Former IAPG member Michelle DeBella shares cycle time tips; simplify and don’t fear escalation. 
The longer it takes to complete an audit, the less impact it is likely to have, especially for new and rapidly growing companies, prompting internal audit’s struggle to reduce the audit cycle time.
Michelle DeBella addressed that issue at a recent IAPG meeting, borrowing from her experience running internal audit (IA) at Uber, and earlier for a long stint at Hewlett Packard Enterprise and HP Inc. (HP).
“We invest a lot of our time and talent in audits, and if we don’t get audit results in a timely fashion, their impact can be lost,” Ms. DeBella said. “Really dynamic companies don’t want audit results as a scorecard of what they did, but to show them what they can work on and where the risks lie. And they need that information in a timely fashion to put into their budget and planning processes.”
Shorter is better. Long audits can drain the audit team’s sense of engagement and excitement about what they’re doing and its focus, and they tend to be inefficient, wasting already limited resources, Ms. DeBella said. She then provided “process accelerator” tips on the “how” and “what” to audit. Changing how to audit is “low-hanging fruit,” she said, but also challenging because people are used to the existing approach.
Simplicity is key. At Uber, her team standardized the audit scoping and planning form, making it easy to fill out and as multipurpose as possible by minimizing the narrative and instead providing boxes to check and/or simple-text entry. She said she also supports standardizing and simplifying the audit report.
“I believe if you put word on paper, somebody must review it. So every additional word adds to cycle time,” Ms. DeBella said. She added that in a global company where English is not everyone’s first language, a highly narrative report can be difficult to understand or even produce, slowing the process and reducing the impact. Plus, fewer words mean fewer errors and less time-consuming wordsmithing by stakeholders.
“You can pursue audit reports that have the same look and feel, but you can make them relevant to stakeholders in very different areas: legal, technology, accounting, engineering, etc.,” she said.
At rapidly growing Uber, her team agreed to keep the audit report very simple: a one-page executive summary and one page of metrics to help convey the size and scale of the business. To avoid delays from an issue owner inquiring about an issue, detailed issue information and testing attributes were captured on a separate form. Simplifying the report template, she said, also reduces variability and the need for chief audit executive (CAE) review of the full report.
Ongoing remediation. Ms. DeBella added that her HP team sought to dispel the notion that remediation can only occur after the audit, sometimes resulting in a “gotcha” scenario whether intended or not. Instead, Ms. DeBella said, it is more efficient for IA to offer results as the audit progresses, enabling management to implement remediation plans along the way.
Rely on IA staff. Most participants in the IAPG meeting acknowledged reviewing every report, but that can slow the process. Ms. DeBella said that, based on risk, she removes herself from certain review cycles, such as reports for audits with few issues, and instead relies on her directors to put out quality reports.
Enforce SLAs. Tough service-level agreements (SLAs), handled politely, can also speed up the audit process. Ms. DeBella’s team first sets deadlines for themselves, requiring audit report drafts to be completed for manager review by specific dates. To drive accountability, late audit-report delivery is captured by a metric that also reveals who held up the process.
The IA team crafted a similar SLA for the business owners, giving them 48 hours before audit-report publication to comment, ask questions, and/or clarify incorrect text. Emphasizing factual correctness countered stakeholders’ attempts to wordsmith. “The more transparent we were upfront about SLA times and sticking to them, and explicit about what those 48 hours were for, the better it worked,” Ms. DeBella said, noting the importance of refreshing that message in a professional manner at the start and close of the audit.
Don’t fear escalation. “Teams don’t have to feel bad about asking, ‘Do you have any comments? We’re going to publish tomorrow’—that’s not a mean message,” Ms. DeBella said. She added that if management stubbornly misses deadlines, emphasizing that late-response metrics will be reported to the audit committee is an effective tactic. “At HP, we were highly focused on that statistic, and there was a concerted effort by management not to show up on that list,” Ms. DeBella said.
Support from above. Ms. DeBella said Meg Whitman, the HP CEO she served under, supported escalating issues in 24 hours and resolving them in 48. Resolving complex audit issues in that time may be rare, but a culture where timely issue resolution is expected creates the right kind of pressure to drive action. And if stakeholders argued that signoff from another department’s president was necessary, Ms. DeBella reminded them of the deadline and gave them options to pursue commitments from lower-level executives.
What to audit. Bringing representatives from each corporate function as well as management to the audit-planning table can also reduce cycle time by decreasing the likelihood of loose ends or the need to bolt on an overlooked element. Plus, it can help determine whether it makes sense to perform a lengthy big picture audit or deliver smaller pieces of information more rapidly. That is especially true for fast-growing companies, Ms. DeBella said, where immature processes under audit may change even before a major audit is completed. “Some of that [planning] will drive audit speed, too, because you don’t end up auditing things where change is already in progress or that don’t add value,” she said.
Audit intensity can vary. For example, Ms. DeBella said, her team found that self-assessments were more appropriate in low-risk countries or well-defined lower-risk processes. So internal audit may have three or four audit plans of different size and intensity that fit the different situations. “Some audits can be executed very fast, and the end-to-end audit can be saved for something that has a bigger pile of risks associated with it, or management wants a deeper view of,” Ms. DeBella said. “Not every audit has to look and feel the same.”
Good practice. In fact, smaller, tailored audits can benefit staff development, Ms. DeBella said, enabling the audit team to practice interview and documentation skills as well as sizing up risk and negotiating their findings with stakeholders. “There are so many benefits from those small and manageable projects,” Ms. DeBella said.