Every year, most audit departments dust off the previous year’s risk assessment as a starting point for the upcoming year. With some variations, we all do basically the same thing. Update the audit universe, engage with management to discuss the risks in their areas, score and rank the audit universe, and then pick areas to add to the plan. We then present the plan to the audit committee, and commit to getting it all done in the next year. Some departments will proactively revisit the audit plan each quarter, but we rarely deviate from the audit plan we presented.
Our audit planning process is antiquated and flawed
If we really want to add value to our organizations and become a relevant partner to management, our audit plan should be nimble. We should be able to tackle emerging risk areas without getting caught in the bureaucracy of modifying the plan. One way to reach this goal is to employ the concept of agile auditing.
PwC’s 2017 State of the Internal Audit Profession Study1 noted when internal audit employs agile audit techniques, 88% of the organization’s stakeholders see audit as adding significant value. Audit techniques, that allow a business to be agile, can be applied in two phases: addressing identified critical risks and executing individual audits. Notice that said addressing risks, not completing an audit plan.
What does Agile mean
Agile began as a software development methodology. At TeamMate, we develop our internal audit software using agile techniques. At its core, the practice of agile development requires short, focused bursts of activity that include planning, testing, and quality assessment, which then ends with presenting the results. All of the activities are designed to reach an overall goal that has been completed and reviewed within the budgeted time frame. Since the method can be applied beyond software development, professionals from different disciplines are considering agile techniques in their fields, like internal audit. Many of us have a hard time thinking of our work in this way. We create an annual audit plan and stick to it. Some even create a multi-year plan. When we get stuck on completing and being evaluated based on long term audit plans that cannot easily change, our audit methodology is as far from agile as possible.
Agile audit plan development
Since we start with a risk assessment, we naturally prioritize auditable entities by risk exposure. Instead of taking the high-risk areas and committing the team to a predetermined list of audits for the next year, we can build a shorter plan, maybe pick the most critical risk areas and commit to work that will cover no more than the next quarter. The quarterly plan should go through testing, review, and results presentation within the allotted time. Before the quarter end, we should already be developing an audit plan for the next quarter, again using a risk based approach, but now considering the outcome of prior testing and changes to our organization’s risk profile.
In our current environment, we must be able to include new risks and add new audits in a timely fashion. See the attached Risk Questionnaire for ideas on how to approach adding new risks throughout the year. With an agile audit plan methodology, we can partner closely with management to audit in the right place at the right time.
Agile audit execution
Within the individual risk based audits, we can also apply agile techniques. If we think about the most common way we organize an audit, we have planning, fieldwork, wrap up, and reporting. We typically view the audit as a fixed timeline in which we complete all testing before we start reviewing, and the audit ends with the manager and lead tackling the audit report before we present the final result to the audit committee. Any errors that turn up in the review or any issues challenged by management immediately extend our timeline past the budgeted audit end date. What if we were to structure fieldwork into 1- or 2-week activities? Each activity would be planned, executed, reviewed, and reported to management with a short presentation. At the end of the audit, the work is complete and reviewed, management has already seen all of the issues, and the final presentation is a summary of the prior meetings. Audit software helps with this process. We will have real time review and automated reporting to keep the time needed to a minimum.
If we conduct the audit in shorter bursts of activity, we will be in a better position to course correct when we uncover something that needs exploring. In our current process, we are often limited by the rigid structure of our audit process and the need to stick to the predefined scope and timeline.
Will it work?
Time will tell. Agile auditing is a new technique that may or may not work for every department. Since we are all serious about our role as a relevant partner, now is the time to modernize our approach to internal auditing. The rigidity of the traditional audit plan is one place we can start to undo the stereotype of auditors as policy police. When we rethink our internal process for developing the audit plan, and set ourselves on a path for more agile auditing, we will join the audit departments who are adding significant value.