lean auditing - keeping it simple omer tauqir grant ... · ©2010 grant thornton uk llp. all rights...

©2010 Grant Thornton UK LLP. All rights reserved.

Lean auditing - keeping it simple

Omer Tauqir Grant Thornton October 2011

©2010 Grant Thornton UK LLP. All rights reserved. 2

What will you get out of today

• Introduction • Why does IA need to be more efficient? • what does efficiency actually mean? • what does IA have to do:

– at annual planning level – at individual assignment level – re-engineering resource allocation and quality review processes

• Close


Why more efficient?

Only 44% of respondents believe that Internal Audit is helping their organization achieve its business objectives. And fewer — 37% — say they involve Internal Audit in key business decisions and strategy. Forbes 2010 survey of 547 Global CEOs, Audit Committee Chairs etc on evolving role of IA


Why more efficient.. continued

• there is less money! • public sector and private sector cost reductions… • awareness of duplications between internal and external assurances • repeated assurances over trivial areas of control losing traction • disjointed and repeated recommendations targeting effects rather than root

cause causing "action exhaustion" what do the experts say……………………. internal audit was "part of the structure that went wrong" during the banking

crisis. Internal auditors and audit committees had focused on internal controls rather than the wider picture of risks taken within banks' business models.

IIA chief Ian Peters at House of Lords Economic Affairs Committee Dec 2010


what does efficiency actually mean in an IA context?

What to do • focus on what's really important to your customers (Audit Committee etc) and

what constitute important risks to organisation …. • focus on outputs/outcomes • do more with less…. cut out inefficient ways of

– overall audit planning (including in-year updates) – individual assignment planning & delivery (i.e. thing outside the box) – resource planning, evidence gathering and quality assurance …. we are all guilty of it!

What to avoid • duplicate assurance/advice …. • take on work we don’t have skills to do.


How to do it - annual internal audit planning and delivery


Approach….

• invest adequate time in developing annual plan. This means: – have detailed conversations with audit committee and management to

understand key risks they are concerned about and why – there is no substitute for real organisational research i.e. understand what

is changing (both in terms of organisation and its regulatory environment) and what are key risks from it

– ask searching questions of customers and yourself around • expected output/outcomes (i.e. what does success look like)? • organisational benefit from positive or negative assurance/advice

– be open minded about what assurance sources already exist (whether independent or otherwise)

– be prepared to bring your well reasoned ideas to the table!


Approach continued…….

– Be sceptical about repeat audit i.e. what is the rationale, what is the benefit, who is asking for it?

– test frequently with management and audit committee your emerging ideas as develop your annual plan

– critically evaluate whether IA has skills to deliver work effectively … – undertake meaningful assessment of how outline audit work compares to

audit resource capacity and skills


Was annual planning effective? ……Some tests….. • Convincing description of why review is on audit plan, particularly any

organisational context? – set out key questions for each review agreed with sponsor…. – does audit plan/backing documents do justice to effort expended to collect

information? – "payroll review" is just not good enough as a review description/justification

• Does the audit plan convincingly show why repeat audits are being done? • Is there evidence that other sources of assurances have been considered? • Does overall "end result (i.e. audit plan)" strike balance between

– assurance versus improvement – strategic (i.e. linked to real strategic challenges of the business),

operational, financial risks etc – mixture of senior board level sponsorship and operational sponsorship – "change programmes/projects" and "business as usual"


Was annual planning effective? ……Some tests….. • Evidence of "senior sponsor" genuine interest and agreement to

– their role – needs/outcomes required – when it will be delivered?

• Audit plan reconcile to IA staff resource planning? • Set up to "fail test"

– scope not understood – sponsor not lined up – too much, too little resource.

• (if applicable) What is rationale for a number of reviews in same risk area? Are they coherent and aligned? Have we thought about what the end results for each may look like and the risk of covering same kind of space?


How to do it - individual assignment planning and delivery


Approach….

• Keep in touch with sponsor…. don’t let them get in position where time and effort has to be exerted to get them engaged again

• similar to annual planning… engage the sponsor of an audit in what they want out of it. Practical ways of doing this include:

– set out "top 5" questions that need to be answered – what is not included – outline nature of work to be undertaken and evidence gathering approaches – nature and type of required reporting. "One size does not fit all", be clear on required

reporting and why. • Once agreed, be robust to manage scope creep from sponsor and ourselves… • Make effective use of sponsor role, make sure they understand and agree to their role to

"open doors" so that audit progresses without disruption • Plan the audit: Spend time on what information needs to be gathered and how

– do we really need to undertake significant one to one interviews or will workshops, remote surveys equally meet the need?

– are we using available tools to make data analysis more meaningful, faster and more appropriate for the purpose it is intending to deliver.


Approach continued….

• challenge any drift away from key areas of the scope document • keep asking the questions during the assignment delivery phase

– have we got enough information to answer the questions (and if we believe we do)? Have we sought the views of the sponsor?

– have we really got behind the root causes and we are not focusing on symptoms?

• Reporting: – are we answering the scope questions/review areas in a transparent way? – they are not our working papers, we don’t need to show the clients all the

work we have done (unless explicitly agreed for good reason) – is it appropriately pitched (in terms of content, style, layout, size of

document), particularly for senior stakeholders (lets face it, a significant number do not read beyond the 2nd page)?


How to do it - re-engineering resource allocation and quality review processes


Some thoughts….

• Protect credibility of internal audit function. This means – allocate staff that are most suited to requirements of each audits – source subject matter experts externally (if needed)

• Staff allocation: Make staff allocation decisions early so that: – audit leads have ownership of audits – audit leads should be part of the assignment planning process (i.e. attend

scoping/planning meeting) • Quality assurance (QA)

– critically assess nature and levels of quality reviews that are needed – assess on case by case basis – add new/different ways of QA where needed. Remove unnecessary layers

when not needed • find efficient ways of collecting and retaining evidence (automated tools)


Lean auditing - keeping it simple

Omer Tauqir Grant Thornton October 2011

lean auditing - keeping it simple omer tauqir grant ... · ©2010 grant thornton uk llp. all rights...

Documents