How to successfully launch an outcome and risk based internal audit service
Outcome and risk based internal audit is a novel approach to effective assurance being used by a number of private and public sector organisations to achieve the holy grail of assuring business success, writes Neville de Spretter.
Note: An outcome is defined as the result and benefit of achieving an objective, a desired future state – what an organisation wants to achieve. Outcomes are permanent, long-term and independent of organisational structure; objectives are temporary, short-term and specific to a particular organisational structure.
A CEO with whom I worked in the late 1990s frequently quoted ‘make certain to apply the “7 Ps” – proper planning and preparation prevents very poor performance’ in encouraging the business to deliver projects effectively. It has lodged in my mind ever since…!
In my role as an independent consultant I’m frequently asked to facilitate and lead on building, revitalising or modernising internal audit services. Over a number of years ACCA’s technical activities and advice, research and insights, together with the IIA’s standards and guidance, have effectively guided and supported the projects.
Recently I’ve been asked by boards and senior management to establish internal audit that is aligned with – and integral to – strategic and operational outcomes, is collaborative, pragmatic, and predictive in assuring outcome delivery. They want to know that outcome risk connectivity and interdependencies, both vertically and horizontally, at all levels, are understood, visible and transparent, and that the risks are being robustly managed. They want internal audit that is forward looking, solutions based, agile, adaptive, enabling and commercially focused.
It means an internal audit focus on outcomes (and their measures and targets), risk and controls, in contrast to the conventional internal control, retrospective, binary reporting focused approach. Accordingly, once outcomes are clarified, mapped, measured and targeted, I’ve been working with organisations to identify the risk to each outcome, aligning risks with outcomes, and giving clarity and transparency to the activities that manage and mitigate each risk – and thereby establishing the audit universe. Assurance is then provided in a non-adversarial, business-enabling way: the activities are effective to manage or mitigate each risk to a level of residual risk that’s acceptable to the business, or they’re not. If they’re not, it is relatively simple to facilitate the actions needed to do so, or directors can agree to leave the level of risk where it is, and this is visible to all stakeholders. It provides a clear and holistic picture of what’s important to the organisation with the benefits of:
Integration – everything the organisation needs to do and employ to deliver its required outcomes is linked at all levels across the whole value chain from customers through staff to suppliers.
Predictability – the probability of the required outcomes being delivered is objectively forecast, enabling risk mitigation, and providing assurance that outcomes remain on target to be delivered.
Transparency – any stakeholder is able to see what the business intends to employ, do and deliver, and the progress being made and expected.
So, while keeping in mind the ‘7 Ps’, the following summarises how planning for successful implementation has been approached, utilising ACCA’s and the IIA’s guidance.
The basis and authority of the service.
To begin, IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) provides a comprehensive blueprint. Their Establishing Authority presentation is useful to assist in discussions with management and the audit committee.
Ascertain senior management, board and audit committee expectations.
Clarify expectations and establish rapport; use, as appropriate, surveys, board minutes, group and individual meetings to help shape the service. What are board and executive strategic outcomes, the risks to their achievement, opportunities they present, and where can internal audit best help assure delivery?
Policies and procedures should define management's responsibility for governance and therefore help inform Phase 4. Include a review of the audit committee charter to ensure that it dovetails with the internal audit charter.
The internal audit charter.
There are plentiful examples, including IIA’s model charter; ensure that your charter meets the audit committee's needs and any industry requirements, and is discussed, reviewed and agreed with senior management and audit committee.
The audit universe, processes, systems and operations.
Partner with managers and teams to start to define and map their contributory outcomes (to corporate strategic outcomes), risks against those outcomes, and the activities (controls) to manage and mitigate them.
It’s a complex picture so use the right IT to support it. Get the logic sorted and it’s relatively straightforward to use open source and agile development to create a user-friendly system.
External auditors and regulators.
Build rapport, ensure outcome, risk, control and action matters are shared and ensure activities are co-ordinated.
Begin to fill gaps in the audit universe (eg if managers and teams identify a risk, facilitate their defining the outcome it relates to, and vice versa).
Priorities for review.
Partner with managers and teams to start to define priorities at the macro level for review, agreed with senior management.
Construct the budget.
Base the budget on your review priorities for the year, taking into account direct and indirect costs, eg staffing, support, travel and subsistence, training.
Develop the detailed internal audit plan.
The risk based plan will depend on the review priorities agreed and the internal audit resources and staff, but once started should continue and flex with redefined outcome / risk priorities.
Form the team.
Information obtained during Phase 6 can help shape the structure and team member specifications and competencies, for what (eg specialist assignments), and where to source them (eg co-sourced, outsourced, internally resourced, a mix). IIA's Position Paper Role of Internal Audit in Resourcing the Internal Audit Activity may be useful.
The team will need to cover the range of expertise required based on the outcome / risk assessment.
Plan for team training.
Ensure that the team understand and can put into practice the risk based approach. The best plans have been created and delivered with HR and specialist training and development support and guidance.
Promote a quality assured internal audit service throughout the organisation.
Ensure buy-in to the approach: the ‘message from the top’ needs to be clear and unequivocal. (The IIA has complimentary brochures, such as All in a Day's Work, Adding Value Across the Board, and Guidance for the Profession.)
Partner with managers to establish constructive and enabling reporting relationships, and develop the means to follow up on actions.
Obtain feedback on performance as part of a quality assurance programme.
Neville de Spretter FCCA
Neville is a member of ACCA UK’s Internal Audit Network Panel, an independent specialist in governance, risk management and control, principal at AdLibero2 Ltd, an associate of Perendie, a non-executive director of StyleSeeker Ltd, a steering committee member for the CRSA Forum, and a committee and drafting panel member for the British Standards Institution.
Outcome and risk based internal audit has been, and continues to be, implemented in both private and public sector organisations, in the UK and overseas.