If internal audit is perceived as a bureaucratic process that slows down daily operations and is only carried out because it is imposed by top management, then internal audit must change its strategy.
When I visit an organization for a third-party audit, it is normal to perceive a certain reluctance from the auditees to provide the information. This perception should be a wake-up call that communication regarding internal audit needs to improve. The internal auditor is an integral part of creating value for the business. Communication must always be totally open to create a positive environment for the growth of the risk culture.
If Agile techniques are brought into internal audit, the immediate effect usually is the abolition of the complete annual audit plan because it becomes a risk-based internal audit that addresses the control needs of the remediation plan for each individual risk in time to respond with corrective actions to any deviations from the plan. To be effective, the audit must be ready to verify the status of the controls of each individual risk when the need arises—timeliness is essential.
The audit plan should not be imposed by an aging policy and expected to be completed on the whole organization. Instead, it should be revised on the basis of the risk lifecycle and only for the risk that requires attention. One way to respond to this need is to prepare key risk indicators (KRI) to implement a gap analysis. The results of the KRIs are prioritized in the risk treatment plan and the most critical situations are included in the audit plan to verify the related controls.
Focusing audit interventions based on risk assessment in situations where verification is actually needed creates the conditions for improving trust in the auditors’ work. This flexibility to adapt to business changes and operational process variations is the right direction for a more operational use of audit findings. There is no longer a need for generic and obsolete results from audits to satisfy compliance with some framework or regulation. Instead, the value is in timely data that can be used in actions to improve operating processes and business continuity. The perception of the usefulness of the audit results is a virtuous process that increases trust and consequently the quality of the information collected.
Using Agile practices to focus on risk assessment also increases the speed of audit. The audit process should be modeled to interact continuously with the risk management process by sharing the reciprocal results. The findings of the audit remediation plans are entered as inputs in the risk scenarios, while the risk treatment plan is an input to create indicators for the definition of the audit plan.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Agile Manifesto for Internal Audit,” ISACA Journal, volume 2 2023.