Now is an opportunity for internal audit leaders to pause, reflect and consider whether it is time to forgo past practices — even if they have proven remarkably successful — for a different approach to internal auditing.
Internal Audit Has a Choice
As I said to Karen Kroll for the article, "Reassessing Risk: What Matters Most Now?":
“Never has business changed so much, so fast”
“As the business is probably going to be run differently, so shouldn’t we run internal audit differently?”
“Doing a traditional audit that takes weeks, if not longer, is not necessarily going to help business leaders run the business today”
Another recent article in Internal Audit 360, "The Value Challenge in the Evolution of Internal Auditing" stated, "The recent macroeconomic developments emphasize a change that is already taking place: remaining anchored to the most traditional and archaic conception of the internal audit mandate exposes the profession to the highly probable and impactful risk of losing relevance, progressively emptying not only its perceived value but the real content of the profession as well."
We live in an era of epochal changes which demand an evolution of the internal audit profession. Paraphrasing Darwin: if we as auditors will be more reactive to change and will change proactively, we will not only survive, but also consolidate a competitive advantage. The alternative would lead the function to an inexorable, progressive decline.
Related Article: The Core Principles of Effective Internal Auditing
How Nimble Is Your Audit Team?
A growing number of internal audit departments are moving from a static annual audit plan (or worse) to a dynamic one that is based on a continuous understanding of how the business and its environment is changing. (Some call that risk assessment, but it’s really more than that.)
Internal audit needs to continuously monitor the business to dynamically update the audit plan, so it is addressing what's important to organizational leaders now and in the near future.
But there is more to being agile, a term mentioned in the second piece. Think of the navy: Do its commanders send in a fleet every time there is an issue?
They recognize the need for agile, fast and mobile forces that are capable of acting quickly to achieve their mission, in addition to the more traditional use of overpowering force. Internal audit needs similar capabilities.
Sometimes a fleet of auditors needs to be sent in to attack an issue. But that fleet takes time. It requires time to plan, mobilize and execute. It may also require time to consolidate, consider, evaluate and report its findings.
Can the organization wait? Don’t they need information on significant "risks" now rather than later?
The modern internal audit team needs to be as agile as its audit planning. It needs the ability to send in a one or two person team that will get in and out rapidly, with the information needed by leaders of the organization. Audit at the speed of risk and the business, providing management and the board with the assurance, insight, and advice they need, when they need it (i.e., not waiting weeks for a formal report), in a readily actionable form.
In my internal audit departments, the typical audit was one or possibly two people for a week or two total, not just fieldwork. They focused on the few risks at any location or in any business process that had the potential to be significant if poorly controlled.
If you spy an enemy risk on the horizon, you need to evaluate and respond at top speed, not wait until the fleet has arrived.
How agile is your internal audit team? Do you have speedboats or only battleships?
Is your average audit 200 hours or more? If so, are you auditing areas where, even if there were problems, they wouldn’t rise to the level that requires CEO or board action? Why? Are you taking too long to provide management and the board with essential assurance, advice and insight?
Audit with focus and be agile about it.
I welcome your thoughts.