Tom Fox's guest on this week’s show is Toby DeRoche, a professional auditor and Senior Manager of Risk Management at Verizon. He and Tom talk about the importance of risk assessment and how it has changed in recent years.

Agile Audit

Agile Audit is simply auditing the things that matter at the current moment. It's an iterative approach, going through the entire audit lifecycle and compressing it down to the essentials. "We're saying, so here's everything that I could audit, but here's what's most important to the organization today," Toby tells Tom. "It's this continual cycle… giving you the answers to what's the most burning question you have related to risk and control in your organization today.”

Focus on The Highest Risk

If an audit plan isn't focused on relevant issues, or the highest risk, no one is going to care how well the auditing plan was executed. Focusing on low-risk issues wastes everyone's time. "We should be focusing on the things that are the highest risk and only those things," Toby says. If internal auditors aren't focused on management support, strategic objectives, and challenges, then they aren't doing their jobs.

Communicating Vs Reporting

Tom asks Toby to differentiate between communicating and reporting results as an internal auditor. Giving reports is not communication, he responds; it’s just regurgitating facts. "A much more effective way of getting the information across is to make it more digestible," Toby remarks, because it’s much more impactful, and people can more easily grasp what you're trying to say.

Looking Ahead

Companies in the future will have no choice but to use the concepts of risk assessment, continuous improvement, and continuous risk assessment. Auditing must be part of the company's objectives. "Anything that we're doing that's not focused on what matters to management and the highest risk to them achieving their goals right now, then we're completely missing the picture," Toby stresses.

Resources

Toby DeRoche | LinkedIn

Only Audit What Matters