How Financial Services Audit Teams Can Add Flexibility With an Agile Approach
Many traditional internal audit practices hinder our ability to respond to changes in the risk landscape within an appropriate amount of time. The reality today is that the speed of risk is constantly increasing. As Richard Chambers said in a recent report:
“The future is never predictable with any precision. That is an important reason why internal audit must continuously monitor risks so that it can adjust its plans swiftly in response to changing conditions. The era of a single annual risk assessment to build a 12-month audit plan is over.”
Agile auditing provides the flexibility needed to respond and react to the rapid shifts in risk exposure that financial services organizations face. Every company is unique, and its agile transformation will differ based on the team’s size, level of maturity, industry, technology solutions, and other resources available. Depending on these factors, larger organizations may have combinations of commercially available and homegrown technology, as well as professional services/business transformation teams, to support their journey toward increased agility. Smaller banks, credit unions, and insurance companies may have more limited resources at their disposal, but they may also be able to adjust their way of working more easily.
Learn how financial services audit teams can get started implementing an agile audit approach across the entire audit process — from risk assessments and planning through fieldwork, reporting, retrospectives, and more — and download AuditBoard’s full guide, Conquering Heightened Risk Exposure in Financial Services: 7 Steps to Transform With Agile.
Adding Flexibility With an Agile Audit Approach
While all internal auditors generally acknowledge the need for continuous monitoring, it can take time to make changes to an established and approved plan. For many organizations, audit planning is an annual exercise. Unfortunately, once those plans are approved and set into motion, too many audit teams rigidly adhere to the plan without considering changes to the risk environment, including the emergence of new or modified risk exposure. Banks and other financial institutions face an even bigger challenge given the practice of creating multi-year plans to provide comprehensive audit coverage.
Agile auditing takes a more flexible, iterative approach that relies on a shorter audit life cycle and open communication to ensure the audit teams are providing insights on the most critical business risks concerning management at that time. Auditors still need to understand why the project is on the plan, meet with executives in this area, understand the risk drivers, and establish the audit’s objective.
The main difference between traditional and agile auditing is that agile focuses attention on the audit areas and risks that are most important to the organization at that point in time. In an agile audit, the goal is not to perform end-to-end audits but to gain and share insights with management on the audited areas. Agile does not fundamentally alter the work of audit itself. Your core work — risk assessment, work programs, testing, audit findings, and audit reports — remains the same. What changes is the timing, communication, areas of focus, and degree of perfection of the work. When done correctly, agile auditing improves customer engagement and resource use and adds value to the company.
The changes will impact all elements of the audit life cycle by condensing the entire audit horizon from a year to a quarter. The modification means completing the risk assessment, all audit fieldwork, and all reporting within a three-month window and starting the next quarter with a refreshed assessment incorporating the organization’s current objectives and concerns.
Shorter Audit Cycles
As a first step, internal audit should adopt a shorter audit cycle, ideally a quarterly cycle from assessment to audit committee reporting. Audit leaders must stay close to the business and partner with them to understand the most urgent risks that should be added to the audit plan within the next quarter. Many forward-thinking audit shops are tracking real-time risk metrics to take a more data-driven approach, rather than simply relying on stakeholder interviews. If audit leaders cannot predict which risks will take priority six months into the future, they cannot make plans three to four years in advance.
Quarterly Risk Assessments
For many internal audit departments, the risk assessment process takes a long time and involves people from across the business. The shorter cycle would mean performing quarterly risk assessments. Moving to a technology-enabled or even continuous risk assessment reduces the time for each quarterly assessment, allowing audit leaders to prioritize risks and decide on a plan for the quarter — auditing the right risks at the right time.
Agile Audit Planning
During the audit’s planning phase, risks are divided into manageable pieces and prioritized into sprints, usually one to two weeks of work. For instance, you might decide that you will form three sprints, and each one will deliver one or two meaningful pieces of work that you could present to your customer to show actionable results at the end of the sprint. To the extent you can, work should be prioritized by the level of risk associated with the testing.
The first deliverable in an agile approach is the most basic: a concept called a minimum viable product (MVP). The deliverable contains the two or three specific things the team must achieve during the project. In an audit context, the team should first audit the highest-priority risks to achieve the MVP. Expanding scope beyond what was needed to achieve the MVP means taking away from other high-risk areas, so making that decision takes careful consideration. For example, the project manager (called a “scrum master” in the agile framework) may determine the MVP will be sprint zero (i.e., the planning phase) through sprint two. If you have time and the project stays on track, you can get to sprint three. If not, drop that sprint to move on to another, more value-added project.
Agile planning looks similar to traditional audit until you get to the audit work program. Auditors cannot create an entire audit work program in advance because the program only highlights the most critical risk areas. Instead, the team starts by creating a high-level work program with the work they intend to accomplish to achieve the MVP. In agile, this high-level work program in sprint zero is our backlog, representing the work to accomplish as it becomes relevant throughout the project.
Fieldwork Team Composition
The composition of the audit teams performing fieldwork may also need to change. A key staffing concept in agile includes using a project manager and self-organizing teams. The project manager removes roadblocks that impede the team’s testing and ensures they have the necessary resources. The individual also conducts weekly or bi-weekly sprint meetings with stakeholders to discuss audit progress and any issues. Self-organizing teams include individuals with various backgrounds, allowing them to make decisions in the moment, only going to audit leadership for major decisions that impact the scope of the work.
Daily Standup Meetings
Daily standups allow a project team to discuss progress and impediments before they become problematic, so they can ask for help or collaborate toward solutions to support the completion of the committed work. People may initially resist meeting every day, but daily standups are crucial to developing an agile mindset.
In a daily standup, the project team meets at a set time and place to discuss the work for that day. In 15 minutes, team members answer three questions:
- What did you accomplish yesterday?
- What are you going to accomplish today?
- What impediments are you facing?
Then, the team identifies steps to be taken that day to move the sprint forward. Next, the team leaves with clarity and action for impediments, updates the backlog with action items or additional tasks, and schedules follow-up meetings to address topics that require more discussion. Daily standups help keep the project on track and support cross-functional collaboration because connecting daily prevents people from working in silos.
Sprint Reviews
At the end of each sprint, the team shares the results with the stakeholders in a sprint review, often in a compact report document referred to as a “Point of View,” which reports findings from that sprint before the final audit report. During this review, all issues are presented, and action plans are gathered or confirmed. At this point, remediation should start if it has not already. More frequent engagement enables issue owners to start working on management action plans throughout the project instead of waiting until the end, which solves some of the delay issues experienced with the traditional waterfall approach. Delivering information this way can also help you realize when you have done enough work to identify the most critical risks and could shorten your audit project to move on to more valuable work.
Agile Audit Reporting
One of the most common complaints among auditors is that the reporting drags on for too long. In an agile approach, auditors are more concerned with communicating timely results to management and the audit committee than writing a report. It would be a disservice to the organization to hold this information back for three to six months while waiting for a formal audit committee meeting. By reframing the purpose of the internal audit function as one that gains insight into risk exposure through control testing, the need for near real-time reporting becomes critical.
Audit Retrospective
The audit team performs a retrospective at the end of the audit to determine what improvements should be made. Retrospectives are open, honest discussions about the audit that describe what went well and what could have been better. The outcomes are shared with the audit department so that everyone can benefit.
At first glance, these changes can seem overwhelming, but embracing the agile mindset and having the flexibility to audit the most critical risks without spending time on low-value activities is truly empowering. Coupling this result with a practice of continuous improvement adds new enthusiasm to the team as they all come together to create an efficient, effective, and flexible audit function. The first step is to plan for these changes so that the transformation from traditional to agile auditing will succeed.
The shift to agile auditing is one of the most exciting enhancements to the internal audit profession in recent years. By embracing the agile mentality, internal auditors in financial services are more aligned to key business risks and able to pivot in reaction to emerging risk trends and new regulations. To learn more about how to successfully transition from traditional to agile audit, download AuditBoard’s full guide, Conquering Heightened Risk Exposure in Financial Services: 7 Steps to Transform With Agile.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.
Marissa Carducci is a Principal of Product Solutions at AuditBoard, where she has advised some of AuditBoard’s largest audit and risk clients on leveraging technology with both traditional and agile audit strategies. Prior to joining AuditBoard, Marissa worked within EY’s Risk Advisory Services practice supporting both mature and immature SOX programs and internal audit functions. Connect with Marissa on LinkedIn.