
Does agile auditing mean auditing faster?

My friend, Jason Mefford, recently interviewed Toby DeRoche on this question. Toby has a training program in Agile Auditing that leads to a certification as an Agile Auditor Professional (cAAP). Toby describes his approach this way:

“You’ve listened to the rest, now learn from, and get certified by, the best in agile auditing.”

“We can only audit at the speed of risk if we update our audit process. Traditionally, internal audit completes a risk assessment once each year with only minor updates when needed. The audit plan is set, and the focus is on plan completion – not on gathering risk insights.

Traditional internal auditing is a broken model that is too slow, too historical, and too rigid. In today’s dynamic business environment you have to be more proactive and agile, or you risk being seen as just another compliance function.

With a risk-based, agile approach, you can quickly see that an annual plan is no longer acceptable. In fact, most modern internal audit groups are already making the transition to agile auditing.

Audit plans must be flexible, able to adapt to cover critical and emerging risks at a speed that makes sense for our organizations. The agile audit methodology creates an audit plan that meets the needs of a modern, risk-based team.

In contrast to the traditional process, agile auditing is a risk-centric approach to developing and executing audits, based on a shorter audit lifecycle from assessment to reporting, which focuses on gaining and sharing insights with management related to the most urgent risks in an organization.

We’re not trying to audit faster; we’re trying to audit the right things at the right time.”

Benefits of Agile Auditing

    • More flexible, more aligned, proactive audit plan
    • Less time preparing the audit plan
    • Less time planning individual audits (weeks to days)
    • Significantly reduce time for audit report issuance (often 30-40% of traditional audit hours).
    • Increased communication between auditors and management, improving the quality of findings and recommendations.
    • Avoid surprises and contention with management at the end of the audit.

In his intro to the interview, Jason says:

We’ve been talking about agile auditing for years, so why are a few succeeding and others are reluctant to embrace it or failing in their implementation?

Agile doesn’t mean faster, and it doesn’t apply to just one part of the audit process. It is a paradigm shift and one of the most important changes to #internalaudit in many years.

Here is an excerpt from the interview. Toby says:

One of the first things people think is that they’re going to start having these really, really, short, really, really, fast audits. You know, and I’ve even seen people posting on LinkedIn. Like, I’m so frustrated with this whole agile thing. How am I supposed to do an audit in six days? Like, well, why in the world would you think you can do an audit in six days? That’s not the point of this, the whole point wasn’t for us to be able to audit faster, the whole agility idea is that I’m homed in on the things that matter right now.

After this, Toby talks about the need for continuous, dynamic audit planning; the need for prompt and effective (agile) communications to management and the audit committee; and an aversion to trying to force the language and (in some cases) techniques of Agile for IT development onto internal audit.

I agree with all of that, except his trashing of the idea of small audits.

I have been practicing, talking, and writing about what is now thought of as agile auditing for about 30 years! That included:

  • Continuous audit (enterprise) risk assessment with a rolling audit plan
  • One page or less audit reports
  • Communication of our results that focused on the closing meeting and face-to-face discussions with management to reach a common understanding and agree on actions
  • Reporting agreed-upon actions instead of recommendations
  • Opinions in every audit report that explained the results in English rather than traffic light colors, and a macro opinion (as explained in later IIA guidance) annually
  • Staff that could think in business terms, and audit at speed

Yes, they completed audits fast.

Here is an excerpt from the audit plan of my excellent East Coast Audit Director (Tom Wisniewski) as he started 2001:


| Project | Scope | Hours |
|---|---|---|
| Accounts Payable Controls – Bayway | Review of Accounts Payable Controls including approval authorizations | 80 |
| Comets Company Wide Project | Determine what does not work in Comets. | 120 |
| East Coast Power Construction Contract | Review of all construction contracts. | 200 |
| Foreign Trade Zone – Bayway | Review of all procedures, controls, and compliance with all Foreign Trade Zone regulations. | 100 |
| Inventory Accounting Consolidation, Evaluation & Rollup for East Coast Refineries and Terminals | Review of the entire East Coast Inventory evaluation, rollup, and gain and loss through the Comets system. | 120 |
| Outstanding Findings – East Coast Refining | All open outstanding findings. | 40 |
| Polypropylene Project | Review of all construction contracts. | 200 |
| Assessment of Raw Material Costs (Crude and Cat Feed) | Review of the entire East Coast Raw Material evaluation and rollup through the Comets system. | 120 |
| PWC – Procurement, Accounts Payable, Fixed Assets, Payroll, Turnaround, Physical Inventory, and Quarterly Reviews | Assist PWC on their annual audit of Tosco | 250 |
| Quarterly Earnings Review – 1st QT | Limited Quarterly Review. | 56 |
| Quarterly Earnings Review – 2nd QT | Limited Quarterly Review. | 56 |
| Quarterly Earnings Review – 3rd QT | Limited Quarterly Review. | 56 |
| Reformulated Gasoline – Bayway | Regulatory audit to ensure compliance with guidelines | 800 |
| Solid Waste Disposal – Environmental Compliance | Regulatory audit to ensure compliance with guidelines, including a visit to the dump site | 120 |
| Enterprise EMPAC Security and Upgrade Plus E-Security | Evaluation of Controls and Security designed into EMPAC. Plus any parts of EMPAC not being used and why. | 100 |
| Network Security Assessment – Bayway | Continuously run the ISS software for this location and work with the location to fix all high-risk security vulnerabilities found. | 50 |
| Novell Security Assessment – Bayway | Continuously run the Kane software for this location and work with the location to fix all high-risk security vulnerabilities found. | 50 |
| PWC – IT Audit Assistance | Perform whatever scope required by PWC. | 60 |
| Comets Security | Review of Comets security for the East Coast Locations. | 80 |
| Independent Contractor Guidelines Compliance | Review Independent Contractor Contracts to assure that they comply with IRS Contractor/Employee Guidelines. | 140 |
| Exchanges | Review of Exchange Accounting at Bayway | 120 |
| Catalyst & Chemicals | Review of Procurement and Recovery Procedures. | 80 |
| Procurement of Computer Hardware and Software | Review of Procurement and disposal of excess equipment procedures. | 80 |
| IT Disaster Recovery – Bayway | Review of existing IT Disaster Recovery Procedures for Bayway. | 60 |
| Bayway Traffic | Review controls for contracting rail and trucking services. | 90 |
| Process Safety Management | Review compliance of safety procedures and follow up of near misses. | 80 |
| TOTAL | | 3,308 |


That is 26 projects for 3 people, including Tom – except this was only the part of his audit plan that focused on projects at the refinery in New Jersey. While one regulatory compliance audit was a massive 800 hours (the first year of the audit), most are small and fast.

There were an additional 19 projects focused on our wholesale terminals and pipeline operations (from 40 to 120 hours per audit) and 13 at our Pennsylvania refinery (one regulatory compliance audit was budgeted at 300 hours – the same audit that was budgeted at 800 in New Jersey – but the others were, again, small and fast).

That’s a lot of projects for 3 people. I should add that all but one were completed within budget. I should also point out that these were not the same projects we had on our audit plan at the start of the year. The change over the year was about 40%, as new risks were identified and included in the plan, replacing ones that no longer rated high risk.


Fast doesn’t mean quality suffers!

We were able to perform a great many audits, focused on a great many sources of risk to the enterprise, because:

  1. We focused on those few sources of risk at a location or within a process where a failure would matter to the success of enterprise objectives. We did NOT perform anything like a full-scope audit, ever! That meant that the scope was limited and could be achieved without wasting time on sources of risk that did not matter to the achievement of enterprise objectives.
  2. Once we had done enough work to reach a professional opinion, we stopped.
  3. I had a great team of experienced professionals. They had a business orientation, understood processes and controls, and could reach a professional opinion without performing unnecessary work.
  4. Documentation, such as working papers, was limited to what had value. For our regulatory compliance audits, which were going to be reviewed by government examiners, the working papers were exemplary. Otherwise, they were minimal. Reviews were performed (by me, for the most part) through discussion rather than by focusing on what had been written down in working papers, and were concerned with whether the scope had been covered and the opinion was appropriate.
  5. We knew that every hour spent on an audit that was not necessary was an hour that could have been spent looking at something else that was important.


Agile internal auditing does not necessarily mean short and fast audits.

But it does mean there is a focus on only auditing what matters, with great efficiency, and that means that audits can be completed faster.

When an area has a great many sources of risk that matter, you can include them all in a single, large audit (which can delay sharing valuable assurance and insight, and so requires regular discussions with management throughout the audit, as Toby suggests), or you can split them into a number of smaller audits. Both approaches have their merits.

But the key is to audit only what matters – and that leads to smaller and faster rather than larger and slower audits.

I am reminded of one of the precepts of Lean: smaller batch sizes in production. The concept there, which enables lower inventory carrying costs and more agility in manufacturing, applies here as well.

If you have a large audit, it is hard to pivot and reallocate resources to a new and more significant source of risk.

So, the answer to the question in the title is “Generally, yes. If not, re-examine whether you are really only auditing what matters!”


What do you think?

  1. May 25, 2021 at 9:26 AM

    Norman, I notice 250 hrs in the plan for assisting PWC, plus 60 on IT assurance. Was that justified? When I was a CAE I didn’t use internal auditors to assist the external auditors as I considered the reduction in audit fee (if any) wouldn’t be worthwhile plus I had more important work for my highly qualified auditors.

    • Norman Marks
      May 25, 2021 at 10:28 AM

      David, thanks for the question.

      Yes, it was worthwhile.
      1. The reduction in fees was several times the cost of providing support, plus our involvement led to significant efficiencies in management involvement.
      2. I made sure I had sufficient resources to address all the more significant risks to the enterprise. In other words, I made sure that providing support to PwC was on top of the resources needed to meet my responsibilities – and the same goes for the regulatory compliance work.

