Lean auditing - keeping it simple

Omer Tauqir
Grant Thornton
October 2011

2010 Grant Thornton UK LLP. All rights reserved.

What will you get out of today

Introduction
Why does IA need to be more efficient?
what does efficiency actually mean?
what does IA have to do:
at annual planning level
at individual assignment level
re-engineering resource allocation and quality review processes
Close

2010 Grant Thornton UK LLP. All rights reserved.

Why more efficient?

Only 44% of respondents believe that Internal Audit is helping

their organization achieve its business objectives. And fewer
37% say they involve Internal Audit in key business
decisions and strategy.
Forbes 2010 survey of 547 Global CEOs, Audit Committee Chairs etc
on evolving role of IA

2010 Grant Thornton UK LLP. All rights reserved.

Why more efficient.. continued

there is less money!

public sector and private sector cost reductions
awareness of duplications between internal and external assurances
repeated assurances over trivial areas of control losing traction
disjointed and repeated recommendations targeting effects rather than root
cause causing "action exhaustion"

what do the experts say.

internal audit was "part of the structure that went wrong" during the banking
crisis. Internal auditors and audit committees had focused on internal controls
rather than the wider picture of risks taken within banks' business models.
IIA chief Ian Peters at House of Lords Economic Affairs Committee Dec
2010
2010 Grant Thornton UK LLP. All rights reserved.

what does efficiency actually mean in an IA context?

What to do
focus on what's really important to your customers (Audit Committee etc) and
what constitute important risks to organisation .
focus on outputs/outcomes
do more with less. cut out inefficient ways of
overall audit planning (including in-year updates)
individual assignment planning & delivery (i.e. thing outside the box)
resource planning, evidence gathering and quality assurance
. we are all guilty of it!
What to avoid
duplicate assurance/advice .
take on work we dont have skills to do.

2010 Grant Thornton UK LLP. All rights reserved.

How to do it
- annual internal audit planning and delivery

2010 Grant Thornton UK LLP. All rights reserved.

Approach.

invest adequate time in developing annual plan. This means:

have detailed conversations with audit committee and management to
understand key risks they are concerned about and why
there is no substitute for real organisational research i.e. understand what
is changing (both in terms of organisation and its regulatory environment)
and what are key risks from it
ask searching questions of customers and yourself around
expected output/outcomes (i.e. what does success look like)?
organisational benefit from positive or negative assurance/advice
be open minded about what assurance sources already exist (whether
independent or otherwise)
be prepared to bring your well reasoned ideas to the table!

2010 Grant Thornton UK LLP. All rights reserved.

Approach continued.

Be sceptical about repeat audit i.e. what is the rationale, what is the benefit,
who is asking for it?
test frequently with management and audit committee your emerging ideas
as develop your annual plan
critically evaluate whether IA has skills to deliver work effectively
undertake meaningful assessment of how outline audit work compares to
audit resource capacity and skills

2010 Grant Thornton UK LLP. All rights reserved.

Was annual planning effective?

Some tests..

Convincing description of why review is on audit plan, particularly any

organisational context?
set out key questions for each review agreed with sponsor.
does audit plan/backing documents do justice to effort expended to collect
information?
"payroll review" is just not good enough as a review description/justification
Does the audit plan convincingly show why repeat audits are being done?
Is there evidence that other sources of assurances have been considered?
Does overall "end result (i.e. audit plan)" strike balance between
assurance versus improvement
strategic (i.e. linked to real strategic challenges of the business),
operational, financial risks etc
mixture of senior board level sponsorship and operational sponsorship
"change programmes/projects" and "business as usual"

2010 Grant Thornton UK LLP. All rights reserved.

Was annual planning effective?

Some tests..

Evidence of "senior sponsor" genuine interest and agreement to

their role
needs/outcomes required
when it will be delivered?
Audit plan reconcile to IA staff resource planning?
Set up to "fail test"
scope not understood
sponsor not lined up
too much, too little resource.
(if applicable) What is rationale for a number of reviews in same risk area? Are
they coherent and aligned? Have we thought about what the end results for
each may look like and the risk of covering same kind of space?

2010 Grant Thornton UK LLP. All rights reserved.

10

How to do it
- individual assignment planning and delivery

2010 Grant Thornton UK LLP. All rights reserved.

2010 Grant Thornton UK LLP. All rights reserved.

12

2010 Grant Thornton UK LLP. All rights reserved.

13

Approach.

Keep in touch with sponsor. dont let them get in position where time and effort has to
be exerted to get them engaged again
similar to annual planning engage the sponsor of an audit in what they want out of it.
Practical ways of doing this include:
set out "top 5" questions that need to be answered
what is not included
outline nature of work to be undertaken and evidence gathering approaches
nature and type of required reporting. "One size does not fit all", be clear on required
reporting and why.
Once agreed, be robust to manage scope creep from sponsor and ourselves
Make effective use of sponsor role, make sure they understand and agree to their role to
"open doors" so that audit progresses without disruption
Plan the audit: Spend time on what information needs to be gathered and how
do we really need to undertake significant one to one interviews or will workshops,
remote surveys equally meet the need?
are we using available tools to make data analysis more meaningful, faster and more
appropriate for the purpose it is intending to deliver.

2010 Grant Thornton UK LLP. All rights reserved.

14

Approach continued.

challenge any drift away from key areas of the scope document
keep asking the questions during the assignment delivery phase
have we got enough information to answer the questions (and if we believe
we do)? Have we sought the views of the sponsor?
have we really got behind the root causes and we are not focusing on
symptoms?
Reporting:
are we answering the scope questions/review areas in a transparent way?
they are not our working papers, we dont need to show the clients all the
work we have done (unless explicitly agreed for good reason)
is it appropriately pitched (in terms of content, style, layout, size of
document), particularly for senior stakeholders (lets face it, a significant
number do not read beyond the 2nd page)?

2010 Grant Thornton UK LLP. All rights reserved.

15

How to do it
- re-engineering resource allocation and quality
review processes

2010 Grant Thornton UK LLP. All rights reserved.

Some thoughts.

Protect credibility of internal audit function. This means

allocate staff that are most suited to requirements of each audits
source subject matter experts externally (if needed)
Staff allocation: Make staff allocation decisions early so that:
audit leads have ownership of audits
audit leads should be part of the assignment planning process (i.e. attend
scoping/planning meeting)
Quality assurance (QA)
critically assess nature and levels of quality reviews that are needed
assess on case by case basis
add new/different ways of QA where needed. Remove unnecessary layers
when not needed
find efficient ways of collecting and retaining evidence (automated tools)

2010 Grant Thornton UK LLP. All rights reserved.

17

Lean auditing - keeping it simple

Omer Tauqir
Grant Thornton
October 2011

2010 Grant Thornton UK LLP. All rights reserved.