Addressing ITGC Challenges with Agile Auditing
By Toby DeRoche
Many internal audit departments plan to adopt agile auditing principles soon to keep up with the rapidly changing risk landscape. When asked about the transition, most say they plan to focus on business risks first and hold off on IT General Controls (ITGCs). Since agile concepts were developed for IT professionals, it is ironic that so many auditors are hesitant to apply agile to ITGCs. This article will demonstrate how to apply agile techniques to ITGCs and address many common challenges in auditing ITGCs.
Addressing Challenges
Many of the common challenges we face in auditing ITGCs are naturally addressed when applying an agile approach.
Rapidly changing technology: New technology is regularly introduced into an organization’s environment. New systems and scheduled upgrades can be assessed for risk ranking by refreshing the risk assessment each quarter.
Testing low-risk controls: The point of agile is to audit the highest risk areas, so time spent on low-risk applications will be minimized. Our plan is designed to audit the right risks at the right time.
Unclear audit universe: The audit universe in an agile IT audit department starts with a complete application inventory. Many teams send out surveys to keep the listing updated and to gather information regarding new and sunsetting applications.
Change management controls: A common issue raised against ITGCs is underestimating the scope of a system implementation or upgrade. Having open discussions with management about upcoming changes each quarter provides a perfect opportunity to uncover the scope of a system change and apply either change management or SDLC controls.
Assurance fatigue: The volume of testing simply wears out some control owners. The agile approach creates prioritized risk ranking and takes some pressure from the control owners with lower-risk applications.
Conclusion
The impact of emerging risks is felt more each year, and risk velocity has increased so that we cannot plan too far into the future. Adopting an agile approach when assessing and testing IT general controls ensures the organization’s most critical risks are tested and issues are mitigated as soon as possible. Addressing the challenges above is just a small taste of the many benefits we realize when implementing agile auditing.
Agile Audit Resources:
Courses:
Agile Auditing: Lessons Learned for Successful Implementation
Agile Audit: Best Practices for an Easy Transition
Internal Audit Discussions: Making the Shift to Agile Auditing
Agile Auditing - Rethinking the Audit Plan for Financial Services Organizations
Focused Agile Audit Planning Using Analytics
Making the Mindset Shift to Agile Auditing
Certificates/Certifications:
Certified Agile Auditor Professional® (cAAP™)
Books:
Agile Audit: Transformation and Beyond
Agile Auditing: Transforming the Internal Audit Process
Agile Auditing: Fundamentals and Applications
Auditing at the Speed of Risk with an Agile, Continuous Audit Plan