Introduction
If you are reading these words, I imagine you have some interest in lean or in audit, or both, and may be wondering how these disciplines might be combined.
This is what I wondered in 2005 when I was Chief Audit Executive (CAE) for AstraZeneca PLC. Lean was suggested to me as something that could help the audit function step up its “added value” contribution, as well as improve its productivity.
I was uncertain at first about the applicability and usefulness of lean tools and techniques to internal auditing. But, as we learned about lean, and started to apply it, we were able to create a number of best practice ways of working and also achieved significant productivity gains (of around 20%).
This book outlines what lean can offer to internal auditing. It is based on over four years' experience applying these techniques as a CAE. Thereafter, I have been running my own company and lean auditing has been one of the core areas of my training and consulting work. I have been fortunate to travel to the US, across the UK and Europe, the Middle East, the Far East and Australia to share lean auditing principles and techniques. I have been heartened by the interest in what I have had to say, and in the results that have been achieved by applying these ways of working.
As I prepared to write this book, I was keen to ensure that the efforts of other CAEs and auditors who are working to improve the impact of internal audit should also be captured. I therefore interviewed a number of CAEs from a range of organizations in the UK, US and elsewhere and their views and insights are captured throughout the book. I have also been fortunate to receive insights from other leading figures in the internal audit world, including Richard Chambers, President & CEO of the Institute of Internal Auditors (IIA), Norman Marks (a well known thought leader in Governance, Risk and Compliance (GRC)), Sarah Blackburn and Nicola Rimmer (both former Presidents of the UK Chartered Institute of Internal Auditors (IIA UK)) and Chris Baker, Technical Manager of the IIA UK. Herein are also selected board members' observations about internal audit.
Consequently, this book represents not just the best of what I managed to achieve at AstraZeneca, and with my clients. It also captures a wider range of progressive practices in internal audit as well as related good practices in the GRC arena. You only need to reflect on the devastating impact of the financial crisis of 2007 and 2008, and countless other risk and governance surprises, to recognize there is considerable room for improvement in this field!
This book addresses many efficiency opportunities through lean ways of working. However, of equal or perhaps greater importance, this book offers a range of insights into what it means to add value, and through this, to reposition the role of internal audit as a key ingredient of organizational success.
As we will see, many of the CAEs I have interviewed for this book already have a “seat at the top table”. Consequently, whilst a number of the principles, tools and techniques outlined in this book will be aspirational for some internal audit functions, they are successfully in operation for many others.
Whilst I will argue that the internal audit profession should play a more prominent, value-adding role, I do not believe that internal audit should take the lead in driving organizational performance and behavioural change. That is a role for the board and senior management. My belief is that internal audit should more clearly act in a catalyst role for organizational growth, continuous improvement and sustainability.
I hope to demonstrate that the use of lean principles and techniques can both inspire and support internal audit to take up such a role.
However, I also want to acknowledge that there can be significant barriers to achieving what I am proposing. Some of these barriers may be practical, but most come from the mindsets and preferences of board members, senior managers, and a range of others who prefer a traditional “compliance and control” role for internal audit.
In my opinion, the traditional “compliance and control” focus of audit acts like a heavy hand on the audit profession, limiting its ability to play a fuller role. The dominance of traditional ways of working partly stems from a legitimate need to gain assurance over the basics, but also from a significant inertia that has built up within the internal audit profession itself.
As this book proceeds I will try to outline how the lean audit mindset (and ways of working that flow from it) differs from the traditional internal audit mindset, and traditional ways of working. I hope to demonstrate that, if internal audit is prepared to relinquish some of its familiar work in compliance and control auditing, which may appear to offer a degree of security, it will in fact make the internal audit profession more secure in the long run. Indeed I would go so far as to say that by continuing to carry out a large portion of traditional controls and compliance work internal audit may perpetuate a range of organizational and cultural problems with Governance, Risk, Compliance and Assurance.
As a result, some of the principles and practices outlined in this book may be challenging for some of the more traditionally minded auditors, senior managers and board members. As far as possible, I will try to explain how progressive and traditional ways of working can work together side by side, but I think that truly operating with a lean frame of mind does challenge a number of long-held conventions about internal audit. To my mind being prepared to “rock the boat” is a necessity if we want to put internal audit on the right path to being properly acknowledged as a key ingredient for sustainable organizational success.
THE VALUE YOU SHOULD RECEIVE FROM READING THIS BOOK
CAEs and internal auditors should be able to use this book as a resource to:
- Benchmark current audit plans, reports and ways of working;
- Identify practical ways to increase value adding activities, and minimize non value added activities within internal audit;
- Reposition the role that audit can play in the organization and understand the wider organizational benefits that will flow from that.
Board members and senior managers should be able to use this book to:
- Identify whether internal audit is truly playing a positive role in their organization;
- Identify traditional, stale practices in Governance, Risk, Compliance and Assurance, that are not really adding anything;
- See the benefits of embracing lean principles in the arena of Governance, Risk, Compliance and Assurance, more generally.
Academics and others with an interest in sustainable organizational growth should be able to use this book to:
- Deepen their understanding of the challenges that many audit professionals face on a day to day basis;
- Consider how lean principles might offer an interesting insight into debates about what makes effective Governance, Risk, Compliance and Assurance.
Those with an interest in lean should be able to use this book to:
- Understand how lean principles, tools and techniques have been applied successfully to the world of Governance, Risk, Compliance, Audit and Assurance;
- Consider other ways in which lean approaches might be applied in these fields.
I personally have several hopes for this book:
- That it will stimulate more granular “real world” discussions about the dilemmas and challenges that auditors face;
- That lean principles, tools and techniques will enjoy a more mainstream position in the audit profession, and that we will become much more rigorous when we talk about “adding value” and efficiency;
- To open up more reflection on a range of long established ways of working within internal auditing;
- To create a greater recognition that through the development of a multi-disciplinary approach to internal audit we will enhance the reputation of our profession, and properly emphasize the importance of leadership and softer skills alongside detailed technical skills.
Overview of the Contents
This book is structured as follows:
PART 1 LEAN AND LEAN AUDITING IN OVERVIEW
1 Lean Auditing at AstraZeneca
In which I briefly explain the origins of lean auditing when I was CAE at AstraZeneca and the results it delivered.
2 A Brief History of Lean, Notable Principles and the Approach Taken by this Book
In which I discuss the origins of lean, its key principles and how it has increasingly been recognized to deliver results in a range of fields. I also outline the different sorts of lean (e.g. Lean Six Sigma and lean systems thinking) and the approach this book takes to these.
3 Key Lean Tools & Techniques
In which I outline a selection of key lean tools and techniques that have proven their worth in terms of driving greater effectiveness and efficiency and also in an internal audit context.
4 The Development of Lean Auditing and its Benefits
In which I explain how I developed lean auditing with a range of audit functions, and the benefits that have been obtained, both for internal audit and key stakeholders.
5 The Hallmarks of Lean Auditing and the Organizational Culture this can Support
In which I discuss how some conventional and traditional audit ways of working can perpetuate problems with organizations' Governance, Risk, Compliance and Assurance practices. I then go on to explain how lean progressive ways of working will not just improve the impact of audit assignments but also play a role in improving the wider organizational GRC culture.
PART 2 LOOKING AT INTERNAL AUDIT PLANNING AND ASSIGNMENT DELIVERY
6 Who are the Customers of Internal Audit?
In which I explore the question of the range of stakeholders who have an interest in audit and the benefits of having clarity about which of these stakeholders are key – if any.
7 What Really Adds Value – And What Doesn't
In which I use lean techniques to examine what we really mean by “adding value”, and – just as important – to understand what doesn't add value. This chapter also addresses the important topic of differences between stakeholder perspectives concerning what adds value (and what does not).
8 The Importance of Role Clarity in Assurance and the Insights Lean Can Offer
In which I highlight the vital importance of having clear roles and accountabilities in order to drive both effectiveness and efficiency; and some of the key tools that can be used to drive greater role clarity, both for key functions as well as internal audit.
9 The Audit Plan: Taking a Value Approach
In which I discuss the ways in which taking a lean, value-added approach to the audit plan can ensure that audit looks at the right areas, overcoming the common failing of having a disconnect between the audit plan and the key objectives and risks of the organizations they support.
10 Factoring in Risk Assurance in the Audit Plan
In which I discuss the crucial role of understanding the risk assurance picture before developing the internal audit plan. This approach challenges some common conventions in audit planning, including the way management is asked for their views on the areas that audit should look at.
11 Considering the Allocation of Resources to Optimize Value Add
In which I discuss how lean, progressive audit practices can encourage greater quality debates about the way audit resources are allocated across different risk areas in order to maximize the value derived from the plan. A number of the techniques outlined have been invaluable for a number of CAEs facing pressure on their budgets.
12 Assignments – Types, Scheduling and Resourcing
In which I highlight the need to move beyond standard assignment types and to resource and schedule assignments more flexibly, based on their value. Lean techniques help us to create a clearer flow of assignments during the year, reducing delays in starting to deliver the audit plan as well as the common problem of rushing to complete assignments towards the end of the year.
13 Using Assignment Scoping and Planning to Drive Added Value
In which I highlight the importance of properly scoping and planning assignments so that they can deliver the maximum value. This includes the important step of being clear about the key risks and controls that should be tested, and making the maximum use of intelligence so that the assignment does not simply repeat what is already known and has the maximum chance of delivering outcomes that matter.
14 Assignment Delivery – Managing What Really Goes On
Where I discuss the reality of what actually happens when audits start. I look at the many ways that time can be lost and offer a range of proven approaches to help drive audits forward in a purposeful way. In particular, I examine ways to think more carefully about what testing should be done and the challenge of knowing when to stop.
15 Using Communication and Quality Standards to Maximize the Added Value from Assignments
In which I discuss the ways in which assignments can get into difficulty in their latter stages. This can include difficulties and delays at audit closing meetings, finalizing audit reports (including agreeing actions) as well as meeting quality assurance standards. Lean, progressive ways of working help auditors drive assignments towards a value adding conclusion and overcome the many delays and distractions that are commonplace.
16 Assignment Follow-Up and Follow On
In which I show how lean principles encourage audit to take a fresh look at the process of tracking remediation of open actions and audit follow-ups. Lean ways of working can radically reduce the time and effort spent by audit doing follow up work, whilst driving greater reliance on management assurances.
PART 3 LOOKING AT KEY UNDERPINNING CAPABILITIES, PROCESSES AND WAYS OF WORKING
17 Measuring Performance and Driving Improvements in Audit Ways of Working
In which I examine the way lean encourages us to take a fresh look at the metrics and key performance indicators collected and reported by audit. I also look at ways to enhance assignment methodologies, to strengthen quality control in a streamlined way and to drive value from External Quality Assessments (EQAs).
18 Using Lean Audit Principles to Underpin Cultural Change in the Wider Organization
In which I highlight in more detail the ways in which lean ways of working can help to improve the GRC and assurance culture of an organization. Areas that can be improved include streamlining the policy and compliance landscape, strengthening the role of risk and compliance functions, and improved assurance coordination.
19 Leading the Audit Function
In which I discuss the leadership characteristics and capabilities of Chief Audit Executives (CAEs) who lead lean, progressive, value-adding audit functions. In particular I share key messages from my own experience and from other CAEs about how they retain a sense of perspective in managing the many dilemmas that CAEs have to navigate.
20 The Audit Function: Selection, Training & Development and Ways of Working
In which I examine the way that lean, progressive, audit functions approach recruitment, staff development and leverage other skills, through guest auditors, guest advisors and/or co-source providers. This chapter raises some important questions concerning the optimal balance of skills within an audit function.
PART 4 FINAL REFLECTIONS
21 Further Thoughts about Where and How to Start the Journey towards Lean Progressive Auditing
In which I examine choices around where and how to start or make further progress in relation to lean audit ways of working. A key message, based on my experience as a CAE and with clients, is that implementing lean auditing does not have to be time-consuming or expensive.
22 A Brief Look into the Future
In which I examine potential developments in audit and my hopes for the future. I also reflect further on the key dilemmas that internal auditors and CAEs face on a day-to-day basis and consider whether we can do more as a profession to support one another in this regard.