Following on from my attendance at an audit conference last week (you can tell it enthused me) I watched a great presentation on lean methodology. Earlier this year I went on a lean auditing course (again a good investment of my time). Now I am not uncritical of lean process methodology. It was born within, and to some extent still better fits, manufacturing, commodity and operational process tasks. As avid readers of this blog (if there are any!) would know, I feel internal audit is almost diametrically opposed to this process orientation, it is a thinking, bespoke and qualitative task, not subject to automation and systematisation. My other key concern is the often two-dimensional manner in which the ‘customer’ is considered in the process. In particular the customer is regarded monolithic and homogenous, not heterogenous and, often, with contradictory views.
There is, however, lots of benefit in stepping back and cold reviewing any process. Even the process of documenting it can be cathartic in itself. The idea of looking at stakeholders and considering, explicitly, what they want, even if it is contradictory or challenging is important. This task is more important in my view to identify what not to do rather than what to do. Audit processes in my view contain far too much to do, not too little.
So one key area is the area of reporting. Report-writing takes hours, it is a complex and subtle craft and writing a nuanced argument is difficult and challenging. So then thinking about what bits of a report add value (to all stakeholders) and what ones don’t is important.
The other interesting element for me from lean auditing was its natural pre-disposition to ‘de-layer’ or ‘de-clutter’ processes. Yet internal audit has the opposite tendency (particularly when done badly) to add controls and processes. Now the right answer should be to do both proportionate to the risk management level required for the risk appetite. So why not embed or link lean teams with internal audit teams? One to review from an add perspective, another from a delayer perspective. Better still, why not train auditors in lean process review and do both a controls audit and lean audit at once?
So whilst I am not yet prepared to fully sign up and worship the cult of lean just yet, I am seriously considering how I can use and embed some elements of it within my audit process.