Can Internal Audit Be Agile?

Should It Be?

I’ve always been uncomfortable with the term “agile” when applied to GRC generally or Audit specifically. I guess I still have some internal auditor left in my DNA, but it sounded like the flavor of the month. “Agile” seemed a little too furtive and vague to be an attribute to aspire to. It’s serious stuff, and success requires consistent practices and methodology. Agility didn’t seem to fit.

I was reminded of my aversion in a recent blog by Norman Marks (Why does internal audit need to be agile?). While he questioned the use of the term “agile”, he did propose some alternative terminology and audit practices that I totally support.

My thoughts on what we now consider agile are in a paper called “Its time for Auditors to Get Out of Control” published in the on-line edition of Internal Auditor.

I am also convinced that the perception of internal auditors is not aligned with the characteristics of agile behavior or practices as illustrated below.

Agile Synonyms: athletic, buoyant, energetic, live, limber, graceful
Agile Antonyms: apathetic, depressed, dispirited, down, dull, ignorant

The underlying belief driving Agile project management is that “best business value emerges when projects are aligned to clear business goals, delivered frequently and involve the collaboration of motivated and empowered people.”

If that is what agile means in a business sense, I am on board. But what does it mean to internal auditors? Let me suggest a few areas where agility is needed from internal auditors.

  1. Adding Business Value: The first premise is that internal auditors must add value. As things stand today, I do not believe most internal audit resources and practices are focused on value adding activities. Business adds value by managing strategic risks. Studies show that audit resources are focused instead on critical but non-value adding activities. Strategic risks can be derived from the Risk Factors reported in regulatory filings. My personal experience is that the reported Risk Factors are not a major input in creating an audit universe and defining auditable entities.
  2. Clear Business Goals: My experience is that most value is derived from achieving relatively few business objectives. In my experience with a global oil and gas company early in my career, most of the value of the business was derived from finding oil and gas reserves. The company had to achieve dozens of other objectives to stay in business. But finding and producing oil and gas reserves drove the share price. Failure in other areas could drive value down. But preserving value in my view is management’s role. Internal audit can only add value if it focuses on where the value is.
  3. Deliver Frequently: This is where Norman Marks hit the nail on the head. Every audit project needs to be as short as possible. Documentation must be minimized. Long audit projects suggest a lack of focus. Excessive documentation does not add value. I was a CAE before work paper automation took hold. Our files were paper files. We used our audit file room as a conference room. Meetings were seldom disturbed by someone looking for an audit file. And when we were, the old file was used to plan the new audit, making the same mistakes as the first and producing another file no one wanted. Creating unnecessary documentation does not add value. Automating unnecessary documentation is not progress.
  4. Collaboration of Motivated and Empowered People: The internal audit profession values independence and rightly so. But independence does not mean isolation. Independence is required to exercise judgement. It should not be used as a barrier to collaboration. Risk and control self assessment practices are a measure of collaboration and they have not flourished and have not evolved. Unreliable self-assessments are a measure of the organization’s ability to be agile, and a measure of the skill of the auditor. Business and internal audit resistance to proven self assessment practices can be a sign that internal audit is not aligned with business goals.
  5. Achieving Agility in the Business: The single biggest contribution internal audit can make to create or increase agility in the business is to streamline internal controls and allow the business to take more risk. In my experience the ratio of internal audit recommendations that increase “controls” (I am referring to the number of controls primarily, not the level of control) to those that reduce controls is about 50:1. I believe careful design of control portfolios at the portfolio level could reduce the number of controls by 30-40% without having an adverse impact on overall control effectiveness. Specifically, I am calling for the assessment of internal controls at a portfolio level for a given objective or process. That is only possible if the focus is shifted to business objectives.

The bigger issue is not whether internal auditors can embrace agile behaviors and practices. No doubt some of the requirements of the IPPF may present some obstacles, but none should be major. The bigger issue is whether internal audit can help make the business agile.

The words of Russell Ackoff provide some guidance on how to be agile:

“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter.”

Please visit me at

Bruce McCuaig

Published by Bruce McCuaig

I'm interested in all aspects of risk and compliance management. I want to make it work for business executives, the practitioner community and the business.
