Tools for the job: Forewarned and forearmed
Delivering successful change that meets business objectives is becoming ever more challenging. The pace, volume and complexity of change projects are increasing and, in many cases, organisations are having to do more with fewer resources. It is therefore no surprise that many internal audit functions are being asked to assess organisational change risk exposure. However, when it comes to strategic business change, simply reviewing compliance with methodology and project controls, and commenting on reporting and milestones, is not enough. Why? Because stakeholders need a predictive view, on a timely basis, to allow them to anticipate risk and take action early.
Herein lies the challenge. Most internal audit functions have traditionally focused on risks, controls and compliance with methodology, all of which are good indicators of a well-run project. But extrapolating a predictive view of project outcomes from historic information is difficult at the best of times. It’s harder still when you’re expected to provide assurance (and challenge decisions) on a growing number of initiatives with a limited number of experienced resources.
Change is changing, and change assurance needs to change too. Internal audit must deliver predictive insight into initiatives to enable change leaders to have confidence that they will achieve their desired outcomes or warning to correct their course at the right time. So what do internal audit functions need to do differently to make a real impact on business outcomes?
From reactive to proactive
For too long, audit teams have had to work reactively. Often, they are involved only when change programmes approach a major milestone. In other cases, they’re called in when there’s already a problem. At this stage, they may be able to identify root causes that are affecting outcomes, but it is usually too late to drive meaningful action. (They then get shot for being the messenger.)
Internal audit functions must now focus on the overall roadmap – the clarity of objectives, the timing of assurance, how to measure value and the resources available. They have to deliver assurance that impacts business outcomes, and convince those driving the change that, done correctly, change assurance is invaluable to success. Equally, stakeholders should be asking for assurance from the outset and consider funding it from the change budget.
However, it’s not just about changing focus or perceptions (each of which is challenging enough) or delivering assurance at the right time. To impact outcomes positively, internal audit teams need access to the necessary skills (in particular, change practitioner experience), data and, vitally, to the people who are managing the strategic change initiatives.
Only when they are involved early and given access to the resources they need can internal audit functions form a balanced view about whether those initiatives are likely to succeed.
What needs to change
First, it’s important to consider the key attributes of good assurance. What best-practice activities can audit and risk functions adopt to support stakeholders, build confidence across the organisation and provide assurance about desired outcomes?
Timing, for example, is vital. It is possible to carry out complex reviews at short notice, but the required tools, plus a blend of project delivery and internal audit experience, are essential. If you get this right, stakeholders are more likely to engage and respond to recommendations before it’s too late. This forward-looking approach empowers managers to anticipate problems and consider trade-off decisions proactively.
For example, we have been developing an approach that combines practitioner experience with a bank of objective data, enabling us to understand the various factors that impact the success of change projects. Incorporating such an approach from the start enables you to carry out reviews without long periods of gathering evidence, so reducing disruption. Assurance professionals can then deliver actionable recommendations and data-driven benchmarks that are easily understood across the organisation.
How it works in practice
One of our projects involved senior executives in a multi-billion-dollar revenue financial group who wanted to assess the risks of implementing a new cloud finance platform just weeks before it was supposed to go live. Given the extremely tight schedule, we needed to be flexible and to manage expectations from the start.
Working with the client, we focused on the factors that could still be influenced, while recognising teams’ commitments and availability and ensuring that everyone understood the limitations of the review. We focused on reviewing areas that could directly impact outcomes, using experienced practitioners to support the interviews (as opposed to testing compliance with processes).
Combining insights from the past experience of practitioners with data to demonstrate what good looked like enabled us to have real-time conversations about risk exposure and possible actions. In just ten days, with minimal disruption to the delivery teams, we held short, interview-style sessions with subject matter experts to discuss each topic. We reviewed key documents and delivered insights using data to visualise risk exposure and understand potential consequences. This identified the risk areas (and opportunities to mitigate these risks) as well as highlighting areas that were going well.
Another project involved an internal audit team in a financial services client, which was asked by the audit committee to provide support and assurance for a portfolio of transformation initiatives worth around £100m per year.
To enable the team to provide an opinion on the risk to achieving strategic outcomes, we designed an audit approach that considered risk from an initiative, portfolio and overall organisation perspective. This was based on the health and performance of programmes, using data to provide a rapid, objective, baseline position. It highlighted exposure and areas that required deep dives into initiatives or thematic risk areas, such as benefits management.
Follow-up reviews helped internal auditors to understand whether the actions taken had achieved the desired results. This increased their understanding of the risk exposure of areas that had been highlighted in the reviews, or triggered by stakeholder concerns and events in the lifecycle of the initiative.
Considering risks at the initiative, portfolio and organisation levels created a bigger picture of organisational transformation and led to recommendations for actions that executives could take to improve the conditions that would increase the chances of success.
Key steps
It’s not easy to change the mindset in organisations, particularly where there are established delivery methods and many things happening at once. However, an outcome-focused approach will increase senior leaders’ confidence in the assurance they receive from internal audit.
Areas to consider:
• Move from thinking about process compliance to initiative health and organisational exposure. Are there thematic challenges across the organisation?
• Use data to benchmark what good looks like and to create a shared understanding of where you are and what needs to be done.
• Demonstrate that assurance isn’t something that’s done when a project is in trouble. Integrate assurance into project plans and schedule reviews early and at key decision points to allow recommendations that will positively affect outcomes.
• Share observations iteratively throughout the process to allow ongoing adjustments and early actions if necessary.
• Provide guidance on what good looks like and enable continuous assessment of how the baseline position changes over time.
• Give management the ability to understand how and when to make trade-off decisions (eg, about scope, outcome, cost, stakeholder satisfaction, etc).
Proteus is a consultancy that supports organisations to deliver large-scale transformation and change programmes.
This article was published in March 2023.