Examples of programmes include operating model redesign, business process re-engineering, automation, and the development of shared service capabilities. The pace and complexity of change introduces transition risk during the process of transformation, as well as the potential for enduring new risks.

Integrated and coordinated assurance

An integrated approach to risk management can make a real difference, ensuring programme objectives are achieved whilst maintaining an effective control environment. There should be an assurance map that identifies which functions and teams are responsible for oversight of which risks. In particular, most programmes of change fail because culture is not adequately considered.

• So, what role should internal audit have in supporting the delivery of transformation and cost reduction programmes?
• When and how should internal audit be engaged?
• Are there pointers to consider when embarking on a transformation or cost reduction programme?

Food for thought

In my experience, preparation and planning can make a significant difference. The stronger the relationships with the wider management team, the more likely internal audit will be invited to the table at the outset of the programme. Potential roles might be to:

• Become trusted business partners who provide insight into the risks of the programmes and provide proactive response and assurance mechanisms. This involves speaking the same language as the business, with the ability to adapt to the pace of the transformation.
• Challenge and help shape the response to strategic risks, looking around corners to help identify how the programme will impact the strategic direction of the business.
• Understand the stage of the transformation or cost reduction programme, and the risk nature, scale and velocity expected at each stage. The audit plan needs to emerge and evolve as the programme does.
• Track changes and how risks may mutate, with new risks may materialising as the organisation moves to ‘business as usual’. It is important also to consider the unintended consequences of the change – and recognise that this could be positive or negative.
• Create real time programme monitoring through the use of either Key Risk Indicators or the reporting of controls performance. This will help provide ongoing assurance to the transformation team that programme risks are being managed.
• Design controls as the process and solution are being developed and implemented, ensuring controls are relevant and operate in a timely manner and the business ‘hits the ground running’ when the transformation is complete.
• Evaluate and provide assurance around culture and behaviours, using the existing approach that internal audit should already have considered and providing objective evidence to support necessary interventions.
• Provide expertise in areas such as technological enhancements but know when to call upon deep experts. It is important to work with subject matter experts to understand the impact of technology on strategic objectives, and how audit programme delivery can become more impactful and effective.

Conclusion

Internal audit should provide the eyes and ears of management throughout a programme of change. When effective it should have a key role in influencing the development and response to risks across the organisation. By speaking the language of the business – and becoming trusted business partners – internal audit helps the business succeed in delivering their strategic objectives.