Strawman Best Practice IIA Change Forum June 2017 Auditing Change Strawman Best Practice IIA Change Forum June 2017

IIA Guidance on Auditing Change The IIA Change Forum has developed this guide identifying a number of basic standards when auditing change and incorporating elements of best practice. This has been developed by professionals leading change portfolios in IA functions and is drawn from insights and a review of change audit strategies across participating organisations. The volume of Change introduced by organisations is increasing and is often high risk. Internal Audit needs to consider how this is reflected and incorporated into the Audit Universe and plans while taking account of the strategic outcomes and business objectives that it is trying to deliver. Although Internal Audit may be invited to review programmes, the Internal Audit planning process needs to understand the scale, volume, complexity of business Change and approach, including agile and waterfall, to ensure that audit coverage is provided where appropriate. The lifecycle of the programme will also vary what might be relevant to consider as part of audit engagements. This note provides guidance on the common practices identified and includes the following: Identifying and understanding the business change planned for an organisation Risk assessing programmes and identifying audit engagements Audit engagement types and approaches to auditing change Internal Audit Reporting in relation to Change We suggest that this is reviewed and considered in addition to the existing publications and resources available through the IIA.

1. Identify and understand the business change planned for the organisation A change audit plan will be a key element of the overall internal audit plan. Due to the nature of programme delivery, the audit plan for change needs to be aligned to the organisation’s business priorities, flexible and able to respond to change quickly. The timescales for audit delivery will need to align to the delivery timescales of the key programmes under review. Title Description Best Practice Intelligence gathered from stakeholders This is to support audit’s understanding of the overall change agenda for the organisation, areas of key risk within it and progress of individual programmes. Do Hold regular meetings with change stakeholders including business sponsors of key programmes and SME’s receiving the change, senior management responsible for Portfolio/Change delivery and Technology. Regularly review Audit and Risk Committee Board Packs for change related content and risks. Regularly review change portfolio level reporting/MI and minutes of change forums to understand progress, programme initiation, levels of investment, changes to the plan and risk and control environment of the business unit receiving the change. Consider Internal Audit attendance at change portfolio level meetings including oversight and approval boards. Cross Audit Team Intelligence sharing Share and leverage information gathered across change and business aligned Internal Audit resources with visibility of planned business change up to and including Audit Director level. Incorporate output from previous audit reports, co-source and external assurance if appropriate. Incorporate perspective on business change / assurance outcomes over business units receiving the change from across Internal Audit as part of Change Audit planning. Use the information gathered through stakeholder management with the business and previous audit reports. Strategic objectives and priority Identify and understand the business driver and organisational priority for the programme as part of the broader business strategy. Portfolios or programmes within them are often identified as regulatory, mandatory or discretionary. This may be based on the strategic or business plan importance of the programme or driven by regulatory or legislative requirements. Understand the rationale and strategic importance of the programmes considered as part of annual planning within the organisation. This should include a view of emerging and planned regulatory change.

1. Identify and understand the business change planned for the organisation Title Description Best Practice Lines of Defence (LoD), Regulator, external assurance , co-source arrangements & Third Party engagement Understand the priorities and focus areas for other lines of defence, Regulators, external assurance providers , co-source arrangements and other third party engaged on programmes. Do Schedule regular updates with LoD, third parties, and external assurance if appropriate to understand their engagement and perspective on key risks and progress of the programme. Ensure the Regulators perspective is considered if engaged. Dynamic Review of the change audit plan Programme delivery timescales can frequently change at short notice. Internal Audit need to be able to respond to this and ensure the audit plan is aligned to look at the high risks elements of the programme at the right time. Revisit the change audit plan on a regular basis to ensure that it remains aligned to programme delivery and is focused on the key risks. Audits can be added, postponed or removed from the plan as required.

2. Risk assess programmes and identify audit engagements Programmes should be risk assessed by internal audit to identify the key programmes for inclusion in the audit plan and a toolkit to conduct this can be developed. Risk assessments conducted by management can be used as an input to this process if they have been prepared and are available. The scoring basis will vary across organisations but an approach to identifying High, Medium and Lower risk programmes should be defined. Risk assessments should be reviewed regularly to ensure Internal Audit continues to be focused on high risk change and can adapt the plan if required. Change Portfolio Perform Risk Assessment Prioritise Results (H/M/L) Update Audit Plan Risk Assessment Areas -Complexity -Benefit -Cost -Business/Process Impact -Customer Impact -Regulatory/Strategic -Organisational Capacity

2. Risk assess programmes and identify audit engagements The following areas can be considered when risk assessing programmes: Title Description Best Practice Regulatory / Strategic priority The regulatory, legislative or strategic priority of the programme can impact the risk assessment based on the impact on the organisation if it does not deliver within the required timelines. Do Incorporate the regulatory or strategic impact of the change into the risk assessment. Customer Impact The customer impact of a programme can be considered in relation to the scale of the change visible to the customer and also the potential impact on the customer if the programme fails to deliver as anticipated. Conduct risk is also considered within this. Incorporate the impact of the change on the customer into the risk assessment. Complexity The complexity of a programme increases the risk associated with successful delivery and implementation in the business. There are different elements to consider when assessing the complexity of a programme. For example, size, scale, IT, customisation etc. Assess the complexity of individual programmes taking in to account the size, scale, level of IT change, extent of customisation, third party engagement etc. Benefits The benefits to be delivered by a programme and the strategic importance of the benefits will be a key driver for initiating a programme. Incorporate the level of benefits (financial, non-financial and key business outcomes) anticipated to be delivered by the programme into the risk assessment or the impact of failure to deliver. Cost The costs involved in delivering a programme are a useful indicator in assessing the size and scale of a programme. Incorporate the costs required to deliver the programme into the risk assessment and assess whether the on-going costs to support the deliverables post-implementation (e.g. maintenance/recurring costs) have been considered. Impact on Operational Functions The extent of the process, business or people change delivered will impact the risk profile of the programme. The risk profile of the business can also change where anticipated programme changes are not delivered, manual workarounds are introduced or enhanced controls are delivered as part of a revised operating model. Incorporate the scale of the process or business change into the risk assessment of the programme and the impact on the business unit risk profiles and controls, where known. Organisational capability and capacity The organisational capability and capacity to deliver change extends across business as usual ability to absorb the change as well as ability of programme resources to deliver it. Consider the level of change underway and the organisational capability to deliver and absorb additional work.

3. Audit engagement and approach to auditing Change Audit engagement in change programmes can take different forms depending on the scale and extent of the change and associated risk. Three of the key risk types considered by an audit engagement include strategic risk, deliverability risk and operability post implementation risk. All audit engagements should focus on the achievement of the intended business outcomes and consider the link to overall business strategy. They also need to consider the delivery approach adopted by the change initiative i.e. agile or waterfall. Audit engagement can include change initiative reviews, continuous monitoring and change process/thematic review. Programme A Thema t i c Continuous Monitoring Audit 1 Audit 2 Programme B Key Audit Activity Programme Activity

3. Audit engagement and approach to auditing Change Audit engagement can include the following: Title Description Best Practice Change Initiative Audits There are several approaches to auditing a programme that may be suitable depending on the stage it is at. Governance reviews focusing on the design and operation of programme level controls. E.g. oversight structure (including Steering Committees), MI & reporting, Planning, RAID Management. Stage Gate reviews as the programme moves from one stage into another and focused on key deliverables at that stage e.g. initiation into delivery. Targeted Reviews/Deep dives can be executed at different stages of the programme lifecycle and focused on a particular area of risk e.g. Testing. Post implementation reviews conducted at the end of a phase or implementation. Do Identify the key programmes that will deliver the strategic objectives for the organisation and agree the level of audit coverage to be provided. This should also identify any key programmes where audit is not planning to engage. Understand the key stages and timescales for the programme delivery and develop an engagement model for the programme focused on the areas of highest risk and key controls. Assess the delivery risk associated with the programme on a regular basis. Assess the business outcomes planned for the programme and business engagement. Assess the continued alignment of the programme to the organisation’s strategy and confirm it remains relevant e.g. it has taken account of any changes in the business or market since commencement. Develop a test plan toolkit focused on programme level risks and controls which can be reused. Continuous Monitoring Internal audit can have on-going engagement with a programme throughout the lifecycle. The programme audits in this case are complemented by on-going monitoring of the programme. This can be used to inform Board Reporting, assess the operation of programme oversight, risk assessment or audit planning for future phases. Examples include attendance at key forums including Steering Committees. Define Internal Audit’s role when attending key forums. Consider how Internal Audit independence will be maintained and clarify that the Internal Audit role is non decision making when attending the forums. Consider Defining a continuous monitoring strategy for key programmes to clarify audit engagement and outline reporting to be produced from this work. Define an approach to raise issues identified during continuous monitoring with management and ensure they are addressed. Change Process / Thematic Reviews There are a number of processes defined to support the delivery of change across an organisation and these should be considered within the audit plan. Process reviews can be conducted on a thematic basis over a sample of projects to assess the controls in place. E.g. Business case approval, benefits management or Governance and Steering Committee effectiveness. Include key change processes within the audit universe and review as appropriate.

4. Internal Audit Reporting Audit engagement in change programmes can take different forms depending on the scale and extent of the change and associated risk. These can include the following: Title Description Best Practice Final Reports Final report produced following the completion of an audit engagement and which contains the findings identified through the work. Do Develop templates for audit reporting. Real time updates throughout audit engagements Change programmes are delivery focused and need to address issues in a timely manner to prevent further impact on the programme. Regular discussion with key stakeholders including programme managers and sponsors throughout an audit engagement on the emerging issues will support audit understanding, confirm factual accuracy and provide management with an opportunity to start to take action. Note: This does not impact the inclusion of the findings in the final report. Schedule regular meetings with key programme stakeholders including programme manager and sponsor to discuss emerging issues from reviews or continuous monitoring where applicable. Consider reporting to Steering / Oversight Committee during Continuous Monitoring period and audit engagements. Audit Committee Reporting Regular reporting produced for the Audit Committee providing an update on audit and programme progress. Include update on the outcome of the audit engagements for key change programmes Providing a perspective on key risks or issues emerging from Change delivery and opinion on overall ‘health’ of change delivery portfolio.