Agility and internal audit – four ways to do more with less

Do more with less…and please, can you identify risk faster and provide more value? As a result of COVID-19 and the changing environment, including sustained work-from-home (WFH) arrangements, stakeholders are asking how internal auditors can address risks faster, be more efficient, use data analytics more effectively, and achieve internal audits’ mission and objectives with fewer internal audit resources. The ongoing challenge: do more with less.

Auditing during the pandemic while organizations transform faster to meet consumer demands is a challenge, but it also presents opportunities to the internal audit mission and function:

The challenges and opportunities above serve as examples. Look at the opportunities as approaches to answering these questions: How can we be more agile? Can we do more with less?

Implement these four quick takeaways to get started now:

Modify virtual meetings’ fit for the purpose, not fit for you.

In today’s environment, many of us experience an ongoing virtual meeting overload. As a result of COVID-19, internal auditor productivity (in some cases) has increased based on the number of meetings and connection points with management and key business owners. In other cases, the productivity has decreased due to lack of face-to-face contact. What once was a simple face-to-face conversation with the business owner or a team member is now a virtual meeting blocked on someone’s calendar for a half-hour -or –hour-long increment. Instead, fit the time for the purpose and be cognizant of other people’s time. Booking an hour for a meeting when you know will require only 30 minutes creates the “opportunity cost” for you and the member of management; both of you lose that additional time that could have been spent on another critical call or discussion.

Further, meeting purpose (including a defined agenda) has become increasingly vague. Ask yourself these questions when scheduling that default half-hour appointment block or the one (1) hour “walk through” with business owners.

1. Is this meeting to share information only (e.g., a status update)? If yes, would an email and use of team collaboration and sharing tools suffice?
2. Is the meeting to discuss information to obtain immediate feedback from your peers or understanding from a key business owner (e.g., a discussion on an approach to address a risk or a virtual walkthrough of a process with a business owner)? If yes, have you confirmed in advance you have the right people included in the meeting? Do you have too many individuals which may result in not achieving the objectives?
3. Is the meeting to share information to decide on action (e.g., change the approach of an audit, confirm an observation with a business owner, and/or analyze the cost and benefits of an action)? If yes, have you developed pre-reads, sent information in advance and outlined the context for the goals and outcomes of the meeting including expected accountability and responsibilities?

If you are attending a meeting, or scheduling a meeting and the purpose and clarity of the outcome for the meeting is uncertain, take the three R’s approach:

• Rethink the purpose
• Reschedule the meeting
• Refine the objectives and clarify the expected outcome to those included

Finally, ask yourself if an email communication could be equally ore more effective than holding a meeting.

Status meetings and milestones should reinforce the “Why” of the audit and what’s in it for the business and stakeholders.

As internal auditor practitioners, we sometimes are caught up in the routine status updates with key process owners and stakeholders. After the pleasantries of introductions, a status meeting sometimes turns into a rundown of an outstanding request list, leaving the process owner wondering when the audit will be done. Ideally, status meetings should remind the stakeholders of four key points:

• The audit’s objectives, purpose and value to the business and stakeholders
• Status of addressing risks identified through the audit asking for constant feedback and alignment
• Feedback from the business owners on preliminary observations from internal audit
• Enhancements in collaborating with the business owners that are agreed to provide value for the business and worthwhile to report to stakeholders

Consider the length, time of the audit and the number of business owners and stakeholders involved when hosting status meetings. There are instances where an audit may have a very short window, i.e., short in time to complete and limited in hours allotted. In this case, being efficient in time and with the business owners is critical. A shared dashboard (with access for the business owners that includes the audit’s status utilizing internal cloud based sharing tools such as Google Docs, Microsoft Teams and others) may suffice instead of holding that default, half-hour meeting block.  

Create a risk “data lake” to involve your internal audit team and promote ideas and opportunities for internal audit to add value.

Various internal audit departments engage in multiple methods to conduct their risk assessments and capture ongoing risks, concerns and opportunities. The techniques and processes usually depend on the department’s resources, the availability and use of different tools, surveys and external resources. Most importantly, the most valuable insights to risks and areas of value for internal audit usually come from the time and effort to ensuring there are engaging conversations that occur with management, executives and audit committee.  

An opportunity for internal audit organizations is to create a risk data lake. A data lake in this context references a hub and central repository for auditors to immediately and actively document risks throughout the year identified through internal sources, specific internal audits, external sources and thought leadership, and conversations and meetings with business owners and stakeholders. For those internal audit departments that are smaller in size, personnel and technical resources consider setting up a simple spreadsheet as the following:

As the repository or hub is built out over the year, simple functions can be used within the spreadsheet such as pivot tables, duplicate searches and key word searches. Furthermore, visualizations on the data over time can be created as well. The point is to keep the process simple and value added - not create additional unneeded administration.

For internal audit departments with more resources and data analytics capabilities, you may already have an implemented governance, risk and compliance (GRC) software that can capture risk types and emerging risks overtime. However, most GRC tools do not have the ability to analyze structured and unstructured data from multiple sources. Your organization can utilize and expand upon the repository approach above by incorporating various sources, integrations and visualizations depending on your capabilities. The focus should be an ongoing test, learn and adapt function to identify emerging risks faster and provide more value to the process.

Challenge the need and timing for the audit you are performing.

Can a limited-scope audit suffice for a full-scope audit? Can a walkthrough or control design assessment suffice for a limited-scope audit? Can initial data exploration and analysis suffice instead of a walkthrough?

The approved audit plan and internal audit objectives for any given year has a considerable impact on the flexibility that can be applied. However, to be agile we need to develop a culture, including obtaining buy in from stakeholders, that audit plan flexibility and changes should be considered the norm to keep pace with the ever changing and uncertain environment. Refer to our agile auditing series article for additional thought leadership on how to apply agile methods to your audits.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.