ISACA Journal Author Blog

When It Comes to Changing IA, Do Not Let Perfection Be the Enemy of the Good Enough

Bob Kress
Published: 2/8/2016 3:09 PM

I compare notes with internal audit (IA) colleagues in other companies from time to time, and whenever the topic turns to adapting the internal audit function to the digital era, I hear a consistent theme: “This is such a big challenge. Where do we even begin?”

The fear of getting started is understandable. Transformation is a significant challenge. There are a lot of moving parts, and they are all in motion at the same time. IA professionals who are used to predictability, precision and process are naturally going to be a bit unnerved by a change effort that can, at times, appear to be messy and even chaotic. The good news is that if you have the courage not just to get your feet wet but to dive in, you will discover that the water is fine.

Our experience in transforming the internal audit function at Accenture shows that you do not need to have all of the answers to begin asking some illuminating questions. Certainly everyone wants to do as good a job as possible, but when it comes to change on this scale, there is nothing wrong with learning as you go.

Take analytics in the internal audit function as one example. No one says you have to be an advanced user of analytics to begin benefitting from its power. You will learn more and grow more sophisticated in your use of analytics tools by actually applying them to current IA tasks rather than by studying them in the abstract.

Advisory services is another good example. Many IA organizations are used to providing retrospective audits only. While retrospective audits are important and a critical foundation for IA functions, there is a real opportunity to add value for the business by providing advisory services around risk identification, controls and mitigation as new products, services or business functions are being created. This helps prevent problems, and the business will appreciate the value IA can add. Do not try to follow all the rigor typically built into the audit process. Remember, the focus is on value-add, so tailor the advisory services approach accordingly.

Having encouraged everyone to dive in, there are certain high-value decisions where you will want to take your time and consider your options before taking the plunge. Consider the question of which enterprise governance, risk and compliance (eGRC) platform you decide to use. The process, change management and technology investment will be sizable, and once you begin using the solution, it will not be easy to change course. In these instances, you will want to exercise prudent caution.

But generally speaking, we have found that it is better to get started, make some initial progress, and then make things better over time rather than waiting for every principle and process to be perfect before implementing IA changes.

Read Bob Kress’ recent Journal article:
“Transforming the IT Audit Function—Taking the Digital Journey,” ISACA Journal, volume 1, 2016.


Re: When It Comes to Changing IA, Do Not Let Perfection Be the Enemy of the Good Enough

Interesting read. I do appreciate and advocate for the need or importance of IA to conduct value-adding advisory services. After all, prevention is better than cure. However, it's important that when such is mentioned, it takes into consideration the safeguards that need to be implemented such that when conducting the Post Implementation review, when the client asks "where was the auditor" or comments that "IA was part of this project from inception", IA will have a good answer.
Bevan at 2/12/2016 3:07 AM

IA success

Getting started is important. Just take one more step. Beauty is in the eye of the beholder they say. Here this means the beauty of audit does not exist on its own but it is created by the auditees. The activity of the individual, team or the organization (auditee) to prevent recurrence is equally important for the audit success. IA with the focus of adding value to business is always a win-win. Very nice article.
Jayakumar Sundaram at 2/13/2016 11:51 PM