LEAN & AGILE AUDITING · 2020. 10. 26. · Webinar: Chartered Institute of Internal Auditors James...

www.RiskAI.co.uk

Webinar: Chartered Institute of Internal Auditors

James C Paterson, Risk & Assurance Insights Ltd

LEAN & AGILE AUDITING

26th October 2020

This is a one-hour, very brief taster of the 1 day webinar and an even briefer taster of the 2-day face to face course.



These slides have been developed for the exclusive use of those attending the IIA UK Lean/agile auditing webinar on 26/10/20, by James Paterson, Risk & Assurance Insights Ltd.

This presentation has been prepared solely for educational and illustrative purposes.

Whilst every effort has been made to ensure the factual accuracy of the content herein, no representation or warranty is given as to its accuracy.

All materials copyright RiskAI unless stated otherwise.

This presentation should not be relied upon as the basis for making any investment or other decision and it is not claimed that any of the content or views contained herein, whether expressly made or implied, represents the views of management.

The slides should not be reproduced, or circulated by e-mail, or put into shared folders to be seen by others, without permission:

E-mail: [email protected]

LinkedIn: https://www.linkedin.com/in/james-paterson-2749b612/


James C Paterson

Head of Group Financial Reporting

Head of Global Leadership Development programmes

CAE AstraZeneca PLC

Consulting, Coaching etc. since 2010


YOUTUBE – free materials: https://www.youtube.com/watch?v=kJj9e3nCYOE

Open programmes IIA Albania, IIA Belgium, IIA Bulgaria, IIA Estonia, IIA Finland, IIA France, IIA Latvia, IIA Lithuania, IIA Netherlands, IIA Norway, IIA Spain, IIA Sweden, IIA Switzerland, IIA UK

Webinars Lean/Agile, Audit planning, Culture, Assurance Mapping, Root Cause analysis, Political savvy, HIA Induction


Overview and some basics

Context

Lean/agile – what’s the same, what’s different

Application to IA:
- Customer and value
- Assignment scoping, assignment delivery
- Reporting

Implications for IA methodology

Back to the IIA standards

Internal Audit evolution

1941 – NYC

2013 UK FS

2017 IPPF

2020 UK

Relatively young profession. Good practice still developing.

Sometimes there is a legacy from external auditing > not always helpful to IA


IIA IPPF 2017

IA Mission: IA should .. align with the strategies, objectives, and risks of the organization, and be insightful, proactive, and future-focused.

2000: IA must ensure it adds value to the organization

2010: Establish a risk-based plan to determine the priorities of IA, based on a documented risk assessment

2040: Establish policies and procedures to guide IA activity

2050: Co-ordination and reliance (Assurance Maps). Co-ordinate activities and share information with other assurance providers, … and determine a consistent process for the basis of reliance on others

Insight

- Don’t just tell people what they already know
- Don’t just recite the rule-book
- Understanding root causes beyond the generic
- Connecting findings to something that could really matter
- Offering practical tools and templates to move things forward (e.g. what’s working elsewhere)

Have you agreed what insight means as an IA team?

Need to watch lean/agile does not cause problems vs. IIA standards


Lean evolution / Core principles

Production Line Manufacturing

Quality

TPS 1930s Cars

Lean Other sectors – e.g. Pharma

Lean Other functions

Lean 6 sigma

Lean: Enhancing or preserving value, with the minimum waste

Value – any action/process an external customer would be willing to pay for

The most dangerous waste is the waste we do not recognize

~ Shigeo Shingo


“The customer is paramount and must play the key role in determining what we produce / deliver”

Value

Value stream

Flow

Pull

Perfection (process)

Kano
- Satisfiers
- Dissatisfiers
- Delighters

Voice of the Customer / Core principles

If it doesn’t flow, it isn’t lean

Just in time

Right first time


Lean – a family of techniques, but not 6 sigma

Lean (Speed / Value):
- Focus on customer
- Removes waste
- Removes non value added activities
- Fixes connections between process steps
- Increases speed

6 sigma (Accuracy / error):
- Focus on customer
- Standard products; reduce variation
- Reduces variation in remaining steps
- Optimizes remaining process steps
- Improves quality

Lean is not simply six sigma

Lean has created many powerful techniques

Technique: Illustration of benefits
- Heijunka: Smoothing flow of work
- Poka yoke: Preventing errors from happening
- Jidoka: Rapid identification of errors
- Just in time: Avoiding work that is left “hanging”
- Kanban: Scheduling flow of work / sharing progress
- Kaizen: Improvement mindset / Importance of discipline
- 5 whys / Fishbone: Root cause analysis techniques
- Takt time: Paying attention to the pace of working

Lean Six sigma techniques
- 5S
- DMAIC
- FMEA (car production)


Agile evolution / Core principles

1974 ADS

1990s Scrum Nonaka & Takeuchi

2001 Agile manifesto

Agile software development – high level principles
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change vs. following a plan

Agile – Adopt an iterative approach
- Sprint 1: Code, Test, Accept, Launch > User stories
- Sprint 2: Code, Test, Accept, Launch > User stories
- Sprint 3: Code, Test, Accept, Launch > User stories ..

Scrums and sprints drive pace – minimum viable product

Backlogs to prioritise work – standups – Kanban boards (ex lean)

Various ceremonies – plan, meet, review, retrospective

Greenhouses – sharing Scrum masters to facilitate change

2016 Agile Audit

Rick A. Wright Jr. “Agile Auditing”


Lean/agile impact on internal audit ways of working

- Customer and customer value are prime at all times
- Timing / Timeliness / Speed
- Communication at all times

“Be prepared to pilot things you haven’t done before”

Lean/agile as tools to do progressive internal auditing – not as an end in themselves

Integrate lean/agile alongside IIA standards & regulatory requirements

- Transparency of progress / process / expectations / decision making
- Clear roles and accountabilities
- Waste elimination mindset
- Value / effort trade offs all the time
- Re-evaluate work to be done based on what is emerging; pragmatism / flexibility where possible
- New ways of working – try it out, experiment, don’t debate; let customers tell you whether it’s helping or not


Does your IA team have a shared view on who are the prime customers?

Internal Audit

Board Exec

Senior Managers

Staff audited

Managers audited

Manager
- Sometimes key in Agile
- NOT always as important from a lean perspective

Customer will affect what is in/out of scope / time allocation / materiality


Senior Management

Audit Committee

Line Management

Stakeholder views of VA/NVA

Assurance on areas of interest

Support on major projects

Help with local issues of concern

Delivery of plan as stated

Identify savings


You shouldn’t have missed anything

Auditing areas of concern

Passing on messages to senior management

Limit advisory work

Cost of remediation must be within budget

IA as a free resource

Don’t disturb the operations

Limited assurance work

“We should never lose sight of the fact that we do not define value. It's our stakeholders who define what value is. You must start with the stakeholders as you work through this process”

Richard Chambers (President & CEO of the IIA)

Credit for positive areas

No bad ratings


IA

Board Exec

Senior Managers

Staff audited

Managers audited

When different customers want different things ..

Customers Regulators Stakeholders

Use lean mindset (external customer focus) to inject some independence and objectivity into the IA work

Would those external customers want me to do this assignment with this much resource?

What is the value add from:
- Auditing known issues?
- Auditing suspected issues?
- Follow-up assignments?


IA plan flows to assignments: “Never do an assignment just because it’s on the plan”

Name | Exam question | Depth/breadth | Resource | PRIORITY | Delivery date | Sponsor
Process X | Continuity | AUDIT – Focus on 3rd party workings | 30 days | P2 | Q2 |
Compliance | GDPR | AUDIT – Especially departments A & B | 40 days | P1 | Q2 |
Project A | Benefits realization on track | REVIEW – Within $1m | 20 days | P1 | Q2 |
Project B | New process design | REVIEW (DESIGN) – Including RACI | 20 days | P1 | Q2 |
Financial | Anti-fraud | REVIEW – Including roles between Procurement and Finance | 20 days | P2 | Q3 |
Project C | UAT | REVIEW – QC of testing | 20 days | P2 | Q3 |

- Assignments typically planned to be shorter than in the past (days and elapsed time)
- Scope tighter and depth/breadth crystal clear: advisory, design review, health-check, audit, investigation
- Assignments managed as projects – to the final agreed report and actions, book time in diary (team and customers)
- Fewer assignments over budget – days and elapsed time
- More likely to stop when the exam question has been answered


Lean/agile and the IIA standards


2200: Develop and document an engagement plan for each assignment ..

2210: Establish objectives (and criteria) for each assignment

2240: Develop and document work programmes sufficient to achieve the engagement objectives.. It must be approved prior to implementation and adjustments approved promptly

“I think part of our problem as a profession is that sometimes we have a tendency to over-audit. Sometimes we do things in the audit process to validate things that aren't really going to be important”.
Richard Chambers (President & CEO, IIA)

“Do enough work and gather enough information and interpret and analyze that information to form a view. That's often translated into a whole load of advice about how many records you need to look at and how many tests you need to do to substantiate everything, when, in point of fact, when we are focusing on risk and adding value it should be different from that. It’s wrong to stick to sample requirements in a rigid way”
Chris Baker (former Technical Manager, UK CIIA)

2330: Auditors must document sufficient reliable and useful information to support assignment results

2420: Communications must be accurate, objective, clear, concise, constructive, complete and timely

2500: Establish and maintain a system to monitor the disposition of results ..

2600: Communicate the acceptance of risks

Don’t lose sight of the IIA standards – read them carefully and interpret them pragmatically. Integrate what you are doing in your methodology


Internal Audit Assignment Methodology (illustration)

Planning the assignment

Assignment scope & plan

Further work / testing

Determining root cause

Closing Meeting & Draft report

Final Report & follow-up

Customer Survey

Learning Review & Personal Feedback

Assignment Planning Fieldwork Reporting Feedback & Monitoring Review Phase

Process

Continuous Communication (accurate, objective, clear, concise, constructive, complete & timely)

Classic IA steps

Document & system reviews

QA

Remediation Improvement action plan


Planning Fieldwork Reporting & Action Plan Feedback & Quality Improvement

Lean and agile steps (sample) Planning Fieldwork

- Value / cost / time clarity
- Clear exam questions
- Reasonable assurance
- Direct Access
- Liaison contact
- Expected turn-around times
- Milestones
- Known issues and actions
- Clarify criteria / Risk appetite
- Track behaviours of all
- Stand ups / pit stops (QC)
- Never forget design before operation
- Hypothesis
- Share expected controls
- Analytics / Testing as a range
- Know when to stop

Reporting & Action Plan Feedback & Quality Improvement

In the lean/agile webinars we work in more detail on key changes to make to the methodology and benchmark what others have done


Old Mindset for RCA

Do Audit / Do RCA

New Mindset for RCA

Do RCA as part of the Audit

Root cause analysis, insight, reporting

Aim for: “Every Finding Only Once”

Symptoms Causes Key actions

Link to impact and cost benefit

No actions on minions

Senior managers only ..

Always more than one root cause Prevention Detection - as a minimum


RCA – need to go beyond 5 whys – see RCA course ..


Consequences: Killer facts etc.

Apparently no overdue complaints But this is the complaints filing cabinet

Information Security This was one desk

Regulatory fines

(e.g. UK FCA)

Different levels of consequences .. (illustration)

e.g. Purchases not tendered amounting to $3m

Project benefits of $5m not yet committed

If this error rate applied to past 12 months $5m

If cost out-turn is 5% in all areas this would amount to $10m overspend

If this process applied across all departments $2.5m

If all projects under delivered by 2% this would amount to $20m

Recent fine of $20m

Additional regulatory interest / visits amounting to Consent decree (e.g. … privacy arrangements and monitor)

Increase in customer complaints – loss in net promoter rankings

Recent fines of $Fm and $Gm

Collapse of …

Newspaper stories about ..

Senior Executive fined $H000 / Loss of FCA approval in SMR

Sensible extrapolation

Ask at the start of the assignment – if we found X would you care?

You can use this technique to focus testing

Newspaper stories


Reporting innovations

Process Visualisation

Audit Heat map

- Try things out
- Get feedback
- Try again

Project Assurance map

Project dashboard


Also: Flash reports, Urgent Issues up-dates, Newsletters


See this as a journey …

Team awareness, Champions, Exam question/scoping, Methodology quick fixes, Pilots / quick wins e.g. reporting, Follow-up process

Team disciplines, Seeing waste on an ongoing basis, Controls library, Methodology up-grade, Better templates/tools

Stronger RCA, Thematic analysis, Working hypothesis, Risk Assurance planning, Measuring value, Learning culture, Methodology development, Team leadership/impact/political savvy

J C Paterson: Training with IIA UK:
- Audit planning
- Lean/agile auditing
- Assurance mapping
- Root cause analysis
- Influencing and political savvy

Let’s innovate in IA without forgetting our standards


Let’s address IIA standards questions as we operate in new ways .. Too often new ways of working ignore this!
