Outside the box: The race for pace

If you only ask one question this week, make it this one: Could we move faster and work more flexibly without compromising internal audit credibility?

A: It’s one thing to pull out all the stops when there’s a crisis and another to work out how to make rapid responses part of everyday working life. Internal audit departments in all sectors have repeatedly demonstrated their ability to adapt and change to provide timely responses to fast-moving circumstances over the past 18 months. Now is the time to look at how this speed and vigour can be embedded into internal audit business as usual.

Fortunately, there are pioneers who were experimenting with ways to make traditional audit processes faster without cutting corners long before COVID-19, and many more teams have tested new approaches on a temporary basis in the past year. Some have incorporated Agile techniques – including breaking large audits into short chunks and offering regular real-time updates to auditees – while others have turned to software to automate time-consuming processes and request pre-audit information.

As in other areas, things that were previously seen as best practice and cutting edge are becoming more common, shifting the bar up a level (meaning that those who have not changed may find they’ve moved from the middle to the back of the pack without noticing). Annual plans are being supplemented with, or replaced by, rolling plans that are easily and swiftly adapted as and when new risks emerge. Risk-based auditing, in some form, is now standard, not exceptional. Boards, audit committees   and internal audit customers in many sectors are starting to expect faster feedback, more regular updates and dashboards that highlight at a glance the most important issues of the moment.

Everyone is at a different point on the scale, but all can make progress, particularly if we learn from each other and from what works elsewhere. Technology is, of course, helpful – many would say, essential – for most internal audit teams today, but this doesn’t need to require a large investment immediately. Incremental change, especially when this involves training team members and increasing management’s expectations, can take you further in the long term.

The key questions to ask now include: have we made our processes faster and more responsive over the past two years? Are we doing labour-intensive or time-intensive things today that we shouldn’t be doing tomorrow? Do we do things from habit and to meet demand rather than because they add real value? Do we need to do more consultancy or advisory work to provide a faster response to a new risk, or highlight an emerging issue? Do we need to communicate more with stakeholders about what a faster, more responsive internal audit function could achieve for them – and what needs to change to facilitate these improvements? Who is already doing things that we can learn from and can we talk to them?

Trying to do too much too fast can cause more problems than it solves, but internal auditors should be well able to assess these risks and challenges. It’s just as critical to consider the risks of falling behind the rest of your organisation or of providing out-of-date assurance on issues that haven’t been important for many years. We should ask whether we really do risk-based internal audit or whether we audit particular topics or areas of the business just because they have always been on the plan.

The risks of falling behind, of providing false or inaccurate assurance, or of simply auditing familiar topics (because we always do payroll, for example) are likely to have a significant impact on the future credibility of the profession. 

This article was first published in September 2021.