The coronavirus pandemic has taught us the importance of being able to react to risks much faster within our audit plans. If anyone had doubts about the viability of agile auditing, those doubts are gone.
The IIA (Institute of Internal Auditors) has been telling us to prepare for “Emerging and Atypical Risks” for a while now. In the 2019 Pulse of Internal Audit report, The IIA made it clear that we can no longer operate under an annual audit plan. As the Pulse report pointed out, “Like never before, alignment and collaboration among all risk functions is vital as organizations identify, decipher, and assess emerging and atypical risks.” Did you take that advice, or are you scrambling to adjust?
The coronavirus is a solid example of an atypical risk that audit, risk management, and the board should have considered together, repeatedly, as the risk impact, likelihood, and velocity grew. If you were operating under a traditional audit plan, this level of collaboration was unlikely to occur.
Let’s play this one out. Most organizations start annual planning in October for the coming year. You meet with the audit committee and lay out the next 12 to 36 months of planned coverage. This year, the coronavirus took hold in China in December and January, and then spread to over 170 countries in less than two months. If your audit planning process lacks the flexibility to react to this atypical risk and you cannot therefore easily change your plan, then your audit department cannot effectively perform its duties.
An agile department would be able to pivot immediately to address this risk. If we were planning in December for the first quarter’s audit plan, we might have already included supply chain disruption from early reports of the virus. By mid-January and into early February we would have known for certain that we needed to adjust.
A savvy audit department could have added a Business Continuity Plan Audit, a Logistics Audit, or add consultations with any number of impacted departments to the quarterly plan to ensure the company had considered the risk response to a widespread virus. Many companies have pandemic response plans in their IT departments, but few if any had similar plans in their daily operations outside of IT.
We will get through the pandemic, and business as usual will resume. Don’t let this lesson slip by without acting. It’s time to move away from the long, sluggish audit plan and adopt agile auditing. While we can clearly see the need for a move to agile auditing at this moment, the impetus to make the switch has been with us for several years now.
If you want to learn more, check out our webinar by clicking the button below.