In the last three chapters I have outlined some of the key principles and practices required to create a risk and assurance based audit plan that aims to deliver the maximum value. However, before considering how to plan specific audit assignments, there is an important interim step to consider: how to schedule and resource the audit plan in a way that maximizes added value and minimizes waste. Key points to manage include:
Common practice is to determine the amount of resource that will be needed to deliver each assignment. This is often based on a standard assignment resourcing allocation (often within a particular range for each individual audit function, which can be anywhere from 5, 10, 20, 40 or even 80+ days).
The current IIA standard (IIAS) 2010 states that the “CAEs must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programmes, systems, and controls.” In my experience, CAEs deal with this requirement differently, some filling their plan with assignments up to the resource limit they have, and then notifying stakeholders when changes are needed, whilst others leave a resource buffer so that new and ad hoc assignments can be automatically accommodated.
IIAS 1220 also requires internal auditors to weigh up the costs of assurance and advisory assignments in relation to potential benefits – very much in line with lean principles.
From numerous workshops and consulting assignments, the main challenges and dilemmas in relation to scheduling the audit plan appear to be:
When discussing flexibility within the audit plan, some CAEs explain that they have very little, since their plan is dominated by a number of standard “required” assignments, each of which is supposed to follow a standard approach with a set amount of resource expected. For example: each year six key financial systems must be reviewed, comprising 40 days each, amounting to 240 days each year. As a result, some CAEs explain there is only limited capacity to take on board new assignments.
Inevitably, some audit assignments require a greater resource allocation than others, particularly when the assignment is new or is looking at a common theme across a number of different parts of the organization. However, some CAEs have explained to me that these larger assignments (often 40, 60 or 80 days, sometimes more), can be something of a “black hole”, which are hard to track, and that may deliver comparatively poor value for the resource allocated to them.
For some audit functions, developing the audit plan can take a number of months and will usually require formal sign-off by senior management and the board. Since these meetings are relatively infrequent, it is not unusual to find that the audit plan is not formally approved until just before, or even just after, the audit year starts. Some CAEs explain to me that they would like the audit plan to get off to a quicker start, but their team is often busy around the end of the audit year finishing off assignments that need to be completed for the previous year’s plan. The peak in the number of assignments that need to be completed arises for a range of reasons, including “slippage” of assignment delivery (which will be discussed in a later chapter) or because of the postponement of assignments earlier in the year (e.g. managers saying: “We are very busy right now, can you come back to do your audit later on?”).
The pattern of delays in starting the plan, rescheduling assignments during the year and a peak towards the end of the year has a degree of circularity about it, because a delay in starting assignments at the beginning of the year, can delay what gets done, resulting in the same rush to catch up later on in the year!
This pattern is normally not good for the morale of the audit function, since the working day can be extended and training and holidays can be cancelled towards the end of each year. It can also adversely impact audit quality, since the priority is often to “get the report issued”, over and above the delivery of a valuable and insightful report.
Some CAEs explain that over the course of the year they receive a number of ad hoc and special requests, which can include working on fraud investigations or looking into other pressing matters. If the resource required for special requests or investigations exceeds the resource budgeted, delivery of the rest of the audit plan can be affected.
I have already noted the link between lean and the IIA requirement to weigh up the cost/benefit of audit and advisory assignments. In addition, the challenges outlined above are good examples of the kinds of waste that lean is concerned about:
Specific principles and practices that reflect a progressive way of working, incorporating lean techniques, are summarized below.
The first key point to make is that the resource allocated to any assignment should be proportionate, as far as possible, to the value that will be gained from the work. As a result, the notion that the resource allocated to audit assignments should be determined by custom and practice, or the amount of time taken in the past, is something that a lean audit approach would challenge.
As a starting point, it can be useful to calculate how much assignments cost, not just in terms of travel and co-source support, but in terms of audit staff and supervision time, and then the time of all of the managers and other staff in the organization who must support and respond to auditor demands. Often it is possible to see that 10 days of auditing field work requires another five days of preparation, five days for reporting and another 10 days of time from management and staff, amounting to 30 man days in total. With this sort of analysis it rapidly becomes clear that focusing on minor issues in the assignment could result in a net loss of value.
Jonathan Kidd (CAE, UK Met Office) describes the changes he saw on moving into a lean auditing mindset:
“In relation to scheduling the audit plan, the number of days we scheduled for an assignment has changed a lot. It used to be done through a range of standard types, for example a 15 day audit, 25 day audit, 35 day audit and so on.
As we adopted lean ways of working it became more dynamic so, where before it would have been 20 days, now it’s going to be 16 or 17.
As a result the number of audits that were able to be done went up quite dramatically. So dramatic that I had questions from management. I had a senior manager saying to me ‘Are you driving your team too hard?’ However, they were working the same hours, nobody was doing overtime, they were able to do more audits. The stuff that was not worthwhile and taking up time was not being done any more.”
Karen Dignan (CAE, Group Head Office, OMG) explains the progressive “fit for purpose” approach to assignment resourcing and scoping:
“We are being more flexible but also more challenging on the amount of time we spend on assignments. We will accept a more diverse range of how much time we will spend, the aim being to more closely match assignment lengths to the likely value add.”
Richard Young, (Director, UNIAC) explains the approach of his audit function:
“If we’ve completed reviews on creditor payments for the last five years and found very little, why don’t we just approach it differently? If we have to do a review, then let’s do it in less days, but be more concentrated.”
In addition to having a strong sense of the cost of assignments and the need to resource these proportionately to added value, it is important to recognize that the timing of when an assignment should be delivered can impact its value. Norman Marks (GRC thought leader) provides an important insight:
“I talk about providing assurance at the speed of the business. It really comes back down to, what is it we need to deliver and when? It’s not just the assurance that is valuable, but how quickly that assurance is delivered and how it is packaged.”
Karen Dignan (CAE, Group Head Office, OMG) has put this way of working into practice:
“Some of the big things we’re doing relate to strategic changes. If you’re going through a big outsourcing or an acquisition or disposal there would be little value approaching these assignments in a conventional way. Instead we work out – quite quickly – what time frame we need to operate within and therefore how we should best use that time efficiently and effectively to look at the key things and then slick ways of reporting onwards without delay.”
Actions for Internal Audit to consider:
At AstraZeneca one of the changes we implemented when we adopted lean principles was to recognize more clearly that there should not be just one type of assignment. Two key choices we considered included:
Beyond this there were other choices such as:
These choices should be driven by the value that the assignment is intended to deliver.
Even if an assignment of a particular type has been decided, lean principles demand that we consider carefully how it is best organized to deliver value efficiently. In AstraZeneca we began to split up some assignments into two stages. The first stage might be a “risk framework review” or “high level review” that would examine management’s understanding of the key risk areas and how these were being controlled (often from a design perspective).
Then, depending on what was found, there might be a follow-on assignment three or six months later probing specific key risks and controls from an operational perspective. This approach reduced the number of longer assignments that sometimes had a less favourable cost/benefit balance. In addition, this approach delivered the added benefits of: i) being able to stop work after the first high level review, if that provided sufficient assurance, and: ii) enabling much more focused follow-on assignments, based on insights gained from the first assignment.
This approach can also be used to examine issues in selected locations or departments, but not necessarily all, sharing the key themes with all areas, and then doing selected follow-up assignments.
Richard Young (Director, UNIAC) pursues this way of working further:
“In some instances, the best scenario may be three short assignments in a year. Your first piece of work is understanding key risks, controls and accountabilities. The next piece of work examines in more detail the quality of management monitoring routines and their disciplines around following up anomalies and issues. Finally, you can drill down into the detail of controls and the data if you have concerns about that. It’s a staggered approach that takes management along the way and is much leaner with its use of time.
Of course there are logistical challenges, but the problem with blasting through assignments is that audit clients aren’t always getting the value from audit that they could be.”
Actions for Internal Audit to consider:
In order to generate a smooth flow of assignments throughout the year, the audit planning process needs to be mindful of the scheduling of assignments. Key points and areas for consideration are outlined in the following actions for internal audit to consider:
There seems to be a range of practice in relation to how much of the total available resource of the internal audit function should be planned. One senior audit manager in the UK explained:
“Somewhere between 70–80% of our originally planned audit plan usually gets delivered. Lesser assignments will roll off and something else will roll on, not because of any weakness in our planning process, but simply because things can change. However, if the business is going through more changes we are prepared to be more flexible so that we can address the new issues that really matter. We then just explain the changes we have had to make at intervals.”
The process of “roll-on/roll-off” is something I see quite a lot, especially where a greater portion of the total audit resource is budgeted. Progressive ways of working try to identify these assignments up front and recognize that the assignments with a likely lower added value should not normally be completed in the first three or six months of the year, so that they can “roll off” the plan later in the audit year if needed.
Phil Gerrard (CAE, Rolls-Royce) highlights the importance of having some flexibility in the audit plan:
“To me delivery of 100% of the audit plan I put to the audit committee earlier in the year would be a dire indictment of my function.
Stand back and think what you are saying. 100% completion of an audit plan means that the risk environment has changed not one iota in the last 12 months. It’s nuts. Yet there are people putting this down as a good KPI.”
Given that the audit plan rarely goes to plan it is important to find an efficient way of rescheduling assignments. Jonathan Kidd (CAE, UK Met Office) outlines how he manages the plan on a quarterly basis, detailing a practice which an increasing number of audit functions adopt:
“We follow a very tailored project management approach. We have the overall requirements for each quarter and then as a team we draw out the assignments on a whiteboard, taking a Gantt chart perspective. We factor in holidays, training days, business events and the timing sensitivities of the assignments.
We then map out staff time and key milestones for each assignment. These include not just fieldwork milestones, but when the closing meeting is planned for, when we will issue a draft report, when we expect final comments on the report and when we plan to issue the report with agreed actions.
Of course it changes, but it’s a very good way to start each quarter, with everybody having a responsibility to manage their own portfolio. They all know that I expect those audits to be done by the end of the quarter, but there are tolerances and if there is an issue then I expect them to come and speak to me and we’ll work through how we might do that.”
This just-in-time approach to scheduling assignments exemplifies lean in action.
Another practical way to manage the impact of ad hoc work is to consider specifically how to resource fraud and other ad hoc investigations (e.g. as a result of whistleblowing calls). In some organizations, stakeholders agree that whistleblowing investigations should be investigated by finance or legal or compliance (or HR for employee related matters). The argument is that this is a second line of defence activity and should be dealt with by second line functions. As a result, audit provides a small amount of advice and oversight (in its third line of defence role) if needed. Other audit functions sometimes take the lead role in investigations, but to avoid investigations derailing the delivery of the plan, they will agree a limit of the resource they will use, expecting management to provide support over and above that which was budgeted, or obtaining funds for additional co-source support as needed.
Actions for Internal Audit to consider:
Again, the dilemma facing many audit functions is how to balance between tried and tested assignment types, using standard ways of working compared to a more tailored approach based on a more tailored cost benefit assessment.
Lean auditing also recognizes that a value adding plan is not just about the content of the assignments proposed, but it is also about delivering these in the form and at the time that the key stakeholders will value. As a result, some audit functions do not plan ahead for the next 12 months, but simply plan on a rolling three- or six-month basis. Lean ways of working may support this approach, but the risk is that stakeholders and audit get locked into a pattern of what is urgent, rather than what is important. As a result I personally prefer a 12-month plan that is updated routinely every three or six months and then by exception as needed.
Lean auditing encourages audit functions to have a relatively smooth schedule of assignments, phased in a way that avoids excessive bunching, and ensuring the plan gets off to a good start and does not rush at the end. Needless to say, in lean progressive audit functions, the vast majority of auditors should have a reasonably clear view what work they have coming up over the next month or so, so they can make use of any spare time to get going with assignment preparations.
However, even if an audit plan is scheduled appropriately, this does not guarantee that the execution of each assignment will deliver the maximum added value. The next chapters explain how to drive added value in each audit assignment, so that the potential value adding contribution of each assignment identified at the planning stage is actually delivered in practice.