
Is agile auditing the latest fad or a really great practice?

I started talking about an agile internal audit practice many years ago. In fact, I still have the deck from a presentation I gave to my local IIA (San Jose) chapter in 2002 entitled “The New Age of Internal Audit”.

I said, for example:

    • The greatest risk is typically at the edge
      …where things are happening
      …where there is change
      …where management’s tolerance for risk is highest
    • Put IA resources where the risk is
      • Provide Assurance
      • Add Value by helping Manage the Risk
    • Audit at the speed of the business (and at the speed of risk)
    • Risk is constantly changing
      • Continuous risk assessment
    • Confront the risk
      …the core of the risk
      …the politically risky risk
      head on


The idea was that internal auditors need to be prepared to rise to the challenge of turbulent change (driven primarily by technology) and modify our traditional practices. Risk is greatest where there is change and we must be responsive to those changes, providing assurance on what matters most (where the risk to objectives is greatest) when it matters (not taking weeks to complete a full audit and not then taking additional weeks or longer to report the results). Continuous risk assessment and the agility to change our plans at speed are essential.


In 2014, I presented to IIA Malaysia on “The Agile Audit Department”. I quoted Richard Chambers:

“..executives face extraordinary headwinds spawned by a turbulent environment in which risks materialize virtually overnight. Just this year, global financial and business markets have been rocked by spectacular cybersecurity breaches, geopolitical instability in the Middle East and Eastern Europe, refugee crises, and more.”

Then I shared what Jack Welch, former CEO of GE, said:

“If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

My point was that if we are not prepared to change when everything around us is changing, we are doomed. Just because we have been successful in the past doesn’t mean that the same practices will make us successful today and tomorrow.

I shared a quote from “Creating an Agile Organization” by Peter Cheese, Yaarit Silverstone, and David Y. Smith:

“The new business environment will favor those companies able to execute strategy faster, with more flexibility and adaptability, and move their companies ahead briskly.”

Then I asked if we, internal auditors and CAEs especially, are agile.

  • Are we able to execute faster, with more flexibility and adaptability, and help move our companies ahead briskly?
  • Are we constantly adapting so we can audit what is important now and will be tomorrow, or are we continuing to audit what was the risk when we put the annual audit plan together?
  • Are we helping leaders manage the business at the speed of risk? Are we auditing at the speed of the business – and of risk?

I explained that the agile internal audit department has these attributes:

  1. Focuses on providing assurance that matters, on what matters, when it matters.
  2. Has moved from hindsight to foresight + insight.
  3. Performs nimble, focused audits.


Let’s fast forward to 2021.

AuditBoard reports:

Adopting agile principles into one’s audit practice is a trend sweeping across the internal audit world, yet many auditors are unsure where to get started. A recent AuditBoard poll of over 1,000 internal auditors found that 82% say agile auditing has the potential to add more value to their work compared to the traditional project approach — although 45% reported a lack of knowledge or resources as the most significant obstacle to adopting agile.

They also say, in a different article:

When we talk about how to improve the internal audit function as a value-add function rather than just a cost center in the business, we frequently hear “agile” and “relevant” tossed around as vague cure-all concepts. When you hear these words in connection with audit, what comes to mind?

Did you think of the word “relevant” as being “pertinent, applicable, appropriate, suited, fitting, important”? A relevant audit team is one that audits activities that align with business objectives and is an important department within the business. All valuable things!

Today, “agile” is a buzzword that too often just signifies “fast,” and our present use doesn’t encompass what the word truly means or the potential for improving audit. Agile actually means an action that is “nimble, limber, spirited, sharp, active, clever, acute.” Clearly, an internal audit department that encompasses these qualities will be better able to anticipate and respond effectively to changing business risk profiles than one that is simply “fast.”

This begs the question: Can audit be relevant without being agile? Probably not, and an audit department should try to be both. CAEs need to break out of their historical frame of reference to embrace agility in pursuit of relevance. If the internal audit department functions without both agility and relevance, audit may follow a prescribed routine, potentially missing emerging risks and delivering a suboptimal customer experience.

While those two excerpts are valid, I would not recommend following any of the actions the company goes on to recommend. For example, they have “internal audit as a rotation” as their #1 action – and I would not place that in my top twenty. The closest recommendation I would make is the inverse of theirs: hire people who have line operations experience, whether in finance, marketing, IT, engineering, or other function. The intent is not to make them better auditors when they return to their line position, but to ensure auditors understand and have a business perspective when they perform their work.


PwC UK tells us that agile auditing (their version) can lead to “a 20% time saving on regulatory audits” and “a 10% time saving on less standard audits”.

However, they are talking about audits that require, on average, 5 people. Planning alone, which requires the involvement of everybody on the team, is two weeks.

Many of the audits my team performed were just two or three weeks, from planning to reporting! I bet I could save more than 50% of the time spent on every audit compared to the PwC approach!


I prefer the way that my friend Sandy Pundmann of Deloitte describes agile internal audit in an article published by the Wall Street Journal.

Agile IA is a flexible methodology for adapting Agile to the specific needs of an internal audit function and its stakeholders. Originally a software-development methodology, Agile aims to reduce costs and time to delivery while improving quality. Specific characteristics of the Agile methodology include delivering tested products in short iterations and involving internal customers during each iteration to refine requirements.

Agile IA has many potential benefits, but implementing it calls for shifts in the function’s approach, such as that from rigidly planned activities to fast, iterative activities, and from following a preset plan to responding to emerging needs.


However, the urge to adhere to principles and practices that have proven to work in software development is a distraction.

Discard the idea of scrums, etc. (techniques in Agile) and focus on the goal:

Provide assurance on what matters, when it matters, and help the organization succeed.

I agree with AuditBoard that this requires an internal audit function that is “nimble, limber, spirited, sharp, active, clever, acute.”


How do you get there?

Here are my suggestions, proven in a couple of decades of world-class practice (and described more fully in my highly rated Auditing that Matters):

  1. Make sure that you are auditing the issues (both risks and opportunities) that matter to the success of the organization. What has to happen, or not happen, for enterprise objectives to be achieved? Can you add value by auditing the controls that ensure those things happen or not happen, or by providing related advice and insight?
  2. Leverage the organization’s ERM program (after auditing it for reliance purposes) but don’t be limited by it.
  3. Make sure you are not auditing issues that don’t matter! Eliminate from the scope of each audit any area where, should there be breakdowns, there would be minimal or no real impact on the achievement of the objectives of the enterprise. In other words, make sure you are auditing what matters to the enterprise rather than to local management.
  4. In fact, eliminate from the audit plan projects that don’t meet the criteria in #2.
  5. Only perform sufficient work to reach an opinion. Work doesn’t have to ‘expand to fill the time available’ (contrary to Parkinson’s law – a fine book, by the way). Once you have formed a professional opinion, STOP auditing and move to close!
  6. But if you run across an issue that would be significant but wasn’t in scope, consider adding it to the scope of the audit. Don’t get trapped by the belief that you are limited to what was initially planned.
  7. Similarly, if you find you need more time to address an important area, consider adding time to the audit or scaling back another, lesser issue. This is called ‘Stop and Go’ auditing.
  8. Make sure your team has the experience, imagination, flexibility, and confidence to retain focus on what’s important, even when the target might be moving. Hire the best people to do the right work, rather than doing the work your people are capable of.
  9. Don’t be an obstacle to an agile, nimble, focused audit. For example, allow your team to adjust without always having to go to you for permission.
  10. Ensure documentation, working papers and so on, are no more than necessary. We are not judged by the quality of our working papers, but by the assurance, advice, and insight we provide. Challenge yourself to find the value of every hour of documentation and stop documenting where there is no real value. How many times do you ever refer to the working papers from a prior audit?
  11. Target no more than 100 hours for any audit, with exceptions justified carefully. That will keep you focused. Don’t fall into the trap that awaits Agile users of scope creep, where local management and the audit team find other ‘stuff’ that is interesting and even valuable to local management. (Obviously, if you truly have multiple areas of great significance in a single location, and you can only visit once – and I question that – then you will need more than 100 hours. But make sure that you really need all that time to reach an opinion on each area of significance to the enterprise.)
  12. Encourage fast and nimble audits that are completed as soon as possible, as every hour that is saved is one that can be used on another audit. There are always more issues that merit our attention!
  13. Communicate, communicate, and then communicate again. Discuss issues with management as soon as they surface and work with them to effect valuable change, identifying agreed action items rather than trying to look good by writing reports with recommendations. Listen, listen, and then listen again as management has (or at least should have – if not, that’s another issue) a better understanding of the business, risks, and opportunities.
  14. Incent your team to use their professional judgment, always thinking about what they see and what it means. Encourage them to feel empowered. Hire people who can and are able to think.
  15. Remember at all times that our job is not to write reports or identify findings: it is to help the organization succeed at speed.
  16. It is not about us: it is about the company we work for. Enjoy and savor its success, as we are contributing to it.
  17. Be sufficiently agile to change and do so quickly and with no regrets.


By the way, if your audit projects need scrums and sprints, they are giant mammoths rather than agile beings.


Capital A Agile internal auditing is a fad and should be ignored.

But small A agile internal auditing is not just a great practice, it is essential.


I welcome your thoughts.

  1. April 30, 2021 at 10:40 AM

    You lost me after 10 seconds! Sorry get to your point..

    • Norman Marks
      April 30, 2021 at 11:54 AM

      LOL: while this may not be an ‘agile’ post, you won’t read much in 10 seconds, Mike.

  2. April 30, 2021 at 2:49 PM

    Great to see and agree it is essential.

    Please may I add the importance of context. For many internal audit departments, some of the Capital A Agile tools are indeed helpful (and I have the empirical evidence). For example, audit teams working in Sprints or timeboxed iterations are enabled by this way of working to produce regular and incremental sharing of observations with stakeholders.

    I agree that a number of the Capital A agile tools are out of context in IA and don’t make much sense or add any value. The mandating of one set of prescriptive practices, department-wide, is often combined with the capital A Agile and capital T Transformation. It’s widely understood and acknowledged that big-bang, imposed Agile Transformations are expensive and less likely to succeed as they should be undertaken in exactly the opposite manner (small experiments, low cost, with volunteers, invited not imposed).

    As ever, I’d welcome any thoughts on this.

    • Norman Marks
      April 30, 2021 at 4:19 PM

      Thank you, Mark, but I would never have an audit so lengthy that sprints were either necessary or useful. In the (increasingly) old days, we would have end of day discussions among the team and at least weekly updates with management – immediate if an issue was found, so we could agree on action and get it started promptly.

      • Mark Williams
        April 30, 2021 at 11:32 PM

        Yes, I get that and agree in a perfect world. I think it’s all in the context: every business, IA department and auditor is different, and has its own unique system of work. In my experience most IA departments have a 3-month average lead-time (crude, but good metric: audit team start date to final report published date). Other way around, some even have a 90-day target. So delivering findings weekly or fortnightly (as you’ve described), rather than at the end or stage end is of huge benefit (again as you’ve described).

        I think a large part of the cause of longer audits is a lack of focus such that teams and auditors have many long and thin audits running at the same time. Limiting audit work in progress (WIP) is a key part of what I talk about (start less to finish more, my mantra).

        • Norman Marks
          May 1, 2021 at 6:43 AM

          Mark, the idea of a three-month audit boggles my mind. Sorry, but I can’t see why it takes that long when you are focused on the risks to the enterprise instead of the risks to a process or location.

          • Mark Williams
            May 1, 2021 at 8:51 AM

            Understood. For once it also makes a nice change for me to be the one saying “slow down, Rome was not built in a day” – evolution not revolution. That said, you have been banging the drum on this since 2002! Thank you.

  3. Bertrand
    May 3, 2021 at 4:17 AM

    Very good post Norman. Indeed we must not try to replicate exactly the IT agile approach. Otherwise it becomes a kind of project management methodology with also independence issues. The 3 months mentioned by Mark are probably including the issuance/validation delays. Sometimes they exceed fieldwork by far (granted this is still not good, however internal audit is not the only culprit). As you mentioned all the scopes cannot be performed in just 100 hours especially if they are very technical, include important risks, numerous locations and if the audit team is not highly experienced in this area. Therefore as you have said we should also not hesitate to increase the budget / scope in case of need. In my experience I have also witnessed numerous too quick and superficial “check-list audits”, overcrowded audit plans with no planning. Therefore the 100 hours criteria should always be compared with the added value obtained during the mission. It is also possible to fall into the opposite excess (botching the mission).

  4. Pankaj Mehta
    May 3, 2021 at 11:41 AM

    Very relevant and most practical statements. Don’t love your issues which drag your efficiency and which are only important to local management.
    Time wasted there must be watched carefully and should get negative marks in KRA of those internal auditors.
    Current risk should not become headline of tomorrow should be the tag line for auditor.
    Very important article ……..

  5. Tommaso Lizier
    May 4, 2021 at 8:53 AM

    I believe the article testifies that Agile Auditing is so popular because it is seen as one of the tools by which organizations try to respond to the speed of environmental change. Personally, I agree with the underlying message that the goal: being agile (with a lower a) is the most important thing in order to be responsive to ever changing risks. In any case, specific techniques or best practices can certainly help in driving a proactive way of auditing. I really agree on many of your suggestions (1, 3, 8, 13, 14, 15 etc.) and I see them in line with Agile principles and approaches.
