Q&A from the 2023 IIA/ISACA GRC Conference


In August, I presented on Auditing with Agility at the GRC conference, which was co-hosted by the Institute of Internal Auditors (IIA) and ISACA. You can find a recap of the event in a previous blog post: 2023 IIA/ISACA GRC Conference Recap. At the end of the presentation, the volume of questions far exceeded the time available to answer them, so I encouraged attendees to submit their questions anyway and committed to producing a blog post addressing them. This is that post.

The audience submitted a total of 38 questions. Those questions fell into a few categories, including:

Questions on Auditing in Sprints

A few questions centered on how to fit audit work into time-boxed sprints. It's not uncommon at first to think of sprint-based auditing as simply breaking your traditional audit into sprints. While that's part of it, it isn't the whole story. Not only are you breaking delivery into timeboxes, you're also focusing on the specific risks that are truly essential to the organization. Auditors have gotten into the habit of auditing EVERYTHING. I, too, am guilty of this. What drove this for me was the fear of something going wrong and somebody asking "where were the auditors?" But that's not our role as auditors. We're not here to make sure nothing ever goes wrong. We're here to protect and enhance organizational value and to provide assurance and advice for our organizations. We can't do that if we're trying to audit EVERYTHING. And if you're trying to audit EVERYTHING, you're going to struggle with time-boxed delivery.

If instead you identify the most important or essential risk you're auditing and focus only on that, you can deliver assurance on that risk within a short timebox far more easily.

Two great resources to help shift from auditing EVERYTHING to focusing on what really matters are Norman Marks' book, Auditing that Matters, and my book, Beyond Agile Auditing. The latter also includes information on managing audit work via sprints.

Questions on Time Commitment

Some questions centered on the amount of time audit clients spend, and the level of engagement required from them, when auditing with agility. Think about the time clients spend during and after a traditional audit. If the audit identified findings, audit clients then spend resources to address those findings. If those findings aren't aligned with what's most important, or with the client's current operating model, the client gets a poor return on that investment. For example, if a finding requires segregation of duties (SOD) when the risk of defective or unapproved changes reaching production is already mitigated by automated pipeline tests, the client spends time implementing SOD on top of the existing automated control. That wastes time once during implementation of the manual, repetitive SOD control, and then again every time the SOD control is performed.

It would be far better for clients to invest their time during the audit helping the auditors truly understand what the key risks are and how they are managed, so that the audit results are more relevant and valuable. That saves more time in the long run.

Questions about Reporting or Communicating Results

Reporting or communicating results was also a recurring theme. One reason organizations turn to agility within internal audit is to get results into clients' hands sooner. One technique to accomplish this is communicating results as soon as they're identified and confirmed, rather than waiting until the end of the audit. This raises questions about when to issue an overall audit opinion and what to include in the final report at the end of the entire audit.

The short answer: it depends.

It really depends on things like:

  • Can and should you provide an opinion with each communication or does it make more sense to conclude once all results are identified?
  • Do you even need an overall opinion?
  • Is it more helpful to consolidate all results into a comprehensive final report or to only deliver results as you identify them?

The answer depends on the unique attributes of the situation at hand and the needs of your stakeholders. Chapter 5 of Beyond Agile Auditing discusses reporting when you choose to communicate results iteratively.

What if not everyone has bought in yet?

Another popular question asked how to begin adopting agility before the entire department is on board. I actually recommend this as a GREAT place to start. Here's why. One driver of failure when organizations try to adopt better ways of working is an all-or-nothing approach or a mandate. Oftentimes this is met with resistance, as people feel the change is happening to them, not with them. A more gradual approach defends against this. Jon Smart calls this "inviting over inflicting" change in Sooner Safer Happier.

Instead of waiting until everyone is ready to take a leap, start with a few motivated individuals who are energized by improving internal auditing. Empower that small group to experiment with agility and share their results with the rest of the department. This builds excitement with others in the department (and with audit clients). That creates momentum, bringing more and more people in the department along. Keep in mind that what we're doing isn't changing; we're changing how we do it. So it doesn't have to be a department-wide change dependent upon wholesale buy-in from the start. Chapter 9 of Beyond Agile Auditing explores this further.

Standards for Auditing with Agility?

The most popular question (i.e., the one that received the most votes/thumbs-up in the conference app) was "Are there specific standards for Auditing with Agility?"

In short: no.

The beauty of Auditing with Agility is that it is a way of working that gives you the flexibility necessary to adjust and still meet standards, such as the Institute of Internal Auditors' Standards. Auditing with Agility is not a framework with prescriptive steps to follow or standards to comply with. The key to Auditing with Agility is to determine your desired outcomes and select techniques that will deliver those outcomes while adhering to the standards you're held to as an audit professional. Instead of adding yet another set of restrictive requirements, Auditing with Agility provides options.

What about adhering to Auditing Standards?

Speaking of standards, a number of attendees asked how to ensure adherence to auditing standards when leveraging agility in the audit process. Chapter 9 of Beyond Agile Auditing has a section devoted to answering this question. As the IIA Standards are currently undergoing revision, let's explore this at a higher level so you have a general direction to follow as you proceed with agility. One question in particular asked about reduced documentation requirements and the impact on quality assessment review (QAR) results. From my personal experience, I haven't encountered any QAR issues when valuing actionable insights over extensive documentation (one of the practices associated with value-driven auditing).

Operating with agility is not a license to forgo documentation or to fail to meet documentation requirements. Rather, it is an opportunity for auditors to evaluate what documentation is truly needed. For example, the standards as of 10/11/2023 require the information we document to be sufficient, reliable, relevant, and useful. They aren't asking for perfection. So when incorporating agility, challenge yourself to document what you absolutely need to and nothing more. It's helpful to ask questions like "what can we NOT document while still meeting our needs (including adherence to the standards)?"

This is just one example of how to comply with the IIA's standards when auditing with agility. I'd recommend working closely with someone who is familiar with the standards you need to adhere to, and asking them how you can still adhere while experimenting with agility.

Question about "checkbox" auditing

Finally, the audience asked how I would respond to the view that audit is a "checkbox" activity. It's disappointing that some organizations still hold this view. Disappointing, yet real. Based on the posts I see on LinkedIn, it seems that checklist auditing (auditing from a generic checklist or the last audit's audit program) is still fairly common. With that being commonplace, it's no wonder our clients might see audit as a checkbox activity rather than one of great value. As auditors, we need to do better. Our organizations and our clients deserve better from us. For more information on moving away from checklist auditing, check out my earlier blog post on that topic.

We covered a lot of ground here, and there are still some questions from the GRC conference I haven't yet answered. Those center primarily on auditing in the public sector (e.g., the federal government/inspector general community) and getting buy-in from regulators. I'm currently researching these and hope to have answers for you in an upcoming post. Meanwhile, if you have experience with these, please comment below. I'd love to hear your story!