Since new risks emerge constantly and organizations modify objectives to meet changes in the world, we must react quickly. Auditors can audit the risks in priority order by creating a backlog of the risks from the assessment. With the assessment updated each quarter, the priority will change, and emerging risks will flow into the list for ranking. Fieldwork can react based on the changing priorities. From the example risk assessment above, we can create a prioritized risk backlog to tackle in fieldwork like the one below.
The Scrum Master (or audit lead) will solicit feedback on roadblocks and progress in daily scrum meetings. This meeting gives the Scrum Master a chance to step in and assist with getting documentation and setting up meetings. Plus, you can invite the audit stakeholders to keep them informed. A typical agenda for the meeting is shown below.
At the end of the week or every two weeks, the Scrum Master will host a review session with the audit stakeholders. In this session, the results of the period’s audit are discussed, both what went well and the uncovered issues.
Many of the common challenges we face in auditing ITGCs are naturally addressed when applying an agile approach.
New technology is regularly introduced into an organization’s environment. New systems and scheduled upgrades can be assessed for risk ranking by refreshing the risk assessment each quarter.
Since the point of agile is to audit the highest-risk areas first, time spent on low-risk applications will be minimized.
The audit universe in an agile IT audit department starts with a complete application inventory. To keep the listing regularly updated, many teams send out surveys to gather information regarding new and retiring applications.
A common issue raised against ITGCs is underestimating the scope of a system implementation or upgrade. Having open discussions with management about upcoming changes each quarter provides a perfect opportunity to uncover the scope of a system change and apply either change management or SDLC controls.
The volume of testing simply wears out some control owners. The agile approach creates a prioritized risk ranking and takes some pressure off the control owners of lower-risk applications.
The pace of risk is speeding up, and the impact of emerging risks is felt more each year. Adopting an agile approach when assessing and testing IT general controls ensures the organization’s most critical risks are tested, and issues are mitigated as soon as possible. Following the simple process described above, you can take advantage of many of agile auditing’s benefits and keep up with the pace of risk.