5
The Wider Benefits of a Lean Audit Approach – and How to Use This Book

As I mentioned in the introduction, lean auditing offers much more than simply a more efficient and effective way of carrying out internal audits. Given the unique role of internal audit it is possible to see a “cascade effect” in which new ways of working by audit have a wider impact on organizations. This effect will not simply derive from more impactful audit assignments, but also from the way that audit sees its role and leads organizational changes through its influence over key stakeholders.

To explain how this cascade works, I will outline the key hallmarks of a lean progressive approach to audit. I will then describe how this approach can impact other functions, such as compliance and risk (sometimes called the “second line of defence”), as well as management and staff (sometimes called the “first line of defence”).

Key Hallmarks of a Progressive Lean Audit Approach

In my experience, these include:

  • A recognition of the unique role that audit can and should play in providing an independent and objective perspective on Governance, Risk, Compliance (GRC) and the delivery of organizational performance;
  • An orientation towards adding value in everything that audit does;
  • Having a clear focus on ways of working that visibly and demonstrably add value, that drive out non-value-adding activity, and eliminate other waste (Muda);
  • Discharging the internal audit role in a pragmatic, but flexible way, with a clear strategy to act as a catalyst for organizational improvement and development;
  • Having a role that encourages and supports the co-ordination of Risk Assurance across the organization, so that roles and responsibilities (including those of internal audit itself) are optimized to add value, and eliminate waste;
  • A recognition that the role of audit is more than just carrying out audit assignments: it is about providing valuable advice and assurance that will improve an organization over the short, medium and longer-term;
  • Measuring audit performance in a pragmatic, efficient but rigorous way, that drives value add and continuous improvement;
  • Having clear requirements when selecting staff and developing them to ensure audit can deliver its full role and support the wider organization.

Many of these principles link to attributes and standards that have been developed by the Institute of Internal Auditors (IIA), the global professional body for the internal audit profession.

Particular IIA standards and attributes of note include statements that:

  • The CAE should manage the internal audit activity to ensure it adds value to the organization;
  • The CAE should share information and co-ordinate the work of other compliance and assurance providers with the work of internal audit;
  • Internal audit should operate with an understanding that the “Three lines of defence” framework (with management, compliance functions and audit each in separate “lines of defence”) is likely to be the most effective way to manage risks;
  • Internal audit should act as an independent and objective function to assess, amongst other things, the effectiveness and efficiency of the organization’s operations.

At face value, therefore, lean ways of working can appear to be a helpful “bolt on” to the current IIA standards, since they can support the delivery of a value adding and efficient audit service. However, as we will see later in this book, lean ways of working can question a number of commonly held perceptions about the role of internal audit, for example:

  • That the role of audit should primarily be to deliver internal audits;
  • That the audit plan should cover known risk areas of concern;
  • That auditors should strictly adhere to predetermined assignment and test plans;
  • That auditors should look for fraud in each and every assignment;
  • That audit should proactively follow up the progress of management in remediating all open points;
  • That audit should mostly be comprised of qualified finance and audit staff.

As we will see in later chapters of this book, I am not arguing that audit should ignore its role to look out for fraud, to follow up on open actions, or to have trained audit professionals, but unless care is taken there is a risk that:

  • Internal audit ceases to be a key player in visibly improving Governance, Risk, Compliance and Assurance activities and processes;
  • Internal audit is not seen to be a vital source of value add in organizations;
  • Internal audit starts to become a substitute for processes and activities that should be carried out by management, or other functions.

The Mindset of a Lean, Progressive, Auditing Approach

Underpinning a lean auditing approach is a mindset that some more traditionally minded internal auditors may find rather challenging, namely:

  • A view that stakeholders should be regularly engaged in relation to what they value from audit;
  • A view that stakeholders should also be challenged when necessary in relation to the role of audit, and the tasks it should perform;
  • A view that audit should take a proactive interest in the Risk Assurance picture for the whole organization, and work to influence the roles of key functions if there are gaps or overlaps of concern;
  • A view that audit should regard all risk areas equally in terms of their potential coverage and be careful not to favour traditional areas, such as financial controls or compliance;
  • A view that the recruitment of staff into audit should be influenced by the value needs of the wider organization as much as the need for qualified audit staff;
  • A view that audit should be just as interested in cultural and behavioural issues across the organization as straightforward audit findings;
  • A view that management risk appetite judgments should be challenged when necessary.

Whilst this lean progressive audit mindset may seem radical to some, I am heartened to note that a recent review of the role of internal audit in the UK financial services sector has identified some of these areas (e.g. risk appetite and risk culture) as both legitimate and necessary areas for audit to include within its remit.

THE WIDER ORGANIZATIONAL IMPLICATIONS OF A LEAN AUDITING APPROACH

Taking a lean progressive approach to audit can have a knock-on impact in relation to key policy and compliance functions, in the second line of defence, such as finance, legal, Health & Safety, HR and IT. Results can include:

  • Driving much greater clarity about their oversight and assurance role;
  • Enhancing the quality of risk identification and risk assessment processes;
  • Strengthening the flow of information to these functions and onward reporting to senior management and the board;
  • Providing more rigour in relation to the closure of open actions.

The typical shift in the role of policy and compliance functions is that they should take up a more robust role in both helping and challenging management to deliver and assure key compliance risks and processes on a day-to-day basis.

Taking a lean progressive approach to audit can also impact management and staff in the first line of defence. Results can include:

  • A clear understanding that staff and management should rigorously manage and monitor key risks as well as the effectiveness of core compliance and control activities as a natural part of effective business oversight;
  • An understanding that whilst judgement and trust have an important place, data and other information should be used on an ongoing basis to objectively assess risks and opportunities;
  • A greater appreciation that difficulties, issues or “near misses” should be openly acknowledged, logged and constructively discussed, so that root causes can be addressed and a learning culture developed;
  • A genuine openness towards appropriate challenge by audit and others in order to improve organizational performance.

In essence I am highlighting the important role that audit has to catalyze improvements in risk and control accountabilities, processes and culture, and not simply to feel constrained by shortcomings in this regard.

* * *

HOW TO USE THIS BOOK

The following chapters describe lean, progressive, internal auditing in more detail.

The structure of the chapters in the next section is as follows:

  • A brief summary of some common ways of working and some of the notable IIA standards;
  • Some of the common challenges and dilemmas internal audit functions face;
  • Some recommended lean ways of working that should drive improvements in added value and/or reductions in waste;
  • A summary of key points for internal audit;
  • A summary of points for senior managers and board members to consider.

Some CAEs or internal auditors may read the lean audit ways of working and find that they have much of this in place. One CAE remarked to me:

“I would say that people could be doing lean auditing without really even having identified it or labelled it as such.”

As mentioned in an earlier chapter, the use of the label “lean auditing” is not of great importance to me, compared to how the internal audit profession can better overcome areas of difficulty, and demonstrate its ability to deliver value and maximize its productivity by overcoming the things that may be holding it back.

If auditors or CAEs find they have implemented the ways of working described, this should provide a useful way of benchmarking how progressive and lean their internal audit function is (or is not). However, being a lean audit function means much more than just ticking the box around the practices in this book. It is about a culture and a capability within internal audit that is genuinely oriented towards both adding value and productivity on an ongoing basis. Chris Baker, Technical Manager of the UK Chartered Institute of Internal Auditors, explains:

“I think that there could be issues around people’s understanding of lean auditing. People can easily see it as just finding an efficient way of doing an audit. In other words, it is the methodology that is related to lean, not the focus of the audit and the outcome. They might think it’s meant to relate to cutting out unnecessary administration and trying to avoid long drawn-out audit reports and taking ages to get your audit report produced. This probably comes from the layman’s understanding of lean which is that it’s about cutting things back to their bare bones.

Of course lean has an element of this but it’s not just about cutting out unnecessary activities, it’s just as much about getting the focus of the audit right and using the time more wisely and more effectively.”

As mentioned earlier, in order to ground this book in the “Gemba” of audit practice, I have interviewed a number of CAEs and internal audit thought leaders. From these interviews I have included a selection of “war stories” in relation to common audit challenges and dilemmas. And in order to make the spirit of lean ways of working come alive, I have also included their perspectives on more progressive ways of working, and where possible, the rationale for, or benefits that arise from, this.

Consequently, I have not attempted to adopt a quantitative approach to each of the audit challenges and dilemmas described in this book along the lines of: “A recent survey by X says that Y% of auditors encounter delays in gathering evidence before fieldwork.” This is partly because survey results will depend on the sample of audit functions surveyed (which may vary between organization, sector and country), partly because the results will change from year to year, but mostly because whatever results are chosen, the actual position for a specific audit function will often be different, that is to say: some will experience the problem as described, some will not, and some will be somewhere in-between.

By adopting a qualitative approach, I hope that readers will get a grounded, unfiltered, sense of the challenges faced by auditors in line with the lean Gemba way of working. In addition, I hope that this approach will resonate with auditors’ own experience, and represent something of a contrast to more high level, statistical accounts of audit practice, which I personally feel are all too common, and not always very helpful.

However, whilst this book wants to recognize the reality of the challenges and dilemmas facing auditors, it is fundamentally intended to bring to life how lean, progressive, ways of working are in place in internal audit functions across many countries and industry sectors. The perspectives offered are not intended to represent a complete picture of every good practice that is possible, but are provided in order to illustrate specific examples that represent the spirit of lean, progressive auditing, and the leadership and team ways of working needed to deliver this. As readers will discover, not everyone quoted sees things in a similar way. Nonetheless, I hope what comes through clearly is a mindset and ways of working that demonstrate:

  • A clear orientation to understanding and managing stakeholders;
  • A constant focus on adding value;
  • A determination to drive productivity and eliminate waste;
  • A desire to play a genuine leadership role in the organization.

Advice on Reading the Following Chapters

The chapters that follow need not be read systematically in order. A reader with particular interest in a specific topic (for example, audit planning, assignment execution, or staff training and development) should be able to go directly to that chapter to consider the areas of challenge, as well as the best practice ways of addressing them.

However, I am not a believer that the only way to improve value add and productivity in internal audit is to follow each and every suggestion in this book. My advice is to consider which of the recommended practices are most likely to make a tangible difference, bearing in mind the specific context of each audit function, as well as barriers to implementing these practices.

In addition, despite the extensive research carried out to write this book, I have no doubt other progressive practices are in use, or being trialled, as I write this book. It is the efforts and innovations of internal auditors all over the world, over the course of time, that will earn the audit profession increasing respect and recognition by senior managers, boards, other stakeholders and the general public. However, I hope that this book offers a useful distillation of a number of key principles and practical suggestions that can support this collective journey of moving the internal audit profession forward.

Some readers may feel, on reading this book, that a substantial project is needed to re-orientate internal audit towards lean, progressive ways of working. That may well be correct. However, CAEs and other stakeholders should be mindful that a large-scale change project within an audit function could sometimes impede either the delivery of the audit plan or the level of engagement between the audit function and management or both.

Personally, I have found that a step-by-step approach to implementing lean ways of working – addressing one area of difficulty, and then another – has worked quite successfully for many internal audit functions. Indeed for some functions, this has been the only practical way to move forward since they are often completely overwhelmed by their workload – which is one of the reasons they are interested in lean in the first place!

I will return to questions of where to start or continue to develop lean auditing ways of working in the penultimate chapter of this book.
