
Addressing ITGC Challenges with Agile Auditing
Auditing | Delivery Method: Self Study | CPE Hours: 0.25
By Toby DeRoche
Many internal audit departments plan to adopt agile auditing principles soon to keep up with the rapidly changing risk landscape. When asked about the transition, most say they plan to focus on business risks first and hold off on IT General Controls (ITGCs). Since agile concepts were developed for IT professionals, it is ironic that so many auditors are hesitant to apply agile to ITGCs. This article will demonstrate how to apply agile techniques to ITGCs and address many common challenges in auditing ITGCs.
Addressing Challenges
Many of the common challenges we face in auditing ITGCs are naturally addressed when applying an agile approach.
Rapidly changing technology: New technology is regularly introduced into an organization’s environment. New systems and scheduled upgrades can be assessed for risk ranking by refreshing the risk assessment each quarter.
Testing low-risk controls: The point of agile is to audit the highest risk areas, so time spent on low-risk applications will be minimized. Our plan is designed to audit the right risks at the right time.
Unclear audit universe: The audit universe in an agile IT audit department starts with a complete application inventory. Many teams send out surveys to keep the listing updated and to gather information regarding new and sunsetting applications.
Change management controls: A common issue raised against ITGCs is underestimating the scope of a system implementation or upgrade. Having open discussions with management about upcoming changes each quarter provides a perfect opportunity to uncover the scope of a system change and apply either change management or SDLC controls.
Assurance fatigue: The volume of testing simply wears out some control owners. The agile approach creates a prioritized risk ranking and takes some pressure off the control owners of lower-risk applications.
Conclusion
The impact of emerging risks is felt more each year, and risk velocity has increased so that we cannot plan too far into the future. Adopting an agile approach when assessing and testing IT general controls ensures the organization’s most critical risks are tested and issues are mitigated as soon as possible. Addressing the challenges above is just a small taste of the many benefits we realize when implementing agile auditing.
---------
© 2022 Toby DeRoche, and published with author permission. The opinions expressed here are solely those of the author and do not represent the opinions of the cRisk Academy®.
Your Instructor

Toby DeRoche is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), Fraud Examination (CFE), and he is a SAFe 5 Agilist (SA).
His professional background includes identifying and documenting weaknesses that result in heightened business risk and recommending solutions to them. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Solution Consulting Manager at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs. Throughout his career, Toby has helped numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.
Toby is also an experienced author and presenter, having delivered over 50 continuing education presentations to audit, risk, and fraud professionals.