The CAE returned to work, eager to begin her own Agile audit transformation. Her team started by piloting an audit that was performed in sprints. Next, the team advanced by applying that same methodology to another audit and then more and more audits.
Six months later, the CAE showed the audit committee how the team was progressing with Agile auditing. She pointed out that internal audit now used the sprint-based methodology in 15% of its audits. A committee member wanted to know more. “What does that mean?” he inquired. “What do we get from doing Agile auditing versus not doing Agile auditing? And what does it look like when all the audits are using the Agile auditing methodology?”
Thinking back to the conference, the CAE explained that Agile auditing promises flexibility and speed. “Great!” the committee member said. “How flexible have we been with these Agile audits versus the non-Agile audits, and how much faster were they?”
Like many internal audit leaders, the CAE had adopted Agile techniques for Agile’s sake, measuring its success by the percentage of audits that used the methodology. Yet, the committee member was questioning its true value to the organization.
To demonstrate that value, internal audit needs to change its mindset from a strict Agile auditing approach to auditing with agility. By customizing the use of Agile practices during each audit to achieve desired outcomes, internal audit can deliver greater value, strengthen working relationships with audit clients, and proactively respond to changes.
It’s No Silver Bullet
For the CAE, changing her mindset to auditing with agility required some soul-searching. Reflecting on the previous six months, she had believed Agile auditing would be quickly adopted by her team and readily accepted by internal audit clients. Instead, the team was slow to build momentum.
When the CAE dug deeper into that sluggish progress, she learned that some team members were struggling with Agile. They were concerned about applying a strict sprint-based delivery model in certain situations — particularly in those where their clients didn’t manage their work in sprints. The CAE also uncovered a significant lack of buy-in from both the audit team and clients. They weren’t clear on the benefits and outcomes they were supposed to be working toward.
The lesson learned: Agile auditing isn’t a silver bullet. It’s easy to get lost in the idea of doing Agile audits and measuring success by outputs such as the number of audits performed. Instead, auditors should focus on being agile and achieving desired outcomes such as the ability to respond to change more quickly and greater efficiency.
That is exactly what auditing with agility does. It takes the profession beyond the strict, one-size-fits-all confines of Agile auditing, while delivering the flexibility and efficiency Agile auditing promised. It also transitions the focus from outputs to outcomes. While the difference in wording between Agile auditing and auditing with agility is minor, the difference in practice and delivery of value is immense.
The Right Tool for the Job
Agile auditing is a great tool to have in the audit toolkit. In certain situations, it reduces the time spent in the reporting phase of an audit and gets results into audit clients’ hands earlier, enabling them to address control gaps sooner. In other situations, Agile auditing isn’t the best tool for the job — it may not yield the best results.
Think of it this way. A carpenter is building a wooden table and has a toolbox containing a screwdriver, hammer, and nail gun. He also has boards and nails, but no screws. If the carpenter tries to use a screwdriver to drive a nail into a board, he is probably not going to achieve what he wants — at least not effectively, efficiently, or safely. Sure, he can use the handle of the screwdriver to drive the head of a nail into a board, but was the screwdriver really the best choice of tools? The hammer or nail gun would have achieved the goal sooner and likely more safely.
The same can be said for taking the identical approach to every audit. Auditors may provide assurance and insights, add value, and improve the organization’s operations, but will they be effective in their quest to achieve those goals? Will the organization’s stakeholders find the work useful and timely? Will clients buy in to the audit results? Internal auditors need a customizable audit approach.