Auditing With Agility

Clarissa Lucas, CIA, CISA, CIDA, Apr 10, 2023

At a recent conference, a CAE sat on the edge of her seat, attentively listening as the speaker explained how his team had “gone Agile.” Using terms such as daily scrums and scrum masters, the speaker explained that Agile auditing is a methodology used to perform audits in time boxes called sprints.

The CAE returned to work, eager to begin her own Agile audit transformation. Her team started by piloting an audit that was performed in sprints. Next, the team advanced by applying that same methodology to another audit and then more and more audits. 

Six months later, the CAE showed the audit committee how the team was progressing with Agile auditing. She pointed out that internal audit now used the sprint-based methodology in 15% of its audits. A committee member wanted to know more. “What does that mean?” he inquired. “What do we get from doing Agile auditing versus not doing Agile auditing? And what does it look like when all the audits are using the Agile auditing methodology?”

Thinking back to the conference, the CAE explained that Agile auditing promises flexibility and speed. “Great!” the committee member said. “How flexible have we been with these Agile audits versus the non-Agile audits, and how much faster were they?”

Like many internal audit leaders, the CAE had adopted Agile techniques for Agile’s sake, measuring its success by the percentage of audits that used the methodology. Yet, the committee member was questioning its true value to the organization.

To demonstrate that value, internal audit needs to change its mindset from a strict Agile auditing approach to auditing with agility. By customizing the use of Agile practices during each audit to achieve desired outcomes, internal audit can deliver greater value, strengthen working relationships with audit clients, and proactively respond to changes.

It’s No Silver Bullet

For the CAE, changing her mindset to auditing with agility required some soul-searching. Reflecting on the previous six months, she had believed Agile auditing would be quickly adopted by her team and readily accepted by internal audit clients. Instead, the team was slow to build momentum.

When the CAE dug deeper into that sluggish progress, she learned that some team members were struggling with Agile. They were concerned about applying a strict sprint-based delivery model in certain situations — particularly in those where their clients didn’t manage their work in sprints. The CAE also uncovered a significant lack of buy-in from both the audit team and clients. They weren’t clear on the benefits and outcomes they were supposed to be working toward.

The lesson learned: Agile auditing isn’t a silver bullet. It’s easy to get lost in the idea of doing Agile audits and measuring success by outputs such as the number of audits performed. Instead, auditors should focus on being agile and achieving desired outcomes such as the ability to respond to change more quickly and greater efficiency.

That is exactly what auditing with agility does. It takes the profession beyond the strict, one-size-fits-all confines of Agile auditing, while delivering the flexibility and efficiency Agile auditing promised. It also transitions the focus from outputs to outcomes. While the difference in wording between Agile auditing and auditing with agility is minor, the difference in practice and delivery of value is immense.

The Right Tool for the Job

Agile auditing is a great tool to have in the audit toolkit. In certain situations, it reduces the time spent in the reporting phase of an audit and gets results into audit clients’ hands earlier, enabling them to address control gaps sooner. In other situations, Agile auditing isn’t the best tool for the job — it may not yield the best results.

Think of it this way. A carpenter is building a wooden table and has a toolbox containing a screwdriver, hammer, and nail gun. He also has boards and nails, but no screws. If the carpenter tries to use a screwdriver to drive a nail into a board, he is probably not going to achieve what he wants — at least not effectively, efficiently, or safely. Sure, he can use the handle of the screwdriver to drive the head of a nail into a board, but was the screwdriver really the best choice of tools? The hammer or nail gun would have achieved the goal sooner and likely more safely.

The same can be said for taking the identical approach to every audit. Auditors may provide assurance and insights, add value, and improve the organization’s operations, but will they be effective in their quest to achieve those goals? Will the organization’s stakeholders find the work useful and timely? Will clients buy in to the audit results? Internal auditors need a customizable audit approach.

Change for the Better 

Auditing with agility differs from the Agile auditing methodology in that it is not a methodology at all. Instead, it is a flexible approach that enables teams to customize the practices used during each audit to achieve desired outcomes (see “Are You Agile?”).

Agile auditing is often thought of as something auditors do, whereas auditing with agility is a way of adding agility to audit work. The essence of internal audit work doesn’t change; the way auditors do their work is what changes — for the better. Auditing with agility comprises three core components.

Value-driven auditing. The primary outcome of value-driven auditing is a stronger alignment between audit work and value to the organization. Other potential outcomes include more timely communication of results and elevated awareness of risks and control gaps. Examples of practices auditors can apply to achieve these outcomes are delivering value frequently, breaking down the audit scope into manageable pieces, and increasing visibility.

Are You Agile?

There are key differences between Agile auditing and auditing with agility:

Doing Agile

  • Strict methodology
  • Applied the same across all audits
  • A thing auditors do
  • Output-driven

Being Agile

  • Flexible approach
  • Customizable for each audit
  • A way of auditing
  • Outcome-driven

Integrated auditing. In the context of auditing with agility, integrated auditing involves tying audit work more closely into the client’s daily work, while maintaining independence. The primary outcomes of this approach are increased client engagement and buy-in, stronger client relationships, and greater efficiency during the audit. To achieve the outcomes associated with integrated auditing, auditors can implement practices into an audit such as intentional collaboration with the client and feedback loops.

Adaptable auditing. This approach adds flexibility to the audit process and can improve internal audit’s ability to respond to today’s constantly changing environment. With adaptable auditing, auditors also can gain greater efficiency, while wasting less time. Practices that internal audit can use to achieve these outcomes include intentionally pausing to determine whether to stop auditing or pivot the audit’s focus, pursuing simplicity, leveraging self-organizing teams, and limiting the amount of work in process.

Customized Audits

The key to auditing with agility is creating customized approaches for individual audit engagements, in addition to developing and maintaining the audit plan. Auditors select practices from each of the core components, choosing those designed to achieve desired outcomes.

This customized approach can help address common audit problems such as obtaining documentation from clients to test in-scope controls. For example, an audit team sent clients a list of evidence necessary for the audit, but it took a few weeks for the clients to provide those items. Moreover, the documentation wasn’t what the auditors were looking for. Not only is this frustrating for auditors, it’s also frustrating for audit clients when auditors reach back out to ask for the documentation they actually need. 

For its next audit, the team wanted more audit efficiency, greater client buy-in, and an increased ability to respond to change. Thus, the team selected practices from each of the core auditing with agility components that are designed to achieve these outcomes, such as increasing the visibility of audit work, integrated planning, and pursuing simplicity (see “Agility Practices”).

Agility Practices

Below are examples of desired outcomes, associated practices to help achieve these outcomes, and the practice’s auditing with agility component.

For Increased Efficiency
Practice: Increasing visibility
Agility component: Value-driven auditing

For Greater Client Buy-in
Practice: Integrated planning
Agility component: Integrated auditing

For Faster Reaction to Change
Practice: Pursuing simplicity
Agility component: Adaptable auditing

Increase visibility. Auditors should make sure all of the team’s current work and all work that needs to be completed is visible to team members. This can be done using a task board, which can be a digital task board, physical dry-erase board, or even a wall with sticky notes on it. Making all of the work visible via a task board creates transparency and enables teams to identify and address inefficiencies such as duplicative tasks or work that does not add value.

Integrated planning. Both the auditors and the audit client must be actively involved in identifying key risks and controls, determining appropriate control testing procedures, and compiling the list of evidence needed to test the in-scope controls. This collaborative planning approach can result in a stronger mutual understanding of the audit’s scope and the evidence needed to perform the audit. In turn, that can result in greater client buy-in of the audit. As a bonus, when auditors request evidence from the clients, the clients know exactly what to provide, and the auditors know exactly what they will receive.

Pursue simplicity. Rather than trying to audit everything, auditors should focus on what truly matters to the organization and streamline the audit scope to focus on those areas. Auditors should re-evaluate the scope throughout the audit to confirm that they remain focused on what matters and pivot as needed to stay aligned.

A common question about auditing with agility is whether there is room for Agile methods such as sprints and scrums. Absolutely. If the auditors decide that delivery in sprints is the best way for auditors to achieve a desired outcome, such as getting results into stakeholders’ hands sooner, then that is the approach they should choose. Similarly, auditors should conduct daily scrums if they decide they are the best option for achieving the desired outcome of increasing the ability to respond to change in a particular audit. The key is to anchor back to the desired outcomes and unique attributes of the audit — such as the current environment and client preferences — to select the practices that best fit that specific situation, rather than blindly applying the same approach to every audit.

Climbing Higher

Internal audit functions that currently perform sprint-based Agile auditing, as well as those that don’t, can benefit from auditing with agility, leveraging it to drive more effective audits, while increasing the ability to respond to change. These qualities are quickly becoming table stakes for audit functions that want to stay relevant while enhancing and preserving organizational value. By auditing with agility, internal audit no longer has to choose between Agile and not-Agile. It can create a customized audit approach to add agility to audit work, achieve the desired outcomes, and deliver more value to stakeholders.

Clarissa Lucas, CIA, CISA, CIDA

Clarissa Lucas, CIA, CISA, CIDA, is an experienced audit and risk management leader in the financial services industry in Columbus, Ohio.