Like almost every other business function, internal audit (IA) has been comprehensively disrupted by the global pandemic. In just a few months, audit teams have had to adapt quickly to fewer resources, rapidly evolving business priorities, and a distributed workforce. The good news is that IA groups, by virtue of their organizational knowledge and visibility into risks, are well-positioned to advise the management and board on how to navigate the uncertainties ahead. But to do so effectively, they might need to rethink traditional approaches to auditing.
Risks are changing so quickly today that long-drawn-out audits with rigid, pre-set plans no longer work. Auditors need to be able to quickly pivot and respond to new risks such as employee health and safety risks, information security risks, supply chain risks, and even the possibility of an economic downturn. Auditors also need to be able to deliver frequent insights to the management and board—all while coping with limited resources. That’s where agile auditing can help.
At a recent MetricStream webinar, our internal audit expert pointed out that agile internal auditing is ultimately a mindset. It’s about being flexible and responsive to changes in both internal and external environments.
Agile IA focuses on faster audit cycles, timelier reporting, less waste, and greater business value. In fact, it pushes auditors and stakeholders to determine upfront the value that will be delivered by a particular audit project. It also helps prioritize audits based on their importance and urgency—which is critical in today’s fast-evolving environment. Since agile auditing requires IA teams to do more in a shorter time frame, a lot of discipline and rigor is involved—right from audit planning and resource allocation, to field work and reporting. Compared to traditional audits, agile auditing is quicker and more iterative.
Documentation requirements are fewer. And instead of a predefined plan set in stone, agile audit plans are usually flexible. They’re broken down into multiple shorter cycles that make them more agile and responsive to change.
Why is agility in auditing so important now? Because the world has changed. Risks that were top-priority just a few months ago may not be as relevant anymore. If auditors want to help their organizations thrive, they have to be more agile and move at the speed of risk. An EY survey found that almost half (46%) of IA functions around the globe are reprioritizing their internal audit plans to address new risks that have been identified as a result of the pandemic.
Since an agile audit has shorter and more iterative cycles, auditors can be flexible about incorporating new risks and auditable areas throughout the year. They can also keep pace with emerging risks and assurance needs by regularly reviewing and reprioritizing their audit plan. The idea is to focus on what really matters at the moment. For instance, how might remote working models during the pandemic impact organizational governance? Are an organization’s contingency plans in line with industry best practices? Are employees trained on the cybersecurity risks of working from home?
Are remote access controls built to scale? Is there a clear communication plan for customers? These are all areas where IA practitioners can provide valuable and timely insights with the help of agile auditing
In a post-pandemic world, technology is no longer simply a nice-to-have, but an imperative. Especially in a distributed workforce, internal auditors need technology to collaborate better with stakeholders, access information quickly—and enable agile auditing.
MetricStream Internal Audit Management facilitates a dynamic, risk-based approach to agile audit planning where new risks can be continually added to the plan as priorities shift. The product accelerates internal auditing with streamlined, automated processes. It also helps optimize resource allocation, so that auditors can do more with limited resources. Real-time reporting and analytics tools process massive volumes of data quickly, so that auditors can speed up reporting, and enable business leaders to make decisions faster. But this is just the beginning. With artificial intelligence, robotic process automation, and advanced analytics, IA practitioners will be able to continuously monitor and easily detect risks even while working remotely. They will be able to collaborate more seamlessly across the lines of defense, and automatically integrate data on risks and issues from multiple diverse sources.
They will also be able to anticipate risks, and predict disruptions more effectively. All these capabilities, in turn, will enable them to demonstrate better agility as they help their organizations tide over the pandemic.