First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Why does internal audit need to be agile?

agile internal audit

You don’t have to go very far to hear an internal audit leader talk about agile. Richard Chambers, President and CEO of the IIA, shared this:

A lot is being said about the need for internal audit to be “agile.” My definition of agility is simple: “Internal audit’s ability to pivot swiftly to address emerging risks and changing stakeholder expectations.” It’s critical to our success!

Why does internal audit need to be agile?

We live in a world where business conditions are changing all the time and the pace of change is accelerating. That is universally accepted.

Internal audit needs to be able to respond to those changes promptly.

When new risks of significance to success are identified, internal audit needs to be able to update its plan and provide the assurance and insight that leaders need – when they need it, not when a static plan provides.

This is why Richard and I both talk about auditing at the speed of risk. I also talk about auditing at the speed of the business, which perhaps more clearly identifies that we need not only to be agile in our audit planning, to add and then perform the audit of a new area promptly, but also provide the assurance and insight that is needed at speed.

If the CEO comes to you, as the internal auditor, and asks for your thoughts on a new strategy, can he wait weeks or months until there is a gap in your audit schedule? No.

If the CEO asks for your thoughts as you complete the fieldwork, is it appropriate to make him wait until everybody has blessed a formal audit report? No.

It starts with an agile audit plan, where you can ensure each audit project is focused on what is needed now, for today and tomorrow.

But then you need:

  • Every audit project to be as short as possible. It’s very hard to move quickly to a new topic when the audit team is tied up on month-long (or longer) projects. If you limit each audit to the enterprise risks that matter, eliminating the work that would only matter to local or middle management, you can keep the great majority of audits within my target of 60-100 hours.
  • The ability to complete every project quickly. When you have done enough work to determine your opinion, stop. Don’t keep working to fill the time available/budgeted. Don’t work just to complete the audit program or checklist when the results are already known.
  • Eliminate unnecessary documentation. Only document your work to the extent that there is value, not just to comply with department standards. If documentation is required by regulators who may audit your work, or if the results are disputed by management, then ensure your documentation is sufficient. But otherwise, challenge the need for every hour spent.
  • Auditors who can think, not only performing work at speed, but are able to know when they have done enough and can stop.
  • The ability to know when you need to change the audit plan. You need to know when business conditions and plans change, either downgrading and removing projects that are no longer high risk-rated, or adding new ones.
  • A relationship with management where you can discuss the results of your work and agree on necessary corrective actions quickly.
  • An audit committee that understands the need for agile auditing.

I welcome your thoughts.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.