Tuesday, February 27, 2024

Internal audit wastes so much time on policies, documentation, and more!

For years now, I have been preaching (sorry) about the need for internal auditors to cut out any activity that doesn’t create value for its customers in management and on the board.

This is an essential element in the great discipline, originally used in manufacturing by Toyota, called Lean.

James Paterson (formerly the CAE at AstraZeneca) has written a very useful book, Lean Auditing: Driving Added Value and Efficiency in Internal Audit. (Richard Chambers and I both contributed our thoughts.)

Paterson explains some of the principles in an article for the ACCA:

The overall aim of Lean is to maximise customer value while minimising waste.

…Key points include:

specify value from the perspective of the end customer and always ask: would a customer pay for what is being done?
pay careful attention to what really happens in an organisation (called Gemba or Go Look See)
aim for a flow of valuable work and a greater understanding of waste (Muda) such as waiting, rework, duplication etc., as well as unevenness of workloads (creating lulls) as well as points of overburden (that create bottlenecks)
create a culture of discipline to perfect and streamline processes and drive constant improvement through clear measures and other techniques (eg just in time, automation and error proofing).

Let’s think about this great Japanese word, “muda”.

The Lean Enterprise (and others) define it as: “Any activity that consumes resources without creating value for the customer”.

Applying the concept of muda to internal auditing can help eliminate “wasteful practices”: practices that consume our scarce time and resources without creating equivalent value for our customers.

So let’s consider practices that seem to be ingrained into internal auditors around the world.

Some of these may be challenging and cause outrage.

I will start with one of the first requirements in the IIA’s draft Global Internal Auditing Standards (GIAS)[1]:

Annually, internal auditors should obtain at least two hours of continuing professional education on ethics to enhance their awareness and understanding of their ethical responsibilities.

Why?

Do we really believe our CAE and staff need this? If so, we have a major problem.

This is muda. Wasted time and effort that could be spent on delivering real value.

GIAS also says in Standard 1.3:

The chief audit executive should develop and implement a methodology to ensure that internal auditors abide by laws and regulations relevant to the industry and jurisdictions in which the organization operates.

Evidence of conformance can be found, according to the draft GIAS:

Documented methodologies for handling illegal or discreditable behavior among internal auditors and legal or regulatory violations by individuals within the organization.
Supervisory review notes in workpapers or documentation of conversations between internal auditors and their supervisors that address concerns about illegal or unprofessional actions.

Why?

If the company doesn’t already have a Code of Conduct or similar, we have a problem. Demanding that the CAE develop a formal methodology is a waste of time.

Standard 2.1 says:

The chief audit executive must provide policies, procedures, and training to support and promote objectivity.

OK, I think I have said enough about GIAS (some will say it’s more than enough).

So let’s turn our attention now to audit working papers, a favorite target of mine. They are required by the draft GIAS (Standard 12.3 and elsewhere) which also dictates that the working papers must be reviewed and approved.

Why?

Where is the value?

That is the key question.

There are some organizations where working papers are required by regulators. There are some projects, such as investigations, that may be subject to litigation and need to be carefully documented. And there are some audits that are relied upon by the external auditors, especially for SOX compliance.

OK.

But for the majority of organizations and audit projects, they should be considered an optional practice and not mandatory.

Do them if and when there is value, and only to the extent that there is value.

If you think you need them to help you perform the next audit, think again. Are you really repeating the same audit every year? Won’t the risks, processes, and perhaps the controls have changed by the time you return to this area?

If you think you need them as evidence that you did the work, answer this question: who is going to sue you?

We are not the external auditors.

If you think you need them to supervise your people, there is some value. But only review the working papers to confirm they did quality work and leave aside checking that they have nice working papers that are to your standards.

Severely question the value of updating the working papers after your review if you are satisfied the work has been done, just not well documented.

Some people have a totally different view. They love their working papers!

has a beautiful graphic including a statement that if the work is not documented, it is not done.

Nonsense!

I don’t review working papers to find out whether the auditor did the work and came to an appropriate opinion.

I ask questions and listen to the answers.

If I have junior staff performing tests of controls, I may review their working papers and use that review as a training exercise. But I limit my review to what adds value.

When I have experienced staff, I rarely check their documentation. Where’s the value? If I can’t trust them, they shouldn’t be on my team.

My challenge to every CAE is to eliminate all muda – even if that means nonconformance with IIA Standards!

Would we pass an operational efficiency review?

I welcome your comments.

[1] Standard 1.1: Considerations for Implementation and Evidence of Conformance

[2] A training organization run by Leita Hart-Fanta, CPA, CGFM, CGAP

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

 
