Learn how the values and principles behind agile software development help accelerate the internal auditing process and build trust with management.
Internal auditors have seen an uptick in the term “agile,” with agile software development becoming increasingly popular as companies transition from traditional development methodologies, such as the waterfall model, to a value-driven agile approach.
Like any auditable area, this requires internal auditors to understand the key concepts, evaluate the risks, and determine how to audit the process effectively based on predefined objectives.
In this blog, we’ll cover how the values and principles behind agile software development apply to internal auditing.
The Agile Foundation
Companies that have adopted agile development practices recognize the urgency to adapt quickly to changing technology and deliver enterprise-class software in a short amount of time. Otherwise, they run the risk of becoming extinct.
Agile is an overarching term for various software development methods and tools, such as Scrum and Scaled Agile Framework (SAFe), that share a common value system. Developed in 2001, the Agile Manifesto provides a set of fundamental principles that agile teams and their leaders embrace to successfully develop software with agility.
The top benefits of agile development are the following:
- Accelerated product delivery.
- Improved project visibility.
- Increased team productivity.
- Better management of changing priorities.
Why Apply Agile to Internal Audits?
Applying agile concepts to an internal audit function is not new, but it has never been more crucial than in our current environment. Like the companies that internal auditors aspire to protect through objective assurance and advice, internal audits must be able to address emerging critical risks and provide relevant insight in a timely fashion.
In fact, applying agile practices to risk assessment accelerates the audit process. Indeed, agile auditing seeks to perform shorter audits that evaluate the most failure-prone business processes and the controls intended to resolve the most serious and likely risks whenever they occur.
However, despite auditors’ best intentions, many audit departments still develop long-term plans they cannot easily change and often employ antiquated audit methodologies. Internal auditing must evolve to add significant organizational value and be a trusted partner with management, and agile techniques can help you do that.
Agile Internal Audit Tactics
Just as companies are scaling agile software development based on the size, capabilities and culture of the organization, the extent of an internal audit function’s agility will vary widely from one group to another.
Nonetheless, we have narrowed our focus to three key areas that every internal audit department should consider when becoming more agile.
Planning and Prioritizing
Agile development teams use a backlog as the single authoritative source of work items to be completed, which must be continually prioritized. Items in the backlog are removed if they no longer contribute to the goal of a product or release, whereas items are added to the backlog if a new essential task or feature becomes known at any time.
Similarly, your internal audit function should maintain a backlog of areas to audit that are regularly evaluated and updated based on risk exposure. Instead of committing to a rigid audit plan, this approach allows for the timely inclusion of new risks or auditable areas throughout the year.
We cannot overstate the importance of collaborating with stakeholders during the planning and prioritization process. Before auditors begin work on a task or feature in the backlog, they must define explicit and visible acceptance criteria based on end-user requirements. This is called the “definition of ready.”
This definition is met for an item on the audit backlog when the internal audit has the necessary resources available and agrees with the stakeholders up front on the scope and goal of the project and the value to deliver.
Streamlining the Process
Iterations are one of the basic building blocks of agile development.
Also known as a sprint, each iteration is a standard period, usually one to four weeks, during which an agile team delivers incremental value in usable and tested software. Ultimately, items that move off the backlog must be divided into sprints, providing a structure and cadence for the work.
The fieldwork associated with an internal audit should be broken into fixed-length activities that are appropriately sized to promote the achievement of a tight deadline without stressing the resources in place.
Because the goal is to be quick and iterative versus confined to a predetermined plan, eliminating unnecessary resources and efforts is instrumental to an audit team’s successful completion of the work within a sprint. Whenever possible, gathering evidence independently, which alleviates the burden on stakeholders, is an excellent way for internal auditors to be more efficient.
Typical examples of waste in the audit process include:
- Distributing requests for evidence that are too vague.
- Sending emails back and forth when making a phone call or in-person meeting would be more productive.
- Exhaustively explaining every step taken when concise documentation could achieve the same effect.
Soliciting Continuous Feedback
One of the most practiced agile techniques is a daily stand-up meeting, normally lasting no longer than 15 minutes, in which an agile development team discusses each member’s contributions and any obstacles. To be truly effective, internal audit team members must regularly check in with each other and not hesitate to raise questions or issues as soon as they arise. Rather than waiting until completing the fieldwork to start internal reviews, teams should build quality assurance into their daily audit activities.
Furthermore, internal auditors must not wait until the end of an audit to provide results. Early and frequent communication with stakeholders means that the final report or presentation should simply reflect a visual summary of the insights already discussed. You should identify opportunities to enhance an organization’s operations and continuously improve your audit processes.
The scrum master plays a crucial role in an agile team to help foster an environment of high performance and relentless improvement. Acting as the coach of an internal audit team, a Scrum Master would ensure the team follows the agreed upon agile process and encourage a good relationship among team members and with others outside the team.
Case Study: Using Agile in Internal Auditing
In an IT risk and compliance department for a Fortune 500 Company, applying agile practices reduced time spent per audit cycle by nearly 35 percent over a year.
Below are some of the most notable agile efforts and related results:
- Left room for unknowns in the annual audit plan and revisited the plan at the beginning of each quarter to make any necessary updates.
Ongoing results: Greater flexibility to focus on the right areas and account for changing priorities.
- Discussed audit details among the team members during brief and frequent meetings before finalizing the work instead of having the audit lead provide a list of corrections after a formal review.
Ongoing results: An empowered audit team and more efficiency.
- Communicated potential audit issues immediately upon discovery through informal management discussions and articulated the final report in a meaningful format.
Ongoing results: Increased trust and openness with stakeholders.
An Agile Mindset: Transparency Builds Trust
Successful adoption of Agile in internal auditing depends heavily on leadership in the function and generally requires a shift in mindset among the group members.
In an agile model, transparency builds trust, which drives performance and innovation. No matter the level of agility, internal auditing needs an agile recipe to evolve and ultimately produce the value and transparency that stakeholders expect.