Tag Archives: Lean & Agile Auditing

Recent interview with James Paterson

This is an interview conducted by IIA Bulgaria.

1. Mr Paterson, you have many interests in different areas – risk management, internal audit, leadership, lean auditing. Please tell us which was the first and how you discovered the next areas of interest?

My background was in tax and general finance. As I became more experienced I kept asking myself “Why don’t things work the way we expect?” I became very interested in culture and behaviour and psychology and then moved to a role in Human Resources. I became interested in Internal Audit because I believed it could help make organizations better (better performance and better compliance). My interest in different topics arises because these are areas where I think we can do better as a profession: lean was about value and productivity, other areas (e.g. root cause analysis), so we can make recommendations and not have the same problems over and over!

2. How do you see the position of Chief Audit Executives in the organizations today – should he/she be one of the leaders in the organization and why?

Think about a CAE role – working across all parts of an organization, different processes, and different challenges – and trying to tell senior managers they can improve, and then managing messages to the board. It’s obviously one of the broadest roles in any organization with a huge amount of responsibility. In the UK and US it is starting to be recognized as a clearly important role, reporting to the CEO, but sadly this recognition is not as widespread as it should be.

3. You are the author of the book LEAN auditing, published in 2015. How do you get from lean management to lean auditing?

I think it is important to remember that internal audit is a relatively young profession (less than 80 years as a separate profession from external audit) and therefore we are evolving. This means we can learn from other areas. I wanted to help audit become more productive and value-adding and therefore I looked for best practices outside internal audit (e.g. lean management) for inspiration. Think of it as looking for tools and techniques from any discipline if it will help us do better auditing.

4. Is lean auditing applicable for different companies, from different industries and businesses and with different sizes?

Yes, lean can be applied across all areas (private/public), all countries (US, UK, Europe, and Australia) and all sizes of the audit team. At the moment I have a project with a large public audit team.

5. Does lean auditing make the internal audit function closer to the Board/ senior management and other stakeholders? Are then the IA using the same language as the management does?

Yes, it should do this, but do this without losing audit independence. The trick is to get closer to understanding what senior stakeholders like and don’t like and take account of this, but then also consider what would an external customer or regulator think about that? For example, senior managers may want advisory work from internal audit, whilst the audit committee might want audits. A key point is to recognize their legitimate right to feel differently about what they want and then to work with both to get a suitable balance; this means you must not be afraid to be transparent about what you are doing.

6. Creativity and innovation in internal auditing – this is a topic on which you are working, including at the EU Audit Conference last October. Please tell us your point of view on how internal auditors could be really creative so as to lead to innovations for the organization and thus add real value for it?

Funnily I did my Master’s degree in Management on Creativity and Innovation. Creativity is all about coming up with new ideas, whereas innovation is about putting new ideas (from whatever source) into practice. Think about medicine – did we simply do the same as we ever did? Of course not, we discover new drugs, new treatments to make people live longer. Businesses need creativity and innovation to come up with new products and services or better ways of doing the same thing (perhaps cheaper as well). This is just the same for internal auditing. If we stay always the same, we will fall behind and risk becoming irrelevant.

7. Nowadays, does this require a general transformation in the internal audit function?

Audit teams can change by radical transformation or gentle evolution. It can depend on the situation which approach is best, but an audit team should never be “stuck in a rut”. One good approach is to try out new ideas on a trial basis, see what works and what doesn’t and progress from there. This “continuous improvement” mindset is very much liked by lean ways of working.

8. You are a consultant and also conduct training on different topics. Could you share with our readers how you choose to present on topics such as the new IPPF and best practices?

Well, I like to come up with new things that will get the audience to think about auditing differently. The new IPPF and new ways of working / good practices are important to think about and then share ideas and practices (from me but hopefully also between the auditors attending the workshops).

9. We have heard about auditing of corporate culture – it sounds interesting but at the same time difficult to be carried out by the internal auditors. In your opinion, should the auditors be creative and innovative in order to succeed in auditing such a soft area, or is innovation in the present day connected only with the fast development of digital technologies?

As you may know, research after the financial crisis of 2007-2008 identified that culture was a key reason we had such big risk disappointments and collapses. This is interesting to reflect on since financial services is a sector that is highly computerized and automated. So how is this possible? Because people write decision-making models, systems and processes influenced by the culture they are a part of! And it’s also a cultural question whether people believe everything that a computer report is telling them is correct, or whether they need to check this “in the real world”. I think a big cultural issue we have to watch is that people stop thinking for themselves and just do things on “auto-pilot” – e.g. “because we have always done it that way”, “because the process or system says so” – and this is a question that is important far outside of internal audit.

10. How do you see the development of the internal audit profession in the next ten years?

I’m incredibly proud to be part of this profession – there are some really great people and we can make an important, positive, difference to the organizations we work for. It is clear that we are beginning to better understand how to audit culture and also make better use of technology as an audit tool. However, I fear that we could become complacent as a profession unless we are careful and I think there are some important areas where we have much further to go:

  • Audit planning – taking into account risk and assurances – we need to share our planning practices and develop more clarity about what represents good practice; for example, is it really risk-based to audit to a standard cycle? Is it sensible to audit known issues, when there is a good chance we will simply confirm what is already known?
  • How we communicate the amount of assurance we are giving when we do a piece of audit work, so we can be clear how much “reasonable assurance” we have given. There is an external audit definition about this, but little guidance or good practice sharing generally.
  • How we look for the root causes of issues. We have a standard that says we need to provide insight, but little formal guidance / good practice sharing on root cause analysis techniques and ways to categorize common causes. One benefit from more work on root cause analysis is that we might start to develop a better understanding of what a good action plan looks like. Too often we worry about the words in the audit report, but do we spend as much time getting a really good action plan that will make managers take actions that will fix problems for the long term?

Lean & Agile internal auditing

I was asked by one of my networks to contribute to the debate on lean/agile internal auditing, following a recent post by Norman Marks.

Here are some reflections…

First of all, agile auditing is probably a misnomer. When we are agile, the work we do may mean that we don’t do conventional audits. In fact, in the IIA standards, the word engagement is used to discuss activities carried out by audit functions. In my book “Lean auditing”, I talk about different assignments: reviews, limited scope audits, full-scope audits, and investigations, as well as advisory assignments. So, if we want to add value, we have to stop thinking about just audits. Instead, we should consider different types of assignments that will add additional value in different situations.

Second, I agree with Norman Marks that we should be looking at the risks that matter. Generally speaking, we should be looking at risk areas with a very high or high impact. That said, we should be looking at these areas where there is a good sense of the value that we can add. In particular, it often doesn’t add value to look at something that is already a known issue.

Third, I agree a lean and agile assignment can end when reaching an opinion about a specific area. However, it may equally be about highlighting that management needs more evidence or information to make a particular decision.

Fourth, I agree that lean & agile auditing is about being flexible. This means that if you come across an issue that wasn’t in scope, it might be helpful to look at it. However, the critical idea behind being lean and agile is to make sure that you can offer timely insights on key exam questions. Therefore, if a new issue arises, you need to make sure this is relevant to the key questions you are asking. After all, you can always go back and look at a new area shortly afterwards if needed.

Building on this point, I would say that being lean and agile is about being prepared to do assignments that are unusual in terms of how they are scoped. Specifically, this means scoping assignments around risk areas or processes that may extend beyond individual departments or functions. That way, when you do an assignment, you have already considered key areas that might be critical to coming up with fresh insights (because issues may arise between departments or in the interactions between processes and systems etc).

Fifth, I agree that it is fundamental that auditors who work in a lean & agile way need to have a different mindset. Furthermore, not every internal auditor will find this very easy. This means that when you are allocating work between team members, it’s not simply a question of assigning work to specific subject matter expertise but also considering the auditor’s mindset versus the assignment type.

Sixth point. Norman Marks suggests we consider targeting no more than 100 hours for any assignment (i.e. 12.5 working days). I support being careful about time, but 100 hours is very little time for many assignments (even for those who have done a lot of lean & agile work). That said, advisory reviews of 5-10 working days are not unusual, and reviews of 10 to 20 days are quite possible and audits of 20-50 days are also feasible. If they are correctly scoped, with a clear exam question and good expectations around levels of assurance, they can deliver tremendous added value.

Seventh point. I agree that with a lean & agile mindset, you have to appreciate the importance of opportunity cost. Specifically, that more time on a current assignment means less time is available on another, which may be equally important.

Eighth point. I agree that communication is key. As readers will appreciate, IIA standards do not demand that we write audit reports. Instead, they ask that we communicate in a clear, concise, and insightful way. It’s surprising how often I read audit methodologies that don’t emphasize the importance of timely communication with staff and managers. Timely communication is important because it: i) helps us see quickly when management do not see the importance of what we have found, and ii) allows us to adjust what we are doing to have an impact.

This means that it is crucial when delivering assignments in a lean & agile way that we pay careful attention at the beginning of an assignment in relation to:

  • Known issues and current action plans;
  • The expected controls that should be in place (so that we can think in design terms); and
  • How significant findings should be (either actually or potentially) to persuade management to take action (so we can factor in risk appetite).

Ninth point. The audit planning process needs to change:

  • With more regular changes to the plan (without seeking approval for every change);
  • But recognising the role of management and other assurance functions (e.g. co-ordinated assurance).

10. At all times, we should seek to deliver assignments in line with IIA standards, because without sufficient care around: Criteria, Condition, Cause(s), Consequences and (robust) Corrective actions, internal audit functions become consulting departments rather than value-adding internal audit departments. This means we need robust evidence in areas where we are saying things are fine. We need these things to avoid “galloping” to a conclusion that proves to be unsound.

11. Being lean & agile means that it is all the more critical that we are crystal clear about what has and what has not been looked at by the assignment. We are a function that needs to deliver reasonable assurance, and this means we need to define carefully what has and has not been looked at in terms of breadth and depth.

12. I agree that unless we are very careful “Agile auditing” could easily become a fad, mostly focusing on sprints, scrums, and stand-ups and delivering assignments ever quicker, but not always enhancing value and insight. And not conforming to IIA standards.

In summary, as I see it, lean & agile internal auditing (small a) is about professional auditing that:

  1. Understands how internal audit adds value (e.g. via the kano framework);
  2. Is clear who internal audit is adding value to (and it should not just be the person who is being audited);
  3. Delivers assignments with less waste (e.g. muda, mura and muri), on a timely basis;
  4. Delivers insights (e.g. through root cause analysis and benchmarking good practices);
  5. Communicates with impact (e.g. killer facts).

All of which is set out clearly in an assignment methodology that will pass an IIA EQA.

And above everything, all techniques – lean, agile, continuous auditing, data analytics etc. – should be seen as simply tools and frameworks that support progressive internal auditing, and not be seen as an end in themselves.

For more information contact: Info@RiskAI.co.uk

Lean & Agile Internal Audit Methodology toolkit for purchase

I have worked with many clients to develop a lean and agile audit methodology and update their audit manual.

In response to requests, I have summarised the key good practices into one manual, aligned to the IIA IPPF 2017 framework.

Key lean/agile principles are outlined:

The lean and agile internal audit methodology toolkit is written for immediate use by any internal audit team covering:

  • Assignment planning
  • Assignment execution
  • Assignment reporting
  • Follow-up and feedback

The document comprises 80+ slides explaining good practice in a granular/modular way:

The methodology toolkit also contains templates, advice on ratings, dealing with sensitive issues and how to manage advisory assignments.

It can either be used to benchmark an existing audit methodology for lean/agile ways of working or it can be used as the starting point for a new audit team that needs to write an audit manual.

The toolkit costs £500+VAT but will save those who use it many days of effort. For more information contact info@RiskAI.co.uk


Lean & Agile Auditing – delivering added value from audit in an efficient way

Lean auditing refers to the use of ‘lean’ principles, first developed in production lines, to drive value in audit work and improve efficiency and productivity.

Principles include: “listening to the voice of the customer”, doing things “right first time” and “just in time” and driving “flow”. Agile examines techniques developed in the software sector that are similar, but slightly different from lean, notably delivering a “minimum viable product” to time and using “sprints” and “scrums” to drive pace and engage stakeholders. Most importantly, the webinar aims to see these techniques alongside compliance with IIA standards, not as something separate.

Who should attend?

Heads of internal audit, internal audit managers and experienced audit staff.

What will I learn?

Upon completion you will be able to:

Training & development online/ webinars

As we adjust to new ways of working I have been working with my friends in the IIA across Europe to deliver engaging webinars on a range of key topics.

Details of internal audit webinars are as follows:


  • Auditing culture – 9 June
  • Root cause analysis – 10 June
  • Lean and agile audit in the COVID era – 15 June
  • Urgent responses to Covid 19 – 16 June
  • Managing yourself and others in challenging times – 18 June
  • Assurance mapping – 23 June
  • Heads of internal audit – induction masterclass – 24-25 June


  • Assurance over GRC – PM 26th May and AM 27th May
  • Lean and Agile Auditing – PM 27th May and AM 28th May
  • Root Cause Analysis – PM 28th May and AM 29th May

IIA Finland:

  • Auditing Culture – PM 1st June and AM 2nd June
  • Assurance Mapping – PM 11th June and AM 12th June

IIA Norway:

  • Lean and Agile Audit in the Covid Era – PM 2nd June and AM 3rd June
  • Assurance Mapping – PM 3rd June and AM 4th June

Timings for split sessions are as follows:
Morning sessions are 09.00 to 12.15 local time
Afternoon sessions are 13.00 to 16.30 local time

E-mail info@RiskAI.co.uk for more information, including tailored training on other topics.

Hope you can join me…


Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914
