A Simple Strategy for Agile Auditing
By Toby DeRoche
Identifying and mitigating emerging risks has become increasingly critical over the past few years. If you are not familiar with the term, emerging risks seem to come out of nowhere, or it could be risks you know about that suddenly blow up into something much bigger than before. Climate change is an example we can all see. The western US has dealt with drought in the past, but now lakes and rivers are drying out completely, something we have never seen before. In the business world, anticipating emerging risks is extremely difficult, and it’s a never ending task. I have found an effective strategy for addressing emerging risks to adopt an agile mindset that focuses on addressing management’s most urgent risks through frequent risk assessment and true risk-based auditing. In my new book, Agile Audit: Transformation and Beyond, I describe in detail the benefits and implementation process for agile auditing. For now, I want to show you how to adopt an agile approach using a two-part strategy.
Two-Part Strategy for Auditing Emerging Risks
The first part of the strategy is to complete more frequent risk assessments. Realistically, you cannot predict what will be the most important risks to management beyond the next quarter, so stop trying. I have found that a quarterly assessment with real-time updates works best in most cases. To make this work, you cannot stick with face-to-face meetings as the only method you use to gather information. Instead, you need to rely on technology to either gather internal systems data or facilitate risk surveys and self-assessments.
The second part of this strategy is to only audit what matters. This means that your risk assessment should be done at the risk level, not at the entity or process level. Then we can move directly into an audit focusing only on the high-priority risks and the related controls. Looking at full processes may be great for making the organization more efficient, but that is not where we can add the most value. To benefit the company, we need to audit the risks that can damage the organization. We are unlikely to have enough time to spend on low-risk areas just with the hope of efficiency gains.
Start Your Agile Transformation Now
An agile approach to audit planning and execution allows internal auditors to make decisions more frequently to ensure we audit what matters most. Transitioning to an agile approach in internal audit is a natural progression in our evolution as a profession. Many others have made this move already with great success. Now is the right time to consider this modernization for your team too.
Agile Audit Resources:
Agile Auditing: Lessons Learned for Successful Implementation
Agile Audit: Best Practices for an Easy Transition
Internal Audit Discussions: Making the Shift to Agile Auditing
Agile Auditing - Rethinking the Audit Plan for Financial Services Organizations
Focused Agile Audit Planning Using Analytics
Making the Mindset Shift to Agile Auditing
Certified Agile Auditor Professional® (cAAP™)
Agile Audit: Transformation and Beyond
Agile Auditing: Transforming the Internal Audit Process
Agile Auditing: Fundamentals and Applications
Auditing at the Speed of Risk with an Agile, Continuous Audit Plan