• How to prioritize the differing needs of multiple stakeholders in the audit process: the board/audit committee, senior managers and those being audited;
• How to develop an audit plan that addresses the most important risk areas when there are often strong expectations that audit should focus on financial controls and compliance testing;
• How to get a place “at the top table”, influencing senior management whilst retaining independence and objectivity;
• Managing requests to delay or cancel assignments, which can result in difficulties completing the audit plan each year;
• Getting information and data on a timely basis so that audit assignments can start without delay;
• Finding that many managers are not engaged with the audit process;
• Arguments over whether audit has enough evidence to demonstrate its findings, sometimes requiring additional testing;
• Disagreements concerning the wording of audit reports, the timescales that actions should be completed within, and the grading of reports.
The root causes for these areas of difficulty are various and may be linked to problems with communication and underlying systems. However, a number of the problems that arise are due to poor process disciplines in audit and, from my experience, questions about the role of audit, as well as the mindset of some managers and auditors.
As we will see during the course of this book, lean ways of working can help audit to navigate through many of these challenges and dilemmas, helping the internal audit function become more impactful, as well as providing a range of other benefits at an organizational level.
As I mentioned in the introduction to this book, my experience developing lean auditing techniques as the CAE of AstraZeneca provided a solid foundation to work with clients and workshop participants. However, other CAEs I have worked with have faced other areas of difficulty, which we addressed through new lean auditing approaches. In addition, other CAEs I know have developed their own good practices that further “raise the bar” on what value adding and efficient auditing can be like.
As a result, this book contains many internal audit best practices developed by, and with, other CAEs, alongside those developed during my time as the CAE of AstraZeneca.
THE KEY BENEFITS OF ADOPTING A LEAN AUDITING APPROACH
The key benefits of adopting a lean audit approach to internal audit are:
• An audit function that is oriented towards engagement with key stakeholders, with a clear value add mindset;
• An audit plan that is more closely, and demonstrably, aligned with the key value drivers of the organization on an ongoing basis;
• An audit function that plays a key role in understanding the overall Risk Assurance landscape of the organization (encouraging “joining up the assurance jigsaw”);
• An audit function that acts as a catalyst for positive change in the organization, delivered in a range of ways, not just audit assignments;
• Audit assignments that are appropriately resourced, and delivered to time and budget in the vast majority of instances;
• An overall audit plan that is scheduled and delivered with the minimum of delays or difficulties;
• Audit findings, reports and other forms of communication, that are short, insightful and recognize the wider context of the organization and the challenges it is facing;
• An audit function that is able to highlight appropriate efficiency opportunities, including instances where the streamlining of compliance and control policies and procedures would be beneficial;
• An audit function that can clearly demonstrate a positive return on its cost.
In addition, I will outline in this book how progressive, lean ways of working can act as a catalyst for driving improvements across a range of broader Governance, Risk, Compliance (GRC) and assurance activities.
A FEW WORDS ON TERMINOLOGY IN THIS BOOK
At this point it is appropriate to offer several reflections on the terms “audit”, “auditing”, “internal auditing”, “lean auditing”, and “progressive auditing” that will be used during the course of the book. To start: many internal auditors use the term audit when referring to an internal audit. In addition, lean ways of working are often applicable to other types of auditing (e.g. quality auditing, efficiency auditing, health and safety auditing), not just internal auditing. As a result the terms audit and auditing will normally refer to internal audit and internal auditing, but may also relate to other types of audit functions and other types of auditing, depending on the context.
In relation to the term “lean auditing,” I am referring to the practice of internal auditing as informed and enhanced by lean principles, tools and techniques. However, a number of progressive audit practices referred to in this book also focus on the themes of adding value and efficiency, which are central to lean ways of working. As a result, I will sometimes use the terms “lean auditing” or “lean progressive auditing” to refer to a “family” of audit practices that are judged to represent good audit practice in the eyes of leading audit practitioners, typically with a focus on delivering value and improving productivity.
My use of “progressive auditing” also reflects the fact that I am not overly concerned whether the term “lean auditing” gains strong currency within the internal audit profession. My prime interest is to stimulate some interest and offer practical insights in relation to the way the internal audit can push forward on a value adding agenda, and become recognized as an essential ingredient for organizational success. More than anything, I want to avoid the scenario in 10 years’ time where internal audit has been consigned to an eternal prison of primarily working on regulatory compliance and control issues, with key operational and strategic risks largely regarded as “off limits.”
5
The Wider Benefits of a Lean Audit Approach – and How to Use This Book
As I mentioned in the introduction, lean auditing offers much more than simply a more efficient and effective way of carrying out internal audits. Given the unique role of internal audit it is possible to see a “cascade effect” in which new ways of working by audit have a wider impact on organizations. This effect will not simply derive from more impactful audit assignments, but also from the way that audit sees its role and leads organizational changes through its influence over key stakeholders.
To explain how this cascade works, I will outline the key hallmarks of a lean progressive approach to audit. I will then describe how this approach can impact other functions, such as compliance and risk (sometimes called the “second line of defence”), as well as management and staff (sometimes called the “first line of defence”).
Key Hallmarks of a Progressive Lean Audit Approach
In my experience, these include:
• A recognition of the unique role that audit can and should play in providing an independent and objective perspective on Governance, Risk, Compliance (GRC) and the delivery of organizational performance;
• An orientation towards adding value in everything that audit does;
• Having a clear focus on ways of working that visibly and demonstrably add value, that drive out non value adding activity, and eliminate other waste (Muda);
• Discharging the internal audit role in a pragmatic, but flexible way, with a clear strategy to act as a catalyst for organizational improvement and development;
• Having a role that encourages and supports the co-ordination of Risk Assurance across the organization, so that roles and responsibilities (including those of internal audit itself) are optimized to add value, and eliminate waste;
• A recognition that the role of audit is more than just carrying out audit assignments: it is about providing valuable advice and assurance that will improve an organization over the short, medium and