CHAPTER 10: USING LEAN APPROACHES FOR YOUR LEAN PROJECT AUDIT/REVIEW

Introduction

The use of lean thinking techniques to deliver internal and external audits, or assurance reviews of lean projects, has a number of advantages including:

1. Leading by example.

2. Providing a learning environment and a test bed for auditors to try out lean thinking.

3. Focusing on real stakeholder needs.

4. Becoming more commercial by focusing on what is important to the end customer.

5. Getting to the root causes of issues, rather than making recommendations that merely fix a symptom of the problem.

6. Reducing wasteful audits and reporting and thereby reducing costs.

7. Becoming more effective in providing compliance, whilst also highlighting issues that may reduce costs and improve customer service for the area under review.

Some organisations, I am sure, see audit as a necessary evil – an inconvenience and cost overhead (or worse a muda). To a certain extent, some traditional audit teams have not done much to break this image. However, this is now changing and many audit teams have been adopting lean thinking – some without even realising it.

In this chapter we will consider how lean thinking can be applied to audit or assurance review. Throughout this chapter I have referred to ‘the auditor’, however, the same principles apply to anyone performing an assurance review of a lean project or other activity.

Identifying audit customers

Why do we do audits or assurance reviews? All audits are to provide some form of independent comfort that there is proper governance and compliance, and advice on how to improve. However, there is an opportunity for auditors to provide so much more. Internal auditors often have an overview of the organisation that is not available to many in an organisation. Because they consider a number of different areas, there is the opportunity to share best practice and lessons learnt from previous reviews in a different area of the business. This is one reason why many organisations see internal audit as an important part of career development for their high-flying trainees.

One of the accolades I most enjoy when auditing is when someone says ‘that’s a good question’ – it shows that I have led the auditee to look at the issue from a different angle.

During the review of the 2009 banking crisis, the House of Lords and others looked at the role of internal audit. The concern was that they were too focused on the needs of immediate management, in some cases to the point where they were not considering the real risks, rather than considering the needs of the wider ‘customer’ base.

So who are the customers of the review/audit? By considering the wider group, it helps to ensure the audit is providing a better service – customers include:

• the immediate auditee and their managers/senior management

• the Board – especially the audit committee

• regulators

• shareholders/other financers

• business partners of the organisation

• customers of the organisation.

I have listed the above in the order that they are normally considered by auditors. At first it seems strange to include end customers in the list. But they are the ones ultimately paying for the audit – therefore they should gain some benefit. Also, if an organisation is moving to lean thinking, placing more emphasis on customer value, it is important that their requirements are considered. For example, does the audit function generate more savings (including risk reduction) than it costs to operate?

Adding real value

The phrase ‘I am your auditor and I am here to help you’ is always an amusing one – and one often not believed by auditees. However, there are opportunities for auditors to add benefit, without losing their independence or objectivity.

As a Board member on audit committees, I have always found it most useful adding real value when we have meetings with the auditors without management being present. This ‘off the record’ briefing gives an opportunity to discuss issues which the auditor, especially if an external provider, may not be willing to share in a formal report. It is also a good opportunity for the audit committee to make clear what their expectations are. For example, before the commencement of any audit I would expect the auditors to have informal discussions with the main stakeholders. As with any meetings with customers, the auditors may need to limit expectations if the requirements are unrealistic but it is better to be clear on this in the scoping documents so there can be no misunderstandings as to what is to be delivered.

The audit process for reviewing a lean project is similar to any assurance or audit review and can be summarised as:

• plan and scope

• listen and review

• gather and review corroborative evidence

• publish findings and recommendations.

The Institute of Internal Auditor’s Publication, Internal Auditing: Adding Value across the Board, describes internal audit as:

‘An independent, objective, assurance and consulting activity that adds value to and improves an organisation’s operations.’³

This definition covers the consulting role that internal audit often provides, in addition to the compliance role.

The implementation of Sarbanes-Oxley (SOX) gives a good illustration of how auditors can apply lean thinking to all that they do. Most impacted audit teams reviewed the quality of the design and operation of the financial reporting controls needed for SOX compliance. The better ones went beyond that to identify:

• Where there was wastage due to over or duplicated control.

• How the same level of control could be achieved using alternate controls (e.g. through centralisation or automation).

• Controls where their risk level is well below the cost of the control.

This could be achieved without impacting independence or the quality of the audit opinion on the adequacy of the control framework. One organisation I worked with estimated that each SOX control cost about $1,000 per year to maintain and test. So any reduction in the number of controls can have a large saving in reducing waste – far greater than the cost of the audit.

Identifying and mapping the audit value stream

Good planning of the review should ensure that the process for the review has been considered and documented. This could be considered in the form of a value stream, to ensure that all activities are required in order to add value to the audit. The PDCA cycle could also be applied to review the plan.

Reducing waste

A lean audit is partly about helping to reduce waste – if it is conducted in a way that is wasteful it will lose creditability with auditees and stakeholders. Waste can be incurred at any stages of an audit, including:

• allocating inappropriate resource

• impact of disruption on the auditee

• failure to gather enough corroborative evidence, leading to misreporting

• inappropriate recommendations

• reporting on individual symptoms rather than the root causes of findings.

Where audits are repeated, this waste is also often repeated. Table 7 shows some of the common types of audit wastage and their consequences. These can be reduced by steps including:

• proper planning

• ensuring the auditee and other stakeholders (including end customer) are consulted

• investigating the work performed previously on the area and then referencing this rather than repeating the same exercise

• full involvement of the customer throughout the process.

Table 7: Audit waste areas

Waste area	Common audit causes	Consequences
1. Defects	Failure to check audit findings with nominated business representative Unrealistic recommendations, for example cost more to implement than the benefit they create Defective planning, leading to the wrong areas or issues being reviewed	Mistakes in drafting reports cost time and effort to rectify and cause loss of confidence from the auditee
2. Overproduction	Excessive auditing of low risk areas Inappropriate timing of audits Management overload in responding to audit issues	Producing too many audits/audit findings, sooner or faster than is needed – when the audit resource used could have been better applied elsewhere
3. Waiting	Audits postponed or delayed due to staff shortages or time overruns on other projects	Audit has to stop because of resourcing/supply issues
4. Not utilising talent	Not asking opinion or ideas from auditees Not identifying members of audit team with previous experience of similar audits Not using resources provided by lean and audit institutes and similar organisations	Not fully using the skills, talents and knowledge of staff and other business partners
5. Transportation	Inadequate storage/referencing of working papers Not using video conferencing or similar media rather than visiting all locations	Waste causing by having to move, or handle, components or work packages between stages
6. Inventory excess	Inability to recover audit findings to enable efficient follow-up	Excessive storing of components or finished product
7. Motion waste	Inadequate audit planning leading to too many repeat visits	Unnecessary physical movement
8. Excess processing	Too many review steps before report is issued or findings revealed so that action can be taken	Steps that are duplicated or otherwise unnecessary to achieve customer value

Creating flow of the audit and output by eliminating waste

There are two aspects of flow to consider for the audit:

1. The planning and organisation of the audit to ensure that it is conducted with minimum waste.

2. The forming of recommendations and reporting in a way that will ensure points are easily understood and accepted by the auditee.

I once arrived to conduct an annual audit I had conducted for the previous three years. I telephoned in advance to agree the details, but when I arrived at the location I found an empty field – the offices had been re-located (luckily only three miles away). On another audit I arrived on the agreed date to find that the client was not ready – I had the team on site but it was a week before they were able to provide some of the data we needed and had asked for. When conducting an audit of lean, it is even more important to ensure that proper planning has been conducted, including:

• Agreement of scope and objectives with key stakeholders.

• Risks being clearly identified – both for the subject of the review and the audit itself.

• Briefing information for the audit team (including site arrangements, culture and nature of the project and any sensitive issues).

• Informing auditees of timing of visit, ideally with interview schedulers and list of documents required.

• Agreeing logistic arrangements (including access to offices, parking, desk space, e-connectivity, etc.).

• Arrangements for agreeing factual accuracy and presenting findings (e.g. show and tell sessions).

Evidence to support findings is vital, to use an analogy:

‘If the moment has come to tell people their baby is ugly, do yourself a favour and make sure you have the evidence to back it up.’

Peter Voser: What does a CFO expect from Internal Audit?

The reporting of findings should also be aligned to lean. A 500-page report with over 50 recommendations is unlikely to provide what the auditee needs. Instead, the report should be concise and aligned with the lean objectives and approach of the organisation, in particular:

• Reduce waste verbiage – make the report easy to read and review.

• Provide clear recommendations, backed up by evidence.

• Provide positive as well as negative feedback so that best practice can be shared across the organisation.

• Be consistent with the organisation’s ethos and lean approach – including stating benefits of any recommendations to the customer.

• Have clearly assigned and agreed actions – remember if the auditee has a better recommendation than yours that will meet all of the objectives, this is to be preferred, as it will ensure buy in and action.

Key tests for any lean audit recommendations should include:

• Will this add customer value or just waste?

• Have I reached the root cause of this issue?

• Have I considered all related implications?

• Can it be implemented effectively or is there a simpler way of achieving the same objective?

Responding to auditee (customer) pull

First we need to consider who the ‘customer’ of the audit is. This could include the auditee, other stakeholders, management and indeed the end customer. Most of them would probably prefer that the audit was not taking place – they see it as waste rather than adding any customer value. So the auditor needs to demonstrate the purpose and reason for the audit – and allow some flexibility so that the audit is not seen merely as an unwanted imposition. This may require time to explain the reasons and background for the review and to remove any pre-conceptions about the audit bad guys and gals. There may also need to be some flexibility to include additional areas important to the auditee, as long as these do not conflict with the overall objectives of the review. I found this an extremely useful approach, especially where auditees were willing to be quoted as the source of findings or suggestions in the report.

Reporting is one of the most contentious areas. Where the auditor needs to deliver bad news which could be detrimental to the auditee, it needs to be done on the basis of factual evidence based on metrics and data that are auditable (i.e. from stated sources, where the same finding and conclusion would be obtained by another auditor of similar competence). I remember one auditee who would always say that our team’s draft report was full of ‘factual inaccuracies’. Rather than argue with this assertion, I would work through the report with him, providing evidence to support the findings. I was also prepared to make changes to the tone and wording of the report where the underlying meaning remained – this usually made the report more acceptable to him and I normally got very good feedback at the end of the review, whilst not compromising the integrity of the report and its findings and recommendations.

One useful technique is to conduct a very short before and after review of the customers’ expectations, including:

• Previous experiences and what could be done to improve this next time.

• Whether the audit is seen as adding management and customer value.

• Understanding the role of the auditors.

• Fit with the culture and expectations of the area under review.

• Technical competence and understanding of lean approach.

• Friendliness and approach of the team.

• Value in terms of:

   Risk advice

   Controls advice

   Compliance advice

   Added value.

Pursuing audit perfection

Perfection is certainly a goal that we should be aiming for from our audits. This will require constant learning and modification based on feedback from stakeholders and tweaking of the audit approach. For example, we need to avoid confirmation bias. We all have a preference to reports that confirm our own beliefs or preconceptions. If I write a report that praises management for their achievements, it will be well received by stakeholders and I will likely get good feedback. However, that does not make the work high quality – within a few months there could be a project failure due to risks that I have failed to report on. Without care the same bias can be applied to the whole of the audit process, impacting how we plan audits, conduct interviews and gather evidence. Hence perfection cannot be measured purely on the basis of feedback.

I once wrote a single recommendation about the need for a disaster recovery plan at a client. For this particular client there were a number of specific risks that made this a very high significance recommendation. They wrote a plan and the following year I reviewed it. I now had six recommendations relating to the disaster recovery plan! The client thought that this was unfair. But in pursuit of perfection I had to raise the new points.

Summary

By ensuring that we apply lean principles in the conduct of our own review, we will show empathy with the customer and the lean approach they are taking. This will enable a more effective audit – where in the spirit of lean it is seen as a collaboration rather than something to be feared.

An excellent source of further information on lean auditing is provided in the book of the same name by James C Paterson.

_________________________

³ Source https://na.theiia.org/about-ia/PublicDocuments/Internal_Auditing-Adding_Value_Across_the_Board.pdf