My friend, Jason Mefford, recently interviewed Toby DeRoche on this question. Toby has a training program in Agile Auditing that leads to a certification as an Agile Auditor Professional (cAAP). Toby describes his approach this way:
“You’ve listened to the rest, now learn from, and get certified by, the best in agile auditing.”
We can only audit at the speed of risk, if we update our audit process. Traditionally, internal audit completes a risk assessment once each year with only minor updates when needed. The audit plan is set, and the focus is on plan completion – not on gathering risk insights.
Traditional internal auditing is a broken model that is too slow, too historical, and too rigid. In today’s dynamic business environment you have to be more proactive and agile, or you risk being seen as just another compliance function.
With a risk-based, agile approach, you can quickly see that an annual plan is no longer acceptable. In fact, most modern internal audit groups are already making the transition to agile auditing.
Audit plans must be flexible, able to adapt to cover critical and emerging risks at a speed that makes sense for our organizations. The agile audit methodology creates an audit plan that meets the needs of a modern, risk-based team.
In contrast to the traditional process, agile…
