Can Auditing Be Agile? Your Biggest Questions Answered
For many auditors, ‘agility’ is a concept that feels disconnected from the reality of their jobs. Stuck in tactical planning cycles, hampered by legacy processes and dependent on other business functions, auditors may feel like being agile is a distant dream. But there is a way to get there.
During a recent webinar titled ‘How to Become an Agile Champion: Practical Advice for Auditors,’ industry leaders from ING, the IIA and Workiva discussed why agility is well within the reach of auditors and how to achieve it. Based on the results of an informal post-attendance survey conducted by Workiva, nearly all attendees (96%) found the discussion content to be beneficial. The webinar attendees also had several insightful follow-up questions, some of which we would like to share with you in this blog post.
Q: How agile can you actually be as an audit department when the wider organisation is not following the same practices?
A: Transforming to an agile environment won’t come overnight and will require buy-in from the organisation. An effective method when campaigning internally to get teams on board is to be clear on their roles and simplify the ask.
Designing processes and channels of communication that don’t burden the teams and are transparent in their intent is a helpful starting point. If this new process can be simple and reduce obstacles in the current environment, it will be easier to enable other teams. A phased approach lends itself well to this transformation: set attainable and reasonable milestones from departments outside of audit and recognise their success along the journey!
Q: What is the involvement and role of the audit committee in the journey toward agility?
A: Put simply, support and encouragement. Adopting new work behavior and methodologies can add stress to individuals. It is critical that the audit committee steers the department in a sustainable and effective manner.
Q: Regarding combined assurance, do audit, compliance and risk management teams have to develop a plan together? If so, how do they decide which areas or functions to audit?
A: Communication and transparency across the first, second and third lines will be integral for your success. When risk management can get close to real-time monitoring and evaluation, they will enable a dynamic audit team to receive this assessment, drive agile planning and focus on the areas that present the greatest exposure internally. Then their findings won’t be solely based on a static point in time but across the life cycle of the processes.
Q: The compliance and risk management departments are the second line of defence. They’re not completely independent. Can audit rely on the work they do?
A: The phrase “trust but verify” should be ever-present in the minds of auditors (both internal and external). The work your colleagues perform can indicate potential issues or exposure and should absolutely be a part of our professional judgement when performing and concluding audit work. That said, the onus is still on internal audit professionals to understand the environment and evaluate the appropriate level of assurance. The audit team may find that internal work is contradictory to their conclusion(s). It is imperative to include this in your documentation, as contradictory evidence strengthens the understanding of your subject matter and encourages critical thinking.