Recent years have caused disruptions to traditional operating models requiring internal audit functions to flex quickly and adopt scalable, flexible audit techniques and approaches. Internal audit now has the opportunity to permanently shift the dial.
Internal audit functions have the opportunity to pivot to a more pragmatic and agile approach and with expected continued demand for more rapid, targeted and efficient assurance internal audit functions will need to provide enhanced insights and quick responses to changing risks and priorities.
Benefits of agile audit
Agile internal audit techniques allow for a timely and fit-for-purpose approach to providing assurance during uncertain and changing times.
Agile internal audits are founded on the agile project and change management methodology, built to accommodate continually changing circumstances. As the agile method is shorter and iterative it allows for more flexibility and delivers greater impact when new initiatives arise, or significant business interruption occurs. Agile approaches to delivering outputs are increasingly being used across all organisations, including second and third line functions.
Agile internal audit delivers reduced costs, efficient delivery and improved quality. Agile is based around the concepts of:
- shorter, accelerated audit cycles
- timely insights
- greater stakeholder interaction and alignment to stakeholder needs
- reduced waste and documentation
- frequent communication
- increased audit quality.
Agile assists in prioritising audits based on risk and the organisation’s readiness to perform the audit, with the delivered report focusing on providing insights and delivering briefer, timely feedback – with less words and, ideally, more visuals.
The adoption of agile creates an opportunity for internal audit to think differently about the delivery of audit plans and the critical controls monitoring in the longer term.
Internal audit professionals pivoting towards an agile delivery execution need to consider the changes needed to key audit concepts.
||Traditional audit||Agile audit
||Audit objectives||Defined value expectations|
|Ownership||Internal audit team||Collective, team based|
|Engagement sequence||Linear||Sequential work cycles|
|Planning||Rigorously planned activities and a set master internal audit plan||Activities are quick, iterative (sprints) and incremental|
|Communication||Ad-hoc communication, typically during finalisation of fieldwork and reporting.||Frequent communications, for example daily meetings and auditees involved throughout.|
|Status updates||Ad-hoc – as needed or as defined by organisations audit methodology.||Daily and incremental with input from the client and key stakeholders.|
|Reporting||One report, provided on completion of the audit, and often requiring a laborious review process.||Smaller ‘summaries’ provided throughout project with focus on value and visualisation.|
|Documentation/working papers||Significant, comprehensive and thorough to ensure work is defendable, often reviewed at completion of project.||Rationalised and value based. 80/20 rule – 20 percent accounts for 80 percent of results. Reviewed throughout project.|
|Auditee relationship||Arm’s length||Collaborative relationship, with auditee ownership and agreement throughout.|
Full scale internal audits that adequately address complex and high risk reviews will always be required. Internal audit teams will need to give careful consideration to the application of agile, ensuring the appropriate nature of the audit topic and the profile of participating auditees. There are some internal audit areas which may be best aligned to agile approaches.
- Critical controls monitoring: repeatable and regular reviews provide routine communication of observations and prompt action. Additionally data analytics can be applied over critical controls in an agile approach. For example, focus on key business and compliance risks and associated controls such as delegations of authority (DoA), third party vendor management, cash management, cybersecurity and fraud risks.
- Change programs: including changes to processes and new products developed, the introduction of any new operations and operational technology implementation/updates and strategic change initiatives.
- Data-analytics driven internal audits: which could include core financial reviews such as payroll, accounts payable/receivable and procurement.
- Disaster recovery and business continuity: which could include reviews over the effectiveness of continuity plans, design adequacy, health checks and post recovery reviews.
Agile reporting adds value for stakeholders
Agile audit reports are brief, timely, and succinct. They are the culmination of observations which have already been shared and agreed with management, for which management have addressed or implemented actions. Key concepts include the following.
- A summary of observations at the conclusion of each ‘sprint’ is provided (eg through use of a memorandum). For example, a data analytic dashboard report is an effective one page summary highlighting exceptions.
- Reports are collaboratively discussed with auditees to provide insight and feedback for immediate action.
- The final report is a culmination of each summary at the conclusion of a sprint, providing themed findings and opinions of the process reviewed.
If you have any questions regarding the content of this article and would like speak to someone from our team please contact us.
Find out more
Be confident in managing your business' risk and opportunities with an effective governance, risk and controls environment.
KPMG can help clients develop an effective governance, risk and controls environment.