Having historically relied on internal and external assurance providers, the French Ministry of Defence (MoD), much like other ministerial departments, was not familiar with internal audit (IA) until recently. A 2011 decree officially introduced the concept of IA into the French public administration. This required each ministry to comply with professional auditing standards and establish an audit committee as well as an IA service. An intergovernmental coordination committee was set up to harmonise consistent approaches and feedback channels. In the nine years since, IA in the MoD has advanced and shown its value, although the journey is far from over. The time is ripe to take a step back and draw some lessons from this experience.

Raising the sails with two main challenges

1. Limited audit culture: Independent and objective assessments of the MoD’s processes and operations are traditionally undertaken by Inspection Services, which cover numerous activities ranging from audit and evaluation to inspection and direct advisory work for top management. At times, their duties even extend to operational tasks. Internal audit is often limited to verification of financial and accounting processes, and;
2. An overcrowded assurance landscape: Being a complex and multi-layered organisation, the MoD tends to rely on different internal and external assurance providers, mainly independent inspection bodies, which poses challenges vis-à-vis coordination.

The combination of these features initially led to a stripped-back, minimal approach to IA focusing on compliance with standards, for fear that an ambitious reform would end up adding yet another layer of bureaucratic burden for operational services.

Moving forward, with the highs and the lows

The graphic below shows the aims and progression of IA in the MoD, and the challenges that accompanied them.

Main lessons learned: Find the right balance between ambition and pragmatism

Identify specific context

Establishing an IA function is no easy process. Understanding the environment, the rationale and the expectations of senior management are initial steps that should not be underestimated. First, reflecting on the context helps in identifying the best approach to take, and the objectives to set, for the introduction of IA. You should be pragmatic in your approach and ambitious in your objectives.

Identify key success factors

Seek top management buy-in for the long term

Top management support and buy-in are key to the introduction and long term development of an IA function, particularly in an environment where the audit culture and external compulsory incentive (e.g regulatory or financial) are low.  In this regard, the main setback for IA between 2015 and 2017 was the lack of commitment and buy-in at senior and top level management. In the end, we secured buy-in by:

• Focusing on IA governance: the early establishment of a small ministerial audit commmitee with non-executive members and external private sector senior experts chaired at the highest level proved effective not only in demonstrating initial management buy-in, but also in providing strategic guidance for the long term.
• Providing quick wins and tangible results in the short term. Our initial focus on coordination aimed at quickly responding to management’s fear that IA would add another layer in a crowded assurance environment.  It was also the opportunity for IA to take the lead in an area where expectations were high and legacy poor. In the short term, the assurance coordination work of IA started with basic information sharing to initiate the process and start getting results.
• In parallel, IA worked on the development of a proactive sharing and coordination tool with the MoD Business Intelligence service to ensure a more dynamic coordination in the longer term.  In another area, the development of the audit methodology started with a focus on recommendations and communication with auditees, where management expectations were high regarding IA in comparison to existing assurance activities, such as inspections or evaluations.

Clarify the objectives and goals of IA

Beyond compliance with standards, best practices or regulations, it is paramount to identify where the real added value of IA lies for the organisation. This of course may vary substantially depending on the context and the audit culture. In this process, we also identified non-negotiable objectives, such as the positioning of the IA service or the governance of the IA function (notably the composition and chairmanship of the audit committee) that were key to successful IA implementation.

Never give up communicating and educating

The majority of my time as Head of IA at the MoD, in the initial phases, has been dedicated to establishing and maintaining communication between all levels of management. Although this is partially due to the specific context of the MoD, the communication process is vital wherever you are. Communication and education aimed at convincing, clarifying and explaining what IA is about, and how it fits in the MoD assurance framework demonstrates the added value of IA. An MoD IA policy approved by the Minister early in the process was very helpful in this regard as it gave all stakeholders a general framework to work from.  

The exchanges were also an opportunity to listen to legitimate fears and expectations, and adapt project priorities accordingly. In this process, language has been important so as to avoid jargon and expert terminology, such as making reference to practical goals instead of standards. As of 2020, IA is a mainstay in the assurance landscape of the MoD, with strong leadership, enhanced coordination and a harmonised methodology.

Heading the MoD’s IA during this implementation period was a privilege. Facing multiple challenges, including cultural changes, forced me to not take the benefits of IA for granted and to seek what could be the tangible benefits of IA in the unique MoD environment.