As simple as the name is, the concept is even simpler. It is founded on the idea that the value of an audit decreases every day after the audit work is completed. How quickly it decreases is governed by how quickly the environment, you just audited, changes.
Many internal audit plans and programs are built assuming that change is minimal, but in today's environment that assumption is seldom valid.
The truth of these principles began to take shape for me when I realized that the active membership of the IIA in Charlotte, NC was made up principally of governmental entities, utilities, banks, consultants, and other financial services companies. Notwithstanding recent events, at the time these organizations were considered pretty slow change outfits. Missing were high tech companies, Internet businesses, software companies (even though Microsoft had quite a large campus there) and other organizations known for their rapid rates of change. By the way, at one point to test this hunch I had a look at the membership directories of a couple of other Chapters and the same trend was evident.
Now, admittedly, this is not a valid statistical sample, but it got me thinking.
Why do companies that thrive in high-change markets seem to place less value on internal audit? I considered the possibility that maybe they were moving so fast they just couldn't come to the meetings. However, their CIAs and CISAs (if they had any) would need CPE too, so I dismissed that idea.
After discussing this with lots of my IIA and ISACA colleagues, the conclusion to which I came was kind of troubling. The consensus was that these organizations didn't see much value in the classic internal audit approach; one defined by lots of discovery testing, long engagements, huge reports, and a healthy appetite of workpaper preparation. Apparently, it was just too slow.
As a team at Royal & SunAlliance, we realized that an audit approach for the 21st century had to deal with change in a way that one for most of the 20th did not.
Interestingly, we were providing assurance services for a 300 year-old British insurance company. By some definitions, this is the epitome of a low change organization. However, this one was on a rapid growth vector. They were buying companies all over the world, connecting them together, and trying to drag their systems and processes into the current epoch. Over what had become a seriously fast moving organization, we had to somehow provide an opinion to the Audit Committee that meant something.
In response, the we began to evolve the Speed of Change model. Given the subject with which it deals, I suppose it will always be evolving. As it took shape, we found that it had something like five pillars, they are:
- Audit work is perishable. Reports must be issued very quickly after the audit work is completed.
- Brevity is valuable. Reports should be short, outfits experiencing lots of change can only work on so many things at once anyway.
- Risk and change go hand-in-hand. Risk profiles and audit plans must include a variable for the likelihood that things will stay the same. We'll be back soon if it is in flux, not so soon if its stable.
- Drilling exploratory wells wastes valuable resources. Plopping down in an area and testing till we find some deviation is not a good use of people or time. Other ways are better.
- Effective business-audit partnerships are crucial. You've got to know the management of each unit well and they need to see your role as valuable.
Over the coming weeks and months, I think I'll explore this concept and others through this blog. I invite healthy debate and discussion.
How do your organizations audit in a world that shows no signs of slowing down?
How do you ensure your audit functions are providing work-worth-paying-for?
Prescott Coleman, CIA, CISA
No comments:
Post a Comment