Many internal audit professionals are under increasing pressure to deliver improved value to their organization against a background of fixed or reduced resources. A "fit for purpose" application of Lean techniques specially adapted for internal audit can help departments add or preserve value with less work.
Born out of a range of working practices developed by the Toyota Motor Co. after World War II, Lean practices spread to, and were further developed by, other Japanese motor companies, and eventually spread across other industry sectors. The term Lean, however, was not coined until 1988, when John Krafcik wrote about the "Triumph of the Lean Production System." There has been an increasing interest around the world in applying these, and similar techniques (such as Six Sigma), across many industry sectors and business units. The powerful insights Lean offers in relation to understanding customers and what they value can help internal audit.
Stakeholders and Customers
Internal audit teams have multiple customers and stakeholders, including audit committees, the C-suite, middle managers, external auditors, and regulatory bodies (as well as from an external perspective, the public at large). Lean thinking urges auditors to consider whether all of these customers can be treated equally in terms of delivering value, especially when resources are increasingly limited, and encourages clarity around which customers are key.
Commonly, the C-suite and the audit committee are identified as "top" internal customers by chief audit executives (CAEs) and internal audit senior managers because they typically approve the internal audit strategy, plan, budget, and head count. However, it is common for more junior members of the internal audit team to regard line managers as the key customer because they come into contact with them during audit assignments and often obtain personal feedback about their performance through post-audit satisfaction surveys. This perspective is reinforced by the fact that internal audit staff may have limited contact with the audit committee and senior managers.
Risk of Misalignment
A Lean audit review may reveal a misalignment within the internal audit team concerning key customers. For example, audit staff on an assignment may feel drawn to take requests from line managers to look into a specific area of concern. Although IIA Standard 2000: Managing the Internal Audit Activity states, "The CAE must effectively manage the internal audit activity to ensure it adds value to the organization," there is limited guidance concerning how priorities among different stakeholders are to be established. Paradoxically, a desire by internal audit staff to be helpful can dilute broader organizational value adding by causing auditors to focus on, for example, efficiency opportunities (which may be of interest to the line manager) at the expense of examining the management of reputational risks — which are likely to be of greater interest to the audit committee and C-suite and more important to the organization as a whole.
A Lean internal audit function develops clear processes in relation to how requests from different stakeholders should be handled and prioritized, and pays attention to managing and communicating boundaries so that those who come into contact with internal audit have realistic expectations and understand that the Lean internal audit function may not be able to add value equally, and that key customer/stakeholder needs must be served as a priority.
These considerations will be even more important for those internal audit teams that consider external auditors or regulatory bodies to be one of their top customers. Unless care is taken, such teams can be dominated by the need to deliver control and compliance assignments, which, while satisfying the regulators and external auditors, may result in internal audit being regarded as a necessary evil, rather than a valued source of independent advice and assurance in the organization and across a wide range of performance and risk areas.
Standard 2000 also states that internal audit adds value to the organization (and its stakeholders) "when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes." While that's a helpful starting point, it leaves auditors with two key questions: 1) How do we define adding value in concrete, practical terms; and 2) How do auditors take into account actual stakeholder views around what "adding value" means, which may not align with the IIA definition?
Lean encourages a rigorous understanding of stakeholder needs, using tools such as the Kano Model for product development and customer satisfaction. Developed by Japanese professor Noriaki Kano, the model helps internal audit to clarify the areas that their customers truly value in terms of the specific outputs delivered (see "Kano Key Themes" at right). Kano also offers the important insight that specific outputs from internal audit will be valued (or disliked) differently among key customer groups, and that these differing perceptions of value will not necessarily relate directly to the effort expended by internal audit.
It is common to find that while internal audit teams informally discuss "adding value," they may not have rigorously defined and agreed on the specific outputs they should pay most attention to as a team. In addition, some internal audit teams may not have engaged their audit committees and C-suite in a Kano review (or equivalent), in which specific outputs and deliverables from internal audit are validated and prioritized. The Kano Model validates what stakeholders value, which gives CAEs a powerful mandate when seeking to lead change in internal audit. If senior managers strongly value having a balanced internal report so that audit committee members get a rounded picture of what is going on, then it could be that an existing exception-based reporting approach needs to be changed. Equally, if senior management or the audit committee does not value a detailed outline of the audit methodology in the final report, cutting this may deliver the dual benefit of increased efficiency and customer satisfaction.
Kano analysis often highlights the importance of translating findings into something meaningful in business terms, and the need to give managers notice of likely conclusions so they are not surprised. Many auditors do not fully appreciate the importance of these "softer" influencing aspects of the audit process. This analysis also can help the internal audit team realize that the commonplace practice of drafting lengthy written audit recommendations, followed by a request for management comments, resulting in a "to and fro" of correspondence, is not generally valued. Many times, management would rather have a discussion about what should be done, formalizing in writing only the agreed-upon actions.
Dialogue with stakeholders about what they value may reveal the presence of certain irrational views about the role of internal audit and what constitutes doing a good job by certain audit committee members and some C-suite executives. Misconceptions can include views that:
Internal audit should find frauds in the areas it audits, even when the scope of audit work and the resources available mean that this is not going to be possible.
Internal audit assurance ratings should normally align with stakeholder views of the adequacy of risk and control effectiveness (resulting in line management giving internal audit less positive ratings when audit finds issues, even though audit may have done a technically solid job).
Internal audit performance ratings will be reduced when there are issues with line management remedying findings, when, in fact, poor performance on remediation is essentially an indication of the line management control culture.
Internal audit's prime role is to support a particular stakeholder over and above the needs of others, resulting in a tendency to dismiss or downplay the extent to which it should accommodate other stakeholder needs. This often can be seen in tensions between key stakeholder views about the role of internal audit in terms of which risk areas the plan focuses on, and also the balance of audit time between assurance and advisory work.
It is important that CAEs identify any irrational views or misconceptions among their key customer groups and work proactively to address areas of concern through one-on-one meetings, education, and facilitated discussions. Examples may include:
Educating management and the audit committee on the extent to which internal audit can be expected to identify frauds, and the importance of ensuring that "other lines of defense" (including whistleblowing channels) are working well.
Educating senior managers and the audit committee on the importance of asking accountable managers to discuss audit reports and remediation plans with the audit committee, not just internal audit.
Spelling out, in the audit planning process, the risk areas that are not being audited as well as the true breadth and depth of the audit assignments being planned given resource and budget constraints. This can lead to excellent discussions regarding wider assurance processes in the organization.
The use of Lean techniques can provide internal audit teams important value delivery improvement opportunities. These range from the more commonly discussed areas of streamlined audit processes and reporting, to other important areas linked to the subjective (and sometimes irrational) perceptions of value add held by key stakeholders. It is often these conversations that can open up a deeper dialogue about the role and value potential of the internal audit team, for the benefit of all concerned.