The recent evolution of the Three Lines model underscores the idea that internal audit must work to create and protect business value. This requires strategic thinking, especially in this rapidly changing business environment. Whilst change is a factor in every business, some organizations may be going through profound transformation, implying a major exposure to change risks.
When this happens, the ability of management to properly govern the risks associated with rapid change can be a discriminating factor for the success or even the survival of the organization. In such situations, internal audit has a unique opportunity to create value by assessing how management governs such transformation.
We recently spoke to members of the internal audit team at Rome, Italy-based Telepass, a digital mobility company providing electronic toll collection, mobility services payment solutions, and insurance, to discuss how the team has designed its approach to auditing change governance. We spoke to Michele Variale, chief audit executive at Telepass, as well as senior auditors Michela Michini and Antonio Za. The following is a synopsis of our conversation on how internal audit can provide real value to the organization by focusing its audit lens on change management.
Do internal audit functions have a line of sight into the business allowing them to assess change governance?
Generally speaking, internal audit is in a unique position to observe and provide insight and foresight on a company. The matter is if internal audit is considered as a credible partner to opine on matters like change governance, which is not typically in most audit plans. So, it depends on the culture of organization and the visibility and trust that internal audit has been able to develop with directors and management.
When should internal audit plan for a change governance audit?
In those business environments where the achievement of shorter- and longer-term objectives are linked to management’s ability to transform the business, we should observe that the change risk factor is pervasive across a large portion of the audit universe. Hence, internal audit stakeholders might see value in a thematic review of management’s ability to govern change and the adequacy and effectiveness of change risk management. Additionally, a change governance review can provide insights of important business elements such as resistance to change and business culture, which are pivotal in transformation programs. Having said that, never tackle a change governance audit without the full support of management and the board.
Why is management and board support so essential to the success of an audit of change governance?
Gaining sponsorship from management and the board allows internal audit to overcome any scepticism that may surround change governance audits, considering that there is not a consolidated approach and not a lot of guidance available on how to conduct such audits. To achieve support and correctly set expectations, early involvement of management and the board plays an important role. They should be involved in the pre-planning phase of the audit, that ideally should foresee a preliminary involvement of the risk committee in scope setting, seeking feedback on the audit approach to be adopted, and understanding where management and the board see value in an internal audit assessment of change governance.
Next, what tactics should internal audit take to approach a change governance audit?
First, organizations change over time. So, a change governance audit should assess business evolution over a longer period than a typical audit. We have seen benefits in structuring our change governance audit as a multi-year engagement, divided in parts to fit periodic audit plans, allowing an assessment of the evolution of what we like to call “change enablers.”
What is the link between change governance and change enablers?
We have considered change as a business result of decisions and activities on key processes we have defined as “change enablers.” To us, auditing change governance implies assessing those processes facilitating or enabling change. At Telepass, auditing change governance means reviewing change-related aspects of corporate governance, ERM, people management, innovation management, data governance, and a few other change enablers we have derived by focusing on the company’s strategic plan.
What is the starting point of a change governance audit?
The starting point is gaining a profound understanding of business strategy, to ensure auditors and management share knowledge and relevance of key change initiatives in the pipeline. Moreover, it is essential to share with management a common taxonomy and vision of engagement objectives to avoid misunderstandings later in the process.
Definitions are critical: we have found common ground with management in defining “change” as the set of activities required to transform the “as-is” firm in the “to-be” firm, designed in the strategic plan. Consequently, we have agreed upon a definition of “change governance” as the identification, adoption, and application of models, processes, competencies, and principles required to manage change in the expected direction and gain reasonable assurance of achieving those objectives in the expected shapes, manners, and timelines.
I agree, definitions are important, but how do you measure adequacy of change enablers?
Change enablers do not develop overnight, rather they gain maturity as the business evolves. That’s why we also agreed upon maturity scales to properly evaluate progress in maturity of elements in every change enabler. In short, be cautious in undergoing a change governance audit without properly agreeing with management upon definitions, evaluation strategy, and change objectives.
What benefits have you experienced as a result of your change governance audits?
Mainly three: First, having internal audit involved in understanding how management governs change allowed us to provide management with a living example of how internal audit can contribute to value creation, going beyond value protection. Second, we have seen the audit team step up its effectiveness, measuring itself against a new way of approaching audits and fostering a holistic view of the business that every auditor in the team can embrace. Finally, we have seen a consolidation in internal audit’s credibility with management and the board and its committees, since directors were able to see that internal audit is also able to observe and comment on matters impacting the company’s strategy and governance.
Thanks so much for sharing these important insights.
We appreciate the opportunity very much and hope it will help other internal audit functions to consider looking more closely at change governance in their organizations. 
Michele Variale is chief audit executive at Rome, Italy-based Telepass. Michela Michini and Antonio Za are senior auditors at Telepass.