Agile Auditing: The What, How, and Why

Author Linh Truong is a chief audit executive

You have probably heard the buzzwords around Agile Auditing, including “sprints” and “daily scrums.” You have probably attended one or more free 1-hour webinars that provided you with some teasers about Agile Auditing but not enough to act. You might have even attended a conference session that explained many of the terms and concepts but not enough to know how to practically apply the concepts. At the end of the day, you may still be asking: What exactly is Agile Auditing? How does one practically implement it? Why should auditors adopt it?

Let’s start with what Agile is: It is simply a project management methodology used in software development but could be applied to any project in any discipline. Agile software development is an umbrella term for a set of frameworks and practices based on the values and principles expressed in the Agile Manifesto. There are four Agile Manifesto values (according to the official Agile Alliance website, https://www.agilealliance.org/):

  1. Individuals and interactions over processes and tools 

  2. Working software over comprehensive documentation 

  3. Customer collaboration over contract negotiation 

  4. Responding to change over following a plan 

There are also 12 Agile Principles based on the Agile Manifesto values that are the guiding practices to support teams in implementing and executing with agility. The twelve Agile Principles can be paraphrased and summarized as follows: 

  1. Highest priority is to satisfy the customer through early and continuous delivery of value 

  2. Changing requirements are welcome 

  3. Deliver frequently  

  4. Businesspeople and developers must work together throughout the project 

  5. People should be given the environment and support they need to get the job done 

  6. The most efficient and effective methods should be used to convey information 

  7. Working software is the primary measure of progress 

  8. Agile processes promote sustainable development 

  9. Continuous attention to excellence and good design enhances agility 

  10. Simplicity is essential 

  11. The best results emerge from self-organizing teams 

  12. Teams should reflect on how to become effective and adjust accordingly 

Now that we understand what Agile is, we can begin to know how to apply these principles to the internal audit discipline. To cross-pollinate the Agile world with the internal audit world, let’s look at the official definition of Internal Audit according to the Institute of Internal Auditors: 

 Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 

Satisfy the customer through early and continuous delivery of value (Principle #1) 

If Internal Audit’s objective is to “improve an organization’s operations,” then our customers would be the key stakeholders who own all the processes that comprise the organization’s operations. Internal audit reports to the audit committee, but our work should be to identify control gaps and weaknesses and to offer recommendations that will improve the company’s processes, which satisfies both the board’s and the business owner’s objectives. Auditors should understand the business and focus on addressing the business risks. Risk-based auditing concepts should be applied throughout each phase of the audit by:

  • Developing the audit plan based on the highest enterprise risks to the organization. 

  • Scoping the audits to include only the processes that are most impactful to mitigating those risks 

  • Conducting a process level risk assessment to identify the controls that, if proven to be ineffective, would have the most impact and be most critical in mitigating the risk 

  • Testing only those controls within those processes that are most critical. For example, if talent management is a top enterprise level risk, auditors should not be testing all controls related to the human resources function but only testing the controls within the processes related to addressing talent management (e.g., recruiting, onboarding, training & development, etc.), and only the most critical controls related to those processes.

Changing requirements are welcome (Principle #2) 

In the software development world, this simply means the development team should continuously adapt to the changing needs and requirements of the software’s users. To translate this to the audit world, an audit plan that was developed 9-12 months ago may not reflect the priorities or be able to address the changing risk profile of the organization. Therefore, on a macro level, the audit plan should be evaluated on a quarterly basis to determine whether any changes need to be made. This is critical to remaining relevant to the business owner and the organization’s needs. Similarly, on a micro level, the audit team should feel comfortable adapting the audit approach and testing methodology as more information is learned throughout the audit.

Deliver frequently (Principle #3) 

Assuming auditors are consistently offering recommendations that are valuable (this could be a topic for an entirely different article), our profession needs to deliver recommendations earlier. To do this, auditors should transition away from a sequential method of providing written recommendations in the final report. Opportunities for improving business processes could be verbally delivered on a more real-time basis. For example, audit teams could schedule weekly status update meetings with key stakeholders to include discussion of issues identified during audits. Such meetings could also provide “early” delivery of value as well.

Businesspeople and developers must work together throughout the project (Principle #4)

In the same way that software developers must work closely with their customers, the businesspeople, to understand what their needs are to deliver a product that is valuable in addressing those needs, so must auditors. Auditors can only improve a business process if they understand it and the best way to do this is to interact and work closely with the businesspeople. In practice, this is done by engaging the business owners throughout each phase of the audit and every step of the way and collaborating to fine tune the scope of the audit and the audit program. 

The most efficient and effective methods should be used to convey information (Principle #6) 

It is hard to believe that some audit departments are still writing reports using narratives written in Word documents. Board reports have moved primarily to PowerPoint presentations with colorful graphics, bullets of succinctly stated key takeaways and dashboards with key metrics and performance measures.

Working software is the primary measure of progress (Principle #7) 

In the software development world, developers are delivering software to their customers who can use the new functionality to improve the way they work and achieve their objectives. In the internal audit world, auditors are delivering recommendations that, if implemented by their customers, improve the way they work and achieve their objectives. A measure of success then would be how well a process has been improved after implementing an auditor’s recommendations. Ideally, audit reports would provide useful information and insights to management that are impactful to the organization’s goals and objectives. It is not progress to merely add layers of incremental controls that attempt to eliminate residual risk without consideration of the cost-benefits of that investment of resources and effort.

Simplicity is essential (Principle #10) 

Simplicity is the art of maximizing the amount of work that is not done. This involves exclusion of any non-critical activities. At its core, Agile is about focusing on and prioritizing the most value-adding activities and minimizing or even removing the activities that do not add value. In audits, the activity that provides the customer with the least amount of value is the preparation of audit workpapers. Although documenting our work is important and is required by our professional standards, it can be minimized to achieve its objectives without being exhaustive. Ideally, audit functions should be transitioning to automated workpapers to be efficient and allow for most of their time to be allocated towards providing valuable recommendations.

The remaining Agile principles all relate to leadership and teamwork principles. The benefits of Agile Auditing can be grouped into two categories: the Audit Team and the Audit Customer. The Agile way of working relies on the concept of an empowered team that is “self-organizing” (Principle #11) and that such teams should be given “the environment and support to get the job done” (Principle #5), which refers to the type of leadership that is needed for empowered teams to thrive and innovate. There is no need to micro-manage teams. The 15-minute daily scrum meetings provide team members with transparency and accountability. Therefore, one of the reasons why organizations should implement Agile Auditing is that it attracts and retains talent that is motivated and self-initiated.

Another reason to implement Agile Auditing is that the agile way inherently focuses on continuous improvement and pursuit of excellence. Principle #12 requires that the audit team “reflect” on their effectiveness and “adjust accordingly”. This objective can manifest itself in the form of lessons learned or “lookbacks” after each Sprint or audit milestone, as well as after an audit is complete, to identify areas for improvement that translate to actionable changes in processes and procedures for future audits. Principle #9 mandates that teams devote “continuous attention to excellence.” Audit departments should develop, if they have not already, a Quality Assurance and Improvement Program (QAIP) initiative that involves:

  • Review of audit work for quality and conformance to IIA Standards 

  • Periodic external review of the Internal Audit function (Quality Assurance Reviews every 5 years) 

  • Post audit surveys from audit clients and key stakeholders 

  • Documentation of audit procedures to standardize and institutionalize agile processes so they are sustainable (Principle #8)  

A sustainable process also requires technology and tools that help audit teams be more efficient and effective. This includes audit software and data analytic tools that allow for 100 percent testing in a fraction of the time that it would take to perform testing manually. It also means decisions for scoping can be data driven rather than random rotation of business units, geographical locations or other indiscriminate sections of auditable entities or data sets. 

For the audit customers and key stakeholders, including senior management and the board, Agile Auditing ensures that the audit function’s time, efforts, and resources are aligned with the things most important to their objectives. As outlined in Principle #1, auditors ensure the audit plan is based on the highest risk areas to the organization at an enterprise level. At a granular level, the planning of each audit engagement involves the continuous filtering of the most critical controls in the most impactful processes within those audited areas. If testing is limited to only key controls, then a failed control will not be a low risk finding that is not worthy of the executive’s attention or remediation. There should be no more “So what?” findings on audit reports. This audit approach provides a high level of assurance that the audit function remains aligned and relevant to the business owner’s priorities and the organization’s strategic goals.  

In summary, Agile Auditing seeks to benefit the end users of internal audit services and the audit team members themselves by: 

  • Providing value by being customer driven and delivering that value on a timelier and more frequent basis

  • Minimizing non-value adding activities so that audit teams can be more efficient

  • Empowering audit teams to be self-organizing

  • Aligning audit efforts with what matters most to key stakeholders

  • Encouraging audit functions to be adaptable at every level, from the audit plan to each phase of the audit process 

If audit teams cannot audit at “the speed of risk” then they are late in their delivery, and if their audit plans are not aligned with the organization’s top risks, they are not relevant. The only path to becoming trusted advisors to executives and being welcomed to a seat at the table is to be agile. Agile Auditing is quickly becoming a necessity rather than an option for audit leaders to choose. Audit functions should evolve to meet the demands of the dynamic and complex environment that organizations face today. Companies are learning to be agile to survive and even thrive. Will audit functions be able to transform with the companies they serve?

