The age of Agile in Internal Audit

Agile methodology aims to reduce cost and time to delivery while improving quality. Most commonly associated in Malta with the gaming industry and software development, this article looks at how Agile can be adapted to the specific needs of an internal audit function and its stakeholders.

In 2014, Richard Chambers, CEO of the Institute of Internal Auditors, published an article in Internal Auditor magazine entitled Auditing at the Speed of Risk. The article spoke of the need for internal auditors to be proactive in their approach to managing emerging risks and trends. Five years on, this article remains just as relevant as it was back then. Organisations face countless new challenges and opportunities each day, and new risks as well. The key challenge for internal auditors is to identify and control such risks using, among other tools, continuous risk assessments as a mechanism for the identification and management of risk. New risks need to be anticipated and reflected in the internal auditor’s audit plan. In this respect, the internal audit profession has transitioned from a purely compliance-based function to a risk-based profession.

Internal Audit in Malta

The current internal audit landscape in Malta has been greatly bolstered in recent years by European legislation and other local initiatives. Through its guidelines on internal governance, issued in September 2017, for instance, the European Banking Authority has reinforced the requirement for banks to set up an internal audit function. Banks are expected to conduct audits and review internal governance arrangements on a regular basis. Solvency II, which was transposed through the amended Insurance Business Act, also requires the presence of an internal audit function in authorised insurance and reinsurance companies. The Malta Financial Services Authority has also stepped up its game by requesting certain new license holders in the financial services sector to set up an internal audit function for companies.

Outside of financial services, most entities in the public sector also have their own dedicated internal audit function. Alternatively, they are subject to audits by the National Audit Office or by the Internal Audit and Investigations Department. The Malta Gaming Authority has also identified the internal audit function as one of the key functions which a B2C and B2B licensee is required to have.

These developments highlight the growing role of internal audit in the current Maltese landscape. Though the focus is generally on public interest entities, this does not rule out the possibility of a wider scope in the future, particularly given the growing stature of the internal audit function.

Introducing Agile IA

Agile methodologies have been introduced in a variety of fields, ranging from software development to project management. Internal audit is no exception to the rule, with Agile Internal Audit (Agile IA) also breaking onto the scene. Agile IA is a mindset that supports a collaborative environment between the internal audit function and the business area in order to solve business problems using a fast, iterative, time-boxed approach.

Before the introduction of Agile, the first and main process model utilised by businesses was the Waterfall Model which was based on the traditional systems development life cycle. The focus of the Agile model lies on development and testing being done concurrently, which allows for more and even better communication between the various stakeholders. As a result, when compared to the traditional Waterfall methodology, Agile IA is more focused on stakeholder needs and aims to reduce wasted effort. In Agile IA, projects are more iterative in nature, which may change the timing of controls and how they are executed.

An evolving approach

The shift from traditional internal audit to Agile IA brings a change both in the mindset and the work processes associated with the internal audit function. Amongst the shifts brought about by an Agile approach is the move from rigid planned activities to quick iterative activities. Agile makes the argument for moving from a formal audit plan to the creation and maintenance of a backlog of audit risks. Backlog is a term introduced by the Agile methodology which represents a list of items that need to be done within the project. Such a backlog would be updated following the different sprints or work needed to be carried out by the audit team. In turn, each sprint would need to be defined and assessed against the established Definitions of Ready and Done.

Another obligatory shift for Agile IA is the shift from the requirement of having comprehensive documentation to timely and relevant documentation and reporting. Required documentation will need to be concise enough to deliver shorter reports, yet sufficiently robust. However, to achieve this, frequent communication meetings are required by the audit team and the process owners. Such mini-deliverables (called sprint point of view) would include assurance reports, lists of completed tasks or recommendations and would flow to the final project point of view. In the end, this final project point of view should link to the company’s strategic objectives.

Finally, Agile IA requires a change from a function that follows a pre-set plan to a function that responds to the emerging needs of the company. This requirement is linked to the need for internal auditors to perform a continuous risk assessment and be proactive in their approach to identifying risks.


All Big 4 audit firms have introduced the concept of Agile IA internationally. Whilst still in its early stages, the concept of Agile has already been introduced in Malta, with a number of courses offered on the island. Though it may be too early yet to jump on the bandwagon and introduce a full-fledged Agile IA function or for existing functions to change, as requirements continue to grow in Malta, elements of Agile IA are already being introduced. As the market and risk environment mature, Agile methodologies will continue growing in stature as a means of assisting internal audit functions in staying at the top of their game.

About the author

Clayton John Mifsud is a Risk Advisory Manager at Deloitte Malta. For more information, please visit
