As we emerge from a global pandemic, businesses and governments are rethinking the way they operate. To succeed in this challenging, constantly evolving landscape, many are embarking on large-scale transformation initiatives to change strategic focus or positioning, to enhance customer experiences, accelerate digital transformation, or to undertake mergers or acquisitions.
While the benefits of ground-breaking change can be momentous, transformation also comes with significant risks. Change initiatives frequently fall short of delivering expected benefits because they lack sufficient or appropriate oversight and assurance.
To achieve goals during the change process, risk management and internal audit activities must be synchronous, enabling organizational leaders to swiftly make fully informed decisions. Yet too often, risk management practices are not sufficiently agile to respond to the risks challenging the organization today, or tomorrow. In fact, traditional audit approaches often miss value-added opportunities to provide independent insight or assurance.
Transformational change is swift, complex and continual. Organizational leaders need real-time insights and foresight regarding strategic decision-making processes and independent opinions regarding how effectively risks related to transformation are being managed.
Risk frameworks and processes that are focused on a historical examination of processes and controls for a pre-determined period of time cannot provide the type of assurance senior management and boards require for change efforts that shift, in concert with needs and opportunities, in real time.
Speed, flexibility, accuracy essential for independent risk assessments during transformation
An independent risk assessment (or IRA) during transformations requires speed, flexibility and accuracy. Internal auditors must be forward focused and agile, and be able to shift and focus on what matters at a particular moment in time. This requires assessing, experimenting and pivoting. Then repeating this process again, in step with the transformation efforts, to assess the evolving risk landscape of the transformation.
This can be challenging for both risk management and internal audit departments that are already dealing with an accelerated pace of business, an increasingly complex risk landscape, rapidly changing technologies and mounting demand for auditing skills and resources.
Consequently, internal audit is increasingly enhancing in-house expertise and resources with agile IRAs. An agile IRA involves a team of independent risk advisors partnering with internal audit on the transformation journey. These advisors serve as a global positioning system (GPS), helping to calculate where the organization is now and where it wants to be. They then assist in charting an efficient path, navigating past obstacles, and recalibrating in real time as needed to reach the desired destination.
A Closer look: what are the principles of agile independent risk assessments (IRAs)?
The Principles of Agile Audits and Agile
The agile approach to project management originated in the software development industry to enhance efficiency and reduce costs. The approach is similar for internal audits and IRAs, which work together in synchrony. Rather than a rigid, single-phase plan, projects involve continuous, flexible planning in brief sprints, along with collaboration and frequent check-ins among the audit team, stakeholders and management team. This enables priorities and tasks to adapt to changing needs and facilitates quickly identifying and resolving problems and realizing benefits.
The agile approach is based on four principles:
- Individuals and interactions take priority over processes and tools – including ongoing and time-bound reporting
- Real time insights are more important than comprehensive documentation – as a result there are shorter audit reporting timelines
- Focus on responding to change over following a plan, inevitably there is increased communication with the client as a result
- Analysis is focused on future state vs. reporting historical results
The benefits of these four guiding principles result in proactive and more value-added insights, timely and relevant findings, enhanced management of expectations and a focus on future risks vs. post-mortem reviews.
How does Agile Audit and Agile IRA compare with traditional audit techniques?
Attribute | Agile Auditing & Agile IRA Principle | Traditional Auditing |
---|---|---|
Guiding Focus | Defined Value Expectation: Example: To provide management with an ongoing assessment of progress, quality and attainment of the transformational objectives at defined gates and milestone |
Audit Objectives: Example: To assess the level of assurance that the required functionality will be delivered, business process controls will be effective and change impacts will be well-mitigated upon implementation of the new technology |
Work Plan | Fixed timeframes | Linear stages of planning, fieldwork and reporting |
Planning | Continuous, iterative and incremental updates of risk assessment to inform areas of review for sequential, fixed work cycle | Planning phase risk assessment informs development of audit program with defined criteria, sampling approach and procedures for the entire fieldwork phase |
Communication with Auditee | Frequent and collaborative discussion (e.g. discuss in-progress work products, audit team embedded with transformation team) | Communication with auditee at critical points of audit stages |
Agile Internal Risk Assessment
Multiple advantages of integrating an agile IRA
Integrating an agile IRA into a transformation project can offer numerous advantages, especially in the wake of a COVID-19 pandemic that has stretched resources and disrupted internal audit among countless organizations.
- With a focus on delivering value, agile IRAs of transformation emphasize continual identification of current and emerging risks and frequent re-evaluation of audit scope and priorities. This approach improves risk focus and produces more responsive risk management and more timely and meaningful reporting.
- Designed to be collaborative and productive, agile IRAs also strengthen the efficiency and effectiveness of internal audit during transformation initiatives and reinforce an end-to-end, forward-thinking mindset.
- Moreover, independent assessments equip internal audit with best practices for identifying key implementation risks, issues and control gaps. This ensures that the audit committee, board and senior management have additional assurance regarding risk oversight for any critical strategies the organization implements.
- Ultimately, agile IRAs contribute to mitigating risks and augmenting organizational resilience by facilitating the monitoring and adjustment of change initiatives, preventing the escalation of problems into crises.
As risks quickly evolve and new risks emerge, agile IRA is essential to realize the intended outcomes of transformation initiatives. When decision-making processes must be guided by swift assessments of the risk/reward balance, an agile IRA enables business leaders and internal audit to rapidly and safely navigate the shifting landscape.
In effect, an agile IRA is an invaluable GPS that enables transforming organizations to get to where they need to be, when they need to be there.
To learn more about independent risk assessment contact Hash Qureshi at [email protected]