In today's fast-paced landscape, the risk environment is constantly changing. Strategic and operational risks are ever-evolving, driven by external or internal factors — or both — causing risk exposure levels to escalate faster than ever before.
Internal audit teams are challenged to ensure that assurance goes beyond passively reviewing past events. We must offer deep insights considering macro-level organizational challenges and the current risk environment to advise management and the audit committee on navigating these challenges successfully.
Stakeholder expectations of assurance providers are rising in tandem with risk management pressures. Against this landscape, it has been worth critically assessing the inherent weaknesses of the traditional audit approach and how elements can be redesigned to deliver greater organizational value. Wolters Kluwer TeamMate's Touchstone Insights for Internal Audit report reveals that more than 70% of organizations are either planning to or are executing an Agile audit methodology (see box, below right).
Audit teams have long been criticized for lack of timeliness. Stakeholders are frustrated with the time taken to deliver audit results, typically in the form of a final audit report. With the risk landscape volatility, senior management cannot afford to wait until the audit's conclusion to receive a long-form audit report. The sooner management receives the audit report, the swifter it can respond.
In our age of collaboration, the auditor's "trusted advisor" vision seems disconnected from the actual audit approach, which can be perceived as "top-down," rather than collaborative. This approach is a fit for fraud investigations, given the nature of the work. However, for an audit, perhaps engaging more collaboratively means auditors will have experienced guides to help them more efficiently navigate the sometimes-unfamiliar terrain of the business process.
A blanket "top-down" approach for all assurance activities can, at best, result in audit-client resistance, and at worst, conflict. Either way, it's a disastrous outcome for internal audit's position as a trusted advisor and for the organization's ability to address risk.
The challenges with traditional audits also have included the characteristically long-winded exit process to confirm details of findings as well as receive and finalize management responses, including timeliness. These conversations are usually held only at the end of the audit based on the traditional audit methodology. This approach only further delays finalizing audit reports and the start of the real value-add — implementing management actions.
Collectively, this process creates situations where risks are identified and remain unmitigated, or control deficiencies remain unchecked for even longer. This situation leads to frustrated audit teams and management, disillusioned stakeholders, and more importantly, a greater risk to organizational objectives. On average, it takes about five weeks to communicate results — two weeks to issue a draft report, two weeks to receive management responses, and one week to issue a final report.
According to Touchstone Insights for Internal Audit, 79% of respondents say collaboration with the business is extremely important. To deliver valuable, timely results in a collaborative approach, audit teams should consider adopting an Agile methodology, based on the 12 principles enshrined in the Agile Manifesto designed for software development. Each audit department can interweave these principles across its audit process to strive toward a fully Agile approach to "steal the best bits."
Here are three things that internal audit functions can do today to become more Agile.
1. Increase the Frequency of Risk Assessment Updates
Risk assessments are the birthplace of a risk-based audit approach. Agile audit departments respond to the changes in the risk environment by continually pivoting toward new and emerging risks.
Traditionally, an organization's risk assessment was performed annually. Given today's rapidly changing risk landscape, an annual risk assessment is quickly outdated and can endanger the audit plan's relevance.
For audit teams to deliver relevant assurance, they must become more Agile and strive toward a risk assessment that continually reflects what is keeping senior management up at night. This means that risk assessment updates must be done more frequently, and certainly more than once a year.
According to Touchstone Insights for Internal Audit, 61% of respondents update their risk assessments annually (see box, right), and the frequency of these updates increases as departments adopt an Agile methodology. Of those teams that execute an Agile methodology, only 28% perform risk assessments annually. Most Agile functions have moved to at least quarterly updates.
2. Adopt a Truly Risk-based Audit Approach
Organizational management is constantly scrutinizing spending, and even internal audit is not immune to this scrutiny. Audit teams must continue to demonstrate value through assurance and consulting services across a broader spectrum amid growing complexity. Management and audit committees also want internal audit to display sound judgment by increasing focus on heightened risk areas.
Narrowing focus on areas of significant risk leads to more clearly framed objectives. A truly risk-based approach also is a building block of efficiency. With a clearly defined and refined set of objectives, Agile teams do not simply design and execute an audit program based on an exhaustive set of risks identified in a risk assessment. In doing so, the audit team balances the promise of reasonable assurance, the risk profile, resources, and value-add.
The Touchstone Insights for Internal Audit study shows that when audit teams adopt an Agile approach, these teams scope the risks to be covered and focus on the highest risks. The value of using an Agile approach is that audit teams can quickly pivot to areas of greater risk. Management and operational frontline staff involved in the audit are less burdened with audit procedures covering lower risk business areas. According to the survey, 40% of agile teams create their audit scope in conjunction with the business.
Moreover, audit committees prefer audit teams to focus time and effort on higher value-adding assurance activities. An Agile approach of flexible audit planning aims to improve audit committee satisfaction and confidence by delivering valuable, relevant assurance for the organization.
3. Strive for Frequent Communication and Closer Collaboration
Audit teams are moving toward an Agile methodology to sharpen their focus on delivering value. The value of audit findings can diminish sharply over time, as the organization faces an identified, but unmitigated, risk that threatens its objectives. Agile tools and processes ensure that teams plan and communicate audit findings timely to preserve their value.
Agile teams generally divide their work into time-boxed "sprints" around key or high risks. There are deliberate activities embedded within the approach to ensure more frequent communication and facilitate closer collaboration between the audit team and the organization.
During each sprint, audit teams already discuss and resolve issues and build a list of reportable issues, often before the draft reporting process begins. At the end of each sprint, auditors share their findings with management. This approach also allows management to plan its response or even address these issues before the final report is issued.
The delivery of the final audit results hinges on two key activities:
- Issuing the draft report.
- Receiving management responses.
When comparing traditional audit teams with Agile teams, Touchstone Insights for Internal Audit finds that Agile teams are more likely to issue draft reports within one week (see box, abovet right). The report also shows that for the 29% of teams that do not execute Agile activities, the focus is on tracking using estimated/scheduled time versus actual time. While this metric may help calculate utilization and time to complete the audit, it does not provide transparency into the work performed and the conclusions about risks to the organization.
Agile audit teams often use Kanban boards, and in some cases, share them with the organization to provide visualization of work in progress. This approach can make it easier to identify roadblocks. Kanban boards can range from simple to very complex. Teams striving to become more Agile can leverage existing tools to establish a visualization, which can build a collaborative foundation within the team and with the organization.
Establishing a collaborative foundation with management and more frequent communication are at the center of the Agile methodology. Together, they help a greater percentage of teams receive management responses and issue final audit reports within a week (see boxes, right).
Audit teams looking to become more Agile today can embed more frequent and open communication practices with management and build a collaborative culture to improve the timeliness of valuable audit insights.
Sio Naidoo, CIA, is product manager, Asia Pacific at Wolters Kluwer TeamMate in Sydney.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.