Over the years, I have built internal audit departments from scratch. I have also re-engineered existing functions in response to requests from the board and executive level to "take internal audit to the next level."
Today, I want to share the approach I have used and ask for comments, stories, etc.
Before you take a single step, it is essential to:
- Understand the business
- Determine where the value of internal audit lies – to the board, to executive management, to operating management, and to the organization's success
- Frame a vision for the internal audit function
Even though I started each challenge with a set of experiences that tend to bias my thinking (such as a belief that the head of internal audit should provide a formal annual assessment of the condition of risk management and related internal controls), the first thing I did was listen.
I actively listened to management around the company so I could understand the business. I learned about the company's past, the environment in which it operated (regulatory, competitive, stakeholder expectations, the market for its products and services, the level of margins, its supply chain challenges, etc.), the strength of the management team, and the condition of the major assets (factories, pipelines, etc.).
I listened to people talking about their experience with internal auditing. Where there was an existing internal audit department, had it added value? Did it meet the expectations of the board and management? Was it a department of "no", or did it take a partnering approach to enhance the management of risk and operation of controls? Did it provide the assurance essential to leaders of the organization? How strong was the team and who were the stars?
I consulted with the external auditors and other assurance providers within the organization. How strong was the system of internal control? How reliable were IT processes, infrastructure, and applications?
I talked at some length to key stakeholders and management that would be key to success, especially the general counsel, the CFO, and the CIO. I learned about the corporate politics and inhibitors for success. I heard and absorbed the corporate vision and strategies, significant capital and IT projects, and more.
I asked about and probed to understand the more significant risks to the organization. What did the board and top management worry most about? (I have yet to lead an internal audit function where there was a separate, established, risk management function.)
I not only listened and learned about risks, but asked and listened to suggestions as to how the internal audit function could add value. In some cases, it was to provide consulting services around major acquisitions, capital projects, or IT developments. In others, it was to help re-engineer processes for improved efficiency and effectiveness. Sometimes, it was simply to provide assurance that certain risks (such as the use of derivatives) were appropriately managed.
Once I had listened to the board and management, I took care to listen carefully to the internal audit staff (where there was one; in one case, the function had been outsourced, so I listened to the outsourcing partner and staff instead). Even though they were relatively young and experienced, even though they were not always highly respected within the organization, they always had invaluable views and insights.
Now was the time to frame a vision. What were the essential services, assurance and consulting, the organization needed – whether they were aware of the need or not (if not, I would have to sell the need to them)? What was the best way to deliver them?
In one case, I saw that I needed to move the internal audit function from performing a series of audits of major factories (basically one at a time) to delivering assurance on the management of risks across the enterprise. This would require changing from completing at most 15 audits each year to completing assurance engagements covering the company's more than 100 locations; a significant controls failure at perhaps 80 of the >100 could be material to the company's results, given the low operating margins.
I considered the need for changes in:
- Audit approach (as illustrated by the example above)
- Staffing: perhaps I would need more senior staff, more IT or environmental specialists, etc. Perhaps I would have to change the organization of the department or where staff were located (in two cases, I opened offices in Singapore). Often, I added training in specialized areas, such as lean manufacturing, operational auditing, data analytics, and interviewing skills
- Process: I frequently streamlined audit reporting, eliminated time reporting and other non-value-add activities, improved the efficiency of working papers, extended reliance on other assurance providers, etc.
- Technology. This is one of the most important, but often overlooked, areas of opportunity. When I had to move from 15 to >100 audit engagements each year, I started the use of data analytics to monitor operational results (KPI) and risks (KRI); I used software for surveys and management self-assessment; and I limited travel by asking remote locations to scan and email me documents to support their self-assessments
Usually, the vision was not something I could make happen overnight. Several changes were needed, each of which would take time. This was especially true when it came to changing the staffing of the function.
So, not only did I frame a longer-term vision, but I identified how the department would transition over the year or two it took to make the change.
I captured the vision, the timeline for actions, and a description of what would be achieved over time (for example, moving from 15 audits in the prior year to 40 in the next, then 80, and finally to about 100 per year). This was first discussed with key stakeholders and allies (such as the CFO, CIO, general counsel and others) and modified. Then I reviewed it with the CEO and finally the board.
The completed strategy document was socialized with staff and management. I also tracked and reported progress to all key stakeholders, including the audit committee of the board.
Do you have an audit department strategy? Are you in the process of changing the function?
If not, why not?