How new heads of internal audit can make a successful start.
Over the past two years the IIA heads of internal audit induction master class (HIAIMC) has provided an opportunity for new heads of internal audit (HIAs) to meet others in a similar position and to reflect on how to make their start a success. James C Paterson reviews some of the themes that have emerged.
1. It is a big job – make sure your role is clear.
Whether your team is large or small, expectations on the HIA and IA team are increasing as organisations strive to do more with less.
This means that it is important to pay attention to the organisation’s understanding of the IA role (eg the balance of IA time between assurance and advisory work, and the way that the time on the IA plan is allocated between financial, compliance, operational and other risks). In this way, any misalignments in relation to how IA should be spending its time can be spotted early.
One HIA I worked with identified the need to educate senior management and the audit committee on the ‘three lines of defence’ model of roles (between line management, other functions and internal and external audit), since there were indications of unrealistic expectations of what IA could achieve with its resources and not enough emphasis on what others needed to do. The education of the stakeholders was completed just before a large fraud came to light in the organisation.
The HIA reflected afterwards that, had they not clarified the roles, it would have been easy for IA to get the blame for not preventing/spotting the fraud, rather than recognising weaknesses within management, purchasing and finance.
2. Know which of your stakeholders really call the shots
It is becoming common for the HIA and IA to receive requests to do different sorts of work (eg support for projects in relation to new controls design).
To some extent this reflects the increased value of IA in an organisation, but some HIAs are recognising that there is a risk that IA is turning into one of the few remaining 'free resources' available to management.
New HIAs recognise their most critical stakeholders are senior management and the audit committee (which will make decisions with regard to the IA budget and whether or not the service might be outsourced). Therefore, ad hoc advisory work for line management must be carefully managed in order to allow time for proper engagement with key stakeholders and delivery of key priorities endorsed by them.
3. Look at the IA plan
Almost all HIAs in the HIAIMC are looking to enhance their approach to the IA plan. This typically involves adopting a greater understanding of other assurance processes and roles, particularly to build the case to rely on other lines of defence for financial controls and compliance areas, in order to reduce the Hotel California effect in relation to the extent of IA testing of basic compliance areas: ‘You can check out any time you like, but you can never leave’.
In addition, improving the IA plan normally involves looking at the way the audit universe is constructed. This usually extends from a process/location/systems approach to explicitly include other areas such as: key risks, top business objectives, major projects, significant external disclosures and other regulatory returns – often revealing a range of high-value-added areas that may have been blind spots in the previous plan.
Two other areas also emerge: the extent to which key stakeholders understand the breadth and depth of the proposed IA plan assignments and the clarity of understanding in relation to what IA is not going to be auditing in the year.
Both of these points are important with regard to IA resource discussions, as well as heading off the commonly reported difficulty that when something does go wrong in the organisation, key stakeholders will say either: ‘Why didn’t you audit that area?’ or, if IA did look at the area: ‘Why didn’t you find the issue when you were last there?’
4. Recognise that most risk management processes have room for improvement
In the HIAIMC only a minority of HIAs are fully satisfied with the effectiveness of the risk management processes in their organisations. Concerns range from the extent to which it is a separate and tick-box exercise (rather than being actively used by management) to an over-emphasis on ‘feeding the (risk management) system’. Recently, one head of audit and risk realised that moving from a monthly to a quarterly update of the top risks was likely to increase its acceptance in the organisation, free up time in the risk and audit team and enhance the quality of the debate on the most critical risks.
Other reflections include a recognition that there may be blind spots in the risk register – typically: a reluctance to log black-swan risks (with managers often saying: ‘What’s the point of recording such risks? What could we do about them anyway?’); and risks that become accepted as part of the culture (‘They don’t want a formal process for that risk area; it would be seen to be bureaucratic’, or: ‘We’ve had some problems for years, but nothing major has gone wrong’. Up to now).
5. Articulate a clear vision of where the IA function is and where it is going – ensure that it is part of a broader conversation about risk and governance in the organisation
It is not unusual to find that a new HIA has particular ideas about strengths and areas of improvement for their function. However, it’s rarer for these ideas to have been clearly summarised in a simple ‘dashboard’ format that can engage IA staff and key stakeholders. Such a dashboard can also play a useful role when preparing for an external quality assessment (now required every five years, but a prudent thing to do in the first year or two of taking over a function).
Many HIAs also develop a vision and strategy for the IA function without articulating how this fits within the wider governance, risk and assurance picture for the organisation. This is a common trap, since many stakeholders are attracted by the idea that IA will address all of the key governance, risk and assurance issues in the organisation, whereas this is – in reality – something that the whole organisation needs to play a role in. The role of others needs to be clearly spelled out in any IA strategy.
6. Pay close attention to the understanding and efficient delivery of value-adding activities in the IA team, including the question of ‘dissatisfiers’
In the HIAIMC we review a number of lean principles and techniques. Many new HIAs recognise that, while one of their key priorities will be for the IA team to ‘add value’, there is usually a relatively informal understanding in the team of what adding value actually means in practice.
The lean Kano model emphasises the importance of understanding that things are valued differently; ranging from ‘delighters’ to ‘satisfiers’ to ‘dissatisfiers’.
Common insights from this work include opportunities to 'delight' through the streamlining of IA reports (which are actually likely to take less time to write and finalise) to the identification and communication of risk and control trends, emerging risks and lessons learned.
A common dissatisfier is the extent to which IA takes up management time, especially on routine updates or data gathering (which can be addressed through IA getting more direct access to key systems and information). Another is the many ways that management can get upset because of a perceived ‘surprise’ from IA (which often requires a revised approach to assignment supervision and review, paying more attention to the likely influencing challenges IA may have – eg where IA work has been requested in the hope it will ‘prove’ a particular point, but that is not what IA finds).
7. Take stakeholders and peers with you on the improvement journey
The temptation for the new HIA to want to make an impact in the first 12 months can lead to another risk: not keeping key stakeholders and other colleagues on board with what is being changed.
One HIA was feeling frustrated that their CFO was not being as supportive as had appeared at the time they were interviewed for the role. On reflection, we agreed that it was inevitable that the CFO would be on their ‘best behaviour’ when the HIA was being courted to join. In addition, we agreed that increasing cost pressures were going to make it difficult to give the HIA the additional staff they had originally been promised. We also recognised that some of the improvement areas identified by the new HIA would raise the question of whether the CFO could have done earlier.
As a result, the HIA worked with the CFO and other key stakeholders to make changes in line with the realities of the current business environment (and recognising some of the good aspects of what had been done in the past), leading to a more productive working relationship.
8. Focus on delivering a few key things in the first year
Many new HIAs identify a range of areas where the governance and risk processes in their organisation can be enhanced, as well as a number of areas where the impact and efficiency of the IA team can be improved.
However, with such a wide range of potential areas in which to work, it is important that the new HIA should carefully weigh up the areas that should be prioritised. This will depend on a number of factors, including the organisational context, culture and stakeholder expectations, as well as more pragmatic factors such as the amount and calibre of resource available.
I would then encourage the new HIA to focus on a selection of priority areas over the course of the first year, demonstrating ‘quick wins’ and not over-extending themselves with the risk of under-delivering.
James Paterson is director of Risk & Assurance Insights. He was HIA for AstraZeneca for seven years.
This feature was originally published in Audit & Risk, the web magazine of the Chartered Institute of Internal Auditors (IIA) in the UK and Ireland.
Find out more about the IIA.