Tag Archives: Internal Audit Effectiveness

Recent interview with James Paterson

This is an interview conducted by IIA Bulgaria.

1. Mr Paterson, you have many interests in different areas – risk management, internal audit, leadership, lean auditing. Please, tell us which was the first and how you discovered the next areas of interest?

My background was in tax and general finance. As I became more experienced I kept asking myself “Why don’t things work the way we expect?” I became very interested in culture and behaviour and psychology and then moved to a role in Human Resources. I became interested in Internal Audit because I believed it could help make organizations better (better performance and better compliance). My interest in different topics arises because these are areas where I think we can do better as a profession: lean was about value and productivity, other areas (e.g. root cause analysis), so we can make recommendations and not have the same problems over and over!

2. How do you see the position of Chief Audit Executives in the organizations today – should he/she be one of the leaders in the organization and why?

Think about a CAE role – working across all parts of an organization, different processes, and different challenges – and trying to tell senior managers they can improve, and then managing messages to the board. It’s obviously one of the broadest roles in any organization with a huge amount of responsibility. In the UK and US it is starting to be recognized as a clearly important role, reporting to the CEO, but sadly this recognition is not as widespread as it should be.

3. You are the author of the book LEAN auditing, published in 2015. How do you get from lean management to lean auditing?

I think it is important to remember that internal audit is a relatively young profession (less than 80 years as a separate profession from external audit) and therefore we are evolving. This means we can learn from other areas. I wanted to help audit become more productive and value-adding and therefore I looked for best practices outside internal audit (e.g. lean management) for inspiration. Think of it as looking for tools and techniques from any discipline if it will help us do better auditing.

4. Is lean auditing applicable for different companies, from different industries and businesses and with different sizes?

Yes, lean can be applied across all areas (private/public), all countries (US, UK, Europe, and Australia) and all sizes of the audit team. At the moment I have a project with a large public audit team.

5. Does lean auditing make the internal audit function closer to the Board/senior management and other stakeholders? Is IA then using the same language as management does?

Yes, it should do this, but do this without losing audit independence. The trick is to get closer to understanding what senior stakeholders like and don’t like and take account of this, but then also consider what would an external customer or regulator think about that? For example, senior managers may want advisory work from internal audit, whilst the audit committee might want audits. A key point is to recognize their legitimate right to feel differently about what they want and then to work with both to get a suitable balance; this means you must not be afraid to be transparent about what you are doing.

6. Creativity and innovation in internal auditing – this is a topic on which you are working, including at the EU Audit Conference last October. Please, tell us what is your point of view on how the internal auditors could be really creative so as to lead to innovations for the organization and thus to add real value for it?

Funnily I did my Master’s degree in Management on Creativity and Innovation. Creativity is all about coming up with new ideas, whereas innovation is about putting new ideas (from whatever source) into practice. Think about medicine – did we simply do the same as we ever did? Of course not, we discover new drugs, new treatments to make people live longer. Businesses need creativity and innovation to come up with new products and services or better ways of doing the same thing (perhaps cheaper as well). This is just the same for internal auditing. If we stay always the same, we will fall behind and risk becoming irrelevant.

7. Nowadays, does this require a general transformation in the internal audit function?

Audit teams can change by radical transformation or gentle evolution. It can depend on the situation which approach is best but an audit team should never be “stuck in a rut”. One good approach is to try out new ideas on a trial basis, see what works and what doesn’t and progress from there. This “continuous improvement” mindset is very much liked by lean ways of working.

8. You are a consultant and also conduct training on different topics. Could you share with our readers how you choose to present on topics such as the new IPPF and best practices?

Well, I like to come up with new things that will get the audience to think about auditing differently. The new IPPF and new ways of working / good practices are important to think about and then share ideas and practices (from me but hopefully also between the auditors attending the workshops).

9. We have heard about auditing of corporate culture – it sounds interesting but at the same time difficult to be carried out by the internal auditors. In your opinion, should the auditors be creative and innovative in order to succeed in auditing of such a soft area, or in present days is innovation connected only with the fast development of digital technologies?

As you may know, research after the financial crisis of 2007-2008 identified that culture was a key reason we had such big risk disappointments and collapses. This is interesting to reflect on since financial services is a sector that is highly computerized and automated. So how is this possible? Because people write decision-making models, systems and processes influenced by the culture they are a part of! And it’s also a cultural question whether people believe everything that a computer report is telling them is correct, or whether they need to check this “in the real world”. I think a big cultural issue we have to watch is that people stop thinking for themselves and just do things on “auto-pilot” – e.g. “because we have always done it that way”, “because the process or system says so” – and this is a question that is important far outside of internal audit.

10. How do you see the development of the internal audit profession in the next ten years?

I’m incredibly proud to be part of this profession – there are some really great people and we can make an important, positive, difference to the organizations we work for. It is clear that we are beginning to better understand how to audit culture and also make better use of technology as an audit tool. However, I fear that we could become complacent as a profession unless we are careful and I think there are some important areas where we have much further to go:

Audit planning – taking into account risk and assurances – we need to share our planning practices and develop more clarity on what represents good practice; for example, is it really risk-based to audit to a standard cycle? Is it sensible to audit known issues, when there is a good chance we will simply confirm what is already known?

How we communicate the amount of assurance we are giving when we do a piece of audit work, so we can be clear how much “reasonable assurance” we have given. There is an external audit definition about this, but little guidance or good practice sharing generally.

How we look for the root causes of issues. We have a standard that says we need to provide insight, but little formal guidance / good practice sharing on root cause analysis techniques and ways to categorize common causes. One benefit from more work on root cause analysis is that we might start to develop a better understanding of what a good action plan looks like. Too often we worry about the words in the audit report, but do we spend as much time getting a really good action plan that will make managers take actions that will fix problems for the long term?

Covid-19 is having a big effect on internal auditing

..so it is important to go back to basics on reasonable assurance.

ACCA UK’s Internal Audit network panel regularly consults its members on topics that are of particular interest at a given point in time. At the moment, it is recognised that the impact of Covid-19 is having a big effect on internal auditing. We cannot afford gold-plated auditing or controls anymore. Also, we can’t afford to go through the motions of doing assignments that made sense at one point in time when things have changed significantly as a result of Covid-19.

I wrote an article for ACCA that looks at how to manage internal audit assignments from a practical perspective in the current context. Specifically, it looks at the work programmes required in the current environment where lean and agile auditing is increasingly expected. It also considers some fundamental questions about what we mean by reasonable assurance.

You can read it here

Internal audit assignment scoping

It’s such a basic idea. Internal auditors are asked to look at an area. They (hopefully) establish the priority areas to be looked at, liaising with a management sponsor, ideally at a level of seniority above the level of the manager of the area they are looking at.

They consider the time available for the assignment and then they issue a “Terms of Reference” (also known as an audit scope).

If the auditor is doing a good job they will spell out what is “in scope” and what is “out of scope”. Based on this they will develop an assignment work programme of things they are going to check.

Spelling out what’s in/out of scope is an important good practice for internal auditors because it helps to set expectations with stakeholders about what is going to be looked at, and gives them an opportunity to challenge what work is going to be done.

Oftentimes, you will see terms of reference expressed in words. For example:

This assignment will look at the staff recruitment process. Key areas to be examined will include:

  1. Staff selection and background checks,
  2. Staff induction and on-boarding process.

Outside of scope will be:

A. The engagement/recruitment of part-time staff and contractors.

B. Benchmarking the cost of recruitment.

The decision to exclude areas from an assignment may be based upon areas that are: i) less relevant to the key assurance needs and also ii) a lesser priority/risk, given the time available for the assignment.

But beyond this approach to communicate scopes, I am seeing increasing use of diagrams to explain this. Diagrams do not replace words but can complement them. Furthermore, if done well, a diagram can show more clearly some of the “hard choices” around the boundaries of an assignment that may be less obvious when simply expressed in words.

Thus, when you consider an area to be examined, it may be addressed by a process, but that process will often be underpinned by IT systems/applications and data flows. In turn, processes/systems may be managed by support functions (e.g. IT/HR) and their role may be more/less important to the key issues under consideration. There may also be third-party service providers who support a process (e.g. recruitment agencies), and – again – their role may be more/less important in relation to the management of a risk.

A diagram can make it clear, in an instant, which process areas/systems/departments will and won’t be looked at. The power of a diagram is that it helps auditors, and managers, think carefully about what will/won’t be relevant to an assignment. And if issues are uncovered, it can be simple to “locate” these on the diagram, and many times it will be clear that issues arise between one part of a process and another, or between one department and another, rather than just in one area.

Finally, a diagram also provides a great way of helping an audit team understand the totality of what has and has not been looked at so that when planning future assignments it is easier to “join up the jigsaw puzzle”.

There is a whole body of practice to be shared about exactly how internal audit functions make robust choices around what is in/out of scope, but the starting point is to be crystal clear what is and is not being done – with diagrams an important tool to help do this.

Webinar: Ethics in the Real World

Since 2017 the IIA has had a requirement for members to take a 2-hour CPE course each year on the subject of Ethics.

This area is especially highlighted because of its key role in helping internal audit to be independent and objective.

To date, there has been a lot of training on “the basics” of ethics. However, “Ethics in the Real World” moves beyond the straightforward aspects of ethics and considers the real-world challenges that might face auditors and how they might decide what to do. It also looks at the “real world” challenges and pressures that managers face and will help auditors to look at these issues in an insightful and value-adding way.

Internal audit challenges

Assignment planning:
“It’s a bad time for you to audit this area right now, can you come back later?”
“Rather than audit us, can you do some advisory work instead?”

Assignment reporting:
“This is a really sensitive issue, do you really have to write it down? Or can you write it differently?”
“Can we have a less harsh audit rating, otherwise the rating will cause a lot of issues.”
“Can you give us more time to fix that issue, we are really busy at the moment.”
