In today’s fast-paced landscape, the risk environment is constantly changing. Strategic and operational risks are ever-evolving, driven either by external or internal factors (or both), causing risk exposure levels to escalate faster than ever before. Internal audit teams are challenged to ensure that assurance goes beyond passively reviewing past events. We must offer deep insights considering macro-level organizational challenges and the current risk environment to advise management and the audit committee on navigating these successfully.
Stakeholder expectations of assurance providers are rising in tandem with risk management pressures. Against this landscape, it has been worth critically assessing the inherent weaknesses of the “traditional audit approach” and how elements can be redesigned to deliver greater organizational value. Data from the Touchstone Insights for Internal Audit reveals that more than 70 percent of organizations are either planning to or are executing an Agile audit methodology.
Audit teams have long been criticized for timeliness. Stakeholders are frustrated with the time taken to deliver audit results, typically in the form of a final audit report. With the risk landscape volatility, senior management cannot afford to wait until the audit’s conclusion to receive a long-form audit report. The sooner management receives the audit report, the swifter they can respond.
In our age of collaboration, the auditor’s “trusted advisor” vision seems disconnected from the actual audit approach, which can be perceived as “top-down” rather than collaborative. This approach is a fit for fraud investigations, given the nature of the work. However, for an audit, perhaps engaging more collaboratively means auditors will have experienced guides to help them more efficiently navigate the sometimes unfamiliar terrain of the business process. A blanket “top-down” approach for all assurance activities can, at best, result in audit-client resistance, and at worst, conflict. Either way, it’s a disastrous outcome for Internal Audit’s position as a trusted advisor and for the organization’s ability to address risk.
The challenges with traditional audits have also included the characteristically long-winded exit process to confirm details of findings and receive and finalize management responses, including timeliness. These conversations are usually held only at the end of the audit based on the traditional audit methodology, this only further delays finalizing audit reports and the start of the real value add—implementing management actions. Collectively, this process creates situations where risks are identified and remain unmitigated, and/or controls deficiencies remain unchecked for even longer. This leads to frustrated audit teams and management, disillusioned stakeholders, and more importantly, a greater risk to organizational objectives.
On average, it takes about five weeks to communicate results.
Two weeks to issue a draft report
Two weeks to receive management responses
One week to issue a final report
To deliver valuable, timely results in a collaborative approach, audit teams should consider adopting an Agile methodology, based on the 12 Agile principles enshrined in the Agile Manifesto designed for software development. Each audit department will balance interweaving these Agile principles across their audit process to strive toward a fully Agile approach to “steal the best bits.”
3 things that audit departments can do today to become more Agile:
Increase the frequency of risk assessment updates
Risk assessments are the birthplace of a risk-based audit approach. Agile audit departments respond to the changes in the risk environment by continually pivoting toward new and emerging risks. Traditionally, an organization’s risk assessment was performed annually. Given today’s rapidly changing risk landscape, an annual risk assessment is quickly outdated and can endanger the audit plan’s relevance.
For audit teams to deliver relevant assurance, they must become more Agile and strive toward a risk assessment that continually reflects what is keeping senior management up at night. This means that risk assessment updates must be done more frequently, and certainly more than once a year.
According to the Touchstone Insights for Internal Audit, 61 percent of respondents updated their risk assessments annually, and the frequency of these updates increase as departments adopt an Agile methodology. Of those teams that execute an Agile methodology, only 28 percent perform risk assessments annually. The majority have moved to at least quarterly updates.
Adopt a truly risk-based audit approach
Organizational management is constantly scrutinizing spending, and even Internal Audit is not immune to this scrutiny. Audit teams must continue to demonstrate value through assurance and consulting services across a broader spectrum amidst growing complexity. Management and audit committees also want audit departments to display sound judgment by increasing focus on heightened risk areas in organizations.
Narrowing focus on areas of significant risk leads to more clearly framed objectives. A truly risk-based approach is also a building block of efficiency. With a clearly defined and refined set of objectives, Agile teams do not simply design and execute an audit program based on an exhaustive set of risks identified in a risk assessment. In doing so, the Agile audit team balances between the promise of reasonable assurance, the risk profile, resources, and value-add.
The Touchstone Insights for Internal Audit shows that when audit teams adopt an Agile approach, these teams scope the risks to be covered and focus on the highest risks.
The value of using an Agile approach is that audit teams can quickly pivot to areas of greater risk. Management and operational frontline staff involved in the audit are less burdened with audit procedures covering lower risk business areas. Audit committees prefer audit teams deploy precious time and effort to focus on higher value-adding assurance activities. An Agile approach of flexible audit planning aims to improve audit committee satisfaction and confidence by delivering valuable, relevant assurance for the organization.
40 percent of Agile teams create their audit scope in conjunction with the business.
Strive for frequent communication and closer collaboration
Audit teams are moving toward an Agile methodology to sharpen their focus on delivering value. The value of audit findings can diminish sharply over time, as the organization faces an identified, but unmitigated, risk that threatens its objectives. Agile tools and processes ensure that teams plan and execute the timely communication of audit findings to preserve its value.
Agile teams generally divide their work into time-boxed “sprints” around key or high risks. There are deliberate activities embedded within the approach to ensure more frequent communication and facilitate closer collaboration between the audit team and the organization.
During each sprint, audit teams are already discussing and/or resolving issues and building a list of reportable issues, often before the draft reporting process begins. At the end of each sprint, audit findings are shared with management. It also allows management to plan their response or even address these issues before the final report is issued.
The delivery of the final audit results hinges on two key activities:
- Issuing the draft report
- Receiving management responses
When comparing traditional audit teams versus Agile teams, Touchstone Insights for Internal Audit found a 16 percent increase in teams who issue draft reports within a week.
Touchstone Insights for Internal Audit also showed that for the 29 percent of teams who do not execute Agile activities, the focus is on tracking using estimated/scheduled time versus actual time. While this may help calculate utilization and time to complete the audit, it does not provide transparency into the work done and the conclusions on risks to the organization.
Agile audit teams often use Kanban boards, and in some cases, even share them with the organization to provide visualization of work in progress. This can lead to the easier identification of “roadblocks.” Kanban boards can range from simple to more complicated. Teams striving to become more Agile can leverage existing tools to establish a visualization, which builds a collaborative foundation within the team and with the organization.
Establishing a collaborative foundation with management and more frequent communication are at the center of the Agile methodology. Together, they help a greater percentage of teams receive management responses and issue final audit reports within a week.
Audit teams looking to become more Agile today can embed more frequent and open communication practices with management and build a collaborative culture to improve the timeliness of valuable audit insights.