There is a need to make internal audits more adaptable and iterative beyond what a linear waterfall approach allows. Enhancing the adaptability and iterative nature of audits is essential to moving beyond the constraints imposed by a linear waterfall approach. Agile audits necessitate embracing approaches that offer flexibility and responsiveness to changes, enabling auditors to adjust their strategies dynamically in response to evolving circumstances. By adopting an agile approach, auditors can better accommodate the complexities and uncertainties inherent in modern business environments, leading to more objective assurances and audit processes that add value by improving an organization's operations.
Whether concentrated on compliance, financial elements, internal operations, or IT, the aim of internal audits is to ensure an organization's effectiveness, compliance, and risk management.Navigating Uncertainty in Internal Audit Scope
At the outset of an internal audit, the scope is often uncertain. The audit scope may require modifications based on preliminary findings, identified risk, or business landscape changes. A linear waterfall approach, which assumes a structured flow of phases stemming from a well-defined scope at the outset, is often not ideal for carrying out an internal audit, which requires flexibility and the ability to adapt to developing circumstances. As new risk factors arise or the business environment shifts, internal auditors may need to adjust their focus and procedures accordingly.
Enhancing Adaptability in Internal Audit Processes
While a structured waterfall framework for the internal audit process has benefits, there is a need to make audit more adaptable and iterative than a linear waterfall approach allows. This flexibility should enable internal auditors to respond to changes, uncertainties, and emerging risk within an organization, ensuring that the audit remains relevant and practical.
Internal audits are conducted to methodically assess an organization's processes, systems, and controls. Whether concentrated on compliance, financial elements, internal operations, or IT, the aim of internal audits is to ensure an organization's effectiveness, compliance, and risk management. This systematic evaluation involves several specific stages:1
- Planning defines the scope and objectives of the audit by identifying key processes, risk factors, and controls to be assessed. This enables the creation of an audit plan that details the approach, resources, and timelines for the audit.
- Risk assessment evaluates and prioritizes risk associated with the audited areas by determining the significance of various threats to the organization. This guides the focus of the audit.
- Fieldwork involves collecting and analyzing relevant data and information. Tests of internal control effectiveness are conducted while interviewing key personnel to gain insights, gather evidence, and gain understanding to support audit findings.
- Reporting entails summarizing positive and negative audit findings and providing recommendations to management in a clear and concise formal audit report detailing observations and suggestions.
- Follow-up activities monitor the implementation of recommended actions by management. Auditors should confirm the effectiveness of corrective actions and assess the organization's response to audit recommendations.
During these phases, internal auditors should uphold objectivity and independence, safeguarding the integrity of the audit process. The objective is to furnish management with valuable insights for enhancing internal controls, risk management, and the organization's overall performance.2
This stepwise progression adheres to a linear waterfall approach with a sequential and somewhat inflexible structure. Progress is perceived as moving consistently downward through the planning, fieldwork, reporting, and follow-up phases. The internal audit process often requires revisiting earlier stages when new information emerges or changes in the organization's environment occur. Initial findings during the fieldwork stage may prompt auditors to adjust the scope or reassess risk, resulting in the need for iterative cycles of planning and execution.
Negative Externalities Associated With Internal Audits
In addition to the rigidity of the waterfall approach, there are other negative externalities or unintended adverse consequences that may impact the internal audit process. Internal audits can generate unfavorable opinions among staff members. For example, an internal auditor may identify existing procedures or control deficiencies during their audit. Staff members may perceive such findings as criticism of their work or competence, leading to defensiveness or resentment. If the audit procedures are not adequately communicated, misinterpretations of the audit's objectives and consequences may contribute to organizational confusion and anxiety.
Concerns about potential consequences of audit discoveries, such as deficiencies or noncompliance, could also dissuade individuals from openly discussing challenges or reporting issues. Moreover, placing significant emphasis on compliance within internal audits could foster a rigid organizational culture in which employees prioritize adherence to rules over fostering innovation and engaging in creative problem solving. This cautious culture may, in turn, discourage employees from undertaking calculated risk, potentially obstructing initiatives that embody innovation and entrepreneurial spirit.
Internal audits also carry the potential to cause organizational disruption. The time commitments required for audits can be burdensome, especially when coupled with uncertain costs linked to addressing identified issues or implementing audit recommendations. Additionally, there is a risk of reputational harm to the organization if unfavorable audit findings are unintentionally disclosed to the public.3
Limitations of the Waterfall Approach in Internal Auditing
While the internal auditing process often involves a structured and systematic approach akin to a waterfall model, negative externalities exist with this method. The waterfall approach is sequential and may not easily accommodate needed changes or adjustments during the audit process.
Such rigidity can lead to challenges in addressing emerging risk or adjusting the audit scope as needed. The sequential nature of a waterfall approach could result in a longer overall audit process duration. Protracted audit timelines may result in delayed recognition and resolution of organizational issues.
Moreover, the waterfall approach frequently necessitates comprehensive documentation at every stage, which can be time-consuming and costly. There is a potential risk of prioritizing documentation excessively, potentially hindering practical and timely actions.
The waterfall approach may not best address urgent or time-sensitive issues. This approach prioritizes completing each stage before moving to the next, potentially delaying the resolution of critical matters.
Alternatives for Addressing the Negative Externalities of Internal Auditing
Agile auditing highlights flexibility, collaboration, and an iterative product development process, addressing certain limitations of the traditional waterfall approach in internal audits. In contrast to the inflexible and sequential characteristics of waterfall methods, agile auditing is crafted to be adaptable, allowing adjustments in audit scope or priorities in response to emerging risk and evolving organizational needs. Its iterative nature allows for adjustments at various stages, addressing the challenge of inflexibility in waterfall approaches.
Moreover, while waterfall methods may contribute to extended timelines, potentially delaying issue identification and resolution, agile auditing promotes process iterations that produce audit increments and continuous improvements. Agile auditing enables the timely identification of issues and facilitates immediate responses, ultimately reducing the overall audit duration and enhancing responsiveness to emerging concerns.
In addition, communication gaps, often a concern with linear audit models, are mitigated in agile auditing. The agile internal auditing approach encourages regular communication, collaboration, and value cocreation among stakeholders, fostering a seamless flow of information and minimizing the risk of misunderstandings between audit stages.
Concerning employee engagement, agile auditing is less susceptible to the potential disengagement resulting from extended audits within a rigid structure. Agile methodologies actively promote collaboration and engagement, incorporating cross-functional teams and stakeholders throughout the audit process. This collaborative approach nurtures a sense of involvement and ownership among stakeholders.4
Additionally, traditional audits may impose significant costs and time commitments. Agile auditing, however, prioritizes efficiency and value delivery by concentrating on high-priority areas and delivering incremental improvements based on value assessments. Agile approaches optimize resource utilization, reducing unnecessary costs associated with traditional audit methods.
Agile auditing highlights flexibility, collaboration, and an iterative product development process, addressing certain limitations of the traditional waterfall approach in internal audits.Moreover, agile auditing addresses the challenge of adapting to changes in risk priorities, which may require cumbersome adjustments in waterfall methods. The agile approach incorporates a risk-based perspective, allowing auditors to dynamically adjust their focus in response to changing risk landscapes. This ensures that the audit remains aligned with the organization's most critical risk factors.
The Secret to Internal Audit Success
The effectiveness of agile practices lies in harnessing stakeholders' collective intelligence through the promotion of collaboration, communication, and shared decision making throughout the auditing process. An essential principle of agile involves forming cross-functional teams consisting of individuals with diverse skills and expertise who collaborate with the organization’s stakeholders. By leveraging the collective intelligence of stakeholders, a holistic understanding of audit requirements is achieved.5 Encouraging collaboration and open communication among audit team members and stakeholders is integral to agile. Agile practices value stakeholders' insights, perspectives, and knowledge by leveraging stakeholder feedback as the catalyst for informed and consensus-driven decision making.
Collective intelligence is effectively utilized by promoting autonomy and empowerment within audit teams. These teams independently establish the audit goal for each sprint and are entrusted with making decisions based on the collective intelligence of their members, fostering a sense of ownership and empowerment. The audit or scrum team typically comprises ten or fewer individuals, including a scrum master, a product owner, and developers or auditors. This cohesive unit takes on all audit-related activities, from planning to risk assessment, fieldwork, reporting, and follow-up. Operating without sub-teams or hierarchies, the audit team concentrates on a singular audit objective at any given time.
Continuous Improvement via Agile Iterations
Agile's reliance on iterative cycles and feedback loops, known as sprints, allows for continuous review, assessment, and improvement of audit work. The collective intelligence of the audit team generates ongoing feedback, fostering constant learning and refinement of audit processes.
Daily scrums or stand-up meetings, accessible to any stakeholder, facilitate regular updates on progress and discussions of potential challenges. This interaction enhances communication, ensuring that the collective intelligence of the audit team is used to address issues promptly and effectively.
Agile auditing also promotes ongoing enhancement through retrospective ceremonies following each iteration or sprint. The retrospective serves as a collaborative session for the scrum team to assess the overall performance of the sprint, appraise its successes and areas for improvement, and pinpoint opportunities for refinement. This reflective examination encompasses aspects of people, relationships, processes, and tools within the sprint and typically results in the creation of a plan or set of action items to improve the internal audit process.
Harnessing the Three Pillars of Agile
Within the Agile scrum framework, transparency is one of the three pillars of an empirical process, alongside inspection and adaptation.6 Without transparency, the effectiveness of inspection and adaptation is compromised, impeding the overall empirical process. This empiricism is how value is determined because transparency enables inspection, and inspection enables adaptation that aligns the audit process with what the stakeholders perceive to be of value. Adaptation promotes continuous learning, embraces needed change, and facilitates the delivery of incremental value. Therefore, the audit team should strive to make audit information accessible to all stakeholders, as scrum empiricism begins with transparency.
Leveraging Collective Intelligence for Agile Adaptation
Agile's adaptability to changing requirements relies on the diverse perspectives and expertise of audit team members and stakeholders. The audit team's collective intelligence is crucial in identifying and responding to audit changes, which is vital in adapting to an ever-changing risk landscape. If viewed through the lens of assurance, insight, and objectivity, internal auditing value is seemingly realized by leveraging the collective intelligence of all audit stakeholders; no one perspective can provide the overlapping of these three core elements of audit value. Such insights help create competitive advantages, protect assets, and ensure organizational performance—all of which collectively contribute to achieving organizational objectives and long-term success.
Enhancing Value Cocreation in Agile Auditing
Given the complexities of an internal audit, an agile audit allows for value cocreation in collaboration, decision making, problem solving, and continuous improvement processes by enabling the collective intelligence of the audit team and stakeholders. Value is cocreated through open communication and the active involvement of audit team members and stakeholders with diverse skills and perspectives. This cooperative approach contributes to a more comprehensive and efficient audit process that enhances the quality of audit outcomes and safeguards a well-rounded evaluation of the organization's internal controls, risk, and compliance.
Conclusion
Organizations encounter a continuously evolving risk landscape marked by dynamic technological shifts, regulations, policies, and procedures, among other challenges. In this fluid context, internal audits must adjust to disruptions and comprehend their implications for the organization. By employing an iterative and incremental approach, agile methodologies seamlessly integrate into internal auditing processes.
The amalgamated wisdom, capabilities, and perspectives of the diverse audit team in agile scrum are harnessed to fulfill evolving audit goals. This collective intelligence operates on the belief that the collaborative effort of the cross-functional audit team surpasses the individual capabilities of its members. The manifestation of collective intelligence occurs through collaborative efforts, transparent communication, and a shared commitment to producing superior audit outcomes. Cross-functional audit teams of individuals with diverse skills and expertise are better equipped to tackle various risk factors encountered in an audit without overreliance on individual specialists.
Agile audits facilitate change and adaptation to evolving risk and priorities. The iterative nature of agile scrum allows the audit team to continuously learn, adjust, and improve, leveraging its collective intelligence to enhance audit performance. The agile approach aims to provide early value to customers by adapting to timely feedback. It is crucial to clarify that agile is not presented as a one-size-fits-all solution for auditing; Instead, audits can succeed in waterfall, agile, or hybrid environments when auditors embrace adaptability and promptly respond to customer needs. The focus should be on delivering high-impact tasks while recognizing and letting go of less significant aspects of the audit process.
The agile framework provides a foundation that requires customization to suit the unique needs of organizations and audit teams engaged in auditing. It acknowledges the importance of tailoring agile principles to the specific context of each auditing engagement, promoting flexibility and adaptability in the pursuit of changing audit objectives. Agile, viewed as a mindset, goes beyond specific processes and methods—it emphasizes harnessing the collective intelligence of stakeholders through interaction and collaboration. This shift redirects attention from adhering to rigid auditing processes to cultivating a culture and leadership style that empowers individuals to excel in their work.
Endnotes
1 Chicago State University, “Audit Process: Internal Audit,” Chicago, Illinois, USA, https://www.csu.edu/internalaudit/auditprocess.htm
2 Lessambo, F. I.; “Professional Standards: Independence, Integrity, and Objectivity,” Auditing, Assurance Services, and Forensics, 22 July 2018, p. 109–124, https://link.springer.com/chapter/10.1007/978-3-319-90521-1_7#chapter-info
3 Viewpoint, “PCAOB Proposes Significant Expansion of Auditor Responsibilities,” PwC, 28 June 2023, https://viewpoint.pwc.com/dt/us/en/pwc/in_depths/2023/in-depth-2023-05/id202305/pcaobauditorresp.html
4 Lucas, C.; “Agile Auditing Using Scrum Techniques,” Internal Auditor, 21 February 2022
5 Schwaber, K.; Sutherland, J.; The Scrum Guide, November 2020, https://www.scrumguides.org/docs/scrumguide/v2020/2020-Scrum-Guide-US.pdf
6 Bell, T.; “Internal Auditing with an Agile Scrum Approach,” ISACA, 11 September 2023, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2023/internal-auditing-with-an-agile-scrum-approach
Thomas J. Bell III, PH.D., CISA, CRISC, COBIT 2019, LEAN SIX SIGMA GREEN BELT, ITIL V4, PMI-SP, PMP, PSM, PSPO
Is a professor of business administration at Texas Wesleyan University (Fort Worth, Texas, USA) with more than three decades of experience in IT systems. His expertise spans adaptive, predictive, and hybrid projects and audits, fields where he has played both participative and leadership roles. He has also peer-reviewed journal publications covering project management leadership styles, auditing behaviors, team dynamics, and certification pedagogy.