Addressing ITGC Challenges with Agile Auditing
Auditing | Delivery Method: Self Study | CPE Hours: 0.25
By Toby DeRoche
Many internal audit departments plan to adopt agile auditing principles soon to keep up with the rapidly changing risk landscape. When asked about the transition, most say they plan to focus on business risks first and hold off on IT General Controls (ITGCs). Since agile concepts were developed for IT professionals, it is ironic that so many auditors are hesitant to apply agile to ITGCs. This article will demonstrate how to apply agile techniques to ITGCs and address many common challenges in auditing ITGCs.
Addressing Challenges
Many of the common challenges we face in auditing ITGCs are naturally addressed when applying an agile approach.
Rapidly changing technology: New technology is regularly introduced into an organization’s environment. New systems and scheduled upgrades can be assessed for risk ranking by refreshing the risk assessment each quarter.
Testing low-risk controls: The point of agile is to audit the highest risk areas, so time spent on low-risk applications will be minimized. Our plan is designed to audit the right risks at the right time.
Unclear audit universe: The audit universe in an agile IT audit department starts with a complete application inventory. Many teams send out surveys to keep the listing updated and to gather information regarding new and sunsetting applications.
Change management controls: A common issue raised against ITGCs is underestimating the scope of a system implementation or upgrade. Having open discussions with management about upcoming changes each quarter provides a perfect opportunity to uncover the scope of a system change and apply either change management or SDLC controls.
Assurance fatigue: The volume of testing simply wears out some control owners. The agile approach creates a prioritized risk ranking and takes some pressure off the control owners with lower-risk applications.
Conclusion
The impact of emerging risks is felt more each year, and risk velocity has increased so that we cannot plan too far into the future. Adopting an agile approach when assessing and testing IT general controls ensures the organization’s most critical risks are tested and issues are mitigated as soon as possible. Addressing the challenges above is just a small taste of the many benefits we realize when implementing agile auditing.
---------
© 2022 Toby DeRoche, and published with author permission. The opinions expressed here are solely those of the author and do not represent the opinions of the cRisk Academy®.
Your Instructor
Toby DeRoche is a bestselling business writer, highly credentialed governance professional, and entrepreneur. Toby has combined his background in English Literature, an MBA, and over 20 years of business experience by authoring more than 250 business thought leadership blogs for industry leaders across the U.S., Canada, and Europe, several of which have been featured in Forbes Business. He has also written 16 whitepapers and four books, including Agile Audit: Transformation and Beyond, Only Audit What Matters (an Amazon bestseller), Modernize Your Audit Department, and Not Yet: A Warming Tale About My Neighborhood, and he contributed two chapters to the 28th edition of ISACA's CISA Review Manual as an IT control subject matter expert.
Certifications:
- Certified Internal Auditor (CIA)
- Certified Information Systems Auditor (CISA)
- Certified in Cybersecurity (CC)
- Certified Agile Auditor Professional (cAAP)
- Certified Agile Auditor Professional - Scrum Master (cAAP-SM)
- Certified Fraud Examiner (CFE)
- Certified in Risk Management Assurance (CRMA)
- Certified in Control Self-Assessment (CCSA)
In 2019, he founded Insight CPE, a company focused on continuing education for audit, risk, and fraud professionals. Through this platform, he has delivered over 130 custom training programs and presentations, including the CyberControl System and the Certified Agile Audit Professional.
Today, Toby continues to write, consult, and coach, primarily working with organizations to enhance their governance and cybersecurity practices, combining strategic insight with practical solutions. Outside of work, Toby enjoys spending time with his wife and son, whether enjoying the outdoors or watching movies together.