I was asked by one of my networks to contribute to the debate on lean/agile internal auditing, following a recent post by Norman Marks.
Here are some reflections…
First of all, agile auditing is probably a misnomer. When we are agile, the work we do may mean that we don’t do conventional audits. In fact, in the IIA standards, the word engagement is used to discuss activities carried out by audit functions. In my book “Lean auditing”, I talk about different assignments: reviews, limited scope audits, full-scope audits, and investigations, as well as advisory assignments. So, if we want to add value, we have to stop thinking about just audits. Instead, we should consider different types of assignments that will add additional value in different situations.
Second, I agree with Norman Marks that we should be looking at the risks that matter. Generally speaking, we should be looking at risk areas with a very high or high impact. That said, we should be looking at these areas where there is a good sense of the value that we can add. In particular, it often doesn’t add value to look at something that is already a known issue.
Third, I agree a lean and agile assignment can end when reaching an opinion about a specific area. However, it may equally be about highlighting that management needs more evidence or information to make a particular decision.
Fourth, I agree that lean & agile auditing is about being flexible. This means that if you come across an issue that wasn’t in scope, it might be helpful to look at it. However, the critical idea behind being lean and agile is to make sure that you can offer timely insights on key exam questions. Therefore, if a new issue arises, you need to make sure this is relevant to the key questions you are asking. After all, you can always go back and look at a new area shortly afterwards if needed.
Building on this point, I would say that being lean and agile is about being prepared to do assignments that are unusual in terms of how they are scoped. Specifically to scope assignments concerning risk areas or processes that may extend beyond individual departments or functions. That way, when you do an assignment, you have already considered key areas that might be critical to coming up with fresh insights (because issues may arise between departments or in the interactions between processes and systems etc).
Fifth, I agree that it is fundamental that auditors who work in a lean & agile way need to have a different mindset. Furthermore, not every internal auditor will find this very easy. This means that when you are allocating work between team members, it’s not simply a question of assigning work to specific subject matter expertise but also considering the auditor’s mindset versus the assignment type.
Sixth point. Norman Marks suggests we consider targeting no more than 100 hours for any assignment ( i.e. 12.5 working days). I support being careful about time, but 100 hours is very little time for many assignments (even for those who have done a lot of lean & agile work). That said, advisory reviews of 5-10 working days are not unusual, and reviews of 10 to 20 days are quite possible and audits of 20-50 days are also feasible. If they are correctly scoped, with a clear exam question and good expectations around levels of assurance, they can deliver tremendous added value.
Seventh point. I agree that with a lean & agile mindset, you have to appreciate the importance of opportunity cost. Specifically, that more time on a current assignment means less time is available on another, which may be equally important.
Eighth point. I agree that communication is key. As readers will appreciate, IIA standards do not demand that we write audit reports. Instead, they ask that we communicate in a clear, concise, and insightful way. It’s surprising how often I read audit methodologies that don’t emphasize the importance of timely communication with staff and managers. Timely communication is important because it: i) helps us see quickly when management do you not see the importance of what we have found, and ii) allows us to adjust what we are doing to have an impact.
This means that it is crucial when delivering assignments in a lean & agile way that we pay careful attention at the beginning of an assignment in relation to:
- Known issues and current action plans
- The expected controls that should to be in place (so that we can think in design terms) and
- How significant findings should be (either actually or potentially) to persuade management to take action (so we can factor in risk appetite).
Ninth point. The audit planning process needs to change:
- With more regular changes to the plan (without seeking approval for every change);
- But recognising the role of management and other assurance functions (e.g. co-ordinated assurance)
10. At all times, we should seek to deliver assignments in line with IIA standards, because without sufficient care around: Criteria, Condition, Cause(s), Consequences and (robust) Corrective actions, internal audit functions become consulting departments rather than value-adding internal audit departments. This means we need robust evidence in areas where we are saying things are fine. We need these things to avoid “galloping” to a conclusion that proves to be unsound.
11. Being lean & agile means that it is all the more critical that we are crystal clear about what has and what has not been looked at by the assignment. We are a function that needs to deliver reasonable assurance, and this means we need to define carefully what has and has not been looked at those in terms of breadth and depth.
12. I agree that unless we are very careful “Agile auditing” could easily become a fad, mostly focusing on sprints, scrums, and stand-ups and delivering assignments ever quicker, but not always enhancing value and insight. And not conforming to IIA standards.
In summary, as I see it, lean & agile internal auditing (small a) is about professional auditing that:
- Understands how internal audit adds value (e.g. via the kano framework);
- Is clear who internal audit is adding value to (and it should not just be the person who is being audited);
- Delivers assignments with less waste (e.g. muda, mura and muri), on a timely basis,
- Delivers insights (e.g. through root cause analysis and benchmarking good practices)
- Communicates with impact (e.g. killer facts)
.. All of which is set out clearly in an assignment methodology that will pass an IIA EQA..
And above everything, all techniques – lean, agile, continuous auditing, data analytics etc., etc. should be seen as simply tools and frameworks that support progressive internal auditing, and not be seen as an end in themselves.
For more look contact: Info@RiskAI.co.uk
James has helped me and my team in a number of areas, examples being improving the way we conduct and report on our audits and helping with our assurance mapping. This has all been done in a positive and supportive manner, helping the team to embed learning from these sessions.
I contacted [James] for advice as to how Assurance Mapping techniques could be applied in my own authority. Not only were his ideas very constructive, his approach was very professional yet carried out in a friendly, easy going manner which greatly helped my understanding of the issues involved. James was then always happy to deal with any follow up queries I had and he helped to fine tune and discuss the approach with the rest of my team who similarly very quickly formed the same positive view of James’s style and manner. We have recently introduced this new approach into my authority and the results and comments to date have been very encouraging, thanks in no small way to James’s advice and assistance. I would have no hesitation recommending James to anyone.