
Why does internal audit need to be agile?

November 18, 2019

You don’t have to go very far to hear an internal audit leader talk about agile. Richard Chambers, President and CEO of the IIA, shared this:

A lot is being said about the need for internal audit to be “agile.” My definition of agility is simple: “Internal audit’s ability to pivot swiftly to address emerging risks and changing stakeholder expectations.” It’s critical to our success!

Why does internal audit need to be agile?

We live in a world where business conditions are changing all the time and the pace of change is accelerating. That is universally accepted.

Internal audit needs to be able to respond to those changes promptly.

When new risks of significance to success are identified, internal audit needs to be able to update its plan and provide the assurance and insight that leaders need – when they need it, not when a static plan provides.

This is why Richard and I both talk about auditing at the speed of risk. I also talk about auditing at the speed of the business, which perhaps more clearly identifies that we need not only to be agile in our audit planning, to add and then perform the audit of a new area promptly, but also provide the assurance and insight that is needed at speed.

If the CEO comes to you, as the internal auditor, and asks for your thoughts on a new strategy, can he wait weeks or months until there is a gap in your audit schedule? No.

If the CEO asks for your thoughts as you complete the fieldwork, is it appropriate to make him wait until everybody has blessed a formal audit report? No.

It starts with an agile audit plan, where you can ensure each audit project is focused on what is needed now, for today and tomorrow.

But then you need:

  • Every audit project to be as short as possible. It’s very hard to move quickly to a new topic when the audit team is tied up on month-long (or longer) projects. If you limit each audit to the enterprise risks that matter, eliminating the work that would only matter to local or middle management, you can keep the great majority of audits within my target of 60-100 hours.
  • The ability to complete every project quickly. When you have done enough work to determine your opinion, stop. Don’t keep working to fill the time available/budgeted. Don’t work just to complete the audit program or checklist when the results are already known.
  • Eliminate unnecessary documentation. Only document your work to the extent that there is value, not just to comply with department standards. If documentation is required by regulators who may audit your work, or if the results are disputed by management, then ensure your documentation is sufficient. But otherwise, challenge the need for every hour spent.
  • Auditors who can think, not only performing work at speed, but are able to know when they have done enough and can stop.
  • The ability to know when you need to change the audit plan. You need to know when business conditions and plans change, either downgrading and removing projects that are no longer high risk-rated, or adding new ones.
  • A relationship with management where you can discuss the results of your work and agree on necessary corrective actions quickly.
  • An audit committee that understands the need for agile auditing.

I welcome your thoughts.

  1. November 18, 2019 at 10:50 PM

    Norman, I appreciate your posts, but this time I miss the most important requirement: you need to have the right staff. Since I started as an EDP auditor, IT has developed in so many ways that you cannot possibly know everything. A recent study in the Netherlands (NBA, the Dutch organisation of CPAs) about IT developments proves that many financial and maybe IT auditors as well lack knowledge and understanding of IT developments in the business, independent of what industry. They know about data analytics, process mining and algorithms, but that influences their own work.

    This is only possible when your audit department is big enough and you have sufficient budget for education and training.

    I’m glad you mention the issue of documentation. It is a big issue with public chartered accountants. So I can imagine that in case the work of internal audit is of significance to the external auditor, much time needs to be spent to deliver documentation that meets the external auditor’s standards.

    • Norman Marks
      November 19, 2019 at 5:01 AM

      You are right. You have to have the right staff, including co-sourcing and guest auditors.

  2. November 19, 2019 at 1:49 AM

    Norman, I do not see it as the responsibility of Internal audit (IA) to design risk business processes – that is in the hand of the relevant business area. Otherwise you take the leadership responsibility away from business management.

    Assuming the task of IA is to ensure that defined and decided processes are in fact effectively executed, I see the base for a close collaboration with risk management and the business organisation where:
    – A new risk is identified, or an already known and addressed risk has significant changes of impact and/or likelihood. This may be discovered by literally anyone.
    – To address this properly, risk management, the relevant business function(s) collaborate to define optimal change of processes … with the support of IA, but then again, IA does not know anything about the business processes the business function(s) do not know. Collaborating, IA is involved to design their audit process and decide when and how to validate the effective execution of the changed/new processes.

    Agile … If/when IA is based on e.g. annual fixed audit scheduling, they need to change, and potentially assign 75% of resources to these, and allow 25% to address ad hoc or emerging issues. However, in my experience, IA often ends up using a significant share of its time on issues (reported potential cases of fraud/inappropriate behaviour) anyway – which essentially means the “fixed” audit plan is a statement of “this is what we do, if nothing happens”, and this is prioritized to know what is (first) cut out of that plan if/when resources are needed for incidents and/or adaptation to new or changed risks.

  3. November 19, 2019 at 6:47 AM

    Richard – I am in 100% agreement with the sentiments here and this aligns with my long-held beliefs on what agile should mean in the world of Internal Audit. I am a fan of the short, small audit approach – if for no other reason than that small projects have less chance of becoming huge runaway projects and they force a conclusion. There is a balance however … too many small projects may lead to an excessive amount of unproductive time spent with the inevitable administration of project startup and completion … there is a balance: sometimes that will be 100h, sometimes 300h, rarely 1000s though!

  4. November 19, 2019 at 7:15 AM

    Norman, I don’t disagree with the need for IA to be agile but I am concerned with some of your bullet points. Before commenting let me say that I believe the object of an audit is to report to management whether the business objectives in the area being audited have been, are being or are likely to be achieved. In order to do this the auditor will need to ensure that management have identified the risks threatening the achievement of the objectives and have implemented controls to manage these risks down to acceptable levels. In agreeing the audit all parties should be satisfied that the business objectives are those of the highest priority and the CAE should ensure the audit work carried out is sufficient to result in an ‘unchallengeable’ conclusion, and no more.
    So to take your first bullet point, I agree every audit should be as short as possible, consistent with the need to reach a conclusion. If that’s longer than 100 hours, so be it. If the business objective has been correctly identified, there should be no work of interest to only local or middle management. When you write, ‘If you limit each audit to the enterprise risks that matter’, I presume this is shorthand for, ‘limit each audit to the business objectives that matter and examine controls over the risks which threaten them’.
    In the second bullet point you state, ‘Don’t work just to complete the audit program or checklist when the results are already known.’ If you are referring to audit programs or checklists set up by previous audits, then I am concerned. Such programs or checklists can easily be wrong because of systems changes giving rise to new risks. In addition they allow the auditor to get away with a superficial understanding of the systems being audited, with the result that important risks may be missed, or the effectiveness of controls overestimated. In my opinion, the first priority of an auditor is to thoroughly understand the systems they are auditing before deciding on the audit program.
    I’m not sure what you mean by, ‘when the results are already known’. If the results are that the objectives are being met, the audit program contains unnecessary work. If the results show that the objectives are not being met, then the audit work could stop, although there is the danger that other serious deficiencies, including material fraud, could be missed.
    I would agree with the need to eliminate unnecessary documentation, although if it is required by departmental standards, these should be amended.
    Certainly a good relationship with management is essential, together with frequent, face-to-face reporting back to them. This should prevent misunderstandings and hence disagreement over the final report.

    David Griffiths (www.internalaudit.biz)

    (As an aside, the TSB Bank in the UK ran into serious problems when transferring systems. Comments from the investigation are at https://www.bbc.co.uk/news/business-50471919)
