A Simple Strategy for Agile Auditing 

By Toby DeRoche 

Identifying and mitigating emerging risks has become increasingly critical over the past few years. If you are not familiar with the term, emerging risks seem to come out of nowhere, or it could be risks you know about that suddenly blow up into something much bigger than before. Climate change is an example we can all see. The western US has dealt with drought in the past, but now lakes and rivers are drying out completely, something we have never seen before. In the business world, anticipating emerging risks is extremely difficult, and it’s a never ending task. I have found an effective strategy for addressing emerging risks to adopt an agile mindset that focuses on addressing management’s most urgent risks through frequent risk assessment and true risk-based auditing. In my new book, Agile Audit: Transformation and Beyond, I describe in detail the benefits and implementation process for agile auditing. For now, I want to show you how to adopt an agile approach using a two-part strategy.

Two-Part Strategy for Auditing Emerging Risks

The first part of the strategy is to complete more frequent risk assessments. Realistically, you cannot predict what will be the most important risks to management beyond the next quarter, so stop trying. I have found that a quarterly assessment with real-time updates works best in most cases. To make this work, you cannot stick with face-to-face meetings as the only method you use to gather information. Instead, you need to rely on technology to either gather internal systems data or facilitate risk surveys and self-assessments.  

The second part of this strategy is to only audit what matters. This means that your risk assessment should be done at the risk level, not at the entity or process level. Then we can move directly into an audit focusing only on the high-priority risks and the related controls. Looking at full processes may be great for making the organization more efficient, but that is not where we can add the most value. To benefit the company, we need to audit the risks that can damage the organization. We are unlikely to have enough time to spend on low-risk areas just with the hope of efficiency gains. 

Start Your Agile Transformation Now

An agile approach to audit planning and execution allows internal auditors to make decisions more frequently to ensure we audit what matters most. Transitioning to an agile approach in internal audit is a natural progression in our evolution as a profession. Many others have made this move already with great success. Now is the right time to consider this modernization for your team too. 

Agile Audit Resources:


Certificate in Agile Auditing

Transitioning to Agile Audit

Agile Auditing: Lessons Learned for Successful Implementation

Agile Audit: Best Practices for an Easy Transition

Agile Auditing

Internal Audit Discussions: Making the Shift to Agile Auditing

Agile Auditing - Rethinking the Audit Plan for Financial Services Organizations

Focused Agile Audit Planning Using Analytics

Making the Mindset Shift to Agile Auditing


Certified Agile Auditor Professional® (cAAP™)

Certificate in Agile Auditing


Agile Audit: Transformation and Beyond

Agile Auditing: Transforming the Internal Audit Process

Agile Auditing: Fundamentals and Applications

Auditing at the Speed of Risk with an Agile, Continuous Audit Plan