Home > Risk > Should we audit at the speed of risk?

Should we audit at the speed of risk?

It’s quite a few years[1] since I first started talking about “auditing at the speed of risk”. Sometimes I also referred to “auditing at the speed of the business”.

The idea is that the world within which we live and work is dynamic and turbulent – even more so now than when I first started using the term to describe the impact of new technology.

If we rely on an annual risk assessment and plan, we end up auditing what used to be a risk, not what challenges the organization today or tomorrow. In fact, the annual audit plan is typically out-of-date even before it is approved by the audit committee!

Richard Chambers similarly uses the term to explain that we need to move to a model that relies on a more continuous assessment of risk and (as I described in a controversial blog) identification of the audit engagements that would provide the most valuable information (assurance, advice, and insight) to our leaders in executive management and on the board.

Another leader in internal auditing has shifted the focus just a little. In COVID-19 Crisis Highlights the Value of Agile Auditing, Protiviti’s Brian Christensen together with Sharon Lindstrom talk about the need for “agile auditing”. Here are some quotes. Note that the first quote uses that same phrase.

  • With regard to immediate needs, the question we as internal auditors are asking ourselves right now is, “How can we be most helpful at this moment?” We have to be able to move at the speed of risk, which, as we’ve seen from the past several weeks, can be lightning fast.
  • Auditors should put aside worries about violating independence standards for internal audit when providing consulting to the second and first lines of defense and see themselves less as an assurance provider and more as a proactive partner. In essence, we have to become part of the response team.
  • While traditional risks remain, auditors should be ready to quickly change their focus as newer challenges present themselves.
  • Even as the COVID-19 crisis continues to rage, auditors need to be thinking about the next step forward, when the marketplace and the economy gradually regain their footing….. But when the economy begins to move into the recovery phase, Agile auditing needs to refashion itself again.
  • It is at this point that internal auditors may need to re-think their risk assessment
  • It is IA’s responsibility to evaluate not only the likelihood of new risks during this phase, but to also assess how quickly such challenges may arise and the extent of their duration. [Note by Norman: It is NOT internal audit’s responsibility to identify or assess risk. That is a management responsibility. Internal audit should be assessing how well management does that, not doing it themselves.]
  • Looking ahead, Agile auditing will continue to be the best way forward for IA, as organizations adjust with a changed market and social environment. It will enable auditors to better align assurance with the dynamic condition of a post-COVID world.

I have also been talking about Agile auditing for years[2]. I am encouraged to see this new focus by Protiviti on it.

What do I mean by agile auditing?

  • Being able to shift rapidly to audit what matters now and in the next period when everything is changing constantly
  • Being able to perform audit engagements at speed. If you think of an agile person, they move with quick steps. IA functions that take weeks or even a month to perform an audit are not agile
  • Being able to stop auditing when there is little value in continuing
  • Being able to accelerate and expand an audit engagement when new and significant issues or opportunities emerge (a.k.a., stop-and-go auditing, as discussed in Auditing that Matters).
  • Being able to communicate the results when they are needed by management or the board. If you take even a week to share the nature and extent of issues, you are not agile

One of the points I made in my recent webinar with Richard Chambers illustrates this. Richard asked me what I might include in my audit plan for the second half of 2020. I replied that “I don’t think that far ahead!” I said that today I would be working on what mattered right now and this week, anticipating what might matter next week and month, and later looking at how the business will be changing in future months. Our environment was and is changing very fast indeed, and where we should put our limited internal audit resources should be changing at the same speed.

In their CFO Signals for Q2, Deloitte makes a couple of interesting observations:

  • …many management teams remain focused more on ensuring viability and adapting for near-term performance than on evolving their company for success post-crisis. Still, teams’ focus varies greatly by industry, and many appear to be putting in substantial work on survival, adaptation, and evolution at the same time.
  • 60 percent of CFOs do not expect to return to a pre-crisis level of operations in 2020. Instead, 21 percent expect to reach this milestone in 1Q21, with 39 percent saying 2Q21 or later.

The speed of management is changing.

Decisions have to be made faster in response to changing conditions and in anticipation of what is around the corner.

We have to provide the assurance, advice, and insight that will enable the leaders of our organization to make intelligent and informed decisions at that higher speed.

So, I now suggest a number of ‘mottos’:

  1. “Audit at the speed of risk”
  2. “Audit at the speed of business”
  3. “Audit at the speed of decision-making” [NEW]
  4. All of these require “Audit with agility”

What do you think?

[1] Since at least 2002.

[2] Since at least 2010, and it is covered in Auditing that Matters.

  1. May 22, 2020 at 10:17 AM

    Norman, I don’t like mottos I’m afraid – too much like glib marketing phrases. If there has to be a motto it should be, ‘Helping the organization achieve its objectives’. Which would apply to all functions in an organization. IA achieves its part by ‘Being able to shift rapidly to audit what matters now and in the next period when everything is changing constantly’ and reporting whether ‘what matters most’ is helping or preventing the achievement of these objectives.
    I think that the annual plan has some advantages in that in many countries the Audit Committee has to prepare an annual report for the shareholders, so they need to approve the audits that will enable them to do this. It also enables the resources and annual budget for the department to be agreed. However the Committee need to understand that the plan will change almost as soon as they have agreed it and they will then need to agree the change and/or devote more resources to IA.
    When I look at the searches on my website (internalaudit.biz), many are for audit templates. Does that suggest agile auditing or ‘stuck in a rut’ auditing?

    • Norman Marks
      May 22, 2020 at 10:20 AM

      So true

    • Mark Williams
      October 7, 2020 at 3:29 AM

      You make a good point on the need for an annual plan. I also see value in a 12month view to ensure we’ve the right skills needed to deliver the plan for the longer-term. Agreed, safe to say things will change! So perhaps updating the plan on a rolling basis (monthly) or continuous basis (real-time: as audits finish and a new ones start)? That way you’ve always a 12month plan, and say each month or quarter it’s updated where you pay more attention to the now and near term (next quarter) and simply have placeholders that can easy move for the 6month+ view. How do you think a typical Audit Committee might respond to this way of working?

      • Norman Marks
        October 7, 2020 at 6:42 AM

        I had a sort of annual plan, but told the audit committee it would be updated continuously. I had more certainty about the next month and that certainty diminished looking further out.

        They had no problem, as it makes sense.

  2. Michael Corcoran
    May 22, 2020 at 10:51 AM

    Way to obtuse to understand.

  3. Mark Williams
    October 7, 2020 at 3:09 AM

    Thank you, I think you make some excellent points. I have witnessed first hand that the pandemic has accelerated the theme of agility as a way of dealing with VUCA (volatility, uncertainty, complexity and ambiguity – HBR link below). In fact, for some internal audit departments the pandemic has forced them work in more smaller units of work, and in a more iterative or incremental way to deliver value earlier to stakeholders. Also, an agile team-level framework (like Scrum) has also helped teams collaborate and sync-up while having to work remotely.


  1. May 22, 2020 at 10:13 AM
  2. June 3, 2020 at 5:48 AM
  3. June 4, 2020 at 9:29 AM
  4. June 7, 2020 at 9:54 AM
  5. June 7, 2020 at 10:34 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: