Addressing Emerging Risk With Agile Auditing

Trying to keep up with emerging risks can be exhausting. In my current role as a Senior Risk Manager in an IT SOX assurance team at Verizon, I am always concerned about staying ahead of emerging risks so we can address anything critical before it becomes a problem. 

In just the past 90 days, my team, like so many others, has had to consider the organizational impact of emerging risks related to fuel shortages, food shortages, geopolitical unrest, legislation changes, pandemics, mass shootings, protests, and more. When dealing with such unprecedented levels of uncertainty, we need to rethink how we build an audit plan and how we perform an audit. 

I’ve found an effective strategy to be adopting an agile mindset that focuses on addressing management’s most urgent risks through more frequent risk assessment and true risk-based auditing, which I explore in my new book, Agile Audit: Transformation and Beyond. Read on to learn about how to take a two-part strategy to adopt an agile approach, and register for my upcoming CPE webinar with AuditBoard, “Transitioning to Agile Audit,” taking place on July 28, 2022, for a deeper dive into finding agile techniques that work for your department. 

Two-Part Strategy for Auditing Emerging Risks

I have found that when used correctly, agile auditing focuses an audit team’s efforts on emerging risks by continually realigning their risk prioritization with senior management’s top concerns. The strength of this approach comes from implementing a comprehensive two-part strategy that changes the frequency of the risk assessment and the approach we take with our audits so that the audits we are performing are always in line with the greatest risks to the organization. 

The first part of the strategy is to complete more frequent risk assessments so that the audit plan time horizon addresses the most current risk concerns. In most cases, I have found that a quarterly assessment with real-time updates works best. For example, my team completed a formal risk assessment in March for the next quarter, but in April a new announcement from the PCAOB prompted us to revise the assessment and change the plan we had just started to execute. We were able to make this shift smoothly because our agile approach gave us the tools we needed to do so.

The second part of this strategy is to audit based on risks and controls, not timeframes. Prior to transitioning to agile auditing, my team would commit to six to eight-week projects — and we often used every minute, sometimes digging deeper or expanding the scope to fill the time. Now we start the audit with specific risks in scope, and the audit is over when those risks and controls have been adequately tested. Our agile approach includes a firm “definition of done,” so once that threshold is reached, we can move on to auditing the next high-risk area. Now we are able to address more of the risks that are concerning to senior management.  

Start Your Agile Transformation Now

By implementing an agile mindset across our audit process, we are handling emerging risks more confidently with stronger alignment with our stakeholders’ expectations. Taking an agile approach to both audit planning and execution allows internal auditors to make decisions more frequently, with a shorter commitment period, and to work through audits based on the time it takes to evaluate controls instead of being locked into a timeframe. All these benefits came from an agile transformation that we implemented in our department.

Transitioning to an agile approach in internal audit is a natural shift as the ability to react to risks in near real-time has become more urgent. As with any modern business function, the complexities of the area require an adapted implementation that fits the uniqueness of any organization’s specific internal audit program. Now is the time to act and learn more about this way of working and how it can be used within your audit department.


Toby DeRoche, CISA, CIA, CRMA, is an experienced internal audit professional with over 15 years in internal audit, fraud examination, and technology consulting, currently working as an IT SOX Risk Manager at Verizon. He is also an experienced speaker and writer, having delivered many whitepapers, blogs, and presentations on assurance topics, and the author of the book Agile Audit: Transformation and Beyond. As the founder of Insight CPE, LLC, Toby is dedicated to advancing the profession by providing meaningful continuing education for assurance professionals. Connect with Toby on LinkedIn.