ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Agile Audit Practice

Agile Audit Practice

Spiros Alexiou, Ph.D., CISA
| Published: 4/10/2017 3:07 PM | Category: Audit-Assurance | Permalink | Email this Post | Comments (0)

Auditors are expected to complete audits on material issues within shorter and shorter time periods. Such audits and their completion depend on the availability of key personnel, who are also increasingly pressed for time as they are involved in day-to-day operations and other, often mission-critical, projects. Yet audit methodology, which involves a rigid separation between audit phases, such as planning, fieldwork and reporting, has failed to keep up with these changing requirements. As a result, the inability to schedule timely meetings with key personnel creates bottlenecks and this causes delays in moving to the next phase typically due to a very small part of the previous phase being incomplete.

IT projects, on the other hand, also face similar challenges and those challenges have been met by adopting more efficient methodologies, collectively called Agile. The key difference is that formal documentation is only produced at the end of the audit rather than during the planning phase. The Agile methodology for audits would entail:

  • No strict separation between phases. This means that planning and fieldwork can run in parallel. Fieldwork can begin on steps that have already been planned. Instead of a possible meeting with hard-to-schedule key stakeholders slowing down the entire audit, it only slows down one step; while that one step is slowed down, fieldwork on other steps continues.
  • A sample of data, if required, is requested at the start. There is no need to wait for planning to be complete to request data. Data can often speak for themselves much better than a user, who has typically a much different focus than auditors. Keep in mind that often there is a delay in obtaining data, hence, it is important to have tasks, especially those that do not depend on the audit team, running in parallel.
  • Formal documentation produced only at the end of the audit. This does not mean that there is no planning; it only means that formal documents are produced at the end, documenting what the audit did, rather than the initial understanding of what it was planning to do. This greatly improves efficiency in that whether some tests are material or not is not apparent until the data are in. In a traditional audit, a disproportionately large amount of time may be spent documenting a completely immaterial test planned because of a lack of data.
  • From the very start, every effort should be given to determine the key, material issues, but without producing formal documentation, which will only be produced at the end.
  • Managing idle time and bottlenecks. For instance, document and write up findings as they come if there is idle time. If not, schedule tasks so as to minimize time spent on waiting for data or meeting time.
  • Shifting resources, if necessary.

Read Spiros Alexiou’s recent Journal article:
Agile Audit,” ISACA Journal, volume 2, 2017.

Comments

There are no comments yet for this post.
Email