5. Transformation and Change Assurance (▼2) has been saved
5. Transformation and Change Assurance (▼2)
2021 Hot Topics for IT Internal Audit in Financial Services
Why is it important?
The crisis has elevated the need for strategic change and transformation up the board agenda to enable organisations adapt, survive and thrive in a changed environment. It has also dramatically disrupted how change is delivered within organisations and the way change teams now operate. With remote delivery having been forced on change teams they have had to adapt and transform their approach to ensure they were still able to effectively deliver change whilst minimising its impact on the delivery plan.
In this new landscape there is an increased need to deliver change at pace in order to adapt and keep up with the realities of a rapidly evolving macro environment. This, in turn, has driven (or accelerated) the adoption of new delivery methodologies and techniques e.g. Agile, in order to deliver at speed whilst adapting to frequent changes to requirements due to unforeseeable external factors.
In many cases, this has compounded the burden on the change teams as they adapt their ability to deliver programmes remotely, in an environment of frequent flux and often moving requirements. They are having to transition to new alternative methods of delivery, are training individuals and recruiting SMEs, whilst grappling with the challenge of how to maximise the full potential of these delivery approaches when having to deliver change using remote teams.
What should Internal Audit be doing?
With this fundamental shift in the approach to delivering change, it is important for Internal Audit to focus on the organisation’s portfolio of change to ensure that the ability for organisations to meet their regulatory requirements or organisational strategic objectives has not been materially impacted. There are some key areas that we recommend Internal Audit should focus on:
- Continuous assurance: Establishing a continuous oversight and assurance approach that follows the change portfolio’s lifecycle and helps to ensure, for example that programmes are appropriately resourced, have the right controls in place to achieve time, cost and quality objectives. As the assurance plan develops, the overall portfolio governance arrangements should be continually monitored for changes and potential delivery ‘fatigue’.
- Leverage other assurance functions: Leveraging the relevant governance and assurance functions to review specific aspects of the project or programme at the right time can provide early visibility of risks and drive timely action before issues materialise. This can be achieved through the use of second line for ongoing oversight, challenge and support, especially in regard to risk around the change methodology and factoring its impact on the wider portfolio of change. Close collaboration between all lines of defence around the delivery of change assurance is critical to provide the optimal levels of assurance most efficiently across the change portfolio.
- Portfolio level assessments: The function should also look beyond individual transformation activity and ensure their work also covers the overall portfolio management practices; the role of the board and executives in terms of portfolio oversight against strategic transformation objectives; the realisation of benefits across the wider portfolio; and whether individual programmes add value against the overall portfolio.
- Agile reporting: The ability to provide near real time visibility of risks and flag concerns before issues materialise will be key to help drive successful delivery and added-value assurance, meaning a traditional “after the fact” audit will no longer suffice.
- Skills and training: Internal Audit teams need to be alert to any changes to delivery approaches by change teams, for example a shift away from waterfall delivery to Agile or DevOps delivery approaches, and plan to have the necessary skills and capabilities in place to be able to adequately provide oversight and assurance on these programmes.