In my last article I looked at the reasons why change is an important part of a successful internal audit function and how important it is for an organisation to be absolutely clear about why they are implementing change in the first place. In my opinion, this vital first step is the foundation on which everything else is built.
So, once that has been considered, discussed, agreed – what’s the next logical stage? How do you actually go about making it happen? Drawing on many years of experience in the area of internal audit and risk management, I’d like to offer my perspective on some key steps to take when effecting change successfully within an internal audit function.
Of course, there is no one size fits all solution – each organisation has its own specific identity, direction, needs and opportunities. However, there are some guiding principles which, if applied to change management, hugely increase the chance of success.
Sometimes called tone-at-the-top, this is all about ensuring that your Board not only backs any change programme, but that this support is visible to all involved. It’s also probably the one ingredient without which you can pretty much guarantee a change initiative in a big business will fail. And don’t forget the importance of good communication all the way to the top, so set the reporting lines clearly and as high as possible from the outset.
Well, which one? The particular challenge for an internal audit function is that we have a wide range of customers, many of whom may have differing, and sometimes conflicting, requirements. So, by all means meet with stakeholders, and consult with them on their requests and requirements. However, your first and most significant action is identifying your primary, secondary and tertiary customers. From there, ensure that expectations are being managed effectively. The process can be helped by learning about and understanding what has been tried in the past. This not only helps to raise awareness of any potential corporate “scar tissue”, but may also help identify what is likely to work well in the specific culture of your IA function.
The simpler the better. While assurance can be many things, it can’t be everything, so it’s important to decide what position the function will occupy. In the internal audit function in Royal Mail, we set out to be the pre-eminent risk and assurance function in our industry worldwide, and build our strategy around that.
Just as important as identifying what you are trying to achieve is knowing whether it’s working. Test this by asking the team, from senior to junior, to give a simple and accurate summary of where the organisation is headed. You’ll soon know if you have shared your goals effectively. My advice is to communicate until you reach the point where you think you may be overdoing it – then communicate some more!
There’s also a lot of good IIA guidance available, so use it to help shape your plans; and remember the basics of good general project management, from planning to identifying milestones.
Change is an emotive process and inevitably both your resilience and patience will be tested when driving any major change programme. When we interview for Royal Mail internal audit, we specifically test for resilience in prospective candidates. So, think about how you can keep resilience levels high – both for you and within the function.
One effective way is introducing the idea of quick wins. Create momentum by sharing your view of what you want to achieve in 30 days, in 60 days, in 100 days as part of the bigger picture. Help everyone to maintain perspective – and a sense of humour. Look for things to celebrate, and celebrate them well together.
The bad news is that it’s not enough just to have a clever strategy for the transformation of internal audit within a large organisation, no matter how well executed. As a profession, internal audit, probably more than any other, requires a clear understanding of where similar assurance activity happens within the business. Sometimes thought of in the context of ‘three lines of defence’, the reality is somewhat broader. So, as we evolve the IA role, how does that impact the totality of assurance that the Board is getting? Is there a new way of meeting a Board requirement? Is a need not currently being met? Is there a more efficient way of providing the required level of overall assurance? These are all questions that need to be considered and addressed.
Change management may be an area of IA expertise, but that doesn’t mean we should be complacent about its implementation within internal audit functions.
It’s worth taking time to think through the issues raised here, and any others that you may feel relevant to your organisation. After all, if done right, the process could transform your organisation.
In part (iii) I will share my view of what a changed and high-performing internal audit function could actually look like. How will it compare to yours?