intro to blog

James Paterson's blog

A selection of blog posts by James Paterson.

Using tools – when to standardize and when not

At the moment I am working on a big GRC change project for a client and we are starting to think about software tools for control self assessments. The initial interest was to see if some of the existing in-house applications in use for other purposes, but we have discounted these because they do not adequately allow for the aggregation and analysis of results, nor do they enable effective tracking of open issues until closure (after all what is the point of reporting an area for improvement if you cannot be confident it has been dealt with?)

We are now in the process of looking for solutions that some of my other clients have used, adapted for the needs of this client. Here my advice is simple: What is the point of reinventing the wheel? Lets select something that works well elsewhere – our needs are not that different because this is about largely mechanical process of collecting a specific sort of information, categorizing it and then deciding what to do about it.

At the same time I have been working with another client on assurance mapping, focusing on several specific areas of interest to senior stakeholders. Here there was interest at first in me offering a standardized approach, standardized report – and ideally – a simple tool to use. The attraction of a standardized approach and a simple tool is clear, but my client has recognized – over the course of our work together – that force fitting a standard approach would not work for them.

In particular, my client recognized that the real purpose of asking me to work with them to map assurances was not really simply about mapping assurances, but to identify areas for improvement in areas where there had been question marks previously. Continue Reading

Lean auditing – Having the right mindset

The book ‘Lean Auditing’ was published at the beginning of January 2015 and I have been pleased to have positive feedback, including various invitations to do work in Norway and Brussels in February, Germany in March and the US in June.

Here are some high level reflections on the lean auditing mindset:

‘The most important waste is the waste we do not recognize’

This is a quote from Shingo Shigeo, who championed lean in Toyota. The mindset shift to make is to see waste is often so prevalent that it has become invisible and ordinary to the audit team. Waste (or Muda) is spelled out in lean and includes:

  • Waste from producing something that is not needed:
  • Waste caused by defects or rejects;
  • Waste caused by inappropriate processing;

Based on this list (which is just a subset of all of the Muda wastes), one can clearly see the importance of having a clear purpose to each assignment and the need to have a staggered approach to each assignment so ensure that additional work (e.g. testing) is merited. Continue Reading

Culture & Internal Auditing – part 1

I’ve had a run of requests to do speaking on Culture and Internal auditing, first for my friends at UNIAC, for about 30 Audit Committee members, then my friends at the IIA NorthWest and then CIPFA in London.

It’s a bit of a challenge trying to summarize the key headlines from the one day training workshops that I run into just an hour, but here are some key points:

My first key message is that looking at culture is an inevitable part of the development of Internal Audit as a profession, 15 years ago we started to take a greater interest in Risk management; then 5 years ago it was governance related issues, and now it is culture. To me this is just a natural part of Internal audit finding its place at the top table, since often the underlying reasons for issues that audit finds are cultural in origin (see also my blogs on Root Cause analysis).

In the UK financial services sector the need for audit to look at culture was identified in an interesting report “Effective Internal audit in the Financial services sector” issued in July 2013.

The report is short and easy to read and makes points that are pertinent to internal audit functions in the public sector and other private sector areas. I urge readers to look at the report if they are not familiar with it and to use it as a useful guide for the development of their internal audit strategy. Continue Reading

Root cause analysis – part 2

Ahead of the new course I will be running in 2015, here are some more reflections about the power of Root Cause Analysis (RCA).

In my first blog I gave a simple example of how easy it is to think that when you have arrived at a solution to an issue you have arrived at the Root Cause, when in fact the real reasons for the problem lurk below the surface.

Lets consider another example that arose during a session with a client who was looking to improve the impact of audit reports, in this instance in relation to an IS/IT audit. Continue Reading

Join our mailing list

We will keep you updated with news and events.

Contact

Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914
Email

Please also use our contact form