A blanket "top-down" approach for all assurance activities can, at best, result in audit-client resistance, and at worst, conflict. Either way, it's a disastrous outcome for internal audit's position as a trusted advisor and for the organization's ability to address risk.
The challenges with traditional audits have also included the characteristically long-winded exit process needed to confirm the details of findings and to receive and finalize management responses, including their timeliness. Under the traditional audit methodology, these conversations are usually held only at the end of the audit. This approach further delays finalizing audit reports and the start of the real value-add: implementing management actions.
Collectively, this process creates situations where risks are identified and remain unmitigated, or control deficiencies remain unchecked for even longer. This situation leads to frustrated audit teams and management, disillusioned stakeholders, and more importantly, a greater risk to organizational objectives. On average, it takes about five weeks to communicate results — two weeks to issue a draft report, two weeks to receive management responses, and one week to issue a final report.
According to Touchstone Insights for Internal Audit, 79% of respondents say collaboration with the business is extremely important. To deliver valuable, timely results in a collaborative approach, audit teams should consider adopting an Agile methodology, based on the 12 principles enshrined in the Agile Manifesto designed for software development. Each audit department can interweave these principles across its audit process to strive toward a fully Agile approach to "steal the best bits."
Here are three things that internal audit functions can do today to become more Agile.
1. Increase the Frequency of Risk Assessment Updates