Skip Ribbon Commands
Skip to main content

8 Steps to Becoming an Agile Internal Audit Shop

20/02/2020


Business environments have never been as dynamic as they are today, between unpredictable markets, macro-economic changes due to geopolitical uncertainty, disruptive technologies and an ever-changing regulatory landscape. To keep up with shifting risk scenarios, internal auditors know they need to be nimble and responsive to continue to drive value for their organizations. That’s where agile auditing comes in.

Internal auditors work to identify, assess and respond to risk, those presenting opportunities and those which could be detrimental to the health of the organization. The agile audit process keeps your finger on the pulse of your organization so you can adapt quickly to change. It is iterative, allowing you to revisit your audit plan and reprioritize due to changes in current risks or the emergence of new risks, as a continual process for selecting internal audits.

However, while the concept of agile audit is not new, it’s often seen as an all or nothing approach and too disruptive in itself to fully adopt. Yet it is agile auditing’s innate flexibility that allows internal auditors to adopt its practices, bit by bit, rather than all at once.

Choose According to Need

Transitioning to an agile auditing methodology over a period of time can help to effectively manage the change and garner support from the organization’s leaders and managers in the process. By taking a phased approach, you have the flexibility to focus on what works and adapt or eliminate what doesn’t.

Start out small: Adopt agile concepts that have the most impact for your organization or internal audit function. For example, two key elements of an agile audit are reducing the internal audit planning timeline — focusing on a six-month or one-year time horizon so that your audit plan and focus are flexible to adapt to emerging and changing risks.  Increasing the frequency of communication throughout the audit to deliver real time, value-driven results management can quickly action from a report issued a month or two after the audit is complete.

Get the board onboard: Gaining executive and board support is critical to the success of implementing agile audit concepts, as transparency and collaboration amongst all parties is necessary to fine-tune the process to the organization’s evolving needs. Discuss with executives and audit committee members what you would like to accomplish with agile audit, how it will unfold and the changes to expect in report formats and contents. Share the new approach with whoever you are auditing and explain how it will improve the process. Seek their feedback upfront to understand both concerns and get early feedback on ideas to enhance the process in order to ease implementation.

Simplify the list: Typically, an audit starts by identifying and assessing all the risks within the audit you need to consider and the traditional audit program is designed to complete a thorough assessment of each. Distill them to the most significant risks, working with management to agree on key risks, and focus on those that truly matter. Leverage your audit results to then focus on key risk issues and opportunities, deep dive into areas of most concern and stop auditing where your initial assessment identifies little to no value. The key is understanding insights from the audit, abandoning work that is not driving value and quickly shifting to cover areas of greater risk and reward.

Tighten your timelines: Many organizations have two-to-three-year timelines for internal audit projects. By changing that to a one-year window and meeting with your team on a monthly or biweekly basis, you’ll be able to present the status of your work, revisit risks and control objectives and make sure you are focusing audit efforts in the right areas. This will allow for risk-based decision making and economical and efficient resource planning by aligning audit efforts with organizational needs.

Optimize your report writing: Agile auditing will provide real-time insights that can be used to customize the report format (i.e. length and content) to meet stakeholder needs. A concise report that covers critical factors and delivered real time allows you to respond quickly and with more impact than a “perfect” report issued long after the work has been completed.

Collaborate and Communicate

Agile audits are risk driven, so it is critical to work with your organization’s board, audit and risk committee and management to agree upfront what those key risk exposures are. Outline your audit objectives, scope and risk areas to collaborate with your stakeholders on what will drive value-added audit results addressing the risk areas of greatest concern for your audit client(s).

Agile, real-time audit results allow you to define key milestones (i.e. sprints) and agree on nature and frequency of audit status reporting and progress updates through weekly or biweekly meetings. 

With more frequent milestones and reporting you can readily assess how well risk areas are being managed and decide on a timelier basis the sufficiency of control testing to direct resources where needed. Or you might discover unexpected layers of risk — an agile process enables the auditor to pivot from scheduled, but less critical programs when the need arises.

Let’s Scrum

Part of the agile audit process includes scrums — fixed-schedule stand up meetings, both with the team and/or management where the team reviews projects’ progress or lack thereof. Benefits include:

  • Flexibility that reduces business environment-related risk: requirements can be added or modified throughout the project, to respond to business threats or opportunities on an ongoing basis;
  • Regular feedback that reduces expectations-related risk: there are regular opportunities to obtain feedback and set clear expectations with project stakeholders;
  • Team ownership that reduces estimation risk: the scrum team and those employees who are delivering the requirements, own and estimate product increments;
  • Transparency that reduces non-detection risk: transparency in the framework ensures risks are detected and communicated early, leading to better response and mitigation; and,
  • Iterative delivery that reduces investment risk: the approach is to continuously deliver pragmatic insights in a timely manner.

Who Benefits

Agile audits are suited to all organizations, big or small, public or private. For smaller companies that are resource constrained, being able to almost immediately switch gears and focus on changing risk exposures, while still following best practices, can increase their competitiveness. Agile processes will also drive value for large organizations with considerable resources dedicated to audit by augmenting resources and making them more efficient and focused.       

Keep it Simple

At the end of the day, what’s most important is to drive efficiency and effectively report timely audit results to drive risk-based decision making, appropriately and sufficiently in conformance to professional standards. Agile approaches can be implemented in increments, building out concepts over time to drive effective change management and garner organizational buy-in. The journey could take one year or several, leveraging lessons learned to be a value driver for your organization, always remembering change does not need to be monumental to drive value.

For more information, contact Mariesa Carbone, National Leader, Enterprise Risk Services, at 780.453.5377 or [email protected], or Geoff Rodrigues, National Leader, Internal Audit Services, at 416.596.1711 or [email protected]