Don’t sweat the small stuff!
Are you spending most of your time, 80%, 90%, or more, on risks and issues that are not significant to the success of the organization?
I like to quote Drew Stein, a retired CEO and board member in New Zealand. He said:
Almost all of IA findings are mundane operational compliance issues.
The same criticism can be levied at many risk officers.
We should all spend as much time as possible on the risks and issues where there’s at least a reasonable possibility of something happening that would derail our strategies, seriously impacting the likelihood of achieving enterprise objectives.
We should spend as little time as possible on everything else.
We could call this Lean Risk Management and Lean Internal Auditing: eliminating the muda (wasted time and effort that adds no real value to our customers). Wikipedia tells us:
Muda (無駄, on’yomi reading, ateji) is a Japanese word meaning “futility”, “uselessness”, or “wastefulness”,[1] and is a key concept in lean process thinking such as in the Toyota Production System (TPS)
These days, top executives and boards have a great deal to worry about, including:
- Their reliance on the banking system and the availability of funds
- A potential recession
- The availability of the skilled (and unskilled) workforce they need
- Labor, energy, and material costs
- Potential weather effects on their business
- The ability of the organization to react to change with agility
Are practitioners worrying about these issues and how they can help? Are do they continue to audit payroll and look for duplicate payments?
Are we providing valuable assurance, advice, and insight on the controls over cash flow, investment of funds, the use of technology to reduce reliance on scarce labor, etc.?
This is why I have been talking about [enterprise] risk-based auditing for a long time and providing related guidance in Auditing that Matters, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan, and Is your internal audit world-class? A maturity model for internal audit.
We have limited time and resources and need to make every second and every penny count.
We should examine everything we do and ask,
Is it really necessary? Or can we eliminate (or reduce it) without impacting the value we provide to our customers?
Are we auditing controls that, should they fail, would not represent a source of risk that would worry the CEO and the board? If not, why are they on the audit plan and in the scope of our engagements?
Are we talking to management about risks that might matter to a department head, but not to the achievement of corporate strategies?
This is probably the major reason I find fault with the draft update of the IIA’s Standards. They are supposed to be guidance for the “professional practice of internal auditing”. To me that implies they are guidance for effective and efficient internal auditing that delivers the value our customers need.
What can be eliminated from the IIA’s draft guidance without adversely affecting the value internal audit provides to the board and top management?
What can you eliminate from your:
- Audit plan
- Engagement scope
- Workpapers
- Audit report
- Quality assurance activities
… that wouldn’t reduce the value you deliver?
Maybe eliminating or minimizing muda here and elsewhere would free your team up to address areas of real significance and deliver more value!
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
A 2015 study by CEB (now part of Gartner) “How to live with Risks,” July-August 2015, suggested up to 96% of audit time was spent on non- value adding activities. I believe it’s true today. As a CAE years ago, I was guilty. The message is that it’s essential to “value rate” the business. Risk rate the the “things that matter”; the business activities that create value and those that deliver that value. Audit can’t add value unless it knows and goes where the value is.
With every post of yours i read I am getting more and more convinced … shifting my mindset more and more away from the low/any value-activity i had thought was Internal Auditing and towards what it is/should be, ‘a strategic’ high-value activity mattering to what matters, success at the organisational objectives, focused on what could make the difference between success and failure.
With every post of yours i read I am getting more and more convinced … shifting my mindset more and more away from the low/any value-activity i had thought was Internal Auditing and towards what it is/should be, ‘a strategic’ high-value activity mattering to what matters, success at the organisational objectives, focused on what could make the difference between success and failure.
You have made my day!
But the big issue is convincing the Board that’s where IA should be. It’s safer for them for IA to be amongst the weeds – far less challenging. Maybe a subject for a future article?
Actually, the board is better off when IA is addressing the big issues. Some members of management may feel threatened, though.
Norman, I guess Fenlandm is thinking of the cases of a weak board intimidated/dominated by the CEO ?
Isn’t that a common situation, in the real world, where instead of the Board effectively holding the power … as the party appointed by shareholders to hire/fire/control Management … it is the charismatic aggressive CEO who effectively dictates passive submissive rubber-stamping Board members to the shareholders …
Yes, that certainly is the case – that the board is unwilling or unable to challenge the CEO until the company is failing
I know it’s an extremely difficult – infinitely ‘variable’ and obviously super-sensitive/risky situation – subject to give advice on, but maybe you could consider an article, if you think, despite the extreme difficulty (uniqueness of each scenario etc), it could be usefully discussed in the context of the kind of ‘strategic’ IAg we want.
No pressure; I am myself highly doubtful if it’s an area worth venturing at this point, given the attendant sensitivity/risk.
Norman thanks for this great value adding post! I totally agree with what you say. However, I wonder your point of view regarding the responsibility of the boards and top managements in terms of internal audit teams approach. As an internal audit professional, I see that most of the boards are not asking those you mentioned and makes internal audit teams stuck on individual financial transactions. Even more than that, I believe most of the boards and top management believes that internal audit is just there to audit their financial statements. How should IA react to boards and top management like that? What are your suggestions to improve this? Thank you!
Thanks for the question.
I would recognize the board’s and top management’s priorities, but also ask them what they worry about when it comes to the performance of the business. They may not be sure how we can help, so I would show them. Once they see how ew add value, they will (in my experience) encourage and support it.