Having oriented the audit plan clearly towards adding value, a fundamental question is how to ensure that the audit plan takes into account the assurance activity that is already, or should be, taking place in order to avoid waste (Muda).
IIA standard 2050 discusses the need for audit to coordinate its activities with others to ensure proper coverage and minimize the duplication of efforts. This ties very closely to lean principles. The IIA practice advisory on Assurance Mapping goes on to explain that “assurance from line management is fundamental” – which confirms and reinforces the point about the importance of having three lines of defence operating effectively in order to properly manage risks.
In the last two chapters I have explored issues around the role of internal audit and also the risk factors that should be considered when developing the audit plan (and specifically whether to focus on gross or net risks). In addition, there is an assurance perspective to consider. Here are the reflections of an experienced senior audit manager:
“If it’s transparent that the right people are making the right decisions on a problem area and there’s an action plan with a clear target date, what value are you going to add by doing an audit? They know it’s a problem!”
“If everybody acknowledges there are issues, and these are being worked on, what’s the point of going to do an audit? It would be borrowing their watch to tell them the time, to confirm what they already know and are addressing, with zero added value.”
I recall a conversation with a regional finance director about the possibility of auditing an overseas unit where there were some questions over what was going on. It was a location that was borderline for audit attention and there was no hard evidence of a problem (in fact there was no problem as far as we can tell several years on).
Wanting to be helpful, but being mindful of resources, I suggested that audit do some work jointly with a member of his finance team, leveraging their knowledge and reducing the resource from audit, and providing an assurance message together. However, the regional finance director’s response was not as appreciative as I had hoped. In fact, he said: “No, let’s leave it, it’s not important enough for me to allocate one of my staff members to look at it, they are too busy on business issues!”
This was a wake-up call for me, raising the question: how often is audit doing work because it is seen to be a free resource, rather than because what it does is felt to be really valuable?!
In my experience many audit plans implicitly take into account the fact that there may be other compliance or assurance functions covering key risks when they are doing their audit planning. Thus, if there is a health and safety function, many internal audit functions will not cover this area in their audit plan. This may be a sensible judgment; however, a relatively informal approach to taking other assurances into account runs the risk of making assumptions about coverage by other functions that could lead to gaps or overlaps.
One CAE shared the following story with me:
“A few years ago we were asked to carry out a learning review of a big systems project. Several functions were involved, the business, IT and a third party outsource provider. The request came from a senior business manager who was responsible for the business end of the project. We knew he was not happy with what had happened, cost overruns and the like, which he felt was due to failings by the IT function and the third party provider.
So we did the learning review and we found that whilst there were lessons to be taken on board on the IT side of the project, there were just as many lessons for business management, including the way they had not made their expectations known, as well as the way they had not delivered what was needed to IT on time. Our report set this out, highlighting lessons for all sides, in a very measured and balanced way – we thought.
And then in the audit closing meeting and subsequent feedback process we got terrible feedback from the business manager, which I then followed up. I said: ‘What’s the problem? You wanted this review!’, and the response was: ‘Yes, I requested the review, but I was expecting you to focus on the weaknesses of the IT function, not my department!’
It struck me that we knew that there was a political angle to this assignment, using audit to ‘hit’ another department. This was the value the manager was really looking for. However, we had naively assumed that doing a balanced review, in accordance with the IIA standards, would be sufficient to make him happy.”
On hearing this story at a lean auditing workshop in Europe, one CAE confided to me that they suspected that many of the audit assignments they had recently been given by their new Chief Executive were, effectively, assignments targeted at senior leaders the Chief Executive did not rate, to see if there was anything that could be found to hasten their departure!
Again we have a dilemma for audit – at face value meeting the needs and expectations of stakeholders might be seen to add value, but if these needs and expectations are grounded on a political agenda, or some other irrational view of added value, audit will find itself in difficulty.
Taking the perspective of the external customer, lean ways of working demand disciplined co-ordination and communication between all functions, including management, risk, compliance and other assurance functions (including internal audit), since there is likely to be waste if one function looks at an area that has been recently checked by another. Indeed, taking an external customer view would go beyond that, looking to understand how much assurance has been provided, and what the results of that work were, in order to judge what additional work (if any) should now be done.
In addition, lean also reminds us that simply carrying out assignments because some senior stakeholders want an area to be looked at may not always be in line with what the external customer would value (especially if we do not properly understand the motivations behind the request).
One CAE explains:
“If there is a known issue, it is better to require that management should put mitigating plans in place first, and then audit the area when the remediation is supposed to have been implemented.”
A fundamental mindset in progressive, value-adding auditing is to be interested in management concerns and issues, but not to volunteer an assignment without being clear what value, specifically, is going to be added.
Rania Bejjani (CAE, Colt Group) explains:
“I aim for conversation and dialogue with the business about their needs. I want to know why they want audit to do an assignment. How come this is so important for them? How does this link to the strategic objectives and key risks of the business? What are their concerns? What is already being done? What can they do themselves? What is the impact to the business? How will this assignment add value to them and to the business as a whole?
The aim is to really understand what is going on, the linkage to the bigger picture and what is needed. As you have these conversations you can uncover the wider context and interdependencies, a root cause or explanation or rationale for either doing or not doing an assignment. You might even uncover an alternative course of action.
When you adopt this sort of approach you avoid assignments that don’t really matter or serve the business. In addition, the assignments you do take on should come up with some very interesting findings. Unless we are able to add value, there is no point in doing the work.”
Thus, if there is a known issue, audit can ask: “Given you know there is an issue, what should we really do? If you are unsure about what remediation is needed, perhaps we can offer some advice about what should be done, but we won’t audit the issue, because you know it’s a problem already.”
Of course, sometimes audit can add value by looking into known issues, perhaps by looking into root causes, the possibility of other spin-off issues, or the quality of action plans underway. However, audit should always be asking why management cannot do this for themselves, and be very clear what the purpose of audit’s involvement actually is.
If management suspect something might be a problem, but are not certain, then a joint audit approach can be a good option since it makes the most of management expertise and also reduces the resource audit needs to commit. Another argument for this approach was given to me by a CAE who said: “Sometimes you need to ask management to put some ‘skin in the game’ to make sure you are not being given unimportant work to do.”
If there is a general belief from management that internal audit should audit known issues, or investigate suspected issues, the CAE should consider what this signifies in cultural terms. One perspective I hear from some auditors is: “Management value us getting involved in things,” but lean encourages us to probe what sort of value this is delivering. If it is about getting a free resource, or doing their job for them, that may not increase the value add from audit in the eyes of the external customer. In addition, the greatest risk is that internal audit involvement in these sorts of issues perpetuates a culture in which internal audit takes over the monitoring role to check controls and propose improvement actions, not management.
To illustrate the importance of thinking from an assurance perspective when developing the audit plan, here is another story. One of my clients was being asked to carry out a lot of anti-fraud work in their audit plan. As we discussed this, the CAE realized that underlying this interest in lots of anti-fraud work by audit was a senior management mindset that regarded the audit function as having the prime responsibility for fraud prevention. I offered some support around the three lines of defence model and the CAE then carried out an exercise in accountability mapping for fraud, and thereafter a series of education workshops for managers.
A year later a major fraud arose and the CAE remarked to me that he was very pleased we had done what we had done the year before:
“If we hadn’t done anything to re-educate management around what it really takes to prevent frauds, I am sure that we would have got the blame for what went wrong. As it was, there was a much better debate about processes in finance and purchasing, and the lessons for them. The realization was that it has to be these first and second line functions with the prime fraud prevention role. After all, they are the ones who are most likely to be able to stop a fraudulent or duplicate payment being made, not internal audit.”
I have also heard CAEs explain that senior management or the board sometimes want them to look at an issue because: “they don’t think the manager is capable of checking this thoroughly” (either because of resource constraints or capability shortcomings) or “they don’t trust the manager of that area”. However, if any of these points is true, it reveals a much deeper problem in the overall control environment than the specific issue that was of original concern!
I hope that these stories illustrate the power of approaching the audit plan with a lean perspective, namely:
Adopting a value add, assurance mindset when developing the audit plan may rapidly result in audit having a range of challenging conversations with stakeholders. However, these conversations need to take place if audit is to start to change old-fashioned stakeholder mindsets about the role of audit. In my experience step-by-step change may be all that is possible from year to year. But by clearly communicating a desire to add value and eliminate waste, alongside an understanding of key stakeholder concerns and needs, a shift in the mindset of senior stakeholders can be achieved over a period of time, and in turn a reappraisal of the optimal role for audit.
Actions for Internal Audit to consider:
I first started working on risk assurance mapping as a CAE at AstraZeneca in 2003, so by the time we started working on lean auditing in 2005–6, we were already very mindful of the power of these techniques and integrated them into our ways of working.
In both the lean auditing and assurance mapping workshops that I run, I emphasize the benefits that can be obtained by adopting a risk assurance approach to audit planning. Indeed, this is one of the reasons my company has the name “Risk & Assurance Insights.” In 2012 the book Combined Assurance by Gerrit Sarens et al. made the suggestion that “Combined assurance should drive the audit plan.” I fully agree with their analysis and, fortunately, there is already a growing body of practice in this field. Here are some of the advocates.
Leigh Flanigan, (CAE, CSIRO, Australia):
“I always emphasize to management that internal audit is not the only provider of assurance; there are many other parts of the organization and possible sources of assurance. I highlight that to them, but also work with management to help them better understand their role in providing assurance.”
Ivan Butler (CAE, Denbighshire County Council):
“In the past we developed a plan using the audit universe. Now our assurance framework is the number one ingredient.”
Nancy Haig (CAE, global consulting firm):
“If we are talking about lean and adding value, make sure that you’re looking at things holistically. Where are the key risks? Are they IT? Are they compliance? Are they financial? Are they environmental or health and safety?
Then consider who’s covering these risks. We may find, for example, that assurance over stock levels has been covered by external auditors. Or the IT department or tax department are performing monitoring functions. So it’s always a matter of looking at where risks are and determining if somebody else is already validating that those controls are working and if so, moving to the risks where there is no or limited coverage from elsewhere.
A big part of being lean is making sure you don’t do repetitive or redundant work without being clear as to why.”
(See Figure 10.1).
The “Taking it on trust” report by the UK Audit Commission has some excellent guidance on the attributes of robust assurance, so that over-optimistic assurances are not assumed. A case study based on work by the Plymouth Hospitals NHS Trust considers factors such as:
Other attributes of importance in my experience include the quality of planning assurance assignments, the need to focus assignments on a risk basis, the robustness of onward reporting and issue escalation and the extent of coverage compared to the relevant risk universe.
Actions for Internal Audit to consider:
Bringing together the earlier discussions about roles alongside assurance mapping, two other progressive practices are worthy of note: direct assurance or other independent assurance.
Thus, if cloud computing is raised as an issue that could be audited, a more traditional approach is simply to carry out an audit assignment to look into this area. However, a more progressive, assurance-based way of addressing the question could be to agree that the Chief Information Officer (CIO), or equivalent, should update senior management and the board on what is being done in relation to cloud computing. This can be achieved by requesting a report from the CIO, or by agreeing that the CIO should make a presentation to senior stakeholders about what is being done. Internal audit could even offer to help the CIO consider the likely risk areas and assurance questions that are likely to be of most concern to key stakeholders.
The benefits of the direct assurance approach are:
Other direct assurance alternatives include getting direct input from purchasing in relation to the screening of third party suppliers, or direct input from compliance functions in industries such as utilities, financial services and pharmaceuticals.
I have also seen third parties being brought in to provide an assurance perspective on technical and emerging risk areas where audit would have limited skill capability to look at the area.
Nancy Haig (CAE, global consulting firm) sums up the approach I am advocating:
“I think that internal audit can be the catalyst for ensuring that the appropriate amount of assurance work is being done by different functions.”
Actions for Internal Audit to consider:
The dilemma facing many audit functions during audit planning is to make the choice between looking at known issues – which have management and stakeholder support – and looking at other areas – which challenges stakeholders’ current understanding of risks. Alongside this is the need to maintain relationships and also keep the audit team busy!
It is understandable, therefore, that audit should be sympathetic about looking at areas management are concerned about; auditors need to be pragmatic and flexible about the needs of internal stakeholders. However, a lean audit mindset challenges any cosy status quo in which audit is guaranteed work by doing essentially management’s routine monitoring or checking. The danger is this approach does not really offer that much value add to the organization overall, and also prevents audit from looking at the most important value issues in the organization.
Fortunately, I am seeing increasing signs that the old ways are starting to change, supported by an increasing awareness of the IIA guidance on the three lines of defence and the latest guidance for UK financial services internal auditing. Of course, there is a place for looking at traditional areas, such as financial controls and compliance. However, thinking about assurance roles and responsibilities encourages others to take up their roles in routine monitoring and, hopefully, to increasingly be seen to be providing reliable assurance. The result of a greater assurance role from management and other functions is that internal audit is able to work across a range of non-standard risk areas, making a greater contribution to the larger risk assurance picture where much more value is at stake. Phil Gerrard (CAE, Rolls-Royce) offers this final reflection:
“Risk assurance based planning is key in allocating your resources. It’s key as a CAE to understand your positioning in the three lines of defence model, and to challenge and debate this with the respective management teams.
To allocate resources where assurance is limited and risk is highest.”