The Essentials of Agile Auditing: Tools and Building Blocks
With business risks rapidly transforming and increasing in complexity, internal auditors are struggling to adapt their audit plans and work programs to keep pace. Audit projects are often months-long affairs, with auditors remaining on-site for weeks at a time. For some large enterprises, audit work occurs year-round. As auditors, our primary task is to add value to the business by providing assurance over governance, risk, and controls, but it’s impossible to do so effectively if we can’t pivot our focus, or don’t have enough audit cycles or team members to cover all necessary regulatory and internal audit function needs.
Adopting agile principles into audit practices is a trend sweeping across the internal audit world, yet many auditors and internal audit teams are unsure where to get started.
Agile audit processes can save time and yield benefits for many internal audit teams. Read on to learn more about the agile auditing fundamentals, key benefits, and how an agile approach enables auditors to adapt quickly to new information and shifting priorities.
What Is the Agile Methodology — and What Is Agile Auditing?
Agile is a term used to describe a set of principles and methodologies that were initially formed for use in software development and popularized by the Agile Manifesto for Software Development in 2001. This included the four values below and12 principles that focus on delivering continuous delivery and collaboration. The values shown here recognize that while all elements are needed, those in bold should take precedence over those italicized.
- Individuals and interactions over processes and tools.
- Working software over comprehensive documentation.
- Customer collaboration over contract negotiation.
- Responding to change over following a plan.
Agile Methodology
Agile software development emerged as a response to traditional project management methodologies that were more linear, like the Waterfall Method. These processes prevented revisiting previous steps and allowed bottlenecks to form in the development process. Rather than a cycle, software development was treated like a straight line. Agile project management systems, like Scrum and Kanban, allow project teams to focus on delivering value to customers and producing results quickly. The motto of “try fast, fail fast,” applies to agile methods, with the intent of sussing out bugs, errors, and problems early. There are several different frameworks and styles of agile, and they differ depending upon what business function you are applying them to. We’ve mentioned Scrum and Kanban, but there are also Lean and XP frameworks.At the core of agile project management is a focus on continuous collaboration and continuous improvement within defined timeboxes.
Image: Example Kanban Board
Since its inception nearly two decades ago as a development philosophy, agile methodologies have been adopted in virtually every business sector and department, including audit departments.. Though as auditors, we love nothing more than processes, following a plan, and comprehensive documentation — and adopting agile ways of working may initially cause a bit of panic — making the move to agile can provide numerous benefits. Risk management functions, including cybersecurity risk management, can take advantage of the speed of agile approaches to deal with incidents in real time — which is essential to combating modern cyber-attacks and the emergence of threats.
What Is Agile Auditing?
Agile auditing takes the principles and values of agile methods and applies them to auditing and risk management. Agile internal audit is a new and innovative avenue that even The IIA (Institute of Internal Auditors) has covered and promoted. While a traditional audit process may be necessary in some cases such as regulatory purposes, reporting, and certifications, taking an agile approach to certain audit projects strategically reduces the burden on your audit team and encourages cross-functional communication.
Agile auditing usually starts with a risk assessment to identify the areas of highest risk or priority. Then, audit professionals looking to implement agile methods into their audit approach should start by choosing the agile framework that best suits the project and the team. Each framework has its benefits and drawbacks. Internal audit teams may want to consider Kanban or Scrum as starting points. The following agile techniques and practices could benefit audit teams and their workflows:
- Using time-boxed sprints in chunks of 2-3 weeks to complete audits over one business process or area. After the sprint is over, the audit team should perform a detailed sprint retrospective, iterate on their process, and plan for the next sprint.
- Setting up regular stand-ups to encourage cross-functional collaboration and keep audit projects moving. Many agile approaches involve daily, 15-minute stand-ups to provide updates on project progress. This is a great practice to incorporate into your organization’s audit methodology as it encourages stakeholders to meet and celebrate team achievements while discussing and removing blockers. The cadence of meetings can be adjusted to accommodate your team’s needs.
- Making flexible audit plans that can change as your organization’s priorities and circumstances change. Flexibility and responsiveness to change are central to the agile mindset.
- Delivering insights and information in real time, rather than waiting until the full reporting and audit cycle are complete. Although reports must be written and delivered, making management aware of significant issues proactively is a key benefit of agility, enabling response and recovery to occur in real time.
As audit departments and audit executives become more familiar with agile methods and agile auditing, the team’s overall competency will rise and add increasing value to the organization. It will become easier to identify opportunities to apply agile audit processes, and where traditional audit methodology is more appropriate.
Benefits of Agile Auditing
Adapting agile can be an intimidating prospect. It’s a buzzword that feels like it should be reserved for dev teams and startups. It can seem like a threat to our auditors’ order of citations, clauses, criteria, and documentation. Audit teams don’t usually receive training in agile principles, and it can be hard to learn them when you’re used to traditional audit methods. Implementing agility in auditing doesn’t have to happen all at once, or overhaul everything in an audit department. The best use of agile principles in auditing is to take advantage of the methods that work and discard those that don’t quite apply to the field of auditing. Documentation may never go away, or be comprehensive enough, for one. However, there are a lot of lessons and tactics to learn from agile software development that can truly improve the quality and efficiency of audits.
Agile auditing helps teams put together results more quickly without being stuck to a static audit plan. It ensures better stakeholder communication and collaboration and prevents silos from forming. Some of the key benefits of agile auditing include: :
- Less time spent on planning the audit: This could mean shaving a one- or two-month-long planning phase down. Instead of spending weeks on planning documents and presentations, planning a sprint takes days or even hours.
- Combining all planning, fieldwork, and reporting elements: Agile’s short, time-boxed iterations of work enable audit teams to deliver these project phases together in an iterative cycle. Planning happens as one sprint ends and another begins; fieldwork is part of the sprint; and reporting happens in a matter of weeks instead of every six months or more.
- Increased collaboration and interaction: Agile methods favor face-to-face conversation as the most effective means of conveying information, and encourage frequent, but brief meetings between stakeholders, usually no more than 15 minutes. These stand-ups can occur daily, every other day, or at the cadence that makes sense for your team. Meeting regularly facilitates cross-functional collaboration and active problem-solving.
- Flexibility in audit focus and updating scope: Agile gives internal audit an opportunity to update the audit scope or even modify the audit’s focus altogether based on newly available information. Enabling your audit department to take on audit projects that are relevant rather than rote adds more value to the organization at the end of the day.
- Timely sharing of findings and remediation: With an agile approach, audit report results and findings are shared with stakeholders as they emerge, instead of waiting for the end of the audit. Learning of issues early makes a big difference, even if the audit report doesn’t change. It gives companies time and forewarning to mitigate risks and protect their business and their customers..
- Abbreviated audit plans: Agile auditing puts the emphasis on the quarter rather than on the year, homing in on what’s coming up in the next three months as opposed to the next nine to twelve.
- Tackling the backlog: Every business unit has projects that they’ve shelved, put on the back burner, or said that they’d handle “someday.” Many of those never see the light of day again. Agile frameworks encourage tackling project backlogs actively, and as part of the planning process, ensuring that even low priorities get resolved.
What Are Four Common Challenges Agile Auditing Can Solve?
Thesuccessful implementation of agile ways of working can help solve many common audit challenges, including:
- Developing a valuable and relevant audit plan: Unless your audit plan consists entirely of routine compliance or checklist-based activities, your audit plans presented to the Audit Committee at the start and end of the year may not align. Agile helps internal audit teams adjust to business conditions as they arise.
- Updating the audit scope and effectively using resources: Agile methodology provides the ability to update the audit scope as needed. By constantly reevaluating audit scope and priorities, internal audit maximizes resource use.
- Improving teaming and interaction with customers: Agile empowers your audit client and enables stakeholders to provide relevant feedback and collaborate during testing. By strengthening collaboration, agile helps identify issues and risks during the fieldwork, meaning audit stakeholders will have already started working on remediation by the final report phase.
- Improving work delivery: The agile way of working involves breaking down larger bodies of work into smaller, more digestible chunks that can then be delegated and tracked. Discrete tasks are easier and simpler for team members to handle, and can speed up testing workflows considerably.
Implement Your Agile Auditing Strategy with Internal Audit Management Software
Agile is rapidly becoming an essential methodology for audit teams. By improving time requirements and strengthening stakeholder interaction, collaboration, and engagement, internal audits can solve ubiquitous challenges. Taking sprint-based approaches to the audit process when appropriate keeps information and insights relevant for real time decision-making.
Agile in audit makes a lot of sense, yet can be difficult to implement. Keeping track of stand-ups, issues for remediation, sprint progress, and planning can be difficult without the right “home base” for your team. AuditBoard’s internal audit management software allows collaborators to work together in-platform and leverage agile methods as they execute audit projects. Gain the benefits of purpose-built internal audit technology, and try AuditBoard today!.
Frequently Asked Questions About Agile Auditing
What Is Agile — and What Is Agile Auditing?
Agile started as a software development methodology based on four values and twelve principles. Agile auditing applies agile methods to audit processes, such as time-boxed sprints, continuous improvement through retrospective feedback, and a flexible, responsive approach to planning.
What Are The Top 4 Common Challenges Agile Auditing Can Solve?
Agile auditing can solve the challenges of developing a valuable and relevant audit plan; updating the audit scope and effectively using resources; improving teaming and interaction with stakeholders; and improving work delivery.
Aaron Wright is a Director of Product Solutions, UK&I at AuditBoard. Before joining AuditBoard, Aaron was an Internal IT Audit Advisor at Cardinal Health, where he managed a risk-based audit plan and led internal audit projects focused on infrastructure, cybersecurity, and applications. Connect with Aaron on LinkedIn.