Check out my post from IT Revolution's blog, which includes another sneak peek of my upcoming book, Beyond Agile Auditing!
This post has been adapted from the Introduction to Beyond Agile Auditing: Three Practices to Revolutionize Your Internal Auditing Practices by Clarissa Lucas, coming in May 2023.
How Internal Auditing Works Today
According to the IIA, Internal Audit exists to “enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” In most organizations today, auditors carry out this mission by using a fairly standard and rigid process (a traditional waterfall audit approach) that adheres to standards set forth by the IIA. These standards include requirements about the attributes of internal auditors and Internal Audit organizations, as well as requirements outlining how internal auditing activities should be performed.
Traditionally, audits are performed in stages, with the audit team completing one stage before moving to the next stage. This is known as a waterfall approach (which should look very familiar to anyone in software development or project management). In audit work, the waterfall flows like this: planning, fieldwork, reporting, and follow-up. Typical audits in large, complex organizations can last about three months, inclusive of planning, fieldwork, and reporting.
Because the audit is performed in silos, audit clients (those being audited) are sometimes surprised by the results delivered in the report. With that, negotiations begin, with auditors clinging to the gaps they identified and nonauditors rallying for the language or the ratings assigned to observations in the report to be modified. Auditors argue that the gaps are significant to the organization, and their clients argue that they’re irrelevant or not as important as the auditors are making them out to be.
The rounds and rounds of revising the report and quarreling over seemingly minor items in the report further extend the length of time between identifying a gap and the audit clients actually addressing the gap. Suddenly, it becomes more about winning and proving your adversary wrong than helping the organization achieve its objectives. Finally, after weeks of negotiations that you thought would never end, the auditors deliver the final audit report.
Problems with the Traditional Internal Audit Approach
This waterfall approach has been successful for decades, but it presents some challenges in today’s world. In the past, this framework worked well because risks were fairly static. There were rarely changes to the organization’s goals or products between the time an audit started and the time it was completed. The risks remained the same year after year, so it was easy for the audit team to conduct the same audit over and over again. This is still true in some areas, and the traditional waterfall approach can still be successful in these unique cases.
But in most areas today, risks are changing at a velocity previously unseen. This new environment creates unique challenges for auditors, including:
- Difficulty in adjusting the approved scope to accommodate changes once fieldwork has begun
- Limited pockets of feedback during the audit
- Communication breakdowns
- Lengthy periods of time between identifying gaps and communicating gaps to the client
These limitations can result in stress (for both the auditors and the client), impediments to achieving objectives (which is the exact opposite of what clients and auditors both want), and an adversarial (or challenging, at best) relationship between auditors and their clients.
In the past, most audit work was repetitive and known. Auditors would primarily focus on financial statement audits or compliance audits, where the year-over-year scope would remain relatively similar. The prior year’s list of risks and controls typically served as the list of risks and controls to cover in the current year’s audit. An example of this type of audit is one focused on determining compliance with the Sarbanes-Oxley Act (i.e., SOX audits), where the controls and test procedures rarely changed from period to period.
These types of audits are still performed today; however, the risk landscape has drastically changed, transformed by a number of influences, including the COVID-19 pandemic and the digital revolution. Both the pandemic and the digital revolution have changed the way organizations conduct business and operate. Many risks that are present today weren’t present or as prevalent a few decades ago, such as risks associated with the following:
- Large-scale remote or hybrid workforce models
- Global cybersecurity
- Connected devices and the Internet of Things
- Climate change
- Organizational reliance on artificial intelligence, machine learning, and automation
- Transition from on-premises technology infrastructure hosting models to cloud-based or hybrid hosting models
This is definitely not an exhaustive list, but you get the gist: we’re all facing more risks, and they’re being introduced at a much faster pace than we’ve historically experienced. Additionally, many audit clients are working with agility, and the old control mindset no longer works in these situations.
In response, the audit profession expanded its scope to include many more types of audits, including those assessing risks beyond compliance and financial reporting risks, such as operational risks, strategic risks, and environmental risks. Some of these audits cover areas where the work is more unique and less predictable than in SOX and compliance-focused audits. However, expanding the scope of audits is not enough; auditors need to modify their approach as well.
Change is Coming
Auditors can no longer cling to an approach that does not enable them to accommodate change or understand how teams work today. PwC, a professional services firm, poses a thought-provoking question: “When nothing in the internal or external environment is status quo, isn’t it time to think differently about internal audit?” They advocate for thinking about auditing differently by highlighting an audit team that “identifies high risk transactions with channel partners, [in] real time, to fundamentally change the scope and approach of the audit.” PwC doubles down on this by closing with the following:
“For the internal audit function, avoiding change is not an option. Transforming itself is not only what the business needs, it’s crucial to the function’s contribution to the enterprise, not to mention its continuing relevance to the business.”
PwC isn’t alone in this perspective. A 2021 article by McKinsey furthers the argument by stating,
“As the risk landscape becomes more complex, the onus is on IA functions to review their current operations—ensuring they are equipped for a working landscape that, in some areas, has seen years of change in just a few months.”
With an ever-changing environment, an audit approach that encourages flexibility and the ability to respond to change is superior to and provides more value than one that operates with rigidity.
To further illustrate this, consider the traditional waterfall audit approach. The timeline for completing these audits may span anywhere from a few months to a year, depending on the organization. Auditors following this approach invest time in the beginning of the audit to understand the control environment and identify key risks and control points for the entire process or technology under review.
There is a problem with applying this approach in today’s ever-changing and unpredictable environment, as Jonathan Smart explains in Sooner Safer Happier: Antipatterns and Patterns for Business Agility:
“Due to the long duration of traditional projects, the control environment is likely to have changed since initiation, with new controls to implement. For this to be discovered late in the lifecycle leads to unplanned work, [and] delays….”
While Smart is not referring directly to audit projects, his statement accurately captures the essence of what auditors and clients can experience when using a waterfall approach.
An audit managed using the traditional approach sets the stage for the audit “at a time when the least information is known.” Auditors gain a high-level understanding of the controls within the process during the planning stage; however, deeper knowledge is gained during fieldwork, when the auditors dive deeper into the specifics of the process and supporting controls. When the auditors are best positioned to determine the detailed scope of an audit, they’re already deep into the testing phase. Changes to the scope at this point typically lead to extending the audit beyond original deadlines and require approval for the changes (resulting in unplanned work for both the auditors and the client), if the auditors recognize the need to change.
Waterfall Challenges at Capital One
According to an IIA Financial Services brief on Agile Auditing, Capital One (a publicly held, US-based bank with over 50,000 employees) experienced challenges with the traditional audit approach, both from the auditor’s perspective and across the rest of the organization.
The challenges faced by the clients included:
- The need to periodically reeducate auditors
- Lack of consistency in the audit “rules of engagement”
- High volume of requests and questions toward the end of the audit
- Lack of visibility into the results of the audit until the audit team revealed the draft audit report
Capital One’s auditors also experienced challenges with the traditional audit approach, including:
- Limited time for research and education prior to engagement
- Information not available in a timely manner
- Elongated delivery cycle times
- Waterfall report reviews and revisions
- No break between audits—auditors ran from one to the next
This example shows that both auditors and audit clients are negatively impacted by clinging to the way audits have always been conducted and applying one rigid audit approach in every situation without accounting for the uniqueness of the processes or products under review. On a positive note, it shows a commonality between the two historically opposing sides, auditors and clients, but that’s the only positive thing I’m seeing here.
There are far more negative impacts, like pulling audit clients away from their daily work to accommodate unplanned work in the form of numerous unexpected audit requests, delayed delivery of value (thus reducing the value of what’s delivered), and burnout. The negative effects far outweigh the positive ones.
So what’s next? Where can Internal Audit go from here? The next step in the evolutionary journey took Internal Auditing to Agile. We’ll look at this transformation in the next excerpt from Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices by Clarissa Lucas, coming from IT Revolution in May 2023.