The existence of a partnership between IT risk and IT audit seems obvious, but it can be hard to achieve because everyone is always busy. Risk has its own priorities and so does audit. Getting the two teams together to streamline things such as artifact collection or pulling cross-team data sometimes seems nice to have compared to the must haves everyone is swamped with.
Personally, I’ve seen a lot of success in accomplishing these types of initiatives using more of an iterative approach than a formal project. Small, consistent wins over time are impactful and will not get in the way of priorities.
Setting up a temporary team is a great way to encourage cross-team collaboration without taking up too much time. A team consisting of representatives from the first, second and third lines of defense is ideal. The first line can talk through the pain points they face while being audited or providing input for a risk assessment while also providing insight on how artifacts can be collected or automated. Someone from the second line can speak to the common trends, gaps and best practices they have seen throughout the organization. Finally, the audit team member can speak to the things an artifact must contain, such as information provided by the entity (IPE) and information used in the execution of controls (IUC), that allow an artifact to be relied on by both internal and external audit.
Although a temporary team should not take on the overhead associated with additional Scrum events, such as frequent retros and daily scrums, there is benefit in having a shared board or place to record and prioritize user stories (or deliverables). Then, by thin-slicing user stories to be achievable within a sprint, customers and stakeholders will see continuous improvements across their audit and risk assessment experiences. These user stories might consist of things such as automating a control or making updates to the risk or audit program. Ensuring each user story can be accomplished within a sprint is key to reiterating the importance of this team as it will result in continuous improvement and increased risk assessment and audit satisfaction.
This all sounds great, but it is essentially useless if you do not have leadership buy-in. If only risk assessments and audits were everyone’s passion and priority, we would have the time and resources to accomplish these things fairly quickly. Unfortunately, that is not the case. Leadership needs to understand the importance of this collaborative effort, and providing leaders with data can stress the importance of these activities. Some examples of influential data include:
- Decreased audit and risk assessment time
- Cost savings associated with reduced travel or external audit engagement time
- Increased customer satisfaction associated with audits and risk assessments
- Less technology debt or overhead on product teams’ backlogs
Cross-collaboration benefiting the organization is an obvious statement. But getting the buy-in and resources to achieve this can be challenging. Using data to gain leadership’s support will encourage the formation of cross-functional teams. Then, using these teams to accomplish incremental but powerful outcomes will result in improvements across all three lines of defense.
Editor’s note: For further insights on this topic, read Benjamin Bartz’s recent Journal article, “IT Risk and IT Audit Working Together to Reduce the Burden on the Business,” ISACA Journal, volume 5, 2023.