On the Frontlines: 3 Things to Do Now to Become More Agile

Audit teams have long been criticized for lack of timeliness. Stakeholders are frustrated with the time taken to deliver audit results, typically in the form of a final audit report. With the risk landscape volatility, senior management cannot afford to wait until the audit's conclusion to receive a long-form audit report. The sooner management receives the audit report, the swifter it can respond.

A blanket "top-down" approach for all assurance activities can, at best, result in audit-client resistance, and at worst, conflict. Either way, it's a disastrous outcome for internal audit's position as a trusted advisor and for the organization's ability to address risk.

The challenges with traditional audits also have included the characteristically long-winded exit process to confirm details of findings as well as receive and finalize management responses, including timeliness. These conversations are usually held only at the end of the audit based on the traditional audit methodology. This approach only further delays finalizing audit reports and the start of the real value-add — implementing management actions.

Collectively, this process creates situations where risks are identified and remain unmitigated, or control deficiencies remain unchecked for even longer. This situation leads to frustrated audit teams and management, disillusioned stakeholders, and more importantly, a greater risk to organizational objectives. On average, it takes about five weeks to communicate results — two weeks to issue a draft report, two weeks to receive management responses, and one week to issue a final report.

According to Touchstone Insights for Internal Audit, 79% of respondents say collaboration with the business is extremely important. To deliver valuable, timely results in a collaborative approach, audit teams should consider adopting an Agile methodology, based on the 12 principles enshrined in the Agile Manifesto designed for software development. Each audit department can interweave these principles across its audit process to strive toward a fully Agile approach to "steal the best bits."

Here are three things that internal audit functions can do today to become more Agile.

1. Increase the Frequency of Risk Assessment Updates

For audit teams to deliver relevant assurance, they must become more Agile and strive toward a risk assessment that continually reflects what is keeping senior management up at night. This means that risk assessment updates must be done more frequently, and certainly more than once a year.

According to Touchstone Insights for Internal Audit, 61% of respondents update their risk assessments annually (see box, right), and the frequency of these updates increases as departments adopt an Agile methodology. Of those teams that execute an Agile methodology, only 28% perform risk assessments annually. Most Agile functions have moved to at least quarterly updates.

2. Adopt a Truly Risk-based Audit Approach

Organizational management is constantly scrutinizing spending, and even internal audit is not immune to this scrutiny. Audit teams must continue to demonstrate value through assurance and consulting services across a broader spectrum amid growing complexity. Management and audit committees also want internal audit to display sound judgment by increasing focus on heightened risk areas.

Moreover, audit committees prefer audit teams to focus time and effort on higher value-adding assurance activities. An Agile approach of flexible audit planning aims to improve audit committee satisfaction and confidence by delivering valuable, relevant assurance for the organization.

3. Strive for Frequent Communication and Closer Collaboration

Audit teams are moving toward an Agile methodology to sharpen their focus on delivering value. The value of audit findings can diminish sharply over time, as the organization faces an identified, but unmitigated, risk that threatens its objectives. Agile tools and processes ensure that teams plan and communicate audit findings timely to preserve their value.

The delivery of the final audit results hinges on two key activities:

• Issuing the draft report.
• Receiving management responses.

When comparing traditional audit teams with Agile teams, Touchstone Insights for Internal Audit finds that Agile teams are more likely to issue draft reports within one week (see box, abovet right). The report also shows that for the 29% of teams that do not execute Agile activities, the focus is on tracking using estimated/scheduled time versus actual time. While this metric may help calculate utilization and time to complete the audit, it does not provide transparency into the work performed and the conclusions about risks to the organization.

Audit teams looking to become more Agile today can embed more frequent and open communication practices with management and build a collaborative culture to improve the timeliness of valuable audit insights.

Sio Naidoo, CIA, is product manager, Asia Pacific at Wolters Kluwer TeamMate in Sydney.