Q&A with Clarissa 1/16/2024

I'm often asked a number of questions about Auditing with Agility, and themes definitely tend to emerge with those questions. Here's one I get frequently:

Question: As an auditor, one of the key things I hear is, “You can’t conduct an audit of XYZ because you’ll only tell us what we already know!” Any advice on responding to that to get a more positive outcome?

Answer: As an auditor, this is pretty discouraging to hear, right? There really isn’t much value to the organization in internal audit telling key stakeholders what they already know. Besides, you’d probably rather spend your time doing work that your stakeholders will find insightful and valuable. Here’s where agility in the overall audit risk assessment and planning process is really helpful. First, it’s important to gain an understanding of what your clients already know.

If there are a number of initiatives they’re working on to enhance their key controls or to fix known gaps with key controls that cover the majority or all of your planned audit scope, maybe it’s not the right time to go in and do an audit in that space. So gain that understanding of what your clients already know with regard to the audit scope, and what they’re doing to address it. If they’ve got a good grasp of where the gaps are and are making progress on addressing them, and that completely overlaps with your planned audit scope, perhaps it’s time to shift your focus to another area of the organization. Meanwhile, stay close to those clients to keep on top of their progress, and partner with them when they’ve completed addressing the gaps or making those improvements to provide independent and objective assurance to them that the gaps are addressed as they expect (that’s when you’d come in and do your work in that space).

Maybe what your clients already know covers only a portion of the audit’s planned scope. If that’s the case, it might make sense to adjust to a more targeted scope that includes the areas where your clients don’t have as much visibility into the effectiveness of their controls. You’ll still want to stay close to their progress on the areas that you exclude from the scope due to ongoing work they’re doing, and then you can help them validate that the work they’ve done has effectively managed the risk once they’re finished (in a subsequent audit activity).

If it turns out that the scope of your planned work is still focused on the areas that are most important to the organization, and what your clients already know isn’t in the same space as your planned scope, going through that exercise should help your clients understand that you’ll be providing assurance or advice that will be valuable to them and won’t tell them what they already know.

Additional content:

New IIA Standards, Effective 2025: The new Global Internal Audit Standards were released by the Institute of Internal Auditors (IIA) on January 9, 2024 and will become effective January 9, 2025. Here is a link to the new Standards: https://www.theiia.org/globalassets/site/standards/globalinternalauditstandards_2024january9_printable.pdf. In addition, check out the IIA's website for more information on the Standards and the Standard-setting process.
New CTRL Phreaks Podcast Episode: Episode 4 of the CTRL Phreaks podcast is now available. In this episode, Bill Bensing and Clarissa Lucas talk to Robin Yeman and Dr. Suzette Johnson about applying Lean, Agile, and DevOps concepts beyond the world of software development. Listen to it wherever you listen to podcasts. The link to the episode on Apple podcasts is available here.

Don't forget to get your copy of Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices today. It's available in paperback, eBook, and audiobook versions. Order here.