An Agile Internal Audit Approach

Learn how an agile approach accelerates the internal audit process and builds trust with management.

Auditors have seen an uptick in the term “agile internal audit,” with agile software development becoming increasingly common. Many companies have transitioned from traditional development methodologies, such as the waterfall model, to a value-driven agile approach.

Agile internal audits require auditors to understand the agile approach, evaluate risks, and determine how to audit processes effectively based on predefined objectives.

In this blog, we’ll cover how the values and principles behind agile software development apply to the agile internal audit process.

The Agile Approach

Companies that implement agile development practices recognize the urgency to adapt quickly to changing technology. They also feel the urgency to deliver enterprise-class software in a short amount of time. Otherwise, they run the risk of becoming extinct.

Agile is an overarching term for various software development methods and tools, such as Scrum and Scaled Agile Framework (SAFe). They all share a common value system. Developed in 2001, the Agile Manifesto provides a set of principles that agile teams and their leaders embrace when developing software.

The top benefits of agile software development are the following:

• Accelerated product delivery.
• Improved project visibility.
• Increased team productivity.
• Better management of changing priorities.

Why Apply Agile to Internal Audits?

Applying agile concepts to internal audit processes is not new. But it has never been more crucial than in our current environment. To protect companies, internal auditors must address emerging risks and provide relevant insights in a timely fashion.

In fact, applying agile practices to risk assessment accelerates audit processes. Agile internal auditing seeks to perform shorter audits that evaluate the most failure-prone business processes. They also evaluate the controls intended to resolve the most serious and likely risks whenever they occur.

However, despite auditors’ best intentions, many audit departments develop long-term plans they cannot easily change. These departments often employ antiquated, traditional audit methodologies. Internal auditing must evolve to add significant organizational value and be a trusted partner with management. Agile techniques can help auditors do just that.

Agile Internal Audit Tactics

Companies scale agile software development based on the size, capabilities and culture of their organization. So too will the extent of an internal audit function’s agility vary from one group to another.

We have narrowed our focus to three key areas that every internal audit department must consider when becoming agile.

Planning and Prioritizing

Agile development teams use a backlog as the single authoritative source of work. It includes items to be completed, which must be continually prioritized. Items in the backlog are removed if they no longer contribute to the goal of a product or release. Items are also added to the backlog if a new essential task or feature becomes apparent.

Your internal audit function should maintain a backlog of audit areas that are regularly evaluated and updated based on risk. Instead of committing to rigid audit plans, this allows for the timely inclusion of new risks or audit areas yearlong.

We cannot overstate the importance of collaborating with stakeholders during the planning and prioritization process. Before auditors begin work on a task or feature in the backlog, they must define explicit and visible acceptance criteria. These criteria must be based on end-user requirements. This is called the “definition of ready.”

This definition is met for an item on the audit backlog when the internal audit has the necessary resources available. Audit must agree with the stakeholders up front on the scope, goal, and value of the project.

Streamlining the Process

Iterations are one of the basic building blocks of agile development.

Also known as a sprint, each iteration is a standard period, usually one to four weeks. During a sprint, an agile team delivers incremental value in usable and tested software. Ultimately, items that move off the backlog must be divided into sprints, providing a structure and cadence for the work.

The fieldwork associated with an internal audit should be broken into fixed-length activities. These should be appropriately sized to promote the achievement of a tight deadline without stressing the resources in place.

The goal is to be quick and iterative versus confined to a predetermined plan. Eliminating unnecessary resources and efforts is instrumental to an audit team’s successful completion of the work within a sprint. Whenever possible, gathering evidence independently. This alleviates the burden on stakeholders and is an excellent way for internal auditors to be more efficient.

Typical examples of waste in the audit process include:

• Distributing requests for evidence that are too vague.
• Sending emails back and forth when making a phone call or in-person meeting would be more productive.
• Exhaustively explaining every step taken when concise documentation could achieve the same effect.

Soliciting Continuous Feedback

One of the most practiced agile techniques is a daily stand-up meeting, normally lasting no longer than 15 minutes. During this time an agile development team discusses each member’s contributions and obstacles. To be effective, internal audit team members must regularly check in with each other. They should not hesitate to raise issues as soon as they arise. Rather than waiting until completing fieldwork to start internal reviews, teams should build quality assurance into daily audit activities.

Furthermore, internal auditors must not wait until the end of an audit to provide results. Early, frequent communication with stakeholders means that the final report should simply reflect a visual summary of the insights already discussed. You should identify opportunities to enhance an organization’s operations and continuously improve your audit processes.

The Scrum Master plays a crucial role in an agile team, fostering an environment of high performance and relentless improvement. Acting as the coach of an internal audit team, a Scrum Master ensures the team follows the agreed upon agile process. They also encourage good relationships among team members and others outside the team.

Case Study: Agile Internal Audit in Action

In an IT risk and compliance department for a Fortune 500 Company, applying agile practices reduced time spent per audit cycle by nearly 35 percent over a year.

Below are some of the most notable agile audit efforts and related results:

1. Left room for unknowns in the annual audit plan and revisited the plan at the beginning of each quarter to make any necessary updates.
   Ongoing results: Greater flexibility to focus on the right areas and account for changing priorities.

2. Discussed audit details among the team members during brief, frequent meetings before finalizing the work instead of having the audit lead provide a list of corrections after a formal review.
   Ongoing results: An empowered audit team and more efficiency.

3. Communicated potential audit issues immediately upon discovery through informal management discussions and articulated the final report in a meaningful format.
   Ongoing results: Increased trust and openness with stakeholders.

An Agile Approach: Transparency Builds Trust

Successful adoption of Agile in internal audit depends heavily on leadership in the function and requires a shift in mindset among the group members.

In an agile internal audit model, transparency builds trust, which drives performance and innovation. No matter the level of agility, internal auditing needs an agile approach to evolve and ultimately produce the value and transparency that stakeholders expect.