South Africa is in dire need of a culture of accountability and a governance mindset. The challenge is how to instill this and then maintain it.
When we set out to develop ALICE™, we only wanted to make our own lives easier, increase coverage and de-risk our organisation appropriately. But when implementing ALICE™, there were unintended, yet valuable consequences.
An overall improvement in the mindset to governance
When performing manual audits according to the audit plan, our auditees could prepare and ensure a ‘clean’ audit of their area. This was a temporary clean-up of the area, and controls would slip until the next audit cycle.
When we started to automate the audits and monitor the auditees on a more frequent basis, this temporary ‘clean-up’ for the audit became more burdensome than just performing the controls properly from the start. This led to the governance mindset shifting into a more permanent mindset and an overall improvement in management controls and oversight.
Introduction of appropriate frequency, key performance indicators (KPIs) and gamification assisted in driving a governance mindset
We introduced ALICE™ across the organisation continuously. This meant that audit findings were being raised on a continuous basis, which was overwhelming and remediation thereof was unmanageable. This meant that the audit findings were ignored because tackling it was daunting.
We had to identify a method to drive both adoption of ALICE™ and remediation of the audit findings. We lessened the frequency of continuous to scheduled audits – daily, weekly, monthly. This made remediation efforts manageable. To drive the adoption of ALICE™, we introduced KPIs based on the score produced by ALICE™.
The introduction of gamification of the scores aided in timely remediation. The combination of appropriate audit frequencies, KPIs and gamification resulted in addressing findings and an overall improvement in the governance mindset.
Enablement of management to view and remediate exceptions and the introduction of SLAs
With ALICE™, both management and internal audit had visibility of exceptions at the same time, and this led to conflict. Through this transparency, we inadvertently removed the time and the ability for management to provide comments or provide mitigating controls.
We had to rethink how we approach audit findings. Whilst both management and internal audit wanted the ‘real-time’ visibility, management did not want to be measured on real-time remediation of the audit findings. Consequently, we introduced the concept of service level agreements with management over audit findings. This allowed both management and internal audit the visibility into the audit findings on a real-time basis – but allowed management a reasonable time to remediate the audit findings.
These unintended consequences came about by practically implementing something that was never done before but has been truly beneficial in driving a culture of governance and accountability. Something that South Africa is in dire need of.
Quick wins for improving a governance mindset
- Create transparency by introducing a more continuous way of monitoring of which both management and assurance providers have visibility.
- Perform audits at an appropriate frequency depending on the maturity of the control environment.
- Introduce KPIs linked to the results of the continuous monitoring tool.
- Gamify the key performance indicators between departments/ entities to drive enhanced governance.
- Enable management to identify exceptions and remediate without the involvement of assurance providers.
- Introduce SLAs to allow management to remediate before reporting as findings.