Rethinking How We Approach Internal Audit: GRC Conference Recap

While ISACA’s recent Governance, Risk, and Compliance (GRC) three-day hybrid conference covered a myriad of topics, a recurring theme was the need to embrace an agile mindset and methodology, specifically when it comes to internal audit. Here are takeaways from a couple of the sessions we were most intrigued by...

The future of internal audit—traditional vs. agile vs. both

In the session “Auditing Agile and Hybrid Projects,” Ivan Rincon, Director of Application Management Services for the Ministry of Transportation and Infrastructure of British Columbia, focused on the benefits of agile and nuances of using a hybrid of traditional and agile projects. 

Rincon highlighted four key things to keep in mind when auditing agile and hybrid projects: 

1. The importance of education. Everyone involved needs to understand the mindset behind agile and hybrid approaches, as well as the basic principles and language related to them. The benefits over the traditional course will quickly disappear if key stakeholders aren’t up to speed on the ins and outs of agile vs. hybrid. 

2. Auditors should embed themselves on a delivery team to understand the cadence and communication with the stakeholders. 

3. Speaking of stakeholders, it’s too easy to forget to loop in third parties when transitioning to agile/hybrid. Everyone must use the same models to prevent waiting on a contractor who frankly might have no idea how the new agile system works.

4. It's important to ensure the audit plan itself is agile and it should be discussed proactively with the project team, as auditing should never be a secretive process. Communication is even more crucial in agile/hybrid projects. 

Can you measure internal audit value?

Patty Miller, the founder of PKMiller Risk Consulting, asked the question point blank—is it possible to measure internal audit's value? Her session, “Measuring Internal Audit Value—Is It Possible?”, tackled the challenge head-on, emphasizing that value is in the eye of the beholder. Miller asked attendees what success looks like in their organization. And the answer might be more complicated than expected. 

One would initially think completing a project on time and on budget is a success. But Miller challenges this thinking.

“What if, as you’re finishing the project, you stopped just as a potential issue is identified?" she asked.

It’s still on time and it’s still on budget, but ignoring possible issues (or worse, softening an issue to avoid unfavorable client review) doesn’t feel like a success.

For a truly valuable internal audit, Miller honed in on a few essential items:

• The need for balanced metrics to track value delivery and improvement over time. These should be in value drivers, client behaviors, client feedback, and the audit process itself.
• A documented mission focused on helping the organization achieve its objectives and a clear charter providing the necessary authority, access, and unrestricted scope to set the internal audit team up for success.
• Finally, to lead the team, a “courageous and respected” CAE willing to tackle challenging issues, who strives to innovate and enhance performance. 

Miller had an incredibly pertinent refrain throughout the session: “You’re not here to issue reports. You’re not here to test controls. Your job is to help the company succeed.”
    
Thirsty for more audit content? Until Oct. 31, 2021, you can stream the entire Workiva Amplify conference on demand, including agile audit authority Rick Wright’s session on what it takes to make the minds and processes of audit teams more agile.