Training insights: Focus on the fundamentals

It’s easy to take the basics for granted, but sometimes focusing on the fundamentals can save time and effort later and may throw up unexpected benefits. This is certainly the case with work programmes, which are so ubiquitous that they become part of the furniture of audit work – built up over time, used daily, but rarely questioned.

However, warns James Paterson, who leads the Chartered IIA’s new course on The basics that matter, this is a mistake. Old-fashioned work programmes may undermine internal audit’s efforts to become more lean and agile, to focus on the issues that matter most and to provide faster, more responsive and insightful reports, says Paterson. 

This is why the course is aimed at heads of audit and those experienced in developing, reviewing and using work programmes. It aims to give experienced audit managers time and space to look at the way they write and use programmes and explore whether they could structure and articulate these more effectively and efficiently.

“Internal auditors are acclimatised to the culture of the organisation and the team they work in, but the downside is that they can take the work programme for granted and not question the basics,” Paterson says.

Over time, work programmes tend to accumulate more detail, which ultimately wastes effort and may lead to unintended consequences. “It’s tempting to include everything for fear of missing something, but this can lead to each work programme taking far too long to complete and make it hard to see the wood for the trees,” explains Paterson. “You need to find the optimum balance between sufficient detail and the ability to prioritise effectively and focus on what really needs to be done.”

This is, then, a practical workshop, aimed at helping experienced internal audit managers to think about the details and to benchmark what they do against best practice, using real examples to help them to refresh and streamline their work programmes. “Many people think their work programmes are good enough, but in fact they often haven’t taken a step back and looked at alternative ways of structuring what they are doing, so that, for example, it is clear what controls are really the most critical and should be done first in a lean and agile sprint.”

Paterson points to the example of a team that had 30 high priority areas to be tested. He urges attendees to break these down into blocks of ten. “The smarter you are about what is really key, the more likely you are to spot critical issues early on and then you can focus on these, rather than wasting time testing things and documenting information that isn’t critical,” he points out.

Another detail that is often overlooked is the way in which risk and control areas are described, yet these descriptions influence the way in which they are tested. “To start with, it can be easy to take for granted the way things are designed so that risks are managed within an agreed risk appetite,” Paterson explains. “Work programmes should always start with ensuring policies, processes and systems are well designed, before you move on to their operational effectiveness. Looking at design can sometimes highlight over-control in one area and under-control in another, and highlight root causes for symptoms that may be seen elsewhere.”

To benchmark where you are, consider how many work programmes your audit team has created and how these are built on over time, Paterson suggests. “If you find you regularly develop work programmes from scratch and/or you have hundreds (even thousands) of controls, you will benefit from this course.”

Every head of audit would find it useful to think about this challenge at the level of control objectives, as opposed to detailed controls, and whether these are set at the right level to make a library of controls that is multi-purpose and able to cope with varied situations, he advises.

Now is a useful time to do this, since the pandemic has prompted significant change and introduced a host of new risks in all sectors. Internal audit teams should be looking to do their work faster, more efficiently and more flexibly, however this in itself creates risks.

“The pressure to speed up can, paradoxically, mean that you miss basics that undermine what you’re trying to do,” Paterson warns. “It’s too easy to focus on completing the programme, rather than on what is most critical and the causal factors behind this. If you re-examine your work programmes, you will think more deeply about what you want to achieve, clarify your priorities and work in more structured sprints.”

He has seen demand for support in this area grow over the past few years: “Internal audit teams want to implement lean and agile ways of working without compromising quality, and to offer more insights through root cause analysis. This often means revisiting the way work programmes are written, since they were constructed with a more traditional mindset.” This course draws on these experiences and requests.

Paterson refers to the work programmes as the practical “guide rails” that give internal auditors the structure they need to complete their work more efficiently and effectively, including getting to the heart of causal factors.

“Better work programmes help you to understand causal factors as you work through the audit process. It’s more efficient to gather this evidence as you do the audit, it supports lean and agile ways of working and it helps you to write shorter, more insightful reports,” he says.

He wants attendees to bring existing work programmes to the workshop so attendees can compare practices. “There are huge opportunities ahead, but it’s important to look critically at the details of how we work, so we move forward on firm foundations,” he adds. 

This is one in a range of Chartered IIA courses for internal audit leaders.

This article was first published in January 2022.