The Tuckman Model of Group Development says that it takes time, effort, and pain to align and be productive as a combined function or team. The alignment process evolves from simply bringing similar groups, functions or processes together (forming); to determining the best approach moving forward (storming); to aligning (norming), and ultimately becoming efficient (performing).
The continuum of aligning Internal Audit (IA) with Governance, Risk and Compliance (GRC) functions follows the same steps, and I've added some challenges that span the four stages – Visibility, Efficiency, Accountability and Collaboration. Before they turn into benefits, these areas start out as growing pains during the alignment process.
Emerging Visibility – IA or GRC groups begin to identify other oversight functions performing similar activities, yet with different and sometimes competing priorities. The initial reaction is to protect the empire rather than align with these groups. It's all new to everyone, and to further complicate matters, political, geographic, or financial (e.g., funding) factors stand in the way of alignment.
Inefficiency – With increased visibility into these multiple oversight groups comes the realization that duplication exists. Duplicate resources, duplicate processes and misaligned objectives all add up to inefficiency. In some cases these groups may even be working against each other, not intentionally, but as these factors come to light the redundancies and inefficiencies become exposed.
Lacking Accountability – Close behind the visibility of these separate GRC functions comes an analysis of their objectives. Looking at the whole often reveals gaps, areas no group is focused on: particular risk categories, control exposures, geographies, or process areas. The question then becomes which group should address those gaps.
Lack of Collaboration – The questions quickly become, "why aren't these groups working together?" and "how much time, resources and money have we been wasting doing the same things?" This lack of collaboration also exposes further gaps and missing accountability.
One of the first questions for IA is whether they should align with these other GRC groups, and how. Further, how closely (if at all) should they align their approaches, thresholds, and decision criteria with others? As an example, IA conducts its annual audit universe risk assessment (AURA) by identifying potential auditable entities, assessing their criticality, and determining which entities warrant audit engagements. Other groups, such as Enterprise Risk Management (ERM), also perform risk assessments that drive activities such as risk evaluation, gap identification and remediation plans. It stands to reason that IA and ERM should align at least some part of their assessment approaches so that risks are evaluated under the same lens and the two groups can leverage each other's results.
Other intersections exist where IA could leverage other groups' work and vice versa. Automated tools can help in this process: approaches can be applied more consistently, and results, along with supporting documentation, are more visible and accessible. Multiple groups can access and leverage the same information, and alignment is more readily achieved. Another factor in this dilemma is the choice of tools and how to align them across these groups. If a common technology solution is used, IA must weigh the benefits of sharing information against the need to limit access to areas such as privileged and confidential audit projects.
In my next blog in this series, I'll talk about striking the right balance and moving forward!