Tips from Norman on a Lean audit function
The UK’s Chartered Institute of Internal Auditors (affiliated with the global Institute of Internal Auditors) has published an interesting article by James Paterson on “Lean auditing – what, how, and why?”
James starts out well in this section, with a quote from GE:
“General Electric Corporation once described lean as “the relentless pursuit of the perfect process through waste elimination”, but in an IA context it is about ensuring that IA resources are focussed on delivering value to key customers, streamlining the processes and behaviours that support this, and eliminating those that don’t. Lean principles would define value as “any action or process that a customer would be willing to pay for”.
He goes on to explain how the internal audit team should give a priority to the voice of the audit committee, and not be pulled off track by trying to meet all the demands from management – at the expense of focusing on the needs of its primary stakeholder. That is well said, and I agree 90%.
I differ with James, though, when you move on from there. I would also like to share some tips for achieving lean auditing.
I have worked in companies where the margins were extremely low, resources were thin, and we had to make sure there was no wasted effort (muda in Japanese, the language of Lean). I have also worked at a company that used Lean Six Sigma (see here for a high level explanation) to drive efficiency in its manufacturing and other processes, and received training on the techniques and principles involved. So, I have been thinking about ‘lean auditing’ for many years and would like to share some ideas that extend beyond James’ piece.
- While we need to listen to the voice of our primary stakeholder (for most of us this is the audit committee), we also need to recognize that sometimes the audit committee’s insights into the value we can provide are limited. If they are bound by traditional experiences to believe that internal audit should focus on financial processes and compliance, together with fraud detection, we should work with them to move their expectations up the value chain. We should (IMHO) be providing them with assurance that the more significant risks are managed within acceptable limits, augmented by consulting services to enable improvements to that level. It is not sufficient to listen to the voice of the audit committee when that voice is sending an incomplete message.
- We should look very carefully at all our internal audit processes and drive out activities (muda) that are waste, because they carry cost and provide little value – relative to the cost. One technique is to capture, for a sample of audits, how long people spend on different tasks: planning (generally not enough), testing (frankly, often past the point where you know the results), documentation (see #5 below), reporting and communication (too much of the first and too little of the second), supervision and management, etc.
Here are some of the areas where I have identified muda in the past:
- As James points out, we should only be auditing what matters. If we are trying to audit a key risk to the business as a whole, the materiality for defining the scope of an audit of processes pertaining to that risk at any individual location should be based on the business as a whole, not based on the risk to the objectives of the individual location.
- Do we continue auditing after we have identified a weakness? Why? Is it so we can prove the weakness in a court of law? How likely is that? Once management has agreed to the fact that the control is ineffective, why keep auditing it?
- Do we keep auditing after it is obvious that everything is in great shape and the risk is low? Where is the value in that? (See the Tosco link later on and the reference to “stop-and-go-auditing”.) Once you know the risk is managed within acceptable limits, stop – even if you haven’t finished everything in the audit program!
- Are we auditing an area where the issues are well-known and are being addressed? It may be high risk, but an internal audit engagement would have low value.
- Do we spend too much time on working papers? Make sure you understand the value and only spend the resources appropriate to the value. For example, my approach is to review people’s work by talking to them and focusing on the report (the key end product we manufacture). The working papers are not where I spend a lot of time, especially when I know the auditor is experienced and I have no reason to suspect they didn’t perform the tests. If there is a lot of value (for example, the working papers will be re-used the next year to streamline a repeat audit, if management is expected to challenge the results, if a regulator needs to review the work, or if there is a possibility of related litigation) then there is merit in allocating scarce resources to working papers. But, if they are consigned after supervisory review to a file drawer (physical or electronic), never to be seen again, then why spend money creating them? Do enough, not more than enough. [As an aside, years ago I had a benchmarking discussion with the internal audit team at Atlantic Richfield (then a major oil company). They told me that they spent 40% of their time on documentation. How do you stack up? How much time do you spend?]
- Are you reporting issues that don’t matter (except to your pride)?
- Are your reports timely? If not, then where is the value?
- Are you driving change? If management is not accepting your points and making appropriate changes, then you are wasting resources. Something is wrong in your internal processes, and you should look in the mirror for the root cause.
- Does your audit report get to the point? Does it say more than would be required to explain the results to the CEO in 2 minutes? Say what needs to be communicated, and then stop. Anything else can be handled in memos to operating management.
- Do you have the staff to be lean? Do they have sufficient experience to perform stop-and-go auditing? Can you trust them to know when the risk is acceptable? Are your managers spending more time on reviews and training of junior staff than they would spend if they did the work themselves?
Years ago, the Journal of Accountancy published a piece about my program at Tosco. As I reread it today, I think I got it mostly right. The only point I would add for a 2012 perspective would be a focus on using the available tools to be efficient and effective. Do you agree?
What do you think of this approach? It is not the ‘traditional’ approach to internal auditing, but I think it necessary if you are to make the best use of resources.