As a power and utility company serving millions of customers across multiple states, our client was not only highly visible to the public but also subject to stringent regulatory oversight. As a result, the need for an internal audit (IA) process that delivered the most advanced compliance, controls, and risk management functions was critical. For many years, KPMG had advised the client on Sarbanes-Oxley compliance and IA. Now senior management needed help applying KPMG Agile IA principles to increase value and further reduce risk from the IA function.
Redefining IA through collaboration
IA functions need to adjust their priorities and methods to match dynamic business conditions. If IA can’t adjust to meet new risks and changes within the enterprise, then its value is diminished. While our client already leveraged some Agile IA concepts, the full breadth and value of the Agile principles had not yet been explored within the IA function.
Audits of any type come with negative connotations, and when the audit is performed by an IA function, it can add a layer of complexity. Ten to fifteen years ago, the audit function was much more rigid and focused almost exclusively on policy compliance. And even now, audits tend to be conducted in silos, with only limited communication to the rest of the business. As a result, managers and personnel came to regard auditors as the corporate “police,” whose role was to detect problems or risks and leave the solutions to others.
In our client’s case, senior management appreciated the value that KPMG offered by helping the company identify and avoid risks. But they also understood that to enhance compliance and risk processes, increased alignment between IA and the rest of the business would be essential.
Agile IA equals speed to value
Working closely with KPMG, our client set out to reposition the IA function. Instead of acting as a detective finding existing problems, the KPMG IA team became a trusted adviser of the company, taking steps to solve problems proactively—sometimes even before they actually arose. The basis for this transformation would be following the KPMG Agile IA methodology.
Agile IA accelerates audit cycles by enabling faster decisions, more nimble process adjustments, and a greater emphasis on reliable, relevant data. These elements foster better decision-making overall as well as increase IA’s transparency and trust within the organization. The cumulative effect is to raise the perceived value of IA to a wider range of stakeholders.
Quickly establishing the principles of Agile IA with the client was key. Consistent weekly or even daily communication set the tone and built confidence from the start. And unlike traditional audits that follow a linear, structured, and predetermined model, Agile audits are more flexible and fluid, performed through short, iterative “sprints” aimed at determining specific risk points. This allows for continuous touchpoints with stakeholders and staff and ongoing process improvements as the audit proceeds. Communication and collaboration were also critical for building greater trust in our recommendations, which were codeveloped with the client.
We also showed our client how to restructure IA processes. For example, auditing 100 percent of a population instead of a small sample not only yielded more credible insights but also shed new light on key business processes. In addition, powering our audits through data analytics helped provide scope and magnitude to observations and recommendations, so that leadership could prioritize which risks need to be handled first.
Operationally, collaborative, empowered teams replaced individuals focused on discrete tasks. Heads-up collaboration supplanted rigid, heads-down processes. And instead of repeating the same audit event every year, Agile spurred participants to think critically about adapting new controls to continuously meet changing conditions and emerging risks.
Better practices build business-wide buy-in
Key examples of how our KPMG Agile IA initiatives paid off for the client include:
- Faster reporting cycles. The “sprint” approach to communicating questions and findings accelerated the process of producing an approved report to a matter of weeks instead of months. This didn’t just mean faster access to results but less time and effort for participants within IA and beyond.
- Concise, consistent reporting. Concise and consistent reporting templates for upper management made for a smooth process instead of the long, painful one that reporting could be prior to Agile IA.
- Prioritized risk reduction via data analytics. Instead of relying on small, anecdotal samples, KPMG used Agile to gather larger data sets and analyze them more effectively. This produced risk insights that were statistically valid, providing scope and magnitude to the observations and allowing the client to better prioritize their risk reduction strategy.
- Future-focused risk reviews. Instead of simply raising alarms over existing threats, Agile IA gave the client advance warning of potential near- or long-term issues.
- Better, faster risk mitigation. Better, faster risk mitigation means audits require less effort, resulting in cost savings.
- Greater stakeholder trust. Agile IA methodologies drive speed to value, making things better, faster, smarter, and safer for our client’s external stakeholders and customers.
- Greater trust for IA. The most important asset that our work yielded was less tangible. By making IA more efficient, relevant, and collaborative, we built greater trust for it throughout the business. This in turn made it easier for IA to gain cooperation and insight from other departments.