Internal Audit – Finding a better way
Jennifer Ruff is the Chief Audit Executive in the House of Commons Administration.
Audit does not need to be a scary word. Auditors have dual functions – providing process-driven assurance and offering consultation or an advisory role on elements of a corporation. In this article, the author explains how internal audits work within Parliament’s unique context and why the advisory function opens the door to collaborative efforts to improve this institution for Members of Parliament, staff and the public-at-large.
First impressions
Odds are when you hear the word audit, you cringe. At home, it definitely does not conjure up a positive image and can cause an instant headache. Similarly, in the workplace, the mention of an internal audit can cause suspicion, anxiety or concern. As a function, internal audit is often viewed as a policing activity that looks to find fault or wrongdoing, creating a sense of intrusion with little or no value for those involved. Clients of audit engagements can be left with a sense of being investigated or put under the microscope, and some even feel as if their jobs are on the line.
The discipline of internal audit has struggled with this image for years and efforts have been made to better describe and define its activities and outcomes by putting a focus on results and relevance. In the process, auditors have become trusted advisors for management in the quest for effectiveness and efficiency. But, as there is often a focus on compliance, negative feelings associated with judgment and investigation have proven difficult to overcome and they often overshadow the valuable work done under the umbrella of audit.
The audit challenge
To better understand the challenge in successfully delivering the audit function it is first important to highlight that internal audit consists of two types of activities, assurance activities and advisory activities. Assurance activities are those engagements that examine controls and processes to look for compliance with a standard or expected result in order to give assurance to management, or other stakeholders, that those controls are functioning as expected. Generally, controls exist to protect the organization from fraud or mistakes that could have a negative financial, operational or reputational impact on the organization.
Assurance activities are those for which internal audit is better known. They are the more traditional, process-driven, formal engagements that result in mandatory reporting to senior management, Boards of Directors and often outside stakeholders. These types of engagements also require that a formal action plan be developed by management to address the findings of internal audit and follow-up is conducted by audit to ensure that these action plans are implemented.
The second, and lesser recognized, set of activities that audit undertakes are consulting, or advisory, activities. These engagements are much less formal and typically only involve responding directly to the client involved. Advisory activities can include many different types of support or guidance and can range from quite informal to more standardized examinations. Advisory work can include things such as process mapping, benchmarking, risk assessments, gaps analyses, lessons learned exercises, and professional advice. Advisory work can address activities and processes other than just risk and internal controls and, in essence, can be leveraged to examine any element of the organization. The nature of these advisory activities allows us to take a more service or client-driven perspective.
While examining compliance and controls through assurance activities is important and has its place in sound management of any organization, it does not have to be the sole focus. The challenge facing our audit function is to find the best balance of assurance and advisory activities to effectively support the House of Commons Administration, but also to increase trust and impact. As we look to address this challenge and improve the delivery of our services, I feel that it is the advisory side of internal audit that offers the best value for our organization. Progress has already been made to increase the visibility and inclusion of the audit function into many organizational initiatives by embracing and focusing efforts on more advisory type activities.
Our context
The House of Commons has a context that sets it apart from other organizations, both public and private. This is due to the limited legislative framework that applies to the work and functioning of the House.
Most organizations have outside stakeholders who require or insist on assurance activities being completed. Often, certifications or verifications of specific internal controls or processes are required by law or governing bodies. In the case of the House of Commons, very few obligations for this type of validation exist, so the drive to undertake compliance comes only from an internal need to assess controls and report to senior management.
Therefore, if not driven by a need for reporting to external stakeholders or to satisfying statutory obligations, what are we really trying to achieve by having an internal audit function? For me, the purpose of the function, including assurance activities, is to continually improve: improve our controls, improve our governance and improve our risk management, and also to improve our day-to-day activities and services to the Members of Parliament whom we support. In the end, we want to use a formalized, standard, repeatable process to provide meaningful insight and analysis of what can be adjusted or changed to create a culture of continuous improvement within the organization.
Assurance engagements undertaken at the House are typically comparisons of expected activity of controls with actual practice. While this comparison is valuable, as it enhances accountability and provides insight into gaps and areas needing improvement, it can sometimes create distrust if there is a perception of looking for wrongdoing and seemingly being focused on verification or validation. Internal audit is often met with resistance and defensiveness, rather than being viewed as a tool to enable the organization to keep pace with change.
Overcoming this resistance is difficult and that is unfortunate because a strong internal audit function can demonstrate a commitment to transparency and improvement. In fact, in dealing with change, the internal audit function is well placed to enable the organization to objectively examine its activities and ensure that it is able to offer the best services to Members of Parliament.
At the House, an assurance engagement requires mandatory reporting to senior management and the development of an action plan to address the findings of the report. Raising observations and findings through an assurance audit in our context, because there is low risk of violating outside or regulatory requirements, can sometimes be perceived as overemphasizing simple issues.
The truth is, we can often arrive at the same recommendations and achieve the same impact as an assurance engagement with an advisory engagement. In an advisory engagement we can use the same elements of analysis and standardized process without creating unnecessary stress by managing the engagement in a more collaborative manner. When mandatory reporting to senior management is taken off the table, it is possible to gain better acceptance of findings and work towards solutions for improvement. In many cases, reporting to senior management collaboratively and voluntarily, as a means to gain support for possible improvements, can be much more productive and acceptable.
Our philosophy
Within our environment and context, a better way for us to have success within internal audit is to shift focus from compliance activities and emphasize and expand the advisory role, moving from process-driven examinations to service-driven or client view perspectives. This simple shift in focus has the potential to reduce distrust and eliminate the adversarial relationship between audit staff and our clients.
In emphasizing advisory work, we rely strongly on collaboration and cooperation and this is demonstrated through several key elements. These elements are instrumental in our strategy to truly become partners with management and to provide value-added lines of defence in improving controls, risk management, governance, as well as improving our internal processes and services with the goal to increase the organization’s relevance, effectiveness, efficiency, impact and overall sustainability.
Continuous improvement
The first element that has set the audit division up for success is the recent addition of a business line devoted to the provision of a specific set of advisory activities designed to offer support in the continuous improvement of services and processes. This business line is guided by, but not limited to, the key principles of the Lean philosophy. Lean is a client-centred method that focuses on providing value-added products and services as defined by the client. The objective is to improve processes by removing non-value-added activities and reducing the flow time between a client request and the delivery of the product or service. All of this is underscored by the notion that incremental changes to a process sustained over a period of time will lead to significant improvements in performance. Lean looks at processes from beginning to end from the client’s perspective, from the time a request for a product or service comes in until the time it is delivered.
Using Lean, and other client focused improvement methods, the continuous improvement team leads operational work teams in complex business process improvement projects. The team provides a central coordination point and fulfills a facilitation role in assisting business process owners in examining and, ultimately, improving their processes.
A distinctive element of these improvement engagements is that they are driven by the process owners. Managers recognize a need for improvement in their area and solicit the support and expertise of the continuous improvement team to facilitate a process review. A significant benefit to this situation, where the client is the driver, is that our involvement is viewed as an expertise to be leveraged and the assistance is welcomed and appreciated. This service offering has been quite successful within the Administration, and there has been a growth in interest and an increase in requests.
Planning engagements that are supported
Another element that is improving our success in audit is our approach to planning and implementing formal engagements. As mentioned, the philosophy of Lean is very much to be process owner driven and respond to requests from clients who recognize a need or have a desire to streamline or improve their activities. This ensures a higher level of commitment and contributes to the success and ease of the engagements. Similarly, for Internal Audit, managers within the Administration will come forward looking for advice or guidance on challenges such as policy development, designing effective controls or simply how to ensure their processes meet requirements for a sufficient audit trail. Again, these types of client-requested projects garner an acceptance that welcomes the advice or guidance of the team.
Given that we see a shift in acceptance towards engagements based on how they are proposed, we have decided to apply this principle to defining our more formal engagements.
Traditionally, Internal Audit functions often propose projects based on an independent analysis of the environment, current activities, and risks facing the organization. This is typically done through a planning process carried out mostly within the audit function. While these processes are risk-based, and integrate information from around the organization, the emphasis can tend to be on remaining independent and free of undue influence in determining what projects would be best for the organization. But this emphasis tends to give the appearance that audit unilaterally deduces which projects are of priority. As a result audit is often met with a reluctance to participate. The process tends to create an adversarial relationship right from the outset.
To address this challenge and to reduce any defensiveness, we strive to emphasize collaboration in defining priority areas with the ultimate goal to become a trusted advisor for senior management. The most effective way to build this kind of trust is to encourage open conversations and discussions, and also to foster mutual agreement on what areas would be important to examine.
As the Chief Audit Executive, it is my role to make the connections and build trust relationships with the senior managers of the organization. To do so, I meet regularly with senior managers to better understand their service areas, their challenges, their concerns and where they would like to see improvement. By bringing experience from past engagements, and situational awareness derived from our independent perspective, we discuss what engagements could be of value and how they could assist in addressing areas of concern.
These open, honest conversations result in the pinpointing of areas of concern for senior management. They also allow me to know where there is a willingness to support a full engagement and root cause analysis. By arriving at these proposals cooperatively, the engagement sponsor is immediately onboard and significantly more supportive of the work to be undertaken.
This way of planning produces significant benefits; not only does it ease the entire process of carrying out the engagement, it also affects how the findings and results of the engagement are received and actioned. When there is support and a willingness to honestly examine the subject, there is a much higher probability of acceptance of the findings and observations, as well as a greater commitment to develop a meaningful action plan to address those findings. This planning in turn allows for adjustments and improvements to improve the services.
I genuinely think that the focus on the outcome of audit activities helps shift the perception of the function from policing to an expertise to be leveraged for support and assistance. I also think that it demonstrates that the audit team is there to work collaboratively towards a model of continually improving as one organization, which allows us to make required adjustments with a better level of confidence.
Small changes can have an impact
In addition to our efforts to build a more responsive and trusted audit function, other adjustments we have made in our processes also underscore the commitment to acting as a true partner in the success of our organization. In the delivery of audit and improvement projects we have begun to seek out and leverage more subject matter experts from within the organization. This has resulted in some important benefits. First and foremost, it helps improve the overall planning and implementation of the engagement; those who know the subject area can aid us in making more considered linkages. This, in turn, results in more meaningful findings and observations. Of similar importance is the contribution that these internal experts can make in adding credibility to the process within their service areas and with their management team.
We have also improved our reporting on audit engagements. Seldom have I heard that an internal audit report was a “page-turner.” Reports are often very carefully prepared, with lengthy prose that fully (and painfully) describes the situation (in detail) and context to provide observations (often somewhat obvious or self-explanatory) and recommendations to help address gaps seen through the examination. We have piloted and had some success within the Administration by striving to keep our reports to two pages that clearly state the scope and objective, and put the main focus on the recommendations. The recommendations are presented so as to tell a story by grouping elements into themes with a focus on the potential outcomes of the suggested improvements. The goal is to make it a more compelling report that clients can get through easily and quickly. Ultimately, we aim to make our reports digestible, relatable and meaningful, which can dramatically improve the chances of the recommendations being considered more thoughtfully.
To remain more agile and responsive, we have also adjusted our planning horizon. Historically, the audit function has developed a plan spanning a three-year horizon. What we noticed in this process was that often the out-year engagements were never realized. By focusing our efforts on building a strong, collaboratively derived one-year plan, we allow for the agility to introduce new engagements as the environment or risks change. This change also demonstrates a recognition that priorities can shift quickly and, as a function, we can adapt to meet the needs of the organization.
Finally, we have rebranded the function slightly. To break away from some of the traditional views and connotations associated with the “Internal Audit” label and to emphasize the true goal of the function and its activities, we have renamed our group to Audit and Improvement. By explicitly highlighting the goal of improving in our organizational name, we help clients associate the outcome of the activities with the role and put our focus on improvement front and centre.
The emphasis on improvement, and explicit inclusion in the audit brand, demonstrates the support audit can provide as the Administration strives to be a “learning organization.” More and more, Audit takes a lead in conducting lessons learned engagements to assist the organization in improving on project and program delivery. These types of engagements can significantly contribute to organizational learning and improve overall corporate memory, another way the audit function has been able to add value and increase its impact.
The result?
The impact of the changes that we are implementing to respond more effectively to our clients has been positive. There is appreciation of taking the time to understand the challenges for the service areas and we are seeing much better uptake of planned projects when they have been developed collaboratively. There also seems to be more willingness to undertake engagements in general. The Continuous Improvement team, for example, is being brought in at the early stages of more strategic priorities to assist managers in the development of their processes. And, it seems as if the more engagements that we are involved in and the more people learn of the benefits, the more requests roll in.
We are advancing the role of the function and having success in demonstrating the value added by Audit and Improvement services. We are becoming a true partner in working to assist the House to become the best possible Administration and to provide the best possible services to Members of Parliament. By focusing on assisting the organization in continually improving we can effectively support a modern, changing parliament and maintain a sustainable audit function that works for our organization. Our focus on collaboration and trust has improved our ability to make an impact and assist the organization in meeting its objectives without being the scary monster at the door. So, the next time that audit comes knocking, don’t be afraid, we really are here to help.