men in freefall

Should We Audit at the Speed of Risk?

5 minute read
Norman Marks avatar
The annual audit plan is typically out-of-date even before it is approved by the audit committee.

It’s quite a few years since I first started talking about “auditing at the speed of risk” (since at least 2002). Sometimes I also referred to “auditing at the speed of the business.”

The world within which we live and work is dynamic and turbulent — even more so now than when I first started using the term to describe the impact of new technology. If we rely on an annual risk assessment and plan, we end up auditing what used to be a risk, not what challenges the organization today or tomorrow. In fact, the annual audit plan is typically out-of-date even before it is approved by the audit committee!

Richard Chambers similarly uses the term to explain that we need to move to a model that relies on a more continuous assessment of risk and (as I described in a controversial blog) identification of the audit engagements that would provide the most valuable information (assurance, advice and insight) to our leaders in executive management and on the board.

The Need for Agile Auditing

Another leader in internal auditing has shifted the focus just a little. In COVID-19 Crisis Highlights the Value of Agile Auditing, Protiviti’s Brian Christensen and Sharon Lindstrom talk about the need for “agile auditing.” Here are some quotes. Note that the first quote uses that same phrase.

  • We (internal auditors) have to be able to move at the speed of risk, which, as we’ve seen from the past several weeks, can be lightning fast.
  • Auditors should ... see themselves less as an assurance provider and more as a proactive partner. In essence, we have to become part of the response team.
  • While traditional risks remain, auditors should be ready to quickly change their focus as newer challenges present themselves. 
  • Even as the COVID-19 crisis continues to rage, auditors need to be thinking about the next step forward, when the marketplace and the economy gradually regain their footing .... But when the economy begins to move into the recovery phase, Agile auditing needs to refashion itself again.
  • It is at this point that internal auditors may need to re-think their risk assessment frameworks.
  • It is IA’s responsibility to evaluate not only the likelihood of new risks during this phase, but to also assess how quickly such challenges may arise and the extent of their duration. [My thoughts on this: It is NOT internal audit’s responsibility to identify or assess risk. That is a management responsibility. Internal audit should be assessing how well management does that, not doing it themselves.]
  • Looking ahead, Agile auditing will continue to be the best way forward for IA, as organizations adjust with a changed market and social environment. It will enable auditors to better align assurance with the dynamic condition of a post-COVID world.

I have also been talking about Agile auditing for years. I am encouraged to see this new focus by Protiviti on it.

What do I mean by agile auditing?

  • Being able to shift rapidly to audit what matters now and in the next period when everything is changing constantly.
  • Being able to perform audit engagements at speed. If you think of an agile person, they move with quick steps. IA functions that take weeks or even a month to perform an audit are not agile.
  • Being able to stop auditing when there is little value in continuing.
  • Being able to accelerate and expand an audit engagement when new and significant issues or opportunities emerge (a.k.a., stop-and-go auditing, as discussed in Auditing that Matters).
  • Being able to communicate the results when they are needed by management or the board. If you take even a week to share the nature and extent of issues, you are not agile.

One of the points I made in my recent webinar with Richard Chambers illustrates this. Richard asked me what I might include in my audit plan for the second half of 2020. I replied that “I don’t think that far ahead!” I said that today I would be working on what mattered right now and this week, anticipating what might matter next week and month, and later looking at how the business will be changing in future months. Our environment was and is changing very fast indeed, and where we should put our limited internal audit resources should be changing at the same speed.

Related Article: The Core Principles of Effective Internal Auditing

Learning Opportunities

The Speed of Management Is Changing Too

In its CFO Signals for Q2, Deloitte makes a couple of interesting observations:

  • Many management teams remain focused more on ensuring viability and adapting for near-term performance than on evolving their company for success post-crisis. Still, teams’ focus varies greatly by industry, and many appear to be putting in substantial work on survival, adaptation and evolution at the same time.
  • 60% of CFOs do not expect to return to a pre-crisis level of operations in 2020. Instead, 21% expect to reach this milestone in the first quarter of 2021, with 39% saying second quarter of 2021 or later.

The speed of management is changing.

Decisions have to be made faster in response to changing conditions and in anticipation of what is around the corner.

We have to provide the assurance, advice and insight that will enable the leaders of our organization to make intelligent and informed decisions at that higher speed.

So, I now suggest a number of "mottos":

  1. “Audit at the speed of risk”
  2. “Audit at the speed of business”
  3. “Audit at the speed of decision-making” [NEW]
  4. All of these require “Audit with agility”

What do you think?

About the author

Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.