ISACA Now Blog

An Agile Approach to Internal Auditing

Meredith Yonker, CIA, CISA, CRMA, Audit and Risk Manager, The Mako Group
Posted at 8:58 AM by ISACA News | Category: Audit-Assurance

As internal auditors, we’ve seen an uptick in usage of the term “Agile” in reference to how more and more companies are developing software. Agile software development has grown increasingly popular as both software and non-software companies transition from traditional development methodologies, such as the waterfall model, to a value-driven Agile approach. Like any auditable area, this requires internal auditors to understand the key concepts, evaluate the risks and determine how to effectively audit the process based on pre-defined objectives. However, that’s not the purpose of this blog post. What we auditors find even more intriguing is how the values and principles behind Agile software development apply to the field of internal auditing.

The Agile foundation
Agile is an overarching term for various software development methods and tools, such as Scrum and Scaled Agile Framework (SAFe), that share a common value system. Developed in 2001, the Agile Manifesto provides a set of fundamental principles that Agile teams and their leaders embrace to successfully develop software with agility. Companies that have adopted Agile development practices recognize the urgency to adapt quickly to changing technology and deliver enterprise-class software in a short amount of time; otherwise, they run the risk of becoming extinct.

Some of the top benefits of Agile development include:

  • Accelerated product delivery
  • Improved project visibility
  • Increased team productivity
  • Better management of changing priorities

Why apply Agile to internal audit?
At The Mako Group, we have found that applying Agile concepts to the internal audit function is not a new idea, but it has never been more crucial than in our current environment. Like the companies we aspire to protect through objective assurance and advice, internal audit must be able to address emerging critical risks and provide relevant insight in a timely fashion. Despite our best intentions, many audit departments still develop a long-term plan that cannot be easily changed and often employ antiquated audit methodologies. If we truly want to add significant organizational value and be a trusted partner with management, internal auditing must evolve, and Agile techniques can help us do that.

Agile internal audit tactics
Just as companies are scaling Agile software development based on the size, capabilities and culture of the organization, the extent of an internal audit function’s agility will vary widely for one group versus another. Nonetheless, we have narrowed our focus to three key areas that every internal audit department should consider when becoming more agile:

  • Planning and prioritizing. Agile development teams utilize a backlog as the single authoritative source of work items to be completed, which must be continually prioritized. Items on the backlog are removed if they no longer contribute to the goal of a product or release, whereas items are added to the backlog if at any time a new essential task or feature becomes known. Similarly, the internal audit function should maintain a backlog of areas to be audited that is regularly evaluated and updated based on risk exposure. Instead of committing to a rigid audit plan, this approach allows for timely inclusion of new risks or auditable areas throughout the year. The importance of collaborating with stakeholders during the planning and prioritization process cannot be overstated. Before beginning work on a task or feature in the backlog, explicit and visible acceptance criteria must be defined based on end user requirements, which is called the definition of ready. This is met for an item on the audit backlog when internal audit has the necessary resources available and agrees with the stakeholders up front on the scope, the goal of the project and the value to be delivered.
  • Streamlining the process. Iterations are one of the basic building blocks of Agile development. Also known as a sprint, each iteration is a standard period of time, usually from one to four weeks, during which an Agile team delivers incremental value in the form of usable and tested software. Ultimately, items that move off the backlog must be divided into a series of sprints, which provide a structure and cadence for the work. In the context of internal auditing, the fieldwork associated with an audit should be broken into fixed-length activities that are appropriately sized to promote the motivation of a tight deadline without stressing the resources in place. As the goal is to be quick and iterative, versus confined to a pre-determined plan, eliminating unnecessary resources and efforts is instrumental to an audit team’s successful completion of the work within a sprint. Whenever possible, gathering evidence independently, which also alleviates the burden on stakeholders, is an excellent way for internal auditors to be more efficient. Moreover, examples of waste in the audit process commonly include:
    • Distributing requests for evidence that are too vague.
    • Sending emails back and forth when a phone call or in-person meeting would be a more productive solution.
    • Exhaustively explaining every step taken without considering that concise documentation could achieve the same effect.
  • Soliciting continuous feedback. One of the most commonly practiced Agile techniques is a daily stand-up meeting, normally lasting no longer than 15 minutes, in which an Agile development team discusses each member’s contributions and any obstacles. To be truly effective, internal audit team members must regularly check in with each other and not hesitate to raise questions or issues as soon as they come up. Rather than waiting until the fieldwork has been completed to start internal reviews, quality assurance should be built into the daily audit activities.

Furthermore, internal auditors must not wait until the end of an audit to provide results. Early and frequent communication with stakeholders means that the final report or presentation should simply reflect a visual summary of the insights already discussed. We should not only identify opportunities to enhance an organization’s operations but also continuously improve our own audit processes. A crucial role on an Agile team to help foster an environment of high performance and relentless improvement is the scrum master. Acting as the coach of an internal audit team, a scrum master would ensure that the agreed Agile process is followed and encourage a good relationship among team members as well as with others outside the team.

Comments

Moving in the same direction

We are also attempting to approach our Internal Audit team's tasks with the Agile approach. Advice such as the article above and practice will get us on the way to succeeding in this approach. I think one of the challenges we will face is to be honest about sizing tasks upfront to appropriately determine the time and effort required for an item on the audit backlog. Thanks for the article!
Shiraj at 4/19/2018 9:15 AM

How many internal audit teams are moving into this direction

Great article. I wonder how many (internal) audit teams are moving into this agile approach. Can someone comment on this?
Ludo908 at 8/17/2018 2:58 AM