I started talking about an agile internal audit practice many years ago. In fact, I still have the deck from a presentation I gave to my local IIA chapter in 2002 entitled, “The New Age of Internal Audit.”
I said, for example:
- The greatest risk is typically at the edge
- Where things are happening
- Where there is change
- Where management’s tolerance for risk is highest
- Put IA resources where the risk is
- Provide assurance
- Add value by helping manage the risk
- Audit at the speed of the business (and at the speed of risk)
- Risk is constantly changing
- Continuous risk assessment
- Confront the risk — the core of the risk, the politically risky risk — head on
Preparing Auditors for Turbulent Change
The idea was that internal auditors need to be prepared to rise to the challenge of turbulent change (driven primarily by technology) and modify our traditional practices. Risk is greatest where there is change and we must be responsive to those changes, providing assurance on what matters most (where the risk to objectives is greatest) when it matters (not taking weeks to complete a full audit and not then taking additional weeks or longer to report the results). Continuous risk assessment and the agility to change our plans at speed are essential.
Does Your Audit Department Constantly Adapt?
In 2014, I presented to IIA Malaysia on “The Agile Audit Department.” I quoted Richard Chambers (emphasis my own): “… executives face extraordinary headwinds spawned by a turbulent environment in which risks materialize virtually overnight. Just this year, global financial and business markets have been rocked by spectacular cybersecurity breaches, geopolitical instability in the Middle East and Eastern Europe, refugee crises, and more.”
Then I shared what Jack Welch, former CEO of GE, said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”
My point was that if we are not prepared to change when everything around us is changing, we are doomed. Just because we have been successful in the past doesn’t mean that the same practices will make us successful today and tomorrow.
I also shared a quote from “Creating an Agile Organization” by Peter Cheese, Yaarit Silverstone, and David Y. Smith: “The new business environment will favor those companies able to execute strategy faster, with more flexibility and adaptability, and move their companies ahead briskly.”
Then I asked if we, internal auditors and CAEs especially, are agile.
- Are we able to execute faster, with more flexibility and adaptability, and help move our companies ahead briskly?
- Are we constantly adapting so we can audit what is important now and will be tomorrow, or are we continuing to audit what was the risk when we put the annual audit plan together?
- Are we helping leaders manage the business at the speed of risk? Are we auditing at the speed of the business — and of risk?
An agile internal audit department has these attributes:
- Focuses on providing assurance that matters, on what matters, when it matters.
- Has moved from hindsight to foresight and insight.
Performs nimble, focused audits.
Related Article: The Evolution of Internal Audit
A Return to Agile Auditing in 2021
Let’s fast forward to 2021.
AuditBoard reports: “Adopting agile principles into one’s audit practice is a trend sweeping across the internal audit world, yet many auditors are unsure where to get started. A recent AuditBoard poll of over 1,000 internal auditors found that 82% say agile auditing has the potential to add more value to their work compared to the traditional project approach — although 45% reported a lack of knowledge or resources as the most significant obstacle to adopting agile.”
It also states, in a different article: “When we talk about how to improve the internal audit function as a value-add function rather than just a cost center in the business, we frequently hear ‘agile’ and ‘relevant’ tossed around as vague cure-all concepts. When you hear these words in connection with audit, what comes to mind?
“Did you think of the word “relevant” as being “pertinent, applicable, appropriate, suited, fitting, important”? A relevant audit team is one that audits activities that align with business objectives and is an important department within the business. All valuable things!
“Today, ‘agile’ is a buzzword that too often just signifies ‘fast,’ and our present use doesn’t encompass what the word truly means or the potential for improving audit. Agile actually means an action that is ‘nimble, limber, spirited, sharp, active, clever, acute.’ Clearly, an internal audit department that encompasses these qualities will be better able to anticipate and respond effectively to changing business risk profiles than one that is simply ‘fast.’
“This begs the question: Can audit be relevant without being agile? Probably not, and an audit department should try to be both. CAEs need to break out of their historical frame of reference to embrace agility in pursuit of relevance. If the internal audit department functions without both agility and relevance, audit may follow a prescribed routine, potentially missing emerging risks and delivering a suboptimal customer experience.”
While those two excerpts are valid, I would not recommend following any of the actions the company goes on to recommend. For example, it has “internal audit as a rotation” as its #1 action — an action I would not place in my top 20. The closest recommendation I would make is the inverse: hire people who have line operations experience, whether in finance, marketing, IT, engineering, or other function. The intent is not to make them better auditors when they return to their line position, but to ensure auditors understand and have a business perspective when they perform their work.
Related Article: Breaking Down Agile Business Strategies
Other Takes on Agile Auditing
PwC UK tells us that agile auditing (its version) can lead to “a 20% time saving on regulatory audits” and “a 10% time saving on less standard audits.”
However, it is referring to audits that require, on average, five people. Planning alone, which requires the involvement of everybody on the team, is two weeks.
Many of the audits my team performed were just two or three weeks, from planning to reporting! I bet I could save more than 50% of the time spent on every audit compared to the PwC approach!
I prefer the way that my friend Sandy Pundmann of Deloitte describes agile internal audit in an article published by the Wall Street Journal.
“Agile IA is a flexible methodology for adapting Agile to the specific needs of an internal audit function and its stakeholders. Originally a software-development methodology, Agile aims to reduce costs and time to delivery while improving quality. Specific characteristics of the Agile methodology include delivering tested products in short iterations and involving internal customers during each iteration to refine requirements.
“Agile IA has many potential benefits, but implementing it calls for shifts in the function’s approach, such as that from rigidly planned activities to fast, iterative activities, and from following a preset plan to responding to emerging needs.”
However, the urge to adhere to principles and practices that have proven to work in software development is a distraction. Discard the idea of scrums, etc. (techniques in Agile) and focus on the goal. Provide assurance on what matters, when it matters, and help the organization succeed.
I agree with AuditBoard that this requires an internal audit function that is “nimble, limber, spirited, sharp, active, clever, acute.”
How Does Internal Audit Become Agile?
How do you get there? Here are my suggestions, proven in a couple of decades of world-class practice (and described more fully in “Auditing that Matters”):
- Make sure that you are auditing the issues (both risks and opportunities) that matter to the success of the organization. What has to happen, or not happen, for enterprise objectives to be achieved? Can you add value by auditing the controls that ensure those things happen or not happen, or by providing related advice and insight?
- Leverage the organization’s ERM program (after auditing it for reliance purposes) but don’t be limited by it.
- Make sure you are not auditing issues that don’t matter! Eliminate from the scope or each audit any area where, should there be breakdowns, there would be minimal or no real impact on the achievement of the objectives of the enterprise. In other words, make sure you are auditing what matters to the enterprise rather than to local management.
- In fact, eliminate from the audit plan projects that don’t meet the criteria in #2.
- Only perform sufficient work to reach an opinion. Work doesn’t have to ‘expand to fill the time available’ (contrary to Parkinson’s law — a fine book, by the way). Once you have formed a professional opinion, STOP auditing and move to close!
- But if you run across an issue that would be significant but wasn’t in scope, consider adding it to the scope of the audit. Don’t get trapped by the belief that you are limited to what was initially planned.
- Similarly, if you find you need more time to address an important area, consider adding time to the audit or scaling back another, lesser issue. This is called ‘Stop and Go” auditing.
- Make sure your team has the experience, imagination, flexibility, and confidence to retain focus on what’s important, even when the target might be moving. Hire the best people to do the right work, rather than doing the work your people are capable of.
- Don’t be an obstacle to an agile, nimble, focused audit. For example, allow your team to adjust without always having to go to you for permission.
- Ensure documentation, working papers and so on, are no more than necessary. We are not judged by the quality of our working papers, but by the assurance, advice, and insight we provide. Challenge yourself to find the value of every hour of documentation and stop documenting where there is no real value. How many times do you ever refer to the working papers from a prior audit?
- Target no more than 100 hours for any audit, with exceptions justified carefully. That will keep you focused. Don’t fall into the trap that awaits Agile users of scope creep, where local management and the audit team find other ‘stuff’ that is interesting and even valuable to local management. (Obviously, if you truly have multiple areas of great significance in a single location, and you can only visit once – and I question that – then you will need more than 100 hours. But make sure that you really need all that time to reach an opinion on each area of significance to the enterprise.)
- Encourage fast and nimble audits that are completed as soon as possible, as every hour that is saved is one that can be used on another audit. There are always more issues that merit our attention!
- Communicate, communicate, and then communicate again. Discuss issues with management as soon as they surface and work with them to effect valuable change, identifying agreed action items rather than trying to look good by writing reports with recommendations. Listen, listen, and then listen again as management has (or at least should have — if not, that’s another issue) a better understanding of the business, risks, and opportunities.
- Incent your team to use their professional judgment, always thinking about what they see and what it means. Encourage them to feel empowered. Hire people who can and are able to think.
- Remember at all times that our job is not to write reports or identify findings: it is to help the organization succeed at speed.
- It is not about us: it is about the company we work for. Enjoy and savor its success, as we are contributing to it.
- Be sufficiently agile to change and do so quickly and with no regrets.
Which Agile Are You Practicing?
By the way, if your audit projects need scrums and sprints, they are giant mammoths rather than agile beings.
Capital A Agile internal auditing is a fad and should be ignored.
But small A agile internal auditing is not just a great practice, it is essential.
I welcome your thoughts.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.