Tips from Norman on a Lean audit function

The UK’s Chartered Institute of Internal Auditors (affiliated with the global Institute of Internal Auditors) has published an interesting article by James Paterson on “Lean auditing – what, how, and why?”

James starts out well, with a quote from GE:

“General Electric Corporation once described lean as “the relentless pursuit of the perfect process through waste elimination”, but in an IA context it is about ensuring that IA resources are focussed on delivering value to key customers, streamlining the processes and behaviours that support this, and eliminating those that don’t. Lean principles would define value as “any action or process that a customer would be willing to pay for”.

He goes on to explain how the internal audit team should give a priority to the voice of the audit committee, and not be pulled off track by trying to meet all the demands from management – at the expense of focusing on the needs of its primary stakeholder. That is well said, and I agree 90%.

I differ with James, though, on what follows from there. I would also like to share some tips of my own for achieving lean auditing.

I have worked in companies where the margins were extremely low, resources were thin, and we had to make sure there was no wasted effort (muda in Japanese, the language of Lean). I have also worked at a company that used Lean Six Sigma (see here for a high-level explanation) to drive efficiency in its manufacturing and other processes, and received training on the techniques and principles involved. So, I have been thinking about ‘lean auditing’ for many years and would like to share some ideas that extend beyond James’ piece.

  • While we need to listen to the voice of our primary stakeholder (for most of us this is the audit committee), we also need to recognize that sometimes the audit committee’s insights into the value we can provide are limited. If they are bound by traditional experiences to believe that internal audit should focus on financial processes and compliance, together with fraud detection, we should work with them to move their expectations up the value chain. We should (IMHO) be providing them with assurance that the more significant risks are managed within acceptable limits, augmented by consulting services to enable improvements to that level. It is not sufficient to listen to the voice of the audit committee when that voice is sending an incomplete message.
  • We should look very carefully at all our internal audit processes and drive out wasteful activities (muda): those that carry cost but provide little value relative to that cost. One technique is to capture, for a sample of audits, how long people spend on different tasks: planning (generally not enough), testing (frankly, often past the point where you already know the results), documentation (see #5 below), reporting and communication (too much of the first and too little of the second), supervision and management, etc.

Here are some of the areas where I have identified muda in the past:

  1. As James points out, we should only be auditing what matters. If we are trying to audit a key risk to the business as a whole, the materiality used to scope an audit of the related processes at any individual location should be set relative to the business as a whole, not relative to the objectives of that individual location.
  2. Do we continue auditing after we have identified a weakness? Why? Is it so we can prove the weakness in a court of law? How likely is that? Once management has agreed to the fact that the control is ineffective, why keep auditing it?
  3. Do we keep auditing after it is obvious that everything is in great shape and the risk is low? Where is the value in that? (See the Tosco link later on and the reference to “stop-and-go-auditing”.) Once you know the risk is managed within acceptable limits, stop – even if you haven’t finished everything in the audit program!
  4. Are we auditing an area where the issues are well-known and are being addressed? It may be high risk, but an internal audit engagement would have low value.
  5. Do we spend too much time on working papers? Make sure you understand the value and only spend the resources appropriate to the value. For example, my approach is to review people’s work by talking to them and focusing on the report (the key end product we manufacture). The working papers are not where I spend a lot of time, especially when I know the auditor is experienced and I have no reason to suspect they didn’t perform the tests. If there is a lot of value (for example, the working papers will be re-used the next year to streamline a repeat audit, if management is expected to challenge the results, if a regulator needs to review the work, or if there is a possibility of related litigation) then there is merit in allocating scarce resources to working papers. But, if they are consigned after supervisory review to a file drawer (physical or electronic), never to be seen again, then why spend money creating them? Do enough, not more than enough. [As an aside, years ago I had a benchmarking discussion with the internal audit team at Atlantic Richfield (then a major oil company). They told me that they spent 40% of their time on documentation. How do you stack up? How much time do you spend?]
  6. Are you reporting issues that don’t matter (except to your pride)?
  7. Are your reports timely? If not, then where is the value?
  8. Are you driving change? If management is not accepting your points and making appropriate changes, then you are wasting resources. Something is wrong in your internal processes, and you should look in the mirror for the root cause.
  9. Does your audit report get to the point? Does it say more than would be required to explain the results to the CEO in 2 minutes? Say what needs to be communicated, and then stop. Anything else can be handled in memos to operating management.
  10. Do you have the staff to be lean? Do they have sufficient experience to perform stop-and-go auditing? Can you trust them to know when the risk is acceptable? Are your managers spending more time on reviews and training of junior staff than they would spend if they did the work themselves?

Years ago, the Journal of Accountancy published a piece about my program at Tosco. As I reread it today, I think I got it mostly right. The only point I would add for a 2012 perspective would be a focus on using the available tools to be efficient and effective. Do you agree?

What do you think of this approach? It is not the ‘traditional’ approach to internal auditing, but I think it necessary if you are to make the best use of resources.

  1. Norman Marks
    January 6, 2012 at 7:06 AM

    Richard Chambers (on Twitter) commented that he disagrees with #2, because you should continue auditing to determine cause and effect.

    I agree that you need to continue the audit work, to determine cause, effect and the best solution. The point I am making is that you can stop testing to determine whether the control is in place.

    For example, let’s say you have tested 5 transactions out of a sample of 30 and all fail. Stop testing and talk to management. Often, they will confirm that the control is not in place (for any variety of reasons). There is no need to test the remaining 25 – although some will.

  2. January 6, 2012 at 10:47 AM

    Thanks for clarifying Norman. My concern is that too often, internal auditors DO stop audit work after identifying a weakness (and merely communicate the condition). If we are not able to articulate the cause, impact/effect and offer recommendations for corrective actions – then we merely become “inspectors.”

  3. January 28, 2012 at 3:23 AM

    I think Richard and Norman have some elements right. We, as a profession, need to get out of the linear thinking and myopia of confusing audit as the product, rather than assurance (both negative and positive). I am not in agreement that management must respond positively to audit. Often I audit in areas where the culture and organisational understanding simply is not on the page that I am. I audit ahead of the organisational curve. Thus my duty is discharged when I have reported, with a convincing narrative, the issues I see. It may be years before the organisation finally comes round. Normally when the ‘risks’ I identified have crystallised into ‘issues’. Do this often enough and a prescient reputation will develop for the IA service and then it will be more accepted to be ahead of the curve.

    I hate transaction testing examples. Very few organisations truly have systems and processes that operate like machines and database samples. The world is simply not about command and control structures, it is about people, politics, debate and judgements. Thus I would go further than a sample – I would spend more time looking at what really manages strategic risk – it is unlikely to be a process at all, far rather people making judgements that bypass or are not systematised at all.
