Home > Risk > Agile and more effective internal auditing

Agile and more effective internal auditing

It is a pleasure to talk about a consultant’s paper on internal auditing that has significant value. Far too often, my posts are critical. This time is different.

A new KPMG Australia paper has a somewhat limiting title of “COVID-19: Enhancing internal audit effectiveness”. The subtitle, “A practical guide for agile internal audit” is more meaningful.

While COVID may have been the stimulus for the paper and a good marketing tag, the paper makes suggestions that should have pre-dated and now continue past this crisis.

  • Agile internal audit techniques allow for a timely and fit-for-purpose approach to providing assurance during uncertain and changing times.
  • Agile internal audits are founded on the agile project and change management methodology, built to accommodate continually changing circumstances. As the agile method is shorter and iterative it allows for more flexibility and delivers greater impact when new initiatives arise, or significant business interruption occurs. Agile approaches to delivering outputs are increasingly being used across all organisations, including second and third line functions.
  • Agile internal audit delivers reduced costs, efficient delivery and improved quality.
  • Agile is based around the concepts of:
    • shorter, accelerated audit cycles
    • timely insights
    • greater stakeholder interaction and alignment to stakeholder needs
    • reduced waste and documentation
    • frequent communication
    • increased audit quality.
  • Agile assists in prioritising audits based on risk and the organisation’s readiness to perform the audit, with the delivered report focusing on providing insights and delivering briefer, timely feedback – with less words and, ideally, more visuals.

I will let you peruse and think carefully about the excellent table that contrasts  traditional and agile auditing.

There is a great deal to think about, not least of which is why KPMG says that full scale internal audits are still required. I challenge that, as I pretty much stopped doing them in 1990! Agile audits that are focused like a laser on the risks that matter and can provide the assurance, advice, and insight on what matters when it matters should dominate the audit plan.

What do you think of the KPMG piece and my comment?

  1. July 5, 2020 at 11:58 AM

    I’ve read the KPMG paper and my ‘jargon alert’ was constantly ringing. I’m not for or against agile or lengthy audits but I am a supporter of audits where the focus is on informing the board that their objectives are likely to be achieved, not on ‘defined value expectations’. The attributes listed for agile audits are basically those for a risk based audit and the paper refers to prioritising audits based on risk but there is no mention of who identified the risks (hopefully management ) and the work required to ensure the risk identification is complete.
    There is also mention of ‘critical controls monitoring’. That’s management’s job,although an’agile’ audit could check they were doing it.
    The KPMG paper makes some good points but it is superficial and reads too much like advertising copy.
    David Griffiths

  2. Peter Neville Lewis
    July 6, 2020 at 11:22 AM

    GABI should also help users to identify the key issues quickly and focus on them.
    Do we try and engage Norman now we have the full monty with GABI along agile lines?
    I know however that he was not over enthusiastic with the guidance originally so there is always a risk that he will “diss” us
    What do we think?

    • Norman Marks
      July 6, 2020 at 11:34 AM


  3. Mark Williams
    July 6, 2020 at 11:37 PM

    Great summary and I think you’ve added important context. Yes, it’s a good primer for agile in IA. As an agile coach specializing in IA, I always suggest taking a look at some of the excellent case studies in the public domain as they provide more empirical evidence and detail in terms of “how” to be agile in IA. Here’s one of my favourites to share for any comments – Nationwide Building Society:

    Click to access IIA-presentation-15-May-2018-v13-agile-in-audit.pdf

    • Norman Marks
      July 7, 2020 at 6:34 AM

      This is excellent! Thank you for sharing. My only problem is that the audits tool an average of 12-16 weeks. That is not my idea of agile. I like the idea of a “rolling wave” plan, which is pretty much the same as continuous (my team didn’t wait for the quarter). I would also like
      to know how they became agile in their reporting.

  4. Bertrand
    July 7, 2020 at 4:36 AM

    I would believe that a full Agile audit approach (i.e. scrum) can only apply for audit advisory missions, not for assurance audit missions. Otherwise how can you manage a full collaborative approach and share the ownership of the audit report without impairing the independence?
    Agile is a too generic term that can be interpreted very differently (especially by consultants). For a long time, different kind of agile approaches have been practiced at internal audit level (CRSA, short scopes/budgets by experienced auditors focusing on high risks, advisory missions, short and innovative type of reports…).
    “Agile” and more standard audit missions are complementary in my opinion.

    • Norman Marks
      July 7, 2020 at 6:29 AM

      Bertrand, I don’t understand why it should not work for advisory engagements – it did for me! Our opinion is an independent one, and that is what matters.

  5. July 20, 2020 at 3:26 AM

    I ran a session on this today. I’ve been very surprised in most of the examples and literature people have focused on agile tools and methods instead of agile principles which means the promise of agile is not delivered. Here’s my take on it. https://www.todddavies.com.au/agile-internal-audit-from-theory-to-practice/

  6. July 27, 2020 at 6:08 AM

    Thanks Norman. My comments:
    > Balance between applying agile for efficiency vs agile for effectiveness – as Todd mentions often agile is about efficiency ..
    > Not seeing the power in a lean mindset as well.. Who is the customer and what actually adds value? Often thought through too simply in agile implementations .. Its not just the manager of the department you are working on
    > Not thinking through enough and reconciling agile with IIA standards .. How much can you simply change scopes in mid-stream?
    > Seeing any technique, lean or agile, as a thing to be followed slavishly, rather than a helpful input to good, progressive auditing – too much faddish thinking to my mind ..
    My website: http://www.RiskAI.co.uk with more, especially with the Lean Auditing (with you cited in it) ..

  1. July 5, 2020 at 11:06 AM
  2. July 7, 2020 at 6:07 AM
  3. October 5, 2020 at 3:14 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: