We need to stop auditing the past and turn towards auditing what matters today and will matter in the future.
Risks and business conditions change all the time, so an annual plan or even one that is updated quarterly won’t lead to auditing what matters today. You audit what used to matter.
That requires making sure you understand changes in risk and the business as they happen, anticipate the risks the business and its leaders will face in the coming period, and update the audit plan accordingly.
Rather than an audit plan that is annual, semi-annual, or even quarterly, it needs to be updated on a far more continuous basis. A rolling audit plan that reflects what should be audited now and soon helps an internal audit activity remain both relevant and valuable.
We need to audit at the speed of risk and the business.
Both Richard Chambers and I have been talking about this for a long time, and I practiced it over two decades as a CAE.
However, talking about it in blogs and at conferences is not enough.
People need practical guidance, so I have written a new book, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.
It explains continuous risk assessment, what should be in the audit plan, how to communicate it, and more.
The book includes detailed examples of audit plans from three of my companies, as well as many stories about specific situations and how the continuous approach led to audits that delivered huge value to executives and the board.
I was privileged to have a review board of distinguished practitioners and leaders of the profession, who made sure this book will lead internal auditors towards the goal of world-class performance.
I welcome your thoughts.
- Internal audit wastes so much time on policies, documentation, and more! - January 17, 2024
- The risk to an organization of technology debt or deficit - December 11, 2023
- When enterprise risk-based audit plans are not enough - November 15, 2023