don't miss out on this insightful conversation that promises to empower internal audit professionals with invaluable insights and foresight into key risks for 2024. 

Enjoy! 

Note: The views expressed by Keith are his own and do not necessarily reflect those of his employer. 

Welcome to Inside the Auditorium. If you could please maybe just tell us who you are and a little bit about yourself.

Yeah, so hello, nice to see you. My name is Keith Burns and I'm audit director for IT operations and financial crime within Santander uk.

And tell me your career very much started. You've been a career internal auditor. If you can just sort of elaborate on that and tell us about your career.

If we can just talk, you started on a graduate scheme then. Was that actually a graduate scheme within internal wall debt?

Yes, it was. Yeah. So at the time Abby took on, I don't know the numbers, but it was quite a large number of graduates across a lot of different disciplines across the organization, so marketing it, and I was one of two internal audits graduates. And yeah, like I said before, I came into that completely by accident. I was just applying for graduate roles across all sorts of different industries. I tried the civil service fast stream program and failed miserably in their assessment center. I was trying energy companies and really didn't have a view on any particular type of role that I wanted to do. I was just keen to get it properly into the jobs market as a graduate and see where that took me really. And that's how I ended up in internal audit.

And throughout your career, as you stated that you were doing quite a lot more of retail banking at the early stages of your career, was doing the graduate scheme, did you then decide that that was the particular product area that you wanted to get into?

I think it was just probably naturally that's where I continued my career. But I think the thing about retail banking is it affects everyone. We all have a bank account, a lot of people have a mortgage. And it's really interesting I think to see how the day-to-day running of a bank works in delivering those products to us. Millions of customers, billions of transactions processed every day, every year. And I just think it's fascinating to see how some of that actually works in practice from an operational perspective, an IT perspective, all the different elements that make a large financial services organization run day to day.

And I see that you've moved more into, you then moved into financial crime. How did that come about?

And do you think the country, in terms of fraud, it's happening more because we're becoming more digital transactions being done more on the internet. Maybe you could elaborate a little bit on that.

Yeah, exactly. So the faster payment system was implemented quite a few years ago, which was a regulatory drive to make payments better for customers. So obviously we send a payment to a friend or a family member, and it happens in most cases instantaneously, it's within their account. What that means is that is an area that fraudsters can exploit because as soon as that payment is left a customer's bank account, it's in a fraudsters bank account, and they can then do the same. And those funds are lost really, really quickly and the trail behind it becomes really complex because they can split it into smaller amounts and it's really then difficult to follow the trail. So that thing that was done in the best interest of customers to make our lives easier and making payments then has had unintended consequences. The more that we go online and the more that we rely on those types of payments to run all aspects of our lives. But then from the digital perspective as well, social media plays a big role in fraud these days. A lot of fraud starts through social media channels, people being convinced to click on things or to respond to adverts to buy things that don't exist, share their details, which they shouldn't be doing. And so there's all these different avenues that didn't exist before that fraudsters are really, really clever at exploiting unfortunately.

Yeah, yeah, sure. And now obviously you are doing financial crime and now technology. How did you get that role in terms of coming from financial crime and not having a technology background?

So within my role before the IT as well, I've got what we call operations, which is a really broad set of responsibilities related to third party risk management. A lot of the operational aspects of how we manage customers in the back office and things like that, plus branches and contact centers and everything, some of those elements form part of the core foundations of how the bank is run. And it obviously is one of those elements that supports those things really, really closely. So for example, in third party risk management, a lot of our IT infrastructure is related to third party providers and who help us with our services, software architecture, all of those different things. So there was a bit of a natural fit between how the bank runs operationally and the infrastructure that sits behind that. And so it was really trying to bring some of those core themes together and try to see how we can exploit some of those transversal themes or those cross-cutting themes like third party risk management, operational resilience. So there's the key components of how it keeps the bank running on a day-to-day basis, but then also how the operations can facilitate ensuring that that happens if we have a problem with it. So there's a lot of interrelationships between some of the topics that I was doing before plus the it. So it's trying to bring those together so we get that joined up approach.

Sure. And in terms when you're talking about operational resilience, are you talking about as well for people that probably don't know in terms of people can effectively still work from home or from anywhere and still operate at a certain level?

Okay, great. And so then being an internal auditor for so long, what's made you stay in the role or become and stayed being an internal auditor?

Well, it's that variety. So like I said, I was a generalist for quite a long time, so I saw all sorts of different processes across those different organizations, especially when I was at EY and I had lots of different clients. So you see a lot of different processes within different organizations and you can sort of join the dots around, well, they do it that way, and that's best practice and maybe you can try to help other organizations to develop that best practice as well. So that big grounding in terms of the huge variety of different things that I'd looked at then I specialized in credit risk for a little while, and one of the things that I always remember at that time is someone within the team saying that I was one of the people within the organization who really understood the end to end process because that is as auditors really what we see that some other parts of the business might not do. So we would know how a mortgage was sold in a branch or through an intermediary all the way through to how it was then drawn down by the customer and then it was serviced ongoing. Whereas quite often organizations are structured in silos. So you've got the front office, you've got the middle office, and you've got the back office, and they all do that piece, but not that many people would understand how it works from one side to the other.

So that's just an example of how as an audit function, you are the ones who often see that. And then obviously then after credit risk did the financial crime piece and then the ops piece was added into that and now it as well. So there's no other roles that can give you that variety, I don't think.

And in terms when I'm recruiting and the people are looking for a retail auditor or they want people with retail audit experience or if you've got an investment banking auditor, sometimes products in terms of foreign exchange, whatever, it always seems that are quite hard to learn. Do you feel that once you know how to do an audit of an end-to-end process, picking up the products areas is relatively quite easy?

Yeah, I mean there's some areas that are really technical, so some of those aspects that you mentioned there, but the role of an auditor is not to be the expert on every single thing that a bank does. We are experts in risk management, risk and control. And our role is to understand as much as we need to in order to understand the risks that a particular area of the business faces. And there obviously is a technical background element to some of that and then to challenge the business on how they mitigate those risks through their control environment. So it's about having that mindset to go into a part of the business that you've never been into before, but know the right questions to ask to get to the bottom of the risk and control piece. And not always people in the business are risk and control experts. They are the experts in the process. So it's that sort of symbiotic relationship that you develop with the business to try and help them to understand their risk management better and try and add value from that perspective. And obviously the benefit that you get from that is you understand a lot of these different processes that I mentioned.

Sure. And in terms of a stakeholder not pulling the wall over your eyes then because you don't know that product very well, how do you get around that?

Well, we have the term professional skepticism within internal audit, and that's the sort of mindset that you always have to go into any meeting with a stakeholder with. And it's not that you are trying to catch them out, it's not that you've got really difficult questions that you're hoping that they can't answer. It's just always being able to question that a little bit further and just making sure that you've fully satisfied yourself that whatever you've been told really stacks up.

And so if you had any advice for your younger self within internal audit, what would that be?

Actually it would've been to have done an international role. So obviously I know that you've recently come back from a long period abroad. And when I was at ey, I did do a little bit of international travel that I always found quite interesting and I've always had in the back of my mind that I would've liked to have lived in a different country for a few years and it's something that I've never actually done. I've never taken advantage of some of those global opportunities, but audit, that's probably another thing about the role is something that you can take anywhere because it is about risking and control and being able to ask those questions. So whether you're in New York, you should be able to sit down and talk about a process with a stakeholder just the same as if you are here. So it is really a transferable skill globally as well. So I wish I'd done that. There's maybe still time for me yet, but we'll see.

I've also noticed over probably since Covid really one of the roles with internal audit, you could travel quite a lot and some people really liked that and others didn't. That seems to be dropping off quite a lot. How important do you think that is to get face-to-face instead of over a VC or what have you?

Yeah, very much so. In all of my time as a more junior person, it was a lot of the time just being out in different offices, different locations with the people that you are auditing and that has a huge number of benefits. Firstly, it's just far easier to communicate with someone. If you've got a question, you just turn your chair and ask them rather than drop them a teams message and there's all the back and forth or have to wait for a meeting or something like that. You can grab them when you see them. But also part of the internal audit process is doing walkthroughs to understand how a process works, what the risks are and what the controls are in that process. And that is much easier if you are sitting side by side with someone. Obviously we can do screen sharing and things like that in this sort of environment, but it's just not the same as seeing someone do it live, especially in a lot of where they're using a lot of different systems and they're flicking between different screens or copying and pasting stuff into somewhere else. If they're doing that through screen sharing and they're swapping back and forth with the screen that they're showing you, it just doesn't have that fluidity to really understand what they're doing in real life. So it is really good to get out there and you build those stakeholder relationships and get to know people much better anyway. You can have a bit of a chat with them rather than just being in a meeting and you're just focused on what you need to get out of that.

And just going back to your time then on the graduate scheme, do you think now with this hybrid working and how people working from home, do you think the more junior auditors are losing out more and because they're not sitting having as much interaction with their colleagues that they can just pick things up and

Yeah, I think there is definitely a benefit in having that face-to-face collaboration, and even just hearing conversations going on around you, if you are with your team, you hear more about what people, what other the people are doing, the kind of things they're talking about, you get to understand someone might have just come out of a really difficult meeting and you get to know more about how things run in general and the kind of dynamics within a team. I think being face-to-face, I obviously get that in the days when I was younger, I was traveling a lot. I would travel on Sundays to different places, get back late on Fridays. It does have a big impact on your work life balance, but there's pros and cons and I learned a lot from being out on the road and being thrown into different situations. So I remember one of the scariest times that I had was when I just joined EY and I was asked if I knew something about mortgages and I said, yeah, I know a little bit. And so the next thing, or a week later, I was on a flight to Dublin working for a client or leading a mortgages audit. And I hadn't really led an audit before, so it was a huge challenge, but you're out there with the business and I learned so much being on the road, being with the stakeholders and looking at something that I hadn't learned before. And if you throw yourself into that and get the benefits from it, then you learn much faster than if you are not put in those challenges situations

And having a decent pin of Guinness as well. No doubt. Yeah,

But also as long as you've got the support team around you, so as long as you've got the manager there that you can ask questions and bounce ideas off and everyone's really supportive, then you've got that growth environment around you that will help you get through that.

Well, the economy is still a little bit uncertain. So we had the latest inflation figures just this morning and they increased a little bit unexpectedly. That's going to mean that maybe the Bank of England will be a little bit less keen to reduce interest rates in the short term. So we're still going to be bubbling along I think with that high inflation, high interest rates environment, which makes it difficult for individual customers because of the higher cost of credit. With that we're going to have a lot of mortgage customers across the UK come into the end of fixed rates, and that's going to have a big impact on their ability to afford the higher repayments. So there's the economy in general, it's still a little bit uncertain. People still talking about whether we're going to have a recession or not. The growth figures tend to be down one month and up the next.

So it's all a little bit unclear. So that causes impact obviously for small businesses. And the uncertainty is, the key thing I think for organizations, whether they're small or large, is just when is the right time to invest? What are the right decisions to make? How do we know where the economy will go in order to make those decisions? Which then obviously has a knock on impact on employment and investment and things like that. The global environment is very uncertain. So we've still got the war in Ukraine, tensions in the Middle East, and I did read somewhere, I dunno what the statistic is, but there's a lot of different countries that are going to have general elections this year. So there's a lot happening within the political sphere as well that again causes a lot of uncertainty for the financial markets and that then has downstream impacts for businesses and the decisions that they make. There's the potential that we might have Donald Trump back in the White House and all of the impacts that then has on the relationships with China and stuff. So yeah, all of these complex things that are going on

Then operating in most of these countries. How do you as an audit team then, and you may not be able to answer this, not being the chief auditor or with the audit committee, but in terms of as a bank, how would you look at the risks or where you would decide to audit first or the importance of that?

Yeah. Well we obviously take a risk-based approach in the development of our plan like all audit teams do. And we do that through our annual planning cycle. So we risk assess our audit universe and that then tells us the key areas that we think require audits to take place that's done from an inherent risk control environment and then residual risk perspective. And then that's agreed with the audit committee. We do that from a top down and a bottom up perspective. So there might be things that within your pure risk assessment might not highlight some of the things that from a top down perspective or there's going to be a regulation change in or there's something happening in the industry that might affect us. And we take those factors into account as well to make sure that we're working on the most important things and we discuss the plan with EXCO members. So if they've got any insight just to make sure that the whole organization really is aligned on the key things that we should be looking at.

Sure. And just for people that don't know, any grads looking to get into internal all debt, would you do that plan on a yearly basis or do you do that and can that be changeable?

Yeah, so we do an annual plan, we then do a quarterly refresh and then at the half year we will potentially present if there's any significant changes, present those perhaps to the board audit committee just to make sure that everyone's aligned on those changes. So yeah, we have a minimum quarterly refresh process.

Sure. And so how do you think internal audit has changed over the years then?

Well, certainly from the data analytics perspective, it's quite interesting actually because I remember even 15 years ago everyone was talking about data analytics or computer-based auditing or something it was called at the time. The concept has always been the same, that if you can test the entire population of something, it's much better than testing on a sample basis, which is the traditional way of auditing. A lot of organizations are still trying to get there in terms of data analytics because obviously we're reliant on business in having the right data and the right systems and things like that for us to then subsequently go in and exploit that data or test what they're doing or whatever.

So that's been a relatively slow journey overall of that time. But the pace of change now has picked up significantly over the last 18 months to two years where all organizations are getting better at data. The cloud is really helping to be able to exploit that data better. And there's an expectation obviously that internal audit keeps pace with that and that we do more data analytics, more digital testing, make ourselves more efficient so that over the next 12 months is definitely going to change quite rapidly. So that's something maybe if you'd asked me two years ago, I would've said, oh yeah, everyone's still talking about data analytics, but now everyone is properly talking about data analytics and are starting to see the benefits of it as well. Sure.

You've mentioned cloud as well, and one thing that I've noticed over, I dunno a few years, is that IT auditors people want people that have got cloud and very strong technical IT skills. Now, knowing that you don't come from a technical background, do you feel that there is still a massive need for somebody to be that technical within IT to do an internal audit role? And how easy has it been for you to be able to pick up the technology side to understand?

Yeah, so we definitely need those experts with the technical background. I mentioned earlier when we were talking about the different complex products and things like that that you can't be a technical expert in everything. But I think in it, it's where you do really need those deep technical skills to be able, it's a really complex topic and to be really able to understand what the business is doing and what the risks are in that, you do need those people. But everyone is trying to find those people because it's not just financial services, it's not just internal audit, it's all organizations are dealing with the cloud and dealing with new architectures, artificial intelligence and all of that kind of stuff is relevant for every single big business globally. So there's a huge competition for those skills. And internal audit isn't probably seen as the sexiest or the number one on the list of industries to go into, and it's how we as leaders make that a compelling prospect for them to want to apply for the role and see what they can then get out of it. I think it's coming back to Marion, the piece that I mentioned before around the breadth that we get within an internal audit function across the organization. If someone can bring the technical skills that we need, then they get that whole organization opened up to them for them to explore from an audit perspective. Whereas if they maybe just stay in a normal IT role, they wouldn't get that Brett,

Sure

We need to sell it.

And maybe you could elaborate a little bit more in terms of whether it may be how the roles become more consultative. Why would this role be of interest to somebody the starting out in their career to go forward?

I think internal audit, it's always been consultative and we've always had to try and strike a balance between retain and independence and providing that sort of consultancy service. So again, that's a topic that's been discussed for as long as I can remember and how we make sure that we do balance the two. And there's nothing wrong with an auditor given advice, guidance, being there to challenge that is consultation. And it doesn't necessarily mean that we hand someone a piece of paper with a title saying this is an internal audit consultation output. And then we've got a list of things those day-to-day interactions, our attendance at committees, our regular catch-ups with different stakeholders. All of that is consultation because we are talking about what is going on within the organization. And if we have a voice and we can provide input and challenge, then they are getting the benefit from that risk management expertise and hopefully helping them add value and help support the business overall.

Sure. And so what advice then would you give somebody or would you give to somebody entering into the sector of internal audit or a myth that somebody entering maybe from a big four that doesn't realize the difference of coming in as an internal auditor?

I think in terms of the advice it would be to back to the point I mentioned before around just getting stuck into all of those challenges. And it's tempting for maybe more junior people to just be given the ticking in the bastion, which we still do in some cases we have to do, but it should be on them well to own their own career and ask for more. And even if they've never done a particular thing before, they're not going to get it right first time. But that's all part of learning. And the more that you ask to get involved in things, the more people will see that you are hungry to drive your career and that you want to progress. And the more that you do those challenging things and the more things that you ask to do, the quicker you'll learn and the quicker you'll get that breadth of knowledge that I was talking about.

So it's about going and getting stuck in even if it's not your specialist area. So again, I've had experiences in the past where I've done audits where I didn't really know anything about the topic at all. And in some cases you're in front of a stakeholder and it's really scary because they're throwing these terms at you and you've got no idea what they're talking about. But the more that you interact with them, the more that you ask, the sooner you'll understand what they're talking about and then you'll be able to challenge them back from the risk and control perspective. So put yourself in those uncomfortable situations.

And do you think stakeholders are becoming more sympathetic to help younger talent in terms, I mean, how important is company culture in attracting talent into your space?

Yeah, very much so. We actually have a global young leaders program in Santander, which is just kicking off at the minute of the applications closed a couple of days ago. And that is something that Santander as a group really wants to foster and get more out of is the global talent. And coming back to my international mobility point that I've never exploited is how do we find the best person to do a particular job irrespective of where they are in the group? So over the course of a few years and within the UK a couple of years ago we implemented Workday. So that is a global platform. Everyone can have their role profile experience, their openness to international travel documented on there. So if someone in Chile is raising a particular vacancy and they want a certain skillset, they can actually find people who match that skillset irrespective of where they are within the group.

And I think that's really a good proposition for younger people who might want to get a foothold within their home country, but then really try and exploit some of those international opportunities. So we have that for young people as well. Last year we relaunched what Santander is called, its people deal, which is just really emphasizing all of the different benefits that people have from working here, whether it's simple things like the number of holidays that you get, which is really competitive, private medical insurance, all of those of things, but also people networks. So we've got something like eight to 10 or something like that, different people, networks that cover different aspects of diversity, equity and inclusion that people can join and get involved in social events and awareness raise and events and all those kinds of things. There are other development programs internally, all of the charitable stuff that the bank does.

So there's all of these different things that try and make it a really compelling place to work over and above the day job. And I think quite often people think of benefits just in terms of the monetary salary, the bonus, and maybe the days of holiday and a few of the other financial benefits, but there's so many other things that come from whatever the organization does, like DNI or some of those other aspects that make it a nice pace to work, a supportive place to work as the people policies around maternity shared parental leave, paternity, all of those different things that maybe people don't have at the forefront of their mind when they're applying for new jobs, but they should really research those kinds of things when they're looking for new roles just to see what is on offer because that might be the key thing that makes you join one organization over another.

Sure. Well, don't sell it too much wise. I'll never have any vacancies to recruit for. One thing that I have noticed being back in the UK with Santa Day, you've had a lot of people that have had quite a long career with you with the bank, especially within internal audit coming from the business and like yourself that has promoted and worked their way around the audit team. You've sort of mentioned quite a lot before, but what do you think keeps people in the internal audit function?

I think it really is that variety, to be honest. And we are a very supportive department as well. So there is a good culture just within individual teams. People get along with each other and everyone is a nice person to work with. So in that sort of environment, it's easy to stay because as well as getting the work challenges and that learning, it's within a supportive environment that helps you grow. Or like I said, if you are in any of those life-changing moments like maternity or whatever, that you've got that support as well.

Great stuff. So I'll just ask you to finish off a few quick round questions. Tell me what's the best place you visited and why

Japan probably, yeah. I went three times a few years ago and it's a country that's got so many different aspects to it. So you can go to the north of Japan and you can be skiing, and then there's Okinawa in the south, which is a tropical environment all year round. And then you've got the big cities that just blow your mind to see and hear everything that's going on. And then you get on a bullet train and you're out in the countryside with mountains and all of that kind of environment as well. So there's something for everyone and it's so different culturally from how we are in the west.

Sure. Well, I've been very lucky enough to do snowboarding in Japan, and you're right, it's amazing. And tell me what's a piece of technology you can't do without?

My AirPods pros, I have to have noise canceling headphones on the tube. I can't cope with being in the proximity of other people in this day and age with people having phone conversations on speaker or watching social media or on speaker. I get distracted by that sort of stuff. So noise canceling headphones are an essential to me.

And tell me, what company do you admire the most and why?

Well, off the back of the AirPods Pro thing, and maybe this is a bit of an easy answer, but the innovation that Apple has brought to all of our lives in a really short space of time. So I think I got my first iPhone when I joined Santander, and the way the technologies changed and the fact that most smartphones revolve around what that original design was, and they all have their different functionalities and things now, but the original was the iPhone and all those different things that Apple have brought us along that time. Apps. I mean, how could we live without apps these days? And I recently had no broadband for 24 days. It was a traumatic experience. Luckily I was away over Christmas and New Year for some of it. But you just realize how much we rely on being able to pick up the iPad and watch Netflix.

Sure, yeah. I really noticed it when I was in Singapore and Covid actually, because we had to tap in and tap out everywhere. And even for the restaurants, for anybody that didn't have a phone, you just really couldn't do anything, which in one way is a bit of a shame as well now for the older generation. Right.

And tell me, what book are you reading at the moment?

Well, I've been reading it for quite a while. And would you believe that it's Margaret Thatcher's, the Downing Street Years.

Alright.

Which is quite an old book. But it's really interesting because the parallels of what was happening when she started her career in the sixties and especially the seventies when the UK had really high inflation and was dealing with minor strikes and all of that, the parallels with what we've seen recently with high inflation train strikes and a lot of dissatisfaction across different industries and the arguments that she's talking about in her book for why she made certain decisions are all still valid today. And it just shows you that nothing changes really. We just go in cycles and people make the same decisions and similar things happened to how they did in the past.

Sure. Well look, thank you very much for coming onto the show today and thank you very much for your time.

Brilliant. Thank you. Good to see you.