How to successfully launch an outcome and risk based internal audit service
Outcome and risk based internal audit is a novel approach to effective assurance being used by a number of private and public sector organisations to achieve the holy grail of assuring business success, writes Neville de Spretter.
Note: An outcome is defined as the result and benefit of achieving an objective, a desired future state – what an organisation wants to achieve. Outcomes are permanent, long-term and independent of organisational structure; objectives are temporary, short-term and specific to a particular organisational structure.
A CEO with whom I worked in the late 1990s frequently quoted ‘make certain to apply the “7 Ps” – proper planning and preparation prevents very poor performance’ in encouraging the business to deliver projects effectively. It has lodged in my mind ever since…!
In my role as an independent consultant I’m frequently asked to facilitate and lead on building, revitalising or modernising internal audit services. Over a number of years ACCA’s technical activities and advice, research and insights, together with the IIA’s standards and guidance, have effectively guided and supported the projects.
Recently I’ve been asked by boards and senior management to establish internal audit that is aligned with – and integral to – strategic and operational outcomes, is collaborative, pragmatic, and predictive in assuring outcome delivery. They want to know that outcome risk connectivity and interdependencies, both vertically and horizontally, at all levels, are understood, visible and transparent, and that the risks are being robustly managed. They want internal audit that is forward looking, solutions based, agile, adaptive, enabling and commercially focused.
It means an internal audit focus on outcomes (and their measures and targets), risk and controls, in contrast to the conventional, retrospective approach focused on internal control and binary reporting. Accordingly, once outcomes are clarified, mapped, measured and targeted, I’ve been working with organisations to identify the risk to each outcome, aligning risks with outcomes, and giving clarity and transparency to the activities that manage and mitigate each risk – and thereby establishing the audit universe.
Assurance is then provided in a non-adversarial, business-enabling way: either the activities are effective in managing or mitigating each risk to a level of residual risk that’s acceptable to the business, or they’re not. If they’re not, it is relatively simple to facilitate the actions needed to do so, or directors can agree to leave the level of risk where it is, and this is visible to all stakeholders. It provides a clear and holistic picture of what’s important to the organisation with the benefits of:
- Integration – everything the organisation needs to do and employ to deliver its required outcomes is linked at all levels across the whole value chain from customers through staff to suppliers.
- Predictability – the probability of the required outcomes being delivered is objectively forecast, enabling risk mitigation, and providing assurance that outcomes remain on target to be delivered.
- Transparency – any stakeholder is able to see what the business intends to employ, do and deliver, and the progress being made and expected.
So, while keeping in mind the ‘7 Ps’, the following summarises how planning for successful implementation has been approached, utilising ACCA’s and the IIA’s guidance.
Neville de Spretter FCCA
Neville is a member of ACCA UK’s Internal Audit Network Panel, an independent specialist in governance, risk management and control, principal at AdLibero2 Ltd, an associate of Perendie, a non-executive director of StyleSeeker Ltd, a steering committee member for the CRSA Forum, and a committee and drafting panel member for the British Standards Institution.
Outcome and risk based internal audit has been, and continues to be, implemented in both private and public sector organisations, in the UK and overseas.