Many internal audit departments plan to adopt agile auditing principles soon to keep up with the rapidly changing risk landscape. When asked about the transition, most say they plan to focus on business risks first and hold off on IT General Controls (ITGCs). Since agile concepts were developed for IT professionals, it is ironic that so many auditors are hesitant to apply agile to ITGCs. This article will demonstrate how to apply agile techniques to ITGCs and address many common challenges in auditing ITGCs — and for a deeper dive into this topic, register for the related free CPE webinar taking place on October 7th 2021.
In an agile audit environment, the audit universe starts with the organization’s most critical applications and includes all the risks associated with those applications. The output of the assessment is a prioritized list of all the risks for all of the critical applications. A simplified risk assessment matrix might look like this illustration:
Since new risks emerge constantly and organizations modify their objectives to meet changes in the world, we must react quickly. Auditors can audit the risks in priority order by creating a backlog of the risks from the assessment. With the assessment refreshed each quarter, the priorities will shift, and emerging risks will flow into the list for ranking. Fieldwork can then respond to the changing priorities. From the example risk assessment above, we can create a prioritized risk backlog to tackle in fieldwork like the one below.
- Change management could result in unauthorized changes.
- Users have access to dev and prod environments (SOD).
- Backup and recovery can fail if not.
- Users have higher levels of access than required for their jobs (UAR).
The scrum master (or audit lead) solicits feedback on roadblocks and progress in daily scrum meetings. This meeting gives the scrum master a chance to step in and help with obtaining documentation and setting up meetings. Audit stakeholders can also be invited to keep them informed. A typical agenda for the meeting is shown below.
- Trouble getting documentation
- Trouble getting interviews
- Issues to be confirmed with management
- Push back from audit stakeholders
- Any expected delays
At the end of each week or every two weeks, the scrum master hosts a review session with the audit stakeholders. In this session, the results of the period’s audit work are discussed, both what went well and the issues uncovered.
Addressing ITGC Audit Challenges
Many of the common challenges we face in auditing ITGCs are naturally addressed when applying an agile approach.
New technology is regularly introduced into an organization’s environment. New systems and scheduled upgrades can be assessed and risk ranked by refreshing the risk assessment each quarter.
Over testing controls on low-risk applications
Since the point of agile is to audit the highest-risk areas first, time spent on low-risk applications is minimized.
Lack of critical application inventory
The audit universe in an agile IT audit department starts with a complete application inventory. To keep the list regularly updated, many teams send out surveys to gather information about new and retiring applications.
Discrepancy applying change management vs. SDLC
A common issue in ITGC audits is underestimating the scope of a system implementation or upgrade. Holding open discussions with management about upcoming changes each quarter provides an ideal opportunity to uncover the scope of a system change and decide whether change management or SDLC controls apply.
Control Owners with audit fatigue
The volume of testing simply wears out some control owners. The agile approach produces a prioritized risk ranking and takes some of the pressure off control owners of lower-risk applications.
The pace of risk is speeding up, and the impact of emerging risks is felt more each year. Adopting an agile approach to assessing and testing IT general controls ensures that the organization’s most critical risks are tested and that issues are mitigated as soon as possible. By following the simple process described above, you can take advantage of many of agile auditing’s benefits and keep up with the pace of risk.
Toby DeRoche, CISA, CIA, CRMA, is an experienced internal audit professional with over 15 years in internal audit, fraud examination, and technology consulting, currently working as an IT SOX Risk Manager at Verizon. He is also an experienced speaker and writer, having delivered many whitepapers, blogs, and presentations on assurance topics, and the author of the book Agile Audit: Transformation and Beyond. As the founder of Insight CPE, LLC, Toby is dedicated to advancing the profession by providing meaningful continuing education for assurance professionals. Connect with Toby on LinkedIn.