Lean Auditing - James C. Paterson - E-Book

Description

"How can you argue with the core principles of Lean, that you focus on what provides value to your customer and eliminate work that is not necessary (muda)? Internal auditors need to understand not  only who their primary customers are, but what is valuable to them - which in most cases is assurance that the risks that matter to the achievement of objectives are properly managed. We need to communicate what they need to know and not what we want to say. This incessant focus on the customer and the efficient production of a valued product should extend to every internal audit team. How else can we ensure that we optimize the use of our limited resources to address the dynamic business and risk environment within which our organizations operate?"
Norman Marks, GRC Thought Leader


Using lean techniques to enhance value add and reduce waste in internal auditing

Lean Auditing is a practical guide to maximising value and efficiency in internal audit through the application of lean techniques. It is an ideal book for anyone interested in understanding what progressive, value adding audit can be like. It is also ideal for anyone wondering whether audit activities can be streamlined or better co-ordinated with other activities.

The book contains practical advice from the author's experience as CAE of AstraZeneca PLC; from his work as a consultant specializing in this field; as well as insights from leading CAEs in the UK, US and elsewhere. In addition, there are important insights from thought leaders such as Richard Chambers (IIA US) and Norman Marks (GRC thought leader) and Chris Baker (Technical Manager of the IIA UK).

Increasing pressure on resources is driving a need for greater efficiency in all areas of business, and Internal Audit is no exception. Lean techniques can help streamline the workflow, but having only recently been applied to IA, lack the guidance available for other techniques. Lean Auditing fills this need by combining expert instruction and actionable advice that helps Internal Auditors:

  • Benchmark their efficiency against lean ways of working
  • Understand warning signs of waste and lower added value
  • Understand practical ways of working that improve added value and reduce waste
  • Gain confidence about progressive ways of working in internal audit
  • Understand how improved ways of working in audit can positively impact the culture of the wider organization

One of the keys to the lean audit is finding out exactly what the stakeholder wants, and eliminating everything else. Scaling back certain operations can delineate audit from advisory, and in the process, dramatically improve crucial outcomes. To this end, Lean Auditing is the key to IA efficiency.

Page count: 482

Year of publication: 2014




LEAN AUDITING

Driving Added Value and Efficiency in Internal Audit

James C. Paterson

This edition first published 2015 © 2015 James C. Paterson / Risk & Assurance Insights Ltd. First edition published by John Wiley & Sons, Ltd.

Registered office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please visit our website at www.wiley.com.

The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Library of Congress Cataloging-in-Publication Data

Paterson, James C., 1963-
Lean auditing : driving added value and efficiency in internal audit / James C. Paterson. – First edition.
pages cm
Includes bibliographical references and index.
ISBN 978-1-118-89688-4 (hardback)
1. Auditing, Internal. I. Title.
HF5668.25.P367 2015
657'.458–dc23
2014031378

A catalogue record for this book is available from the British Library.

ISBN 978-1-118-89688-4 (hbk) ISBN 978-1-118-89690-7 (ebk) ISBN 978-1-118-89689-1 (ebk) ISBN 978-1-119-01706-6 (ebk)

Cover Design: Wiley

Cover Image: ©iStockphoto.com/Rogotanie

DEDICATIONS

This book is dedicated to:

Isabelle, my wife and companion – I love you:

And my children:

Tim, Will, Nick and Felicity.

I'm so proud of you all!

CAEs and others in governance, risk, compliance audit and assurance, who are working to bring about positive change against, sometimes, quite considerable opposition.

I hope that this book serves in some small way to acknowledge many of the challenges and dilemmas you face. I also hope it gives some comfort that you are not alone in facing these challenges.

 

 

WITH SINCERE THANKS

To Lynda McGill – thank you for “reading every word” and for such patient, constructive and insightful input and for being so much more than just a conventional editor.

To all the Chief Audit Executives (CAEs), auditors and others, named and unnamed, who agreed to be interviewed: THANK YOU for your wisdom, practical good sense and for demonstrating just how useful the lean mindset can be.

To past colleagues in internal audit at AstraZeneca between 2002 and 2009 – we did work that was ahead of its time. Your efforts and achievements gave me the inspiration to go into consulting and training, and to write this book. Thank you.

To my clients and all who have participated in workshops with me across the globe. Thank you for your contributions, insights and enthusiasm – for learning and for sharing your war stories and practical insights. Your ongoing interest has kept me going over the nine months it took to research and write this book.

Contents

Foreword

Introduction

THE VALUE YOU SHOULD RECEIVE FROM READING THIS BOOK

PART 1 LEAN AND LEAN AUDITING IN OVERVIEW

PART 2 LOOKING AT INTERNAL AUDIT PLANNING AND ASSIGNMENT DELIVERY

PART 3 LOOKING AT KEY UNDERPINNING CAPABILITIES, PROCESSES AND WAYS OF WORKING

PART 4 FINAL REFLECTIONS

PART 1 LEAN AND LEAN AUDITING IN OVERVIEW

1 Lean Auditing at AstraZeneca

2 A Brief History of Lean, Notable Principles and the Approach Taken by this Book

ORIGINS OF LEAN AND THE BENEFITS IT DELIVERS

KEY LEAN PRINCIPLES, TOOLS AND TECHNIQUES

3 Key Lean Tools & Techniques

UNDERSTANDING CUSTOMER NEEDS: THE KANO MODEL

GEMBA

IDENTIFYING WASTE (MUDA)

A WORD OF CAUTION ABOUT LEAN TOOLS AND TECHNIQUES

4 The Development of Lean Auditing and Its Benefits

THE KEY BENEFITS OF ADOPTING A LEAN AUDITING APPROACH

A FEW WORDS ON TERMINOLOGY IN THIS BOOK

5 The Wider Benefits of a Lean Audit Approach – and How to Use This Book

THE WIDER ORGANIZATIONAL IMPLICATIONS OF A LEAN AUDITING APPROACH

HOW TO USE THIS BOOK

PART 2 LOOKING AT INTERNAL AUDIT PLANNING AND ASSIGNMENT DELIVERY

6 Who Are the Customers of Internal Audit?

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

7 What Really Adds Value – And What Doesn’t

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

DELIVER VALUE TO MULTIPLE STAKEHOLDERS – BUT MANAGE BOUNDARIES

CONCLUDING REMARKS

8 The Importance of Role Clarity in Assurance and the Insights Lean Can Offer

AN IIA PERSPECTIVE ON THE UNIQUE ROLE OF INTERNAL AUDIT

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

9 The Audit Plan: Taking a Value Approach

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

10 Factoring in Risk Assurance in the Audit Plan

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

11 Considering the Allocation of Resources to Optimize Value Add

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

12 Assignments – Types, Scheduling and Resourcing

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

13 Using Assignment Scoping and Planning to Drive Added Value

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED ACTIONS

CONCLUDING REMARKS

14 Assignment Delivery – Managing What Really Goes On

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

15 Using Communication and Quality Standards to Maximize the Added Value from Assignments

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

16 Assignment Follow-Up and Follow On

COMMON PRACTICE AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

PART 3 LOOKING AT KEY UNDERPINNING CAPABILITIES, PROCESSES AND WAYS OF WORKING

17 Measuring Performance and Driving Improvements in Audit Ways of Working

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

18 Using Lean Audit Principles to Underpin Cultural Change in the Wider Organization

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED PRACTICES

CONCLUDING REMARKS

19 Leading the Audit Function

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED ACTIONS

CONCLUDING REMARKS

20 The Audit Function: Selection, Training & Development and Ways of Working

COMMON PRACTICES AND IIA STANDARDS OF NOTE

COMMON CHALLENGES & DILEMMAS

RECOMMENDED ACTIONS

CONCLUDING REMARKS

References and Other Related Material of Interest

PART 4 FINAL REFLECTIONS

21 Further Thoughts about Where and How to Start the Journey Towards Lean Progressive Auditing

22 A Brief Look into the Future

References and Other Related Material of Interest

Other Recommended Reading

Appendix – Illustrative Kano Analysis Regarding Internal Audit

BOARD AND AUDIT COMMITTEE PERSPECTIVES ON VALUE ADD (ILLUSTRATIVE)

SENIOR MANAGEMENT PERSPECTIVES ON VALUE ADD (ILLUSTRATIVE)

LINE MANAGEMENT PERSPECTIVES ON VALUE ADD (ILLUSTRATIVE)

Closing Dedication & Thanks

Index

End User License Agreement

List of Tables

Chapter 7

Table 7.1

Chapter 11

Table 11.1

Table 11.2

List of Illustrations

Chapter 3

Figure 3.1 The Kano model, using a mobile phone as an example: delighter – added functionality; satisfier – price; dissatisfier – not working

Figure 3.2 The SIPOC model as applied to an audit assignment (simplified)

Chapter 6

Figure 6.1 Internal Audit has many customers

Chapter 8

Figure 8.1 The three lines of defence model

Figure 8.2 Accountability – when it goes well we all want to take the credit

Figure 8.3 Accountability – when it goes badly it was someone else’s fault

Figure 8.4 Accountability mapping framework

Figure 8.5 Assignment depth and breadth – options for audit

Chapter 9

Figure 9.1 Key sources of value destruction (illustrative)

Chapter 10

Figure 10.1 A vital ingredient for audit success: joining up the assurance jigsaw

Chapter 11

Figure 11.3 Audit plan coverage – by tier (illustrative)

Chapter 13

Figure 13.1 Metaphor for auditing without a working hypothesis

Figure 13.2 Metaphor for auditing with a working hypothesis

Chapter 14

Figure 14.1 The auditor challenge of maintaining perspective

Figure 14.2 A risk control matrix (illustrative)

Chapter 15

Figure 15.1 Assessing what has been found: how big and how bad

Figure 15.2 Ratings template, using the notion of being “In Control”

Figure 15.3 What many stakeholders value from reporting


Foreword

“Lean is a valuable concept, because it forces you to think about the bigger picture. It's a way of thinking; it's a mindset, with related tools and process behind it.

We start with identifying what are the valuable services and products that matter to your customer. And then thinking about what is necessary for you to deliver those in an acceptable level of quality and all the rest of it. Everything else is Muda (waste).”

Norman Marks (GRC thought leader)

Introduction

If you are reading these words, I imagine you have some interest in lean or in audit, or both, and may be wondering how these disciplines might be combined.

This is what I wondered in 2005 when I was Chief Audit Executive (CAE) for AstraZeneca PLC. Lean was suggested to me as something that could help the audit function step up its “added value” contribution, as well as improve its productivity.

I was uncertain at first about the applicability and usefulness of lean tools and techniques to internal auditing. But, as we learned about lean, and started to apply it, we were able to create a number of best practice ways of working and also achieved significant productivity gains (of around 20%).

This book outlines what lean can offer to internal auditing. It is based on over four years' experience applying these techniques as a CAE. Thereafter, I have been running my own company and lean auditing has been one of the core areas of my training and consulting work. I have been fortunate to travel to the US, across the UK and Europe, the Middle East, the Far East and Australia to share lean auditing principles and techniques. I have been heartened by the interest in what I have had to say, and in the results that have been achieved by applying these ways of working.

As I prepared to write this book, I was keen to ensure that the efforts of other CAEs and auditors who are working to improve the impact of internal audit should also be captured. I therefore interviewed a number of CAEs from a range of organizations in the UK, US and elsewhere and their views and insights are captured throughout the book. I have also been fortunate to receive insights from other leading figures in the internal audit world, including Richard Chambers, President & CEO of the Institute of Internal Auditors (IIA), Norman Marks (a well known thought leader in Governance, Risk and Compliance (GRC)), Sarah Blackburn and Nicola Rimmer (both former Presidents of the UK Chartered Institute of Internal Auditors (IIA UK)) and Chris Baker, Technical Manager of the IIA UK. Herein are also selected board members' observations about internal audit.

Consequently, this book represents not just the best of what I managed to achieve at AstraZeneca, and with my clients. It also captures a wider range of progressive practices in internal audit as well as related good practices in the GRC arena. You only need to reflect on the devastating impact of the financial crisis of 2007 and 2008, and countless other risk and governance surprises, to recognize there is considerable room for improvement in this field!

This book addresses many efficiency opportunities through lean ways of working. However, of equal or perhaps greater importance, this book offers a range of insights into what it means to add value, and through this, to reposition the role of internal audit as a key ingredient of organizational success.

As we will see, many of the CAEs I have interviewed for this book already have a “seat at the top table”. Consequently, whilst a number of the principles, tools and techniques outlined in this book will be aspirational for some internal audit functions, they are successfully in operation for many others.

Whilst I will argue that the internal audit profession should play a more prominent, value-adding role, I do not believe that internal audit should take the lead in driving organizational performance and behavioural change. That is a role for the board and senior management. My belief is that internal audit should more clearly act in a catalyst role for organizational growth, continuous improvement and sustainability.

I hope to demonstrate that the use of lean principles and techniques can both inspire and support internal audit to take up such a role.

However, I also want to acknowledge that there can be significant barriers to achieving what I am proposing. Some of these barriers may be practical, but most come from the mindsets and preferences of board members, senior managers, and a range of others who prefer a traditional “compliance and control” role for internal audit.

In my opinion, the traditional “compliance and control” focus of audit acts like a heavy hand on the audit profession, limiting its ability to play a fuller role. The dominance of traditional ways of working partly stems from a legitimate need to gain assurance over the basics, but also from a significant inertia that has built up within the internal audit profession itself.

As this book proceeds I will try to outline how the lean audit mindset (and ways of working that flow from it) differs from the traditional internal audit mindset, and traditional ways of working. I hope to demonstrate that, if internal audit is prepared to relinquish some of its familiar work in compliance and control auditing, which may appear to offer a degree of security, it will in fact make the internal audit profession more secure in the long run. Indeed I would go so far as to say that by continuing to carry out a large portion of traditional controls and compliance work internal audit may perpetuate a range of organizational and cultural problems with Governance, Risk, Compliance and Assurance.

As a result, some of the principles and practices outlined in this book may be challenging for some of the more traditionally minded auditors, senior managers and board members. As far as possible, I will try to explain how progressive and traditional ways of working can work together side by side, but I think that truly operating with a lean frame of mind does challenge a number of long-held conventions about internal audit. To my mind being prepared to “rock the boat” is a necessity if we want to put internal audit on the right path to being properly acknowledged as a key ingredient for sustainable organizational success.

THE VALUE YOU SHOULD RECEIVE FROM READING THIS BOOK

CAEs and internal auditors should be able to use this book as a resource to:

  • Benchmark current audit plans, reports and ways of working;
  • Identify practical ways to increase value adding activities, and minimize non value added activities within internal audit;
  • Reposition the role that audit can play in the organization and understand the wider organizational benefits that will flow from that.

Board members and senior managers should be able to use this book to:

  • Identify whether internal audit is truly playing a positive role in their organization;
  • Identify traditional, stale practices in Governance, Risk, Compliance and Assurance, that are not really adding anything;
  • See the benefits of embracing lean principles in the arena of Governance, Risk, Compliance and Assurance, more generally.

Academics and others with an interest in sustainable organizational growth should be able to use this book to:

  • Deepen their understanding of the challenges that many audit professionals face on a day to day basis;
  • Consider how lean principles might offer an interesting insight into debates about what makes effective Governance, Risk, Compliance and Assurance.

Those with an interest in lean should be able to use this book to:

  • Understand how lean principles, tools and techniques have been applied successfully to the world of Governance, Risk, Compliance, Audit and Assurance;
  • Consider other ways in which lean approaches might be applied in these fields.

I personally have several hopes for this book:

  • That it will stimulate more granular “real world” discussions about the dilemmas and challenges that auditors face;
  • That lean principles, tools and techniques will enjoy a more mainstream position in the audit profession, and that we will become much more rigorous when we talk about “adding value” and efficiency;
  • To open up more reflection on a range of long established ways of working within internal auditing;
  • To create a greater recognition that through the development of a multi-disciplinary approach to internal audit we will enhance the reputation of our profession, and properly emphasize the importance of leadership and softer skills alongside detailed technical skills.

Overview of the Contents

This book is structured as follows:

PART 1 LEAN AND LEAN AUDITING IN OVERVIEW

1 Lean Auditing at AstraZeneca

In which I briefly explain the origins of lean auditing when I was CAE at AstraZeneca and the results it delivered.

2 A Brief History of Lean, Notable Principles and the Approach Taken by this Book

In which I discuss the origins of lean, its key principles and how it has increasingly been recognized to deliver results in a range of fields. I also outline the different sorts of lean (e.g. Lean Six Sigma and lean systems thinking) and the approach this book takes to these.

3 Key Lean Tools & Techniques

In which I outline a selection of key lean tools and techniques that have proven their worth in terms of driving greater effectiveness and efficiency and also in an internal audit context.

4 The Development of Lean Auditing and its Benefits

In which I explain how I developed lean auditing with a range of audit functions, and the benefits that have been obtained, both for internal audit and key stakeholders.

5 The Hallmarks of Lean Auditing and the Organizational Culture this can Support

In which I discuss how some conventional and traditional audit ways of working can perpetuate problems with organizations' Governance, Risk, Compliance and Assurance practices. I then go on to explain how lean progressive ways of working will not just improve the impact of audit assignments but also play a role in improving the wider organizational GRC culture.

PART 2 LOOKING AT INTERNAL AUDIT PLANNING AND ASSIGNMENT DELIVERY

6 Who are the Customers of Internal Audit?

In which I explore the question of the range of stakeholders who have an interest in audit and the benefits of having clarity about which of these stakeholders are key – if any.

7 What Really Adds Value – And What Doesn't

In which I use lean techniques to examine what we really mean by “adding value”, and – just as important – to understand what doesn't add value. This chapter also addresses the important topic of differences between stakeholder perspectives concerning what adds value (and what does not).

8 The Importance of Role Clarity in Assurance and the Insights Lean Can Offer

In which I highlight the vital importance of having clear roles and accountabilities in order to drive both effectiveness and efficiency; and some of the key tools that can be used to drive greater role clarity, both for key functions as well as internal audit.

9 The Audit Plan: Taking a Value Approach

In which I discuss the ways in which taking a lean, value-added approach to the audit plan can ensure that audit looks at the right areas, overcoming the common failing of having a disconnect between the audit plan and the key objectives and risks of the organizations they support.

10 Factoring in Risk Assurance in the Audit Plan

In which I discuss the crucial role of understanding the risk assurance picture before developing the internal audit plan. This approach challenges some common conventions in audit planning, including the way management is asked for their views on the areas that audit should look at.

11 Considering the Allocation of Resources to Optimize Value Add

In which I discuss how lean, progressive audit practices can encourage greater quality debates about the way audit resources are allocated across different risk areas in order to maximize the value derived from the plan. A number of the techniques outlined have been invaluable for a number of CAEs facing pressure on their budgets.

12 Assignments – Types, Scheduling and Resourcing

In which I highlight the need to move beyond standard assignment types and to resource and schedule assignments more flexibly, based on their value. Lean techniques help us to create a clearer flow of assignments during the year, reducing delays in starting to deliver the audit plan as well as the common problem of rushing to complete assignments towards the end of the year.

13 Using Assignment Scoping and Planning to Drive Added Value

In which I highlight the importance of properly scoping and planning assignments so that they can deliver the maximum value. This includes the important step of being clear about the key risks and controls that should be tested, and making the maximum use of intelligence so that the assignment does not simply repeat what is already known and has the maximum chance of delivering outcomes that matter.

14 Assignment Delivery – Managing What Really Goes On

Where I discuss the reality of what actually happens when audits start. I look at the many ways that time can be lost and offer a range of proven approaches to help drive audits forward in a purposeful way. In particular, I examine ways to think more carefully about what testing should be done and the challenge of knowing when to stop.

15 Using Communication and Quality Standards to Maximize the Added Value from Assignments

In which I discuss the ways in which assignments can get into difficulty in their latter stages. This can include difficulties and delays at audit closing meetings, finalizing audit reports (including agreeing actions) as well as meeting quality assurance standards. Lean, progressive ways of working help auditors drive assignments towards a value adding conclusion and overcome the many delays and distractions that are commonplace.

16 Assignment Follow-Up and Follow On

In which I show how lean principles encourage audit to take a fresh look at the process of tracking remediation of open actions and audit follow-ups. Lean ways of working can radically reduce the time and effort spent by audit doing follow up work, whilst driving greater reliance on management assurances.

PART 3 LOOKING AT KEY UNDERPINNING CAPABILITIES, PROCESSES AND WAYS OF WORKING

17 Measuring Performance and Driving Improvements in Audit Ways of Working

In which I examine the way lean encourages us to take a fresh look at the metrics and key performance indicators collected and reported by audit. I also look at ways to enhance assignment methodologies, to strengthen quality control in a streamlined way and to drive value from External Quality Assessments (EQAs).

18 Using Lean Audit Principles to Underpin Cultural Change in the Wider Organization

In which I highlight in more detail the ways in which lean ways of working can help to improve the GRC and assurance culture of an organization. Areas that can be improved include streamlining the policy and compliance landscape, strengthening the role of risk and compliance functions, and improved assurance coordination.

19 Leading the Audit Function

In which I discuss the leadership characteristics and capabilities of Chief Audit Executives (CAEs) who lead lean, progressive, value-adding audit functions. In particular I share key messages from my own experience and from other CAEs about how they retain a sense of perspective in managing the many dilemmas that CAEs have to navigate.

20 The Audit Function: Selection, Training & Development and Ways of Working

In which I examine the way that lean, progressive, audit functions approach recruitment, staff development and leverage other skills, through guest auditors, guest advisors and/or co-source providers. This chapter raises some important questions concerning the optimal balance of skills within an audit function.

PART 4 FINAL REFLECTIONS

21 Further Thoughts about Where and How to Start the Journey towards Lean Progressive Auditing

In which I examine choices around where and how to start or make further progress in relation to lean audit ways of working. A key message, based on my experience as a CAE and with clients, is that implementing lean auditing does not have to be time-consuming or expensive.

22 A Brief Look into the Future

In which I examine potential developments in audit and my hopes for the future. I also reflect further on the key dilemmas that internal auditors and CAEs face on a day-to-day basis and consider whether we can do more as a profession to support one another in this regard.

PART 1 Lean and Lean Auditing in Overview

1 Lean Auditing at AstraZeneca

After 15 years working in a range of finance roles, I was appointed the CAE of AstraZeneca PLC in 2002. My appointment came a few months after the enactment of the US Sarbanes–Oxley Act, following the collapses of Enron and Worldcom.

If I needed a reminder that good financial control was important, this was it. I therefore spent the first two years in my role supporting and quality assuring the embedding of Sarbanes–Oxley disciplines, whilst also working on a range of other areas in GRC and assurance as well as developing the internal audit function.

By 2005 we had made progress on a number of fronts. However, it was clear that pressure on costs would increase, and as a result my audit management team and I decided that we should engage with the cost agenda in a proactive manner: “Better to work on our efficiency and effectiveness ourselves than have someone else do it for us.”

At the suggestion of one of the Audit Directors, David Powell, we decided to work with colleagues in AstraZeneca’s manufacturing function, who specialized in lean manufacturing techniques. We contacted John Earley (now Partner, Smart Chain International), who was working in manufacturing at the time, and after obtaining some key inputs from him, we developed a number of new ways of working within the audit function.

What impressed me at first was just how quickly and cheaply the lean techniques could be implemented and the scale of the efficiency gains achieved. In later years I also admired the way lean principles informed much of what we were doing to deliver added value: from audit planning to stakeholder engagement, from our approach to assignment delivery to the way we carried out testing, and from the way we reported our work to the performance metrics we used.

The lean auditing approach also offered a positive way of thinking about the role of internal audit and the value it could deliver, one that was appreciated by senior managers, the board and audit staff alike. In addition, our approach to audit planning and the ways that we had changed our executive and board reporting gained recognition within the internal audit profession (within the IIA UK and also the Corporate Executive Board, Audit Director Roundtable).

Further details of the progressive practice we developed will follow in subsequent chapters. However, first it seems appropriate to say a bit more about lean.

References and Other Related Material of Interest

Paterson, J. (2007) Business partnership redefined, Audit Director Roundtable. AstraZeneca case study

Paterson, J. (2008) Internal audit for the 21st century. IIA Scotland

Paterson, J. (2009) Internal audit: the times they are a changing. Chartered Institute of Management Accountants

Paterson, J. (2009) Future developments in internal audit. IACON

Paterson, J. (2012) Giving assurance IIA UK. Heads of Internal Audit Service

Paterson, J. (2012) Developing an effective audit strategy. IIA UK Head of Audit Service

2 A Brief History of Lean, Notable Principles and the Approach Taken by this Book

Having explained that the application of lean made a significant difference to internal audit within AstraZeneca, this chapter sets out some background about lean: where it came from, its key principles and the benefits that are likely to result from putting it into practice.

ORIGINS OF LEAN AND THE BENEFITS IT DELIVERS

Some argue that the story of lean can be traced back to boat construction in 16th Century Venice, but I suspect we could go back further to road building techniques and weapons manufacture in Roman times. However, the story of lean as a holistic set of principles, tools and techniques is widely understood to centre around Toyota’s achievements after World War Two.

Influenced by developments in the US and elsewhere, for a period of over a decade Toyota developed various production line techniques into a complete management system, called the Toyota Production System (TPS). TPS comprised a range of product and process development techniques, supply chain management techniques, new approaches to problem solving (such as root cause analysis), improved approaches to customer service and new approaches to leadership and teamwork. In 1965 the Deming prize for quality was granted to Toyota for TPS.

As a result of TPS, Toyota became capable of making cars at a significantly lower cost than a number of major US motor manufacturers, despite their scale advantages. Toyota, alongside many other Japanese car companies (who were using similar approaches), therefore gained increasing success across the world.

The label “lean” for the techniques developed and applied by Toyota was first used in 1987 by John Krafcik, a student at that time of the Massachusetts Institute of Technology (MIT) International Motor Vehicle programme. Krafcik observed that Toyota’s systems and processes:

Required less investment for a given production capacity;

Went from concept to delivery with less time and effort;

Delivered products with fewer defects.

He observed: “It needs less of everything to create a given amount of value, so let’s call it lean.”

After this came a series of important books from key players in the MIT International Motor Vehicle programme:

The Machine That Changed the World by Womack, Jones and Roos, which gave an account of the techniques employed by Toyota and other Japanese manufacturers and demonstrated the superior performance of this approach;

Lean Thinking by Womack & Jones, which set out the key principles of lean and also noted the successes of a number of other organizations in the US and Europe as a result of implementing lean techniques.

Typical benefits obtained from lean ways of working include:

Reductions in: defects, lead times, cost, inventory and waste;

Improvements in: customer satisfaction, productivity, capacity, responsiveness and quality.

Since then extensive research has been undertaken to deepen our understanding of the power of lean and numerous other lean books have been published. Lean techniques have been successfully applied in a range of sectors outside of motor manufacturing (e.g. in white goods and pharmaceuticals manufacturing) and, increasingly, in service sectors (e.g. airlines, healthcare). Lean has also been successfully applied in a range of support and service areas (including finance and administration).

KEY LEAN PRINCIPLES, TOOLS AND TECHNIQUES

The overall philosophy underpinning lean is to maximize customer value whilst minimizing waste. The Lean Institute states that lean means: “creating more value for customers with fewer resources.”

The Five Key Principles of Lean

The five key principles of lean can be summarized as:

Specify Value from the Point of View of the Customer

The aim is to have a deep and ongoing understanding of exactly what the customer is looking for and what they value. A common question in lean circles is “What is the ‘Voice of the Customer’ saying?” Lean asks us to be wary of giving the customer simply what is convenient for the producer, though it recognizes the place for offering new and innovative products/services (even if they were not requested), if they are going to be valued by the customer (e.g. the Apple iPod).

Identify the Value Stream

Having understood what is valued, the goal is to understand, in detail, the sequence of processes and activities that deliver this value, all the way from raw materials (if applicable) to the final customer. Lean asks us to critically appraise the purpose of each of these steps: what value is added by each step (in the eyes of the customer) through the whole process, from end to end.

Flow

Based originally on a production line mindset, but extended to a more general principle, lean encourages us to make value flow. Lean asks us to look out for waste in any form, such as rework, delays or other interruptions to delivering value. Other issues (such as overburdening or underutilization) should also be noted and addressed. This lean principle also requires close attention to the supporting or preparatory activities that underpin customer delivery.

Pull

The lean goal is to deliver customer demand at the time it is needed – not too early (since that can be inefficient and wasteful) or too late (since that will normally not be what the customer wants), but “just in time.”

Seek Perfection in Ways of Working

Lean asks us to seek the ideal way – delivering exactly what the customer wants, when it is wanted, at a fair price and with minimum waste. This lean principle goes deeper than just being in line with competitors and what others are doing (e.g. taking a benchmarking approach). Lean is a way of working that looks for maximum customer value with zero waste – at least as a goal. Linked to this principle is the “Kaizen” notion that one should strive for ongoing improvement, since few processes, if any, will achieve the goal of perfection.

The lean principles set out above should not be viewed as a linear step-by-step checklist, but rather as a set of underpinning principles informing all ways of working.

Other Schools of Lean and the Neutral Approach of this Book

Associated with lean is the field of product quality and six sigma (which is used to drive a very low rate of deviation from required standards). This has led to Lean Six Sigma, which is useful for the manufacture of products that need to be made to a high product quality specification.

In addition, lean has been combined with systems thinking (which is concerned, amongst other things, with the ways different parts of an organization are interrelated), resulting in the lean systems approach.

Other approaches to lean also exist, but I take an open-minded approach to the various “flavours” of lean. I think each lean approach has something interesting to say, but I do not believe internal audit should be wedded to a specific lean approach. I have spoken to some CAEs who have been through a lean review (often as part of a wider organizational programme), but have found this has offered limited benefit. This can happen when those driving the lean review are mostly focused on looking for cost savings, or outsourcing opportunities, or do not have a deep understanding of the unique role of internal audit.

My experience suggests success in implementing a lean auditing approach is often about recognizing the context of specific organizations and adapting what should be done to deliver workable results, whilst staying true to the overall spirit of lean.

Cost Reduction and Lean

It is worth writing a few words about lean in relation to cost reduction, since this is one of the key reasons lean attracts attention. Indeed, as mentioned earlier, when I was CAE of AstraZeneca cost management was one of the reasons I was interested in lean. However, lean ways of working should not simply be equated with cost cutting. John Earley (Partner, Smart Chain International) explains:

“Lean is not simply about cost reduction. Managing and reducing cost is a by-product of lean, it’s not a driver for it.

Cost cutting measures may buy you time, but often they won’t have transformed the business, and as a result the consequences of cost savings will pop up as costs somewhere else. They’ll arise in customer complaints, or in other areas that might hit your reputation, or your bottom line. In other words, one part of the business might cost less, but the business as a whole suffers, and so often it becomes a negative spiral.

Lean takes a different approach looking at value as well as efficiency. Will lean reduce cost? Yes it will, but the idea behind lean is if you take care of the value the cost will take care of itself.”

I think one of the reasons I enjoy working on lean auditing is that, whilst it supports productivity, it does not do this in some bleak and heartless manner. To my mind, lean is as much about building added value and developing staff to do this, as it is about productivity and cost management.

References and Other Related Material Of Interest

Bicheno, J. & Holweg, M. (2008) The Lean toolbox: the essential guide to Lean transformation.

Lean Enterprise Institute (2009) A Brief History of Lean. http://www.lean.org/WhatsLean/History.cfm

Lean Enterprise Institute (2009) Principles of Lean. http://www.lean.org/WhatsLean/Principles.cfm

Lean Systems Society (2014) http://leansystemssociety.org/

Morgan, J. & Brenig-Jones, M. (2009) Lean Six Sigma for Dummies. John Wiley & Sons, Chichester.

Womack, J. & Jones, D. (2003) Lean Thinking (Revised & Updated).

Womack, J., Jones, D. T. & Roos, D. (2007) The Machine That Changed the World. Simon & Schuster Ltd

3 Key Lean Tools & Techniques

This chapter outlines the lean tools and techniques I have found to be most useful in an internal audit context. This list is small compared to the full range of lean tools and techniques, but – at this stage – I would rather give a flavour of what there is than swamp the reader (since a full description of these tools could comfortably fill several books).

UNDERSTANDING CUSTOMER NEEDS: THE KANO MODEL

The Kano model (created by Dr Noriaki Kano) is one of the most powerful lean tools for thinking about what customers do and do not value. It involves listening to the “Voice of the Customer” in relation to what is valued and mapping this out for ongoing reference. Of particular interest is the insight that there are different types of value related attributes. The three key types are summarized below:

Basic requirements or dissatisfiers: This is an attribute or requirement a customer expects as part of a service or product and if it is not present the customer will be dissatisfied or unhappy (e.g. clean sheets in a hotel room, or food in a supermarket that is not mouldy). However, if the attribute is present it will not necessarily result in anything more than a neutral feeling. Although these attributes are basic, this does not mean they will be easy to achieve;

Performance factors or satisfiers: These are requirements or attributes where the customer value perception will vary depending on the extent to which it is present: for example, “more is better and less is worse” or “easier to use is better and less easy to use is worse.” This could include the ease of checking into a hotel, or the price of a car;

Delighter or exciter factors: These are requirements or attributes that customers may not expect, but delight them when present (e.g. a complimentary breakfast at a hotel). These delighters need to be given at a sensible cost, but may make the difference between choosing one product or service over another – consider Apple products and the extent to which the look and the feel of these is valued by customers.

The Kano model can be set out in diagrammatic form as follows:

Figure 3.1 The Kano model, using a mobile phone as an example: delighter – added functionality; satisfier – price; dissatisfier – not working

The Kano model highlights an insight many will recognize: a given amount of time and effort may have a hugely different impact on customer satisfaction. In other words: effort and added value are not always linked in a linear way. Indeed, sometimes providing less can result in a more satisfied customer (e.g. a concise report compared to a longer one).

Thinking about what the customer wants through a Kano approach is central to lean auditing. The aim is to gain a deeper appreciation of what each of the different stakeholders of internal audit want and – just as importantly – what they do not want.

GEMBA

“Gemba” is the Japanese word for the real place (e.g. the place where a news event takes place). In the context of lean it usually means the factory floor or workplace. A key lean technique is to “Go Look See” what is really going on (known as the Gemba Walk). This is the way any waste can be identified, and this is also the place where opportunities for improvement might be identified.

There are some similarities between the Gemba Walk and the western management notion of “management by walking about”, with lean emphasizing the importance of:

Engaging with what is actually going on when analysing issues or difficulties, with an emphasis on facts rather than opinions; and

Ensuring that staff and managers pay close attention to what is going on, on a day-to-day basis, as a way of driving improvements in effectiveness and efficiency.

Shigeo Shingo, one of the leading lean practitioners from Toyota, sums up the lean Gemba mindset:

“Get a grip on the status quo. The most magnificent improvement scheme would be worthless if your perception of the current situation is in error.”

Gemba has a great affinity with internal audit, since it is all about looking at the reality of what is happening. The challenge for auditors is to apply this approach to their own ways of working. A good example of a Gemba approach would be to pay attention to the difference between how an audit manager or CAE would summarize the audit process (or how it is written in an audit manual), and what it is actually like to carry out an audit assignment in practice.

Value Stream Mapping

In order to improve the way that activities and processes are carried out to deliver value, lean offers a range of tools and techniques to help visualize what is happening so that processes and activities can be improved. Specific approaches include:

SIPOC mapping: SIPOC refers to Supplier, Input, Process, Output, and Customer and is a framework that can be used to break down a process. In an internal audit context, a number of the key SIPOC elements are set out in Figure 3.2;

Figure 3.2 The SIPOC model as applied to an audit assignment (simplified)

Deployment flowcharts (or Swim Lane diagrams), which can be used to illustrate, amongst other things, the roles of different functions in a process.

Process mapping is a technique familiar to many in internal audit. When applied to internal audit processes it can be a powerful way of drawing out a range of improvement opportunities in audit planning, assignment delivery and the process of drafting, editing and rewriting audit reports.

IDENTIFYING WASTE (MUDA)

Lean principles regard waste (or Muda in Japanese) as being anything a customer would not want to pay for. No matter how normal difficulties, delays or waste seem, lean demands that we pursue waste free ways of working. However, Shigeo Shingo observed:

“The most dangerous kind of waste is the waste we do not recognize.”

Indeed, much of my work with auditors starts with helping them to notice waste in audit activities that seems so normal it has become invisible.

Lean defines the normal waste items that so often get missed. Taiichi Ohno of Toyota suggests seven key areas of waste in a production context:

The waste of overproduction;

The waste of waiting;

The waste of unnecessary motions;

The waste of transporting;

The waste of over-processing, or inappropriate processing;

The waste of unnecessary inventory;

The waste of defects.

In a service context, other forms of waste include:

The waste of making the wrong product;

The waste of untapped human potential;

Excessive information and communication;

The waste of time;

The waste of inappropriate systems;

Wasted energy, resources and other natural resources;

The waste of (excessive) variation;

The waste of no follow-through;

The waste of knowledge.

Other difficulties that can interrupt the flow of value to the customer include:

Unevenness, or Mura in Japanese;

Overburden, or Muri in Japanese.

To address the various types of waste that can arise, lean provides a range of tools and techniques, including:

Heijunka

This technique aims to prevent issues arising by smoothing the flow of work. This includes techniques to standardize and sequence what is done.

Jidoka – Also Known as Autonomation

This aims to prevent errors arising. The idea is to create machines, systems and processes that rapidly identify when poor quality occurs because of the impact on the customer as well as the resulting waste and rework that arises from poor quality.

Just in Time

This is a widely known lean technique, and is about delivering the right quality product or service at the right time at an optimal cost.

Andon – Visualization

Lean ways of working require ongoing monitoring of what is going on with clear, visible indicators or metrics. These allow staff and management to identify any issues or difficulties and act on them in a timely manner. In an audit context this is a particularly useful technique when tracking assignments.

Root Cause Analysis (RCA)

RCA is a fundamental technique in lean, and one that should be familiar to internal auditors. Specific RCA methods include:

The Five Whys: the approach encourages us to question why things are happening, so that the real reasons for difficulties are known, thus maximizing the chances of a proper solution;

The Fishbone (Ishikawa) diagram: where effects/symptoms are traced back to their causes using a structured framework.

A WORD OF CAUTION ABOUT LEAN TOOLS AND TECHNIQUES

In addition to my neutral stance on any specific brand of lean, I want to flag up an important message at the outset in relation to lean tools and techniques: these should be used to enable and facilitate efficient and value adding internal audit work, not become a thing in themselves.

John Earley (Partner, Smart Chain International) explains:

“Which lean tools you apply and how you apply them is situation specific. There’s nothing in the lean toolkit that is mandatory. This is where the difference between success and failure could be. You have to be very pragmatic how you apply lean.

To take an analogy: If you are going to hang a door, and you have got a toolbox full of tools, you don’t use every tool in the box. You pick the tool that you need to do the job properly and you make sure they’re in good shape and you know how to use them, and then you do the job, then you put the tools back in the box and wait for the next job.

When applying lean over a period of time, there’s always a progression of things happening and the techniques that you use at one point in time may not be as important at another time. However, the constant factor that runs through that whole thing is the mindset and culture of customer value, efficiency and continuous improvement.”

Norman Marks (GRC thought leader) offers similar advice:

“You don’t have to necessarily go off to Japan and get a black belt in lean. You’re not going to learn about lean internal auditing by going to Toyota and walking through their plant.

My advice is that this is mostly common sense. It’s standing back and saying, I want to be of value to my customer, so what do they need? Not just what I want to give them, but what do they actually need for them to be effective.

Throw out the traditional and replace it with common sense. And just because everybody else is operating in a traditional way, doesn’t mean it’s best.”

References and Other Related Material of Interest

Kano, N. (1984) Attractive quality and must-be quality. Journal of the Japanese Society for Quality Control.

4 The Development of Lean Auditing and Its Benefits

It was originally intended that I would be the CAE at AstraZeneca for three or four years, but the work we did on lean auditing and the impact it was having encouraged me to stay longer (for seven years in all). Increasingly, I became interested in sharing the lean auditing ideas and practices that we had developed with other CAEs. In addition, I could see an opportunity to do more work in the field of leadership development and culture change (which I had done for two years prior to becoming CAE at AstraZeneca). As a result, at the beginning of 2010, I set up my own business specializing in lean auditing, Risk Assurance, CAE coaching and internal audit effectiveness (www.RiskAI.co.uk).

Whilst I have seen significant differences in the contexts and cultures that audit functions have to operate within, it is noteworthy that many of the challenges and dilemmas faced by audit functions across the globe are similar (albeit each with its own very specific flavour). Some common challenges and dilemmas facing the internal audit functions that I work with are:

How to prioritize the differing needs of multiple stakeholders in the audit process: the board/audit committee, senior managers and those being audited;

How to develop an audit plan that addresses the most important risk areas when there are often strong expectations that audit should focus on financial controls and compliance testing;

How to get a place “at the top table”, influencing senior management whilst retaining independence and objectivity;

Managing requests to delay or cancel assignments, which can result in difficulties completing the audit plan each year;

Getting information and data on a timely basis so that audit assignments can start without delay;

Finding that many managers are not engaged with the audit process;

Arguments over whether audit has enough evidence to demonstrate its findings, sometimes requiring additional testing;

Disagreements concerning the wording of audit reports, the timescales that actions should be completed within, and the grading of reports.

The root causes for these areas of difficulty are various and may be linked to problems with communication and underlying systems. However, a number of the problems that arise are due to poor process disciplines in audit and, from my experience, questions about the role of audit, as well as the mindset of some managers and auditors.

As we will see during the course of this book, lean ways of working can help audit to navigate through many of these challenges and dilemmas, helping the internal audit function become more impactful, as well as providing a range of other benefits at an organizational level.

As I mentioned in the introduction to this book, my experience developing lean auditing techniques as the CAE of AstraZeneca provided a solid foundation to work with clients and workshop participants. However, other CAEs I have worked with have faced other areas of difficulty, which we addressed through new lean auditing approaches. In addition, other CAEs I know have developed their own good practices that further “raise the bar” on what value adding and efficient auditing can be like.

As a result, this book contains many internal audit best practices developed by, and with, other CAEs, alongside those developed during my time as the CAE of AstraZeneca.

THE KEY BENEFITS OF ADOPTING A LEAN AUDITING APPROACH

The key benefits of adopting a lean audit approach to internal audit are:

An audit function that is oriented towards engagement with key stakeholders, with a clear value add mindset;