Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​​Agile Per​former

Prompted by rapid organizational change, the CAE at a multinational insurance firm adopted a radically different audit model.

Comments Views

​Ralph Daals, group chief auditor of London-based RSA Insurance, is passionate about the journey he and his team have been on over the past two years. “The seeds for the transformation were sown in October 2013 when internal audit uncovered significant irregularities during a routine review in our Irish business,” he explains. “That event was publicly reported and brought home the message that, in the end, internal audit will be judged by the things it misses.”

This clarity about internal audit’s accountability led to new, forward-looking expectations of the function. Daals recalls: “Our chairman put it nicely — ‘I would like you to be able to tell me that the building is about to catch fire, as opposed to pointing me to it after the event.’”

Meanwhile, RSA was transforming with an agenda of significant strategic rationalization, cost reduction, and operational turnaround. The company was changing rapidly with innovations around big data, robotics, and more digital and agile developments; and with these changes a new profile of risks emerged. “Typically, internal audit follows the company,” Daals says, “but we were driven to make a huge leap to get ahead and stay ahead.”

The challenges were tough. “We not only had to become more dynam​ic and forward-looking, and get on top of the new risks RSA was facing, but we also had to play our part from a cost and efficiency point of view. We had to do more with less — we’re talking about a double-digit percentage cost reduction here,” he says. “Doing this right meant reinventing ourselves and fundamentally changing our mindset, skills, and ways of working.”

Transforming Internal Audit

The ambitious changes Daals sought required the function to be inventive — particularly because, he emphasizes, it did not have deep pockets and could not hire expensive consultants. “Constraint was a key driver of innovation and, ultimately, became a real friend,” he says. 

The team started to assess the world around it, identifying and learning from cutting-edge companies regardless of industry and function. “We ended up casting the net pretty wide and then adopting and tailoring what we thought could work well for us,” Daals says. “Jim Collins’ book Good to Great provided a lot of early inspiration. It was all about starting with purpose and people — attracting and retaining the right talent, giving them freedom within a framework, and playing to their strengths.”

He was wary that, in too many cases, change programs introduced new processes that existed on paper, but didn’t lead to new ways of working in the long term. Theirs was not, he argues, a traditional transformation program — it had no project plans, no champions, and no reams of documentation. 

“We looked to make change easy and infectious, with small iterative improvements driven by obsessing over the right things: sharing successes, challenging each other, and ultimately deeply embedding practices and improvements in our behavior and culture,” he says. “At any time we have about five functionwide ‘obsessions,’ both behavioral and technical. These create a ripple-effect-based transformation — contagion can be very powerful.”

This approach allowed people to see and feel the build-up of momentum and meant that evolution could happen at an increasing — and often surprisingly rapid — pace. Daals explains that he borrowed from computer animation firm Pixar’s innovation culture and started to experiment, test, and refine ideas.

Building Blocks

The transformation rested on four main interconnected “building blocks.” The first of these was to simplify and standardize what the team did and when it did it. This was intended to minimize complexity and distractions to allow internal audit to focus all its time and efforts on what mattered most. A vital part of this process was that internal audit had to be comfortable about not doing some of the things it had taken on in the past. Daals says it started with “bonkers lists,” which evolved into a functionwide learning exercise aimed at making the function more efficient and focused.

“We also wanted to keep it simple to ensure the real value comes from our core activities,” he says. “We shouldn’t have to resort to ‘add-on’ activities, such as advisory reviews, before value is created or recognized. It would imply something is fundamentally wrong.”

The second building block involved increasing the relevance and timeliness of insights and interventions. The traditional annual planning process became a flexible six-plus-six rolling plan with a strategic three-year outlook. This allowed audits to run in parallel with changes in the business and emerging risks and to anticipate better the skills the team needed now if it was to be ready for the future.

At the same time, the team brought plan delivery in line with reporting to executives and nonexecutives, cutting the time between identifying findings and committee reporting to a minimum. “Our team now delivers 100 percent of our plan every quarter, which was unheard of in the past,” Daals says.

The third building block involved implementing an “AsOne” operating model, inspired by Daals’ past work with Deloitte. “We broke down the silos that typically exist in an international function and eliminated the traditional reporting structures and hierarchies,” he explains.

RSA internal audit consists of more than 60 people based in key cities across three regions: the U.K., Ireland, and the Middle East; Canada; and Scandinavia. Daals says that the AsOne model “facilitates a high level of connectivity and collaboration between the teams” so they can work together as if they were all in the same room. This necessitated a new digital way of working and using communication channels such as Yammer.

​To learn about RSA internal audit's recent awards for outstanding performance and innovation from the U.K.'s Chartered IIA, visit

“Building on AsOne, we advanced our way of working based on music streaming service Spotify’s agile culture. We even adopted some of their naming conventions,” Daals says. “We now structure ourselves around ‘squads’ — fluid teams that bring together the right people for an audit or other initiative, regardless of hierarchical position or location.”

For the audit function’s stakeholders, Daals says that AsOne increased the quality and consistency of output and coverage, improved the way internal audit shared best practice, and boosted efficiency by reducing duplication and, ultimately, cost.

The fourth building block was all about striving to build a high-performance culture. “This may sound clichéd — and many talk about it — but in the end we are a people business, and so building a high-performance culture was crucial,” Daals explains. “For us, this is about striving to create an environment where we can attract and retain the best.” He was inspired by Google’s approach to investing in talent and its view that hiring remarkable people is its single most important activity.

“We tailored this — only people with the passion and aptitude for it are involved in recruitment,” he says. “Our recruiters, typically our most senior people, dedicate significant time to finding the right talent. Every candidate is recruited with an international interview as standard.”

Daals and his team also looked to elite sports for ideas. “We work closely with performance company PlanetK2, which uses the same kind of performance psychology ideas with us as it uses with Olympic teams. Everybody is challenged about how to get the best out of themselves and each other.”

All these changes helped to create what Daals characterizes as an agile function. “Agility for us is about being dynamic and flexible. It is about our ability to anticipate, respond, and continuously improve.” He adds that agility needs to be embedded in the mindset, culture, and values of the team; processes and methodologies then follow naturally. “It’s about having a team that gets better and better with every challenge thrown at it,” he says.

He says that this agility has many advantages: Internal audit is now better at using the team’s full capabilities and experience, it can rapidly gather and deploy the right resources via the squads, and the rapid feedback between stakeholders and the function facilitates quick and constant improvements in what the function does and how it does it.

Accountability remained a focal point throughout the changes. “Our accountability is always front of mind,” Daals says. “We regularly ask ourselves our killer question: ‘Have we missed anything significant?’”

“To answer this,” he continues, “we perform a half yearly exercise where we look back across our business through the lenses of issues raised by others, risk incidents, and material external events. We ask, ‘Where were we?’ ‘Did we pick it up?’ and if so, ‘Did we report it appropriately?’” The lessons identified are widely discussed and fed into the continuous improvement of the function, and Daals says the results are getting better every time. He sees it as crucial to delivering against internal audit’s purpose of keeping RSA safe and improving.

Daals also takes quality assurance seriously. He employs Deloitte to review and challenge audits done in the previous quarter. The reviewers assess whether the audits focused on the right areas and identified the correct risks and issues.

Skills for the Future

The new-style internal audit team needs to attract a new type of internal auditor, with skills that will be important to the organization of the future. This means it needs to offer an exciting proposition in terms of both working environment and opportunities, Daals says. New recruits may come from other sectors or have a nonaudit background. The team currently includes nontypical members such as a web and app developer and a criminologist. “It’s important to get the balance right between maintaining their unique skills and perspectives and learning internal audit essentials,” Daals adds.

His search for innovative people who are willing to be shaken out of their comfort zone and are eager to improve constantly is making the team more distinct and adept. “We are always asking how we can break through the typical talent barriers,” he says. “We are well aware that what we are creating doesn’t suit everybody, it requires tenacity and resilience. At times we have had to make some difficult decisions, but that’s OK.”

To help team members grow to their full potential, Daals has introduced innovations such as a dedicated “Learning Friday” every other month on which everybody can choose what they learn. No work is allowed.

“We took a lot of inspiration on how to create the best workplace from an [online education] company called Mindvalley,” Daals explains. “It is important we not only bring in new skills, but make sure all our people are set up for the future. So we are investing in upskilling people in ‘new world risks’ such as cyber risks and risks arising from big data and use of robotics and artificial intelligence.” This includes teaching them the basics of coding, how to audit agile developments, and simulating mock crises such as a cyberattack. Daals expects everyone to become highly proficient with data analytics tools.

He also wanted to move away from a system where people couldn’t progress until the person above them left. The new structure has no fixed number of people per level, so if someone is ready to be promoted, they can be.

Hindsight and Innovation

So what’s next? “It has been good so far,” Daals says. “Our feedback scores have consistently gone up and our people are in high demand by the business. We have a more agile and forward-looking model that we hope will help us to deal with whatever comes our way. But it doesn’t stop here. We have identified, for example, seven ways of injecting innovation into auditing, including stress-testing the control environment and risk-event and scenario-based auditing. As long as it supports our purpose and we keep an appropriate eye on what we call ‘audit risk,’ we won’t hesitate to give it a go.”

He is keen, however, to stress that agile is not the same as chaos and needs careful management. He advises others looking at creating an agile culture to establish first a stable “backbone.” You also need to find a way to combine opposites. “Looking forward is great, but not if you don’t look backward at the same time,” he warns. “Sustainability of controls and remediation activity is as, if not more, important.” Chasing emerging risks or organizational change can be catastrophic if you don’t focus on the areas that everybody takes for granted, but can still hurt the company.

Daals concludes: “We may get it wrong sometimes; you can’t win without ever failing. But in the end, it’s fun putting yourself out there. If you fail, fail and learn fast, but never compromise on outcome.” 

A version of this article first appeared in issue 36 of Audit & Risk, the magazine of the Chartered Institute of Internal Auditors. Reproduced with permission. 

Ruth Prickett
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Ruth PrickettRuth Prickett<p>​Ruth Prickett is editor of Audit & Risk magazine.</p>


Comment on this article

comments powered by Disqus
  • IIA GRC_May 2019_Premium 1
  • IIA Awareness Month_Premium 2
  • IIA Sawyer-OrderToday Bookstore_May 2019_Premium 3