Everyone’s talking about agile auditing. And for good reason. Based on the agile software development framework, the eponymous auditing approach emphasizes iteration, frequent communication, and incremental value as a way of accelerating internal auditing and reporting.
However, agility is more than just a methodology. It’s more than simply doing things faster or demonstrating greater efficiency. It’s about embracing change: being willing to flex and adapt. It’s also about focusing on the objectives and issues that matter most to the organization.
Too many internal auditors get stuck in the past, doing things the same old way for years. Meanwhile, around them, business models, processes, ecosystems, and strategies are changing at an unprecedented pace. Staying relevant in this world requires agility.
With that in mind, here are four key differentiators of an agile internal audit function:
Internal auditors add the most value when their activities and goals are closely aligned to the strategic objectives of the organization. While that may sound obvious, it’s often easier said than done, especially when there are so many shifts taking place inside and outside the organization. Regulations are constantly evolving, operations are being disrupted, processes are being digitized, new markets are being explored. To keep up with these changes, the internal audit function must be dynamic.
That could mean setting aside time at regular intervals to revise the audit plan in response to changes in risks, processes, business objectives, and strategies. It could also mean focusing more time and resources on high-risk areas, instead of trying to audit every part of the organization.
The other aspect of alignment is about integrating internal auditing with risk management frameworks. Not only does that help auditors stay in touch with the top risks keeping management up at night, but it also enables them to leverage existing risk scores and findings as the starting point of their audit plans. At a leading multinational bank, the internal audit function uses an integrated GRC solution to automatically capture risk assessment results from other assurance groups such as risk and compliance. By reusing this data in their own assessments, the audit team saves valuable time and effort.
The more closely aligned the internal audit function is to enterprise risk management frameworks and strategic objectives, the more targeted and meaningful its activities and insights are likely to be.
For timely insights on risks and controls, stakeholders rely not just on internal auditors, but also other auditing groups such as quality auditors or health and safety auditors. If each of these groups uses different taxonomies, tools, and methodologies to manage and report their findings, executives and boards are likely to be confused.
A better approach is to harmonize activities across assurance groups. Many organizations use a centralized GRC platform that helps standardize risk and control taxonomies, so that all assurance functions are communicating in a common, consistent language to the management team and board.
A GRC platform can also help map internal audit data to risk, compliance, and business data in a single framework. Thus, at a glance, internal auditors or management teams can clearly understand which risks relate to which policies, controls, regulations, issues, business objectives, and auditable entities. This kind of bird’s-eye view of audit and GRC data enables stakeholders to make informed decisions.
It’s easy to fall into a trap of complacency when one has been used to doing things a particular way for many years. To shake things up, it’s important to bring fresh, diverse ideas and perspectives to the internal auditing table.
Many audit teams have adopted a rotational model wherein high-potential employees from finance, operations, IT, marketing, and other business groups are rotated into the internal audit team for a certain period. These individuals act as powerful change agents, injecting new skills and ideas into internal audit, while also bringing with them a deeper understanding of the business.
In other rotational models, internal auditors are assigned to a different business function. Not only does this approach improve the career opportunities of internal auditors, but it also enhances their knowledge of business programs, processes, technologies, operational changes, employee innovation, third parties, and other aspects of the organization – all valuable insights for the internal audit program.
Today’s internal auditors are expected to demonstrate a larger set of skills and competencies beyond the traditional accounting-focused expertise of the past. Technology skills, for instance, are becoming increasingly important for internal auditors, as organizations go digital.
“An internal audit function’s digital fitness must match that of its organization,” noted PwC in their 2019 State of the Internal Audit Profession Study. “If not, gaps across the lines of defense will widen, and more points of entry for risk will appear.”
Many internal audit teams are investing in training and upskilling programs to help them audit emerging technologies such as the cloud, AI, the internet of things, virtual reality, and business process automation. Some are also hiring data scientists to assess the quality of data, and to draw out meaningful insights for decision-making.
Meanwhile, the emphasis on soft skills in internal audit is growing. Qualities like creativity, effective communication, integrity, resilience, critical thinking, empathy, inquisitiveness, and learning on the fly are fast becoming the differentiators of a truly agile and responsive internal audit function.
The right audit management software can make a big difference to the agility and responsiveness of the audit function. It can streamline, standardize, and automate internal audit activities, while optimizing resource efficiency. But what makes an agile, effective internal audit management software system?
How do you know if your efforts at building a more agile internal audit function are working? For one, the opportunities to audit will increase as more requests come in from the management team and other stakeholders. Two, internal auditors will be recognized and appreciated in the organization for the good work they do. Stakeholders will consistently report high levels of satisfaction with the advice and insights delivered. And finally, productivity and value will be optimized as internal auditors leverage technology and process innovations to do more with less. All these results, in turn, will enable the internal audit function to cement its position in the organization as a truly relevant value provider.
Building a more Agile and Relevant Internal Audit Function - Timothy Berichon, CPA, MBA. Head of Internal Audit, Cooper Tire & Rubber Co., MetricStream GRC Summit 2019
Aligning Internal Audit Activities and Scope to Organizational Strategy: How the Business Environment and Organizational Strategy Impact Internal Audit – Nathanaël Betti, Gerrit Sarens, Internal Audit Foundation, 2018