Embracing Progressive Auditing Practices to Position Your Internal Audit Team for Success
Internal Audit teams are going through some major transformations as they look to move away from a traditional approach comprising sample-based testing and an Annual Plan to a more progressive and digital approach that is more responsive to risk and leverages data and technology to test full populations. Progressive audit practices can add real value to your auditing capabilities, and many are steps in the agile auditing direction. This article assumes a basic familiarity with internal auditing practices.
Setting the Scene – The Case for Change?
I am a big supporter of agile auditing; before we went agile, I was part of a global audit team that was very progressive. Either is a great place for Internal Audit to be, and perhaps what is missing is the starting point for the journey. As I have said in previous articles, Internal Auditors can be a conservative bunch. We like proof; we like to triangulate feedback; we like to think in a structured way, and we like the details. Well, some of us do and some do more than others, let’s be honest.
Over my career to date, I have spent time in Audit teams that were traditional for a long time but then morphed first into a progressive Audit function and then into an Agile Audit function. Internal Auditors don’t change too quickly by nature, but if you want to add more value to your organization, you must aspire to being either a progressive or an agile audit team. Traditional auditing is in decline and rightly so; teams largely focused on sample-based testing and an annual risk view are not changing with the times, and the case for change is critical. Internal auditors must be data and tech savvy, with capabilities to assess risks more quickly and to add more value. The audit cycle is shortening and there is increasing proximity among Lines 1.5/2/3 of Defense, despite our different mandates, as we are all looking to leverage the same data. Potential future integration / organizational realignment of resources is a possibility in digital organizations.
Progressive practices for sure are value-added and can really unleash improvements in the Audit function. For me, the starting point, if you aspire to being a progressive Audit function, is having the right Vision (and Mission) statements. Your Vision is your strategic aspiration, your North Star that guides the team. Often the Vision statement will not mention the word “Audit”. What it may well mention are strategic audit topics or capabilities that you want to develop (or want more of), e.g., critical thinking, data science analytics capabilities, innovative products, AI/blockchain & crypto capabilities, critical data/tech-oriented skill sets, trusted advisor status, etc. For traditional Audit teams, it is an adapt or die moment.
Establish an Audit Vision supported by progressive initiatives to change your audit DNA
Progressive Audit teams have a clear and ambitious Vision that the entire team rallies around; it will be of little use if the Chief Audit Executive defines it and says, “here you go – deliver that”! So, a clear Vision is a great starting point, and it typically is a sentence or two max. Not War and Peace. Your Vision should be difficult to achieve and it likely will represent a multi-year journey (2-3+ years) to get there. Once it is set, Audit will embark on a progressive journey, and you will need to take the time out to reflect upon the journey (e.g., every 6 months or so) to assess progress, new priorities, changes, etc.
The team needs to plot the course towards the Vision and start the journey; that typically will result in Audit identifying strategic initiatives and changes needed to start realizing the Vision. Investment in change will be needed, and shared ownership will be a key measure of the team’s drive and success. Strategic changes can be many things, but within Audit it helps if you group them into People, Process and Product related projects; Culture may be a fourth overall category that traverses the other three categories. Many Audit teams that start out on the progressive Audit journey quickly realize that important historical aspects of the Audit Function’s set-up need to change.
For example, if your Vision is to be data driven, delivering full data audits (instead of sample-based audits), then you will need to invest in data science skill sets, and these may need to be new hires to gain traction. Indeed, there is great value in embedding a data scientist directly within an audit team to share know-how and sharpen the team’s data capabilities. You will soon be gathering several years of data to review and applying data hypotheses to the data. Products may need to change too: progressive Audit teams offer many different audit products for different types of audit and assurance work.
Your audit methodology will need to change to set an expectation that the team performs more data analytic audits (the CAE can set a higher target every year until you get close to your North Star / target) and exhausts possibilities for data driven audits being considered as part of the audit plan. To get this part right, you will need to consider the approach to perfecting the data sets for your audits, so pre-planning becomes more important to iron out the dataset, access to the underlying tables (i.e., will the client IT team host Audit or will they drop the data into a separate database instance for you?) and ensuring the data is normalized, etc. So, you may end up with fewer traditional audits, replaced by more full-data audits, desktop / self-assessment reviews, forward-looking project audits, business insights, controls design reviews, etc. The team’s skill set needs investment, with the team always progressing and continuously learning new skills. You will want your future auditors to have the business know-how and critical thinking skills as well as data and tech capabilities akin to a data scientist.
Are We There Yet?
All of this is possible in a progressive, well-led Internal Audit function and it applies to both smaller teams as well as bigger, global teams. If you sustain your focus, you will achieve your Vision and then you will at some future date set a new Vision, with greater ambition, etc. This may lead to an agile audit implementation at some future point, but agile, supported by a SCRUM methodology, is not for every organization. I have played a big part in an Agile Audit implementation within a global Audit team, and it can work well, but requires some adjustment to fit in an Audit context. That said, being a progressive Audit function is a great place to be and is on the agile path. While I will not get into adopting agile auditing now, there are many progressive auditing approaches that are core agile audit components that any Audit team, irrespective of size, can adopt, such as Sprints, Sprint Reviews and Team Retrospectives. These are all great ways to increase audit transparency, while reducing low risk testing, focusing on auditing risks / topics that matter and adding value to your organization.
It is always time well spent to set or revamp your Audit Vision and to invest time in honestly assessing existing and desired capabilities and team impact/positioning. So, if you are a traditional audit team and function, it may make sense to strive to be a progressive audit function first. Shared team reflection, including challenging the traditional status quo, and investment in priorities aligned to your Vision, will yield results and positive, value-added impact for your Audit function and organization.
Want to learn more? – Check out Shane’s recent Webinar with Chartered Accountants Worldwide Network USA on Auditing the Future – Where Does Internal Audit Go from Here?
Here is the webinar link: https://lnkd.in/eAT2d9e7
Shane Rogers FCA, MBA is an independent risk and audit management consultant. A former Audit Managing Director and US-based CAE with deep, partner-level, investment banking, and insurance experience globally, he has led progressive and agile Audit teams that thrive. A Chartered Accountant, Shane has global experience working in Price Waterhouse, Credit Suisse / First Boston, and Swiss Reinsurance. Shane conducts external Audit assessments (against IIA standards virtually or in hybrid mode) and ERM team assessments and positions teams to optimize business impact and value-add. He can be contacted via LinkedIn, or email [email protected], or (M) 646-417-1613.