Agility as a conceptual basis for modern ways of working helps teams and organisations to react flexibly and efficiently to changing conditions and (customer) requirements. This is because it provides answers to central questions that classic project management methods struggle with. These answers can also be applied to the challenges facing internal auditing.
In controlling, changing forecasts have often become accepted as a management tool in contrast to rigid budgets and target/actual comparisons. Against this backdrop, it seems appropriate that internal audit should also consider whether annual audit planning is still appropriate for a dynamic environment. The process of risk-oriented audit planning, i.e. the structured analysis of risk areas, possible weaknesses and available resources, is still an important means of coordination and communication between the stakeholders of internal audit, but the output of this process, namely the audit plan as such, with a built-in "buffer" for ad hoc issues, is demand-oriented and must be constantly adapted. Thus, elaborate and rigid planning should take a back seat in favour of a constant and flexible coordination of relevant topics. The same applies to the planning and implementation of individual audits.
In principle, the sustainable improvement of the first line of defence with its organisational and procedural measures to control risks should be the goal of every organisation. For this purpose, an audit by the auditors is not always the appropriate approach. One reason for this is that the audit regularly brings an elaborate, findings-oriented process of interim identified solutions to a formal conclusion in report form. In contrast, an agile approach looks for possibilities to identify weaknesses unbureaucratically together with the department concerned and to implement suitable measures in a needs-oriented and, above all, speedy manner. A conceivable approach for the audit would be to carry out a short "readiness check" beforehand, in order to possibly not even initiate audit procedures according to the findings obtained. In this way, audit reports could be issued regularly after remediation of identified weaknesses without significant findings in the interest of an effective first line of defence.
Agile approaches deliberately rely on autonomous, interdisciplinary teams as key drivers of change and optimised outcomes. Taking into account the aforementioned importance of improving the first line of defence, this raises questions about the composition of audit teams. Thus, in the context of the readiness check phase and the subsequent implementation of measures, it seems sensible to rely on agile teams whose members are made up of the affected specialist departments, the audit department and possibly other specialist departments. Goal-oriented work in time-limited intervals, as used for example in Scrum, promises not only efficient work and effective results, but also a positive working environment. Destructive "finger-pointing" or forced recommendations can be counteracted in this way.
Das agile Arbeiten - beispielsweise nach Maßgabe von Scrum - zielt darauf ab, die eigenen Arbeitsergebnisse und -weisen stetig kritisch zu hinterfragen und mit gegebenen Anforderungen abzugleichen. Die Organisation soll so in der Lage sein, Fehler frühzeitig zu erkennen, kontinuierlich zu lernen und Veränderungen schnell umzusetzen. Anspruch der Internen Revision sollte es daher sein, nicht nur die Organisation insgesamt zu befähigen, aus Fehlern und Schwachstellen rasch die notwendigen Schlüsse zu ziehen, sondern diese Denkweise auch für die eigene Arbeitsweise zu übernehmen.
Today, internal audit is forced to adapt to the increasing volatility of the audit object and environment on the one hand, while on the other hand it is under growing pressure to adopt the effectiveness and efficiency advantages that arise from agile ways of thinking for its own way of working. Those who close their minds to this development not only miss the opportunity to reposition themselves in the company, they also run the risk of increasingly losing relevance. Agile auditing offers the opportunity to gain relevance in the company and to meet the demands of stakeholders even better.
Further Information (in German only)
Technology and risk functions play a critical role in ensuring technological and operational resilience.
Technology and risk functions play a crucial role in resilience.
There are some fundamental issues that require immediate action and reorientation by those responsible for internal audit.
How should internal audit orient itself in the future?
Innovative technologies make it possible to improve business models and make companies more agile and responsive.
Many companies already use forms of automation in their processes.
Empfehlungen für kurzfristige Governance-Maßnahmen, um Unternehmen sicher durch die aktuelle Krise zu führen.
Empfehlungen für kurzfristige Governance-Maßnahmen in der aktuellen Krise
Luisa v. Esterházy
Partner, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft