“Data is a precious thing and will last longer than the systems themselves.” (TimBL)
Agile auditing means many different things to many people, businesses and industries but a consensus is that there are benefits to be had from a more flexible iterative approach.
Agile internal auditing remains a discussion topic for many audit Committees and Internal Audit teams in the insurance industry, particularly in the London Insurance Market which operates on a fairly bespoke method of pricing premiums (and all transactions that follow through once insurance cover is bound) and which does not necessarily lend itself to an agile approach that is afforded to the processing of homogenous transactions, such as is seen more in retail banking, for example.
In our opinion, there are some negative implications for internal audit adopting a pure agile approach in that the distinction between first, second and third line of defence becomes a grey area for an internal auditor carrying out what effectively amount to a first or second line of defence monitoring role. A key element of providing assurance is derived from an internal auditor’s independent role and his or her direct reporting line to the Audit Committee, and not to the executive directors. Is this key facet of internal audit impartiality impaired with this type of approach for internal audit?
That said, JCBFL embraces the agile mindset to the extent that we are adaptive, responsive and nimble in our approach and thinking. This could not be more relevant to the current climate of Covid 19 global restriction where the insurance internal audit and audit inspection community has had to adapt to remote working to continue to provide assurance to Audit Committees and underwriters, respectively.
Practical examples where a simple internal audit agile approach can be deployed for an internal audit might be for the testing of underwriting controls across a large Lloyd’s syndicate writing multiple classes of business. Data can readily be downloaded into Excel from most underwriting platforms and then the internal auditor can use Excel applications such as pivot tables, basic macros and VLOOKUP to test the whole portfolio of data for a number of factors such as risk written within authority, permitted territory, within set limits (Sum Insured), other coverages etc. These quick cost-free Excel techniques can be applied to other areas where there are a significant number of transactions subject to internal audit such as Delegated Authority bordereaux processing or for Accounts Payable. More sophisticated data analytics, and in particular Computer Assisted Audit Techniques (CAATs), are also an important tool for an agile IT internal auditor.
In brief, through the use of technology, or even some simple Excel applications, an internal auditor can select and analyse full data sets to periodically audit, continuously audit or monitor key organisational data for abnormalities or variances that can be used to enhance more traditional techniques which identify and effectively evaluate organisational risk and compliance with control and regulatory requirements.