A selection of blog posts by James Paterson.
Here are some reflections…
First of all, agile auditing is probably a misnomer. When we are agile, the work we do may mean that we don’t do conventional audits. In fact, in the IIA standards, the word engagement is used to discuss activities carried out by audit functions. In my book “Lean auditing”, I talk about different assignments: reviews, limited scope audits, full-scope audits, and investigations, as well as advisory assignments. So, if we want to add value, we have to stop thinking about just audits. Instead, we should consider different types of assignments that will add additional value in different situations.
Second, I agree with Norman Marks that we should be looking at the risks that matter. Generally speaking, we should be looking at risk areas with a very high or high impact. That said, we should be looking at these areas where there is a good sense of the value that we can add. In particular, it often doesn’t add value to look at something that is already a known issue.
Third, I agree a lean and agile assignment can end when reaching an opinion about a specific area. However, it may equally be about highlighting that management needs more evidence or information to make a particular decision.
Fourth, I agree that lean & agile auditing is about being flexible. This means that if you come across an issue that wasn’t in scope, it might be helpful to look at it. However, the critical idea behind being lean and agile is to make sure that you can offer timely insights on key exam questions. Therefore, if a new issue arises, you need to make sure this is relevant to the key questions you are asking. After all, you can always go back and look at a new area shortly afterwards if needed.
Building on this point, I would say that being lean and agile is about being prepared to do assignments that are unusual in terms of how they are scoped. Specifically to scope assignments concerning risk areas or processes that may extend beyond individual departments or functions. That way, when you do an assignment, you have already considered key areas that might be critical to coming up with fresh insights (because issues may arise between departments or in the interactions between processes and systems etc).
Fifth, I agree that it is fundamental that auditors who work in a lean & agile way need to have a different mindset. Furthermore, not every internal auditor will find this very easy. This means that when you are allocating work between team members, it’s not simply a question of assigning work to specific subject matter expertise but also considering the auditor’s mindset versus the assignment type.
Sixth point. Norman Marks suggests we consider targeting no more than 100 hours for any assignment ( i.e. 12.5 working days). I support being careful about time, but 100 hours is very little time for many assignments (even for those who have done a lot of lean & agile work). That said, advisory reviews of 5-10 working days are not unusual, and reviews of 10 to 20 days are quite possible and audits of 20-50 days are also feasible. If they are correctly scoped, with a clear exam question and good expectations around levels of assurance, they can deliver tremendous added value.
Seventh point. I agree that with a lean & agile mindset, you have to appreciate the importance of opportunity cost. Specifically, that more time on a current assignment means less time is available on another, which may be equally important.
Eighth point. I agree that communication is key. As readers will appreciate, IIA standards do not demand that we write audit reports. Instead, they ask that we communicate in a clear, concise, and insightful way. It’s surprising how often I read audit methodologies that don’t emphasize the importance of timely communication with staff and managers. Timely communication is important because it: i) helps us see quickly when management do you not see the importance of what we have found, and ii) allows us to adjust what we are doing to have an impact.
This means that it is crucial when delivering assignments in a lean & agile way that we pay careful attention at the beginning of an assignment in relation to:
Ninth point. The audit planning process needs to change:
10. At all times, we should seek to deliver assignments in line with IIA standards, because without sufficient care around: Criteria, Condition, Cause(s), Consequences and (robust) Corrective actions, internal audit functions become consulting departments rather than value-adding internal audit departments. This means we need robust evidence in areas where we are saying things are fine. We need these things to avoid “galloping” to a conclusion that proves to be unsound.
11. Being lean & agile means that it is all the more critical that we are crystal clear about what has and what has not been looked at by the assignment. We are a function that needs to deliver reasonable assurance, and this means we need to define carefully what has and has not been looked at those in terms of breadth and depth.
12. I agree that unless we are very careful “Agile auditing” could easily become a fad, mostly focusing on sprints, scrums, and stand-ups and delivering assignments ever quicker, but not always enhancing value and insight. And not conforming to IIA standards.
In summary, as I see it, lean & agile internal auditing (small a) is about professional auditing that:
.. All of which is set out clearly in an assignment methodology that will pass an IIA EQA..
And above everything, all techniques – lean, agile, continuous auditing, data analytics etc., etc. should be seen as simply tools and frameworks that support progressive internal auditing, and not be seen as an end in themselves.
For more look contact: Info@RiskAI.co.uk
They consider the time available for the assignment and then they issue a “Terms of Reference” (also known as an audit scope).
If the auditor is doing a good job they will spell out what is “in scope” and what is “out of scope”. Based on this they will develop an assignment work programme of things they are going to check.
Spelling out what’s in/out of scope is an important good practice for internal auditors because it helps to set expectations with stakeholders about what is going to be looked at, giving them an opportunity to challenge what work is going to be done and also setting their expectations.
Oftentimes, you will see terms of reference expressed in words. For example:
This assignment will look at the staff recruitment process. Key areas to be examined will include:
Outside of scope will be:
A. The engagement/recruitment of part-time staff and contractors.
B. Benchmarking the cost of recruitment.
The decision to exclude areas from an assignment may be based upon areas that are: i) less relevant to the key assurance needs and also ii) a lesser priority/risk, given the time available for the assignment.
But beyond this approach to communicate scopes, I am seeing increasing use of diagrams to explain this. Diagrams do not replace words but can complement them. Furthermore, if done well, a diagram can show more clearly some of the “hard choices” around the boundaries of an assignment that may be less obvious when simply expressed in words.
Thus, when you consider an area to be examined, it may be addressed by a process, but that process will often be underpinned by IT systems/applications and data flows. In turn, processes/systems may be managed by support functions (e.g. IT/HR) and their role may be more/less important to the key issues under consideration. Also, there may also be third-party service providers who support a process (e.g. recruitment agencies), and – again – their role may be more/less important in relation to the management of a risk.
A diagram can make it clear, in an instant, which process areas/systems/departments will and won’t be looked at. The power of a diagram is that it helps auditors, and managers, think carefully about what will/won’t be relevant to an assignment. And if issues are uncovered, it can be simple to “locate” these on the diagram. and many times it will be clear that issues arise between one part of a process and another, or between one department and another, rather than just in one area.
Finally, a diagram also provides a great way of helping an audit team understand the totality of what has and has not been looked at so that when planning future assignments it is easier to “join up the jigsaw puzzle”.
There is a whole body of practice to be shared about exactly how internal audit functions make robust choices around what is in/out of scope, but the starting point is to be crystal clear what is and is not being done – with diagrams an important tool to help do this.
In response to requests, I have summarised the key good practices into one manual, aligned to the IIA IPPF 2017 framework.
Key lean/agile principles are outlined:
The lean and agile internal audit methodology toolkit is written for immediate use by any internal audit team covering:
The document comprises 80+ slides explaining good practice in a granular/modular way:
The methodology toolkit also contains templates, advise on ratings, dealing with sensitive issues and how to manage advisory assignments.
It can either be used to benchmark an existing audit methodology for lean/agile ways of working or it can be used as the starting point for a new audit team that needs to write an audit manual.
The toolkit costs £500+VAT but will save those who use it many days of effort. For more information contact info@RiskAI.co.uk
Principles include: “listening to the voice of the customer”, doing things “right first time” and “just in time” and driving “flow”. Agile examines techniques developed in the software sector that are similar, but slightly different from lean, notably delivering a “minimum viable product” to time and using “sprints” and “scrums” to drive pace and engage stakeholders. Most important the webinar aims to see these techniques alongside compliance with IIA standards, not something separate.
Who should attend?
Heads of internal audit, internal audit managers and experienced audit staff.
What will I learn?
Upon completion you will be able to: Continue Reading
This area is especially highlighted because of its key role in helping internal audit to be independent and objective.
To date, there has been a lot of training on “the basics” of ethics. However, “Ethics in the Real world” moves beyond the straight-forward aspects of ethics and considers the real-world challenges that might face auditors and how they might decide what to do. It also looks at the “real world” challenges and pressures that managers face and will help auditors to look at these issues in an insightful and value-adding way.
Internal audit challenges
Assignment planning:
“It’s a bad time for you to audit this area right now, can you come back later”?
“Rather than audit us, can you do some advisory work instead”?
Assignment reporting
“This is a really sensitive issue, do you really have to write it down? Or can you write it differently”?
“Can we have a less harsh audit rating, otherwise the rating will cause a lot of issues”.
“Can you give us more time to fix that issue, we are really busy at the moment”. Continue Reading
Contact and appointments:
Risk & Assurance Insights
T: +44 (0)7802 868914
Email
Please also use our contact form