Training insights: Reassess, reform, reposition
Reaching the top levels in an audit team never means you know all there is to know about internal auditing – it usually opens up wider issues and questions just when it’s harder to find the support you need. At times of rapid change and disruption, this can be even more of a problem. New challenges emerge and innovations can change perceptions of what is best practice surprisingly quickly. Management attention is diverted and working relationships may be strained. It’s easy to lose touch with what others are doing.
In our careers as chief audit executives (CAEs) in private-sector and public-sector organisations and subsequent experience of consultancy and training, we became aware of the importance of discussing concerns in a constructive environment with others who understood the role first-hand. One of the challenges is that there are many “grey areas” – some issues are unique because of the circumstances, or the people involved. Sometimes a CAE must assess the best (least worst) option and step into uncharted territory.
We asked what courses we would have found useful when we were CAEs and have aimed to create a space where current CAEs can explore the challenges they face and gain perspectives and ideas. We do not intend to give the right answer, since the right answer for one may not work for another, but to support CAEs with ways to think through challenges to enable them to see all the pieces on the chessboard, view it from different perspectives and play it as skilfully as possible.
James piloted the head of internal audit induction programme in 2010 and it has run three times a year ever since, offering a workshop where CAEs (often, but not always, new to the role) can reflect on the challenges with others who want to re-assess where they stand.
The workshop covers technical aspects of the role, such as audit planning and assurance mapping and coordination, managing an internal audit team, undergoing an external quality assessment (EQA), developing political savvy and influencing governance, risk management and compliance developments in the organisation. We look at lean and agile practices to sharpen the ways we think about adding value and what it means to be proactive and insightful.
Feedback on this workshop led us to create a series of more in-depth and focused workshops on audit planning, assurance mapping, preparing for an EQA, root cause analysis and lean and agile auditing. These work well as open courses, but even better when conducted in-house, which enables us to create specific learning outcomes to help the internal audit team reach the next level in key areas. We hope these courses will evolve further to give attendees an even richer sense of the range of practices and challenges they might encounter, drawing on good practice in the UK and referencing interesting developments across Europe.
Workshops at this level are often about the dilemmas faced by CAEs, and participants learn to spot typical problem areas (for example, tension between what the audit committee and the executive want), although the way to resolve such issues may differ significantly from organisation to organisation. Influencing and political factors are usually as important as technical abilities. CAEs need to become attuned to the weak warning signs that flicker on the horizon, but could turn into serious issues if they are not addressed early. They need to be strategic about selecting their battles – it may be better to aim for many small wins, rather than making a stand, so everything does not happen at once. Ultimately, through this approach, a CAE can ensure the internal audit team is properly positioned and the role is correctly understood.
As experienced CAEs, we understand that it can be hard to deliver audit engagements consistently to our (or stakeholders’) quality, time and cost targets, while also delivering the insight and value they need. We also understand that many internal audit functions struggle to deliver impact, manage key stakeholders, communicate difficult messages and evolve to a more data-driven approach, while all the time meeting, and surpassing, the needs of the audit committee.
Moreover, a number of internal audit teams still lack a clear, documented view of their own key risks – either strategically for the whole function, or operationally at the assurance and advisory engagement level. The Chartered IIA’s workshop that looks at this area helps delegates to map their key strategic and operational internal audit risks, consider responses to these and learn from others’ experiences. All CAEs and senior audit managers should think constantly about how they can be more attuned to the risks facing the internal audit team. If risk management is good for the organisation, it is good for us as well.
Common elephant traps for CAEs
- Not achieving two or three improvements in the first six to 18 months. Such as smarter assignment scoping, more agile, brief reports and joining up the assurance “jigsaw”.
- Making changes too quickly without keeping people onboard. This can include managing the delicate balance between what the audit committee wants and what senior management wants.
- Neglecting the political dimensions of the role, including how to navigate assignment delivery in sensitive areas, and securing the necessary resources for the internal audit function.
- Focusing on innovation to the point where you neglect to monitor compliance with IIA Standards and regulations.
- Being on the back-foot around EQAs, leaving a review to the end of five years and preparing at the last minute.
We run a range of virtual courses for internal audit leaders. Click here to read about them.
James Paterson was global head of internal audit at AstraZeneca and has been consulting, coaching and training since 2010. He is the author of Lean Auditing. John Chesshire was head of audit and then chief assurance officer for the States of Guernsey, and has worked in internal audit, risk and governance in organisations, largely in the public sector. He is now a consultant and trainer.
This article was published in July 2021.