18
Using Lean Audit Principles to Underpin Cultural Change in the Wider Organization

I mentioned at the beginning of this book that properly embracing lean ways of working is much more than just about following a check the box approach to a series of efficiency oriented good practices. My experience, as a CAE, and working with other audit functions, is that those functions that follow the spirit of lean can become important catalysts for improvements across the organization. In fact, I would go so far as to say that the best audit functions can trigger a recognition of the need for certain cultural changes in the wider organization. This may seem a rather grand claim to make, and it was not initially something at the forefront of my mind when I started implementing lean ways of working. However, over the years, I think those functions that operate in line with these principles exemplify the best of what internal audit can be and demonstrate how audit can effectively operate at the top table. Phil Gerrard (CAE, Rolls-Royce) captures the progressive, value adding mindset I am talking about:

“My view is I’m here to make this a better business tomorrow than it is today, through better understanding of the risks the business is taking, leading to better decision-making and overall a control environment that manages to a level of risk that management has set, as opposed to a woolly, we are improving and we’ll get there in the end, type of approach.”

I don’t want to say that it is only by following lean practices that audit can be this sort of catalyst; I am sure there are many progressive audit functions that may not have thought about lean explicitly. However, what I would claim is that lean can give a useful insight into the sort of mindset, and the sort of practical approaches, that drive a value adding, productive and influential way of operating as an audit function.

However, to put this into practice auditors need to be aware of some of the cultural and behavioural factors that can impede progressive ways of working. I have discussed a number of these barriers during the course of this book, but will now offer an overview of what the key difficulties seem to be. I will also more explicitly outline the sort of cultural change that lean, progressive audit practices can support.

COMMON PRACTICES AND IIA STANDARDS OF NOTE

Going back to basics, the essence of the internal audit role is to provide independent and objective assurance and advice to key stakeholders in a manner that adds value. Over time, the scope of the internal audit role has grown from a focus on financial controls to a focus on compliance with laws and regulations, to increasingly looking at the effectiveness and efficiency of processes, procedures and systems. More recently, there has been a growing recognition of the need to adopt a risk based approach to internal audit work, and to examine the way key risks are being managed, giving consideration to governance and cultural questions as well.

COMMON CHALLENGES & DILEMMAS

Despite making it clear that internal audit should have a broad role, there still appears to be a considerable inertia within the profession towards traditional ways of working, focusing audit’s work mostly on financial controls, regulatory compliance and operational processes and procedures.

The challenges to audit taking up a more comprehensive role to look at risk and governance areas are multifold and have been discussed at intervals in this book. The main reasons the status quo is reinforced include:

  • Differences between stakeholder views in relation to what they want from internal audit.

    Some stakeholders can be conscious that the audit function could take on a wider role, but might be reluctant to “push” for this, partly for fear of antagonizing other stakeholders, but also from a sense that this might be too much of a stretch for the audit function. As a result, audit work on financial controls and compliance auditing may represent something of a “lowest common denominator” role that can be agreed between senior management and the board. However, taking up this role will result in a self-fulfilling prophecy that audit’s work delivers limited added value.

  • A poor understanding of the three lines of defence model.

    Sometimes internal audit is seen as a quality checking function (in the second line of defence), rather than a quality assurance function (in the third line of defence). As a result audit is encouraged to carry out routine monitoring work and to look into management areas of concern; and of course the audit function is likely to be good at doing this, justifying the status quo.

  • A perception that improved disciplines in risk, governance and assurance are likely to impede organizational performance rather than improve it.

    If management has had negative experiences of audit in the past they may be concerned about audit being involved in key risk and performance issues. Keeping audit focused on financial controls and compliance therefore allows management to “get on with” their work without potentially unhelpful distractions from auditors who might only be able to make recommendations of doing things “by the book”.

  • A mindset that, because an organization has been successful to date, there are only likely to be minor surprises ahead.

    If things have been going reasonably well for a period of time, there is a risk that management can be complacent and as a result, suffer from “a failure of imagination”. However, unless audit can focus on areas of key risk and offer insightful findings, the problem is that the status quo will be maintained up to the point when something goes seriously wrong.

  • A tendency to overreact to real, or imagined, issues, leading to risk “fads”.

    A pattern that you can see in some organizations is that if something goes seriously wrong, or there is a considerable fanfare of concern about a specific risk area (e.g. the millennium bug, anti-bribery legislation) which particularly resonates or is mandated, then the organization may find itself in the grip of taking actions that may be out of proportion to the real risk. In other words, for some organizations problems, or potential problems, can take on the characteristic of a fad. Addressing topical issues can give those involved in improving things a sense of achievement, but the danger – over time – is that this can lead to a degree of governance fatigue (e.g. “We put all that effort into new policies, processes and procedures, but what did it really do to improve things?”).

Organizations that have this sort of cultural trait are at risk of being at the mercy of fads and potentially miss the real risk that may be most damaging to them. To put this at its most extreme you can sum up this culture as follows: “Are we the sort of organization that is reluctant to react when there are minor audit findings and that only takes serious action when things have already gone badly wrong, or are mandated by regulation?”

Processes and Procedures (and Audits) Can so Often Get Lost in the Detail

After applying lean ways of working to internal audit in AstraZeneca, we started to recognize potential Muda in relation to the length and complexity of corporate policies and procedures and worked to streamline what was in place. Increasingly, I see audit functions that recognize that the length and complexity of policies, processes and procedures can actually make it harder for all staff to understand what they need to do. The root cause of this may be in part due to the complexity of regulatory requirements (e.g. financial services or pharmaceuticals), but can also be due to a “layer upon layer” growth of policies (sometimes written in haste to respond to a regulatory need), that are not fully integrated or pruned.

Phil Gerrard (CAE, Rolls-Royce) considers the shortcomings of not stepping back when looking at control and compliance procedures:

“If I look at many businesses, they have standards coming out of their ears. The standard for buying an inexpensive piece of IT kit at £5,000 can sometimes go through the same process and approvals as for investing £500,000. It’s a process. Tick, have you followed the steps? You get lost in the detail.

You need to focus on what matters and ensure everyone is clear on that and has easy-to-follow guidance.

So everyone’s signing everything. And we say, yes, that’s been done. Okay, but to what purpose?

When you look at the detail, they are only signing things because a previous person signed them. And you realize there’s no control because the first person signing a form knows other people are going to sign it after them. So no-one’s taking accountability.”

An additional dimension to this problem is a lack of agreement of what it means, in practice, to “roll-out a policy”. When issues are found, staff can often say “I didn’t realize, no one trained me” and management can respond in turn, “Well we published the requirements on the intranet.”

“Groundhog Day” is Alive and Well

One of my favourite films is called Groundhog Day, a comedy in which the lead character Phil Connors (played by Bill Murray) is destined to live the same day over and over again until… (no… I’m not going to spoil the plot if you haven’t seen the film).

I often ask auditors attending my courses and workshops whether they experience Groundhog Day in the context of their work as an auditor. This question normally gets a few smiles as auditors explain that they continue to find the same issues year in and year out, or similar issues across different departments. This picture of no, or patchy, progress in relation to risk and compliance in some organizations can be attributed to issues around “tone at the top” or a “poor risk culture”. However, where audit has been operating for a period of time, it probably says something about the difficulties there can be in identifying and naming the true root causes of control failings and compliance shortcomings, and in making effective inroads into an organization’s culture.

Other Lines of Defence Are Weak and Audit Has Limited Involvement with These Functions

Organizations in some sectors can have a relatively strong second line of defence (e.g. financial services, pharmaceuticals and utilities) because compliance and risk management functions have – by and large – stepped up their role in the wake of a crisis, or an extensive regulatory regime. However, as discussed earlier, it is still quite common to find organizations with a relatively weak second line of defence. Shortcomings include:

  • Limited and/or inconsistent upward reporting by these functions in relation to risks, issues and incidents;
  • Monitoring or audit programmes, that may not be risk based and with limited coverage of all key risk areas due to resource constraints;
  • Weak follow-up disciplines to track remediation.

An experienced Health & Safety auditor outlined to me another weakness he/she has encountered in the past in the context of certain compliance activities:

“I’ve seen examples where organizations have said they have a compliance programme, but it’s mostly a façade. It’s a tick box, and they have not taken it to heart and really internalized what needs to be done.”

In some instances these shortcomings in other compliance functions can be invisible to the internal audit function (until, perhaps, there is work on assurance mapping and assurance co-ordination). Indeed I have seen compliance functions that gather valuable information about issues and incidents, but have not made it available to the internal audit function. There can be a range of reasons for this, including the view that the information will not be of value to internal audit (which internal auditors may think also), or a view that such information should not be shared for confidentiality reasons.

The danger of some risk and compliance functions being something of a blind spot to internal audit is that valuable intelligence may be wasted and also that potential allies in risk, control and governance are not combining their collective insights and influence. This can result in internal audit being one of the few (or even the only) independent and objective voices in the organization.

RECOMMENDED PRACTICES

Take the Opportunity to Prune and Strengthen the Policy Compliance Landscape

After our work on lean auditing, the AstraZeneca audit function spent time with colleagues in compliance to look at the company code of conduct and a range of policy areas, with the aim of creating a clearer, more structured set of expectations for staff and managers. My recent experience is that progressive audit functions recognize that sometimes “less is more” when it comes to the policy environment.

Alongside a streamlining of policies, it is important that any legal or compliance functions have a good understanding of what the real world is like in terms of trying to apply policies (i.e. they should have a Gemba perspective).

If there is any indifference to this question, internal audit can ask managers and staff what they (really) think of these policies and the associated training and guidance, and feed this back to the policy owners: and often there will be concerns. The key message is that policy owners must understand that the policies they issue need to be understood and applied by busy staff who have limited time to read lengthy guidance, are not super-humans with a law degree, or individuals who have nothing else to do!

As discussed in Chapter 8, the “Seven elements of an effective compliance programme” framework, which is in extensive use in the US, is an excellent way of helping organizations understand the essential ingredients to drive compliance with policies and procedures. My experience is that, if implemented on a pragmatic basis, with appropriate policies, this framework can help staff, policy owners and compliance functions to understand their roles and responsibilities, so that many of the common issues are not encountered.

Actions for Internal Audit to consider:

  • Consider how many audit findings are a result of the complexity of the policy landscape and suggest a rationalization of what is in place;
  • Establish whether staff “on the ground” have a voice in relation to the clarity of policies; if not, encourage this, so that policies operate in the real world;
  • Review the “Seven elements of an effective compliance programme” framework and consider whether it could add something to your organization.

Look to Streamline Systems, Processes and Controls Where Possible

In the same way that the policy compliance landscape can often be streamlined, this is also true of systems, processes, procedures and control activities. At AstraZeneca, we worked to develop a key set of financial and IT controls, which was invaluable in relation to our work for Sarbanes–Oxley compliance. I know many other organizations have found the same to be true. Indeed, I sometimes tell CAEs who have not had to worry about Sarbanes–Oxley compliance, that it has some very powerful and helpful ideas that can be useful to build a better control environment.

One former CAE explained what they had done to streamline controls:

“This is something which we worked on a few years ago. We had a sense that we could be smarter about what was really important in relation to financial controls. We held various meetings with key people and came up with a list of key financial controls. It focused everyone’s efforts.

I think it really helped audit, since when this approach was implemented it stopped comments that we were looking at things that were of no interest to anybody.”

Phil Gerrard (CAE, Rolls-Royce) explains a similar approach:

“Audit can work with finance to decide what a finance control framework should look like. It can create some great discussions with senior finance staff to get a shared sense of what is really important.

In fact you don’t even need to do any auditing and already finance management are getting engaged and endorsing what is really key, and we in audit are supporting the development of that. It will never be 100%, but the aim is to ensure there are no big gaps.”

This approach need not only apply to financial and IT controls. It can be applied to a range of compliance and control areas (e.g. purchasing and crisis management). Phil Gerrard (CAE, Rolls-Royce) continues:

“It’s worth spending time with the business to encourage them to develop proper frameworks to help their management manage the business. To think about how they might use the data they have. The aim is to help them manage the business better and pre-empt issues, rather than audit going in and finding problems.

I believe audit should be proactive. Go to the business and say, in this area, have you thought about this way to focus what you are doing and head off problems?”

An experienced Health & Safety auditor explains:

“You can put together relatively simple systems and processes that are extremely effective. So often it’s about leadership and commitment. If you haven’t got leadership and commitment that’s driving it through and making it the way things get done around here, you’re probably not going to have a good control environment in practice.”

This underlines one of the most fundamental points that the Sarbanes–Oxley legislation made back in 2002: it is management (starting with the CEO and CFO) that is responsible in the first instance for the risk management and control processes over disclosures and financial reporting, not the auditors.

Actions for Internal Audit to consider:

  • If you are not familiar with the Sarbanes–Oxley regime, talk to someone who can explain it in simple terms, and consider how it could improve financial and IT controls in your organization;
  • Share the principles of key risks and key controls as a way of encouraging the organization to streamline core processes and control activities in areas such as finance, purchasing and IT systems.

Assurance Coordination and Assurance Mapping

In the earlier chapters on audit planning, I explained the importance of taking a risk and assurance approach to the audit plan. Beyond this is the wider question of how to leverage any other sources of assurance through assurance mapping and assurance coordination. This is an area I have been consulting on for a number of years and it is worthy of a book in its own right, but for the purpose of this discussion about lean, progressive auditing, a few key points are worth making:

  1.  Audit should clearly understand the overall assurance picture for the organization and play a role to ensure this is properly coordinated.

    Phil Gerrard (CAE, Rolls-Royce):

    “If I started driving what other assurance providers did or their relationship to the business, I think that’s going too far. However, our legitimate role is to:

    i) support the business in really understanding its assurance provision, and

    ii) help manage the impact on the business of such assurance. It’s so easy, if we don’t talk to each other, to find they’ll get an audit one week from one function and then another audit next week from internal audit. That’s not helping the business, and creates barriers.

    In trying to understand the overall assurance picture, audit should understand what it looks like because it’s a jigsaw puzzle. If there are gaps, are they gaps I want to cover or, to be frank, maybe they don’t pass the ‘So what?’ test. And then making sure that the board is aware of that.”

  2.  Audit should gain a good understanding of the level of assurance being provided by other functions.

    It was a significant step along my journey as CAE when I decided to probe the effectiveness of other compliance and assurance functions, such as health and safety, product quality etc. This is increasingly being adopted by progressive internal audit functions, often yielding opportunities for improvement and, most importantly, deepening audit’s appreciation of what these functions are – and are not – doing. Phil Gerrard (CAE, Rolls-Royce) explains:

    “Audit should feel able to independently look at what the other functions are doing, for example quality and health and safety, in order to give comfort to stakeholders about how much this can be relied upon. Indeed, I think our reporting should be more holistic, and capture assurance provided by others, so that senior management and the Audit Committee understand better how risk is being mitigated.”

  3.  Audit should encourage a coordinated approach in reporting to senior management and the board from a range of compliance and assurance functions.

As efforts in assurance coordination progress it should be possible to pull together a risk assurance dashboard, with inputs from management and a range of risk and compliance functions. Such a dashboard, which we implemented at AstraZeneca, consolidates separate information flows from a range of functions to provide a more joined up “continuous assurance” picture to senior management and the board.

Efforts to deliver a continuous assurance dashboard require collaboration on reporting processes and reporting criteria across a range of areas. However, work in this area can deliver – sometimes for the first time – an up to date, comprehensive, consistent and concise message about the state of risk and compliance across the organization. As a result, senior management and the board can have a complete picture about all of the key issues that need to be addressed at a given point in time.

To avoid any misunderstanding, I am not recommending that internal audit take the sole lead on assurance coordination, since it could lose its ability to assess the quality of the overall risk assurance picture. However, I do believe audit should be a clear advocate and key advisor about the way this can be done properly. This leads me to a brief “side bar”: who should lead an assurance mapping process? I think there is no simple single answer, but as a rule I have found that assurance mapping needs to involve those persons in the organization who have the authority to drive forward the benefits being sought. Failure to engage the right level of sponsorship for assurance coordination efforts invariably leads to the creation of “talking shops” with little real progress.

Actions for Internal Audit to consider:

  • Play a proactive role in promoting the development of an assurance map and driving improved assurance coordination;
  • Be prepared to look at the work of other assurance providers;
  • Examine opportunities for coordinated reporting;
  • Think about the benefits to be gained and the sponsorship that will be required to deliver those benefits.

Be a Role Model for Lean and Collaborative Ways of Working

Building on the topic of assurance coordination, audit functions keen to maximize their added value in the most efficient way are not afraid to step up to facilitate cross-functional working on certain issues. Richard Young (Director, UNIAC) gives an explanation of a progressive approach:

“In the old days an auditor looking at information security would visit, perhaps, 15 departments, speaking to one person at a time, asking specific questions.

The modern auditor meets them all in a room together, makes it very clear what the purpose of the meeting is and encourages 15 people to talk about it. The auditor understands human dynamics and is experienced. When it’s done well, the managers attending the workshop will stand up and say, for example ‘This is what I do in my department on data assurance and this is what I do less well’. Before you know it, you’ve got everyone chipping in, sharing best practices and highlighting areas where a co-ordinated response may be needed.”

This dynamic approach to getting things done can always be complemented by more conventional assurance work, but is symbolic of lean ways of working: a small amount of effort and a high return for the organization.

Actions for Internal Audit to consider:

  • Pilot new approaches (workshops, surveys etc.) as a way of gaining insights that can enable your organization to make progress;
  • Make special efforts to bring together different parts of the organization that may have best practices to share.

CONCLUDING REMARKS

It is possible that some more traditional internal audit functions feel safe in their role by being the expert at checking controls and compliance. There is certainly a role for this work in some industries and organizations. However, the risk is that if audit starts to become a substitute for the second line of defence, root causes for difficulties can easily get missed. In addition, whilst it is completely understandable for audit to want to act in a supportive mode towards any legal, compliance and risk functions (because they are often the allies of internal audit), this can result in audit “pulling its punches” when these functions themselves have shortcomings, and as a result this can limit the effective development of the overall control environment of an organization.

With more progressive, lean, internal auditing the internal audit function is striving to add value and eliminate waste to the extent that it is prepared to do itself out of a job. Thus, if management or a compliance function can take care of some areas on a day-to-day basis, then fine, audit will only look at these areas selectively based on risk and value.

Paradoxically, an internal audit function that is confident enough to want to push for its own redundancy in certain areas, acting selflessly for the benefit of the organization and its customers, is – in my analysis – more likely to guarantee its future, since there are always going to be new areas that will benefit from an independent and objective perspective. This is the essence of what lean encourages internal audit to aspire to and I hope that comes across throughout this book.
