LEAN & AGILE AUDITING · 2020. 10. 26. · Webinar: Chartered Institute of Internal Auditors James...
www.RiskAI.co.uk
Webinar: Chartered Institute of Internal Auditors
James C Paterson,
Risk & Assurance Insights Ltd
LEAN & AGILE AUDITING
26th October 2020
This is a one-hour, very brief taster of the 1-day webinar and an even briefer taster of the 2-day face-to-face course.
These slides have been developed for the exclusive use of those attending the IIA UK Lean/agile auditing webinar on 26/10/20, by James Paterson, Risk & Assurance Insights Ltd.
This presentation has been prepared solely for educational and illustrative purposes.
Whilst every effort has been made to ensure the factual accuracy of the content herein, no representation or warranty is given as to its accuracy.
All materials copyright RiskAI unless stated otherwise.
This presentation should not be relied upon as the basis for making any investment or other decision and it is not claimed that any of the content or views contained herein, whether expressly made or implied, represents the views of management.
The slides should not be reproduced, or circulated by e-mail, or put into shared folders to be seen by others, without permission:
E-mail: [email protected]
LinkedIn: https://www.linkedin.com/in/james-paterson-2749b612/
James C Paterson: Head of Group Financial Reporting; Head of Global Leadership Development programmes; CAE, AstraZeneca PLC; Consulting, Coaching etc. since 2010
YOUTUBE – free materials: https://www.youtube.com/watch?v=kJj9e3nCYOE
Open programmes IIA Albania, IIA Belgium, IIA Bulgaria, IIA Estonia, IIA Finland, IIA France, IIA Latvia, IIA Lithuania, IIA Netherlands, IIA Norway, IIA Spain, IIA Sweden, IIA Switzerland, IIA UK
Webinars Lean/Agile, Audit planning, Culture, Assurance Mapping, Root Cause analysis, Political savvy, HIA Induction
Overview and some basics
Context
Lean/agile – what’s the same, what’s different
Application to IA:
- Customer and value
- Assignment scoping, assignment delivery
- Reporting
Implications for IA methodology
Back to the IIA standards
Internal Audit evolution
Relatively young profession. Good practice still developing.
Sometimes there is a legacy from external auditing > not always helpful to IA.
Timeline: 1941 – NYC; 2013 – UK FS; 2017 – IPPF; 2020 – UK
IIA IPPF 2017 – IA Mission: IA should .. align with the strategies, objectives, and risks of the organization, and be insightful, proactive, and future-focused.
2000: IA must ensure it adds value to the organization
2010: Establish a risk-based plan to determine the priorities of IA, based on a documented risk assessment
2040: Establish policies and procedures to guide IA activity
2050: Co-ordination and reliance (Assurance Maps) – Co-ordinate activities and share information with other assurance providers, … and determine a consistent process for the basis of reliance on others
Insight
- Don’t just tell people what they already know
- Don’t just recite the rule-book
- Understand root causes beyond the generic
- Connect findings to something that could really matter
- Offer practical tools and templates to move things forward (e.g. what’s working elsewhere)
Have you agreed what insight means as an IA team?
Need to watch lean/agile does not cause problems vs. IIA standards
Lean evolution / Core principles
Production Line Manufacturing
Quality
TPS 1930s – Cars
Lean Other sectors – e.g. Pharma
Lean Other functions
Lean 6 sigma
Lean – Enhancing or preserving value, with the minimum waste
Value – any action/process an external customer would be willing to pay for
The most dangerous waste is the waste we do not recognize
~ Shigeo Shingo
“The customer is paramount and must play the key role in determining what we produce / deliver”
Value
Value stream
Flow
Pull
Perfection (process)
Kano: Satisfiers, Dissatisfiers, Delighters
Voice of the Customer / Core principles
If it doesn’t flow, it isn’t lean
Just in time
Right first time
Lean – a family of techniques, but not 6 sigma
Lean (Speed / Value):
- Focus on customer
- Removes waste
- Removes non value added activities
- Fixes connections between process steps
- Increases speed
6 sigma (Accuracy / error):
- Focus on customer
- Standard products
- Reduce variation
- Reduces variation in remaining steps
- Optimizes remaining process steps
- Improves quality
Lean is not simply six sigma
Technique Illustration of benefits
Heijunka Smoothing flow of work
Poka yoke Preventing errors from happening
Jidoka Rapid identification of errors
Just in time Avoiding work that is left “hanging”
Kanban Scheduling flow of work / sharing progress
Kaizen Improvement mindset / Importance of discipline
5 whys / Fishbone Root cause analysis techniques
Takt time Paying attention to the pace of working
Lean has created many powerful techniques
Lean Six sigma techniques: 5S, DMAIC, FMEA (car production)
Agile evolution / Core principles
1974 – ADS
1990s – Scrum (Nonaka & Takeuchi)
2001 – Agile manifesto
Agile software development – high level principles:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change vs. following a plan
Agile – Adopt an iterative approach: Code, Test, Accept, Launch > User stories, repeated across Sprint 1, Sprint 2, Sprint 3 ..
Scrums and sprints drive pace – minimum viable product
Backlogs to prioritise work – standups – Kanban boards (ex lean)
Various ceremonies – plan, meet, review, retrospective
Greenhouses – sharing; Scrum masters to facilitate change
2016 – Agile Audit: Rick A. Wright Jr., “Agile Auditing”
Lean/agile impact on internal audit ways of working
- Customer and customer value are prime at all times
- Timing / Timeliness / Speed
- Communication at all times
“Be prepared to pilot things you haven’t done before”
Lean/agile as tools to do progressive internal auditing – not as an end in themselves
Integrate lean/agile alongside IIA standards & regulatory requirements
- Transparency of progress / process / expectations / decision making
- Clear roles and accountabilities
- Waste elimination mindset
- Value / effort trade-offs all the time
- Re-evaluate work to be done based on what is emerging; pragmatism / flexibility where possible
- New ways of working – try it out, experiment, don’t debate; let customers tell you whether it’s helping or not
Does your IA team have a shared view on who are the prime customers?
Internal Audit
Board Exec
Senior Managers
Staff audited
Managers audited
Manager:
- Sometimes key in Agile
- NOT always as important from a lean perspective
Customer will affect what is in/out of scope / time allocation / materiality
Senior Management
Audit Committee
Line Management
Stakeholder views of VA/NVA
Assurance on areas of interest
Support on major projects
Help with local issues of concern
Delivery of plan as stated
Identify savings
You shouldn’t have missed anything
Auditing areas of concern
Passing on messages to senior management
Limit advisory work
Cost of remediation must be within budget
IA as a free resource
Don’t disturb the operations
Limited assurance work
“We should never lose sight of the fact that we do not define value. It's our stakeholders who define what value is. You must start with the stakeholders as you work through this process.”
Richard Chambers (President & CEO of the IIA)
Credit for positive areas
No bad ratings
IA
Board Exec
Senior Managers
Staff audited
Managers audited
When different customers want different things ..
Customers Regulators Stakeholders
Use lean mindset (external customer focus) to inject some independence and objectivity into the IA work.
Would those external customers want me to do this assignment with this much resource?
What is the value add from:
- Auditing known issues?
- Auditing suspected issues?
- Follow-up assignments?
IA plan flows to assignments: “Never do an assignment just because it’s on the plan”
Name | Exam question | Depth/breadth | Resource | PRIORITY | Delivery date | Sponsor
Process X | Continuity | AUDIT – Focus on 3rd party workings | 30 days | P2 | Q2 |
Compliance | GDPR | AUDIT – Especially departments A & B | 40 days | P1 | Q2 |
Project A | Benefits realization on track | REVIEW – Within $1m | 20 days | P1 | Q2 |
Project B | New process design | REVIEW (DESIGN) – Including RACI | 20 days | P1 | Q2 |
Financial | Anti-fraud | REVIEW – Including roles between Procurement and Finance | 20 days | P2 | Q3 |
Project C | UAT | REVIEW – QC of testing | 20 days | P2 | Q3 |
- Assignments typically planned to be shorter than in the past (days and elapsed time)
- Scope tighter and depth/breadth crystal clear: advisory, design review, health-check, audit, investigation
- Assignments managed as projects – to the final agreed report and actions, book time in diary (team and customers)
- Fewer assignments over budget – days and elapsed time
- More likely to stop when the exam question has been answered
Lean/agile and the IIA standards
2200: Develop and document an engagement plan for each assignment ..
2210: Establish objectives (and criteria) for each assignment
2240: Develop and document work programmes sufficient to achieve the engagement objectives .. It must be approved prior to implementation and adjustments approved promptly
“I think part of our problem as a profession is that sometimes we have a tendency to over-audit. Sometimes we do things in the audit process to validate things that aren't really going to be important.” Richard Chambers (President & CEO, IIA)
“Do enough work and gather enough information and interpret and analyze that information to form a view. That's often translated into a whole load of advice about how many records you need to look at and how many tests you need to do to substantiate everything, when, in point of fact, when we are focusing on risk and adding value it should be different from that. It’s wrong to stick to sample requirements in a rigid way.” Chris Baker (former Technical Manager, UK CIIA)
2330: Auditors must document sufficient reliable and useful information to support assignment results
2420: Communications must be accurate, objective, clear, concise, constructive, complete and timely
2500: Establish and maintain a system to monitor the disposition of results ..
2600: Communicate the acceptance of risks
Don’t lose sight of the IIA standards – read them carefully and interpret them pragmatically; integrate what you are doing into your methodology.
Internal Audit Assignment Methodology (illustration)
Planning the assignment
Assignment scope & plan
Further work / testing
Determining root cause
Closing Meeting & Draft report
Final Report & follow-up
Customer Survey
Learning Review & Personal Feedback
Phases: Assignment Planning, Fieldwork, Reporting, Feedback & Monitoring, Review
Process
Continuous Communication (accurate, objective, clear, concise, constructive, complete & timely)
Classic IA steps
Document & system reviews
QA
Remediation Improvement action plan
Planning Fieldwork Reporting & Action Plan Feedback & Quality Improvement
Lean and agile steps (sample) Planning Fieldwork
Value / cost / time clarity; Clear exam questions; Reasonable assurance
Direct access; Liaison contact; Expected turn-around times
Milestones; Known issues and actions; Clarify criteria / risk appetite
Track behaviours of all; Stand ups / pit stops (QC); Never forget design before operation
Hypothesis; Share expected controls
Analytics / Testing as a range; Know when to stop
Reporting & Action Plan Feedback & Quality Improvement
In the lean/agile webinars we work in more detail on key changes to make to the methodology and benchmark what others have done
Old mindset for RCA: Do Audit, then Do RCA
New mindset for RCA: Do RCA as part of the Audit
Root cause analysis, insight, reporting
Aim for: “Every Finding Only Once”
Symptoms Causes Key actions
Link to impact and cost benefit
No actions on minions
Senior managers only ..
Always more than one root cause: Prevention and Detection – as a minimum
RCA – need to go beyond 5 whys – see RCA course ..
Consequences: Killer facts etc.
Apparently no overdue complaints – but this is the complaints filing cabinet
Information Security – this was one desk
Regulatory fines
(e.g. UK FCA)
Different levels of consequences .. (illustration)
e.g. Purchases not tendered amounting to $3m
Project benefits of $5m not yet committed
If this error rate applied to past 12 months: $5m
If cost out-turn is 5% in all areas this would amount to $10m overspend
If this process applied across all departments: $2.5m
If all projects under-delivered by 2% this would amount to $20m
Recent fine of $20m
Additional regulatory interest / visits amounting to
Consent decree (e.g. … privacy arrangements and monitor)
Increase in customer complaints – loss in net promoter rankings
Recent fines of $Fm and $Gm
Collapse of …
Newspaper stories about ..
Senior Executive fined $H000 / Loss of FCA approval in SMR
Sensible extrapolation
Ask at the start of the assignment – if we found X would you care?
You can use this technique to focus testing
Newspaper stories
Reporting innovations Process Visualisation
Audit Heat map
- Try things out
- Get feedback
- Try again
Project Assurance map
Project dashboard
Also: Flash reports, Urgent Issues up-dates, Newsletters
See this as a journey …
Team awareness; Champions; Exam question / scoping; Methodology quick fixes; Pilots / quick wins, e.g. reporting; Follow-up process
Team disciplines; Seeing waste on an ongoing basis; Controls library; Methodology up-grade; Better templates / tools
Stronger RCA; Thematic analysis; Working hypothesis; Risk Assurance planning; Measuring value; Learning culture; Methodology development; Team leadership / impact / political savvy
J C Paterson: Training with IIA UK:
- Audit planning
- Lean/agile auditing
- Assurance mapping
- Root cause analysis
- Influencing and political savvy
Let’s innovate in IA without forgetting our standards
Let’s address IIA standards questions as we operate in new ways .. Too often new ways of working ignore this!