Home > Risk > An agile audit function needs an agile leader

An agile audit function needs an agile leader

My post on agile/Agile internal auditing has attracted a lot of attention, most in support but some have differing opinions.

I want to point you to the thoughts of three individuals.


The first is James Patterson. He is the author of Lean Auditing: Driving Added Value and Efficiency in Internal Audit (I was honored to write the foreword).

James was asked by one of the readers of my post to share his thoughts, which he did at Lean and Agile Auditing. I recommend reading the entire article, but I will excerpt his closing:

In summary, as I see it, lean & agile internal auditing (small a) is about professional auditing that:

I) Understands how internal audit adds value (e.g. via the kano[1] framework);

II) Is clear who internal audit is adding value to (and it should not just be the person who is being audited);

II) Delivers assignments with less waste (e.g. muda[2], rura[3] and muri[4]), on a timely basis,

IV) Delivers insights (e.g. through root cause analysis and benchmarking good practices)

V) Communicates with impact (e.g. killer facts)

.. All of which is set out clearly in an assignment methodology that will pass an IIA EQA[5]..

And above everything all techniques – lean, agile, continuous auditing, data analytics etc., etc. should be seen as simply tools and frameworks that support progressive internal auditing, and not be seen as an end in themselves. 


The second individual is Mark Williams. While he has not been an internal auditor himself, he coaches internal auditors on agility. He says:

Being agile is a means to an end. The end goal being a better auditor. As a coach and trainer I love helping people be the best they can, and I’ve seen that being agile-minded will help you be a better auditor (or leader in IA).

Mark leads a class on being an agile auditor (which he says is sold out for the next several months) and I like the diagram he uses to describe it:

Mark Williams Agile Auditor


He shared with me an article (one of several he is writing for Wolters Kluwer), Leading for agility: Key behaviors of an agile-minded internal audit leader. Here are a few excerpts:

  • Being more agile-minded will help you capitalize on the collective skill and capabilities of your department – and help you become a better leader.
  • To deal with unknowns and complexity, we need to be responsive to change and course correct. Agile-minded leaders make this real by building and incorporating rapid feedback loops. It’s more than regular engagement and collaboration; think of it as a repeatable loop.
  • Undertake rapid feedback loops with stakeholders (audit committee, senior management, risk function, etc.) on the department’s audit plan on a real-time or continuous basis (away from a monthly, quarterly, or annual frequency). Note: The frequency of these feedback loops is a healthy debate as we are in such a dynamic and volatile environment with many uncertainties and new risks emerging. Is what you’ve always done rapid enough for an ever-changing environment? Is a monthly or quarterly feedback loop responsive and rapid enough to highlight changes and challenges so they can be fed into your plans and audit delivery?
  • Conduct a rapid feedback loop with first and second-line management on a continuous or rolling monthly frequency (not on an ad hoc, quarterly, or annual basis).
  • Agile-minded leaders actively practice and promote servant and intent-based leadership:
    • Encouragement, support and development of your people
    • Enable, remove blockers, resolves conflict
    • Intellectual authority, foresight
    • Collaborates, shares, coaches
    • Listens, trusting, humble and self-aware
    • Sets intent rather than micro-manages
  • Being more agile-minded requires new behaviors and for people to think differently about what they work on and how they work on it.


While I prefer small, focused, and agile audits to those that are so long you need to sprint from one stage to another, I have a great deal of common ground with Mark.

I would add some additional points:

  • Understand what you want to accomplish before you start. For example, are you intending to do sufficient work to form and then express an opinion? What is the opinion on and how do you intend to share it?
  • What options do you have for accomplishing your goal? Which is the best? For example, is there technology that would help you do it faster and better? Who would be the best person to do the work?
  • Where is the value in the project? Is it in assurance, advice and insight, or both?
  • Can you do the work in a way that will challenge and excite the staff performing it? See this post from 2019: The Wonder and Joy of Internal Auditing.
  • How can you limit your own time on the project, so you are there when needed and not there when you are not?
  • How can you work with management so that they will want the project done and look forward to its results? How will you communicate with them and discuss (not simply report) what you are seeing so management can take prompt action?
  • What steps can be eliminated without harming the result? (In other words, eliminate any wasted motions or muda.)
  • How will you work with the management team and the audit committee so that they anticipate and welcome your agility?
  • Do you have the right people on your team, the best people, to perform agile auditing? Can they think? If not, what are you going to do about it?


The third person I want to refer you to is Hal Garyn, recognized by Richard Chambers as one of the top ten internal audit thought leaders of 2020. In Managing Internal Audit – It’s a Brave New World, he comments on how a CAE has had to adapt to a world shaped by COVID and working from home. But that is not the only driver of change he discusses. He says:

  • Some have gone so far as to hypothesize that the way we work has changed for good and how we deal with managing, motivating, evaluating, and interacting with the people we are responsible to lead altered permanently as a result. And that new way of working may not even be because of fully embracing a WFA (work from anywhere) practice, but certainly a more modified remote working reality into the foreseeable future.
  • If anyone is waiting around for a return to normal, or a new normal, they might have a long wait. What is certain seems to be that the prior state of how we approach our work and how we interact with each other in the workplace has changed forever. And, what we used to consider normal is no longer what will be the case either. Regardless, it will be new, and it will not feel normal. We, as a profession of internal auditors, have adapted to the current state and we will adapt to the new state of things. It will require a level of use of technology, nimbleness, flexibility, and interpersonal interaction that we have never deployed at any time in our careers. But all these changes were always on the horizon. It is just that factors conspired to accelerate those changes. We are ready, willing, and able.


We must not only be willing to change as our environment changes, but our leaders have to be flexible and agile as well.

Unfortunately, many who have been to my presentations tell me that the greatest obstacle to progress in the internal audit function is the CAE.


I welcome your thoughts.

[1] Kano is a prioritization framework.

[2] Anything the customer wouldn’t gladly pay for, including the waste of time (such as auditing areas that are not critical to the enterprise), excessive communication (such as sharing information they don’t need to know), or the waste of an opportunity (such as not demanding every auditor think for themselves).

[3] I think this is a typo and James meant Mura, which is a lack of uniformity or consistency. It relates to uneven supply of materials to a workstation, so I am not sure how it applies to internal auditing.

[4] Overburden, or asking somebody to do more than they can. One example I have seen is a CAE having her staff perform all the SOX testing in Q4, leading them to work 10–12 hour days, 6-7 days a week. None stayed with the firm.

[5] External quality assessment

  1. Hal Garyn
    May 4, 2021 at 2:50 PM

    Hi Norman. Thanks for the shoutout. I would not have known you referenced me and some of my thinking (although the specific reference is not directly related to agile) if not for the fact that someone brought this blog of yours to my attention. Thanks!

  2. May 4, 2021 at 11:14 PM

    Norman – thanks for the call out and also the builds around lean, especially: muda (waste), mura and muri.
    I refer to mura because smoothing the flow of assignments is often important. An audit committee / senior management team may want assignments to be delivered just in time, but also they normally don’t want 5 reports in one meeting and 15 in another ..
    So the smoothing here is about scheduling work to avoid “bunching up” assignments just before a key meeting or – worst of all – with lots of assignments rushed towards the end of the year ..
    As you know, its about adopting a project mindset and working backwards from a deadline to decide when to start and how best to tackle the assignment..
    Couple of final points, linking to points you make:
    > Agile has a lot to offer internal audit, but there is a depth to lean (which inspired agile ways of working) that many auditors overlook, as well as a complementarity (which you point out in your comments to Mark about watching waste etc.)
    > I agree that old generation CAEs can find lean/agile to be challenging. I sense the tide is turning, but what is key is to change without taking our eye off the ball of IIA standards/regulatory requirements..

  3. Mark Williams
    May 5, 2021 at 12:29 AM

    Norman, I am extremely flattered, thank you.

    Over the years, I’ve found a strong correlation between greater agility being successfully adopted & genuine support** from the leadership team.

    Whilst the phrase “tone from the top” is bit of a clichéd and empty platitude these days, it’s critical. I agree, we absolutely need agile leaders.

    **personally practicing and promoting it.

  4. May 5, 2021 at 1:57 AM

    Norman, thanks for this analysis. Agile auditing is for me another tool, a kind of top of the pyramid of the IA’s portfolio of techniques, that appears when the context is ready for it. Conditions are the IA leader’s maturity and the acceptance by the management of that kind of new role endorsed by their IA function.

  5. Bill Spoehr
    May 5, 2021 at 8:23 AM

    My experience as a CAE is that the greatest resistance to change / agility / getting away from old habits comes from the Directors/Managers one layer down – i.e., front line leadership. I can “set the tone”, train, challenge, and encourage all I want, but if there is no buy in to change from the lower levels (for whatever reason), it becomes a much more challenging proposition. Some people are too stuck in their ways and beliefs to change. Sadly, it’s time for them to move on to the next phase of their life’s work because the “agile” train is already rolling.

  6. May 5, 2021 at 12:36 PM

    Norman, I would add to your last additional point: constantly train and motivate internal audit staff. However agile the CAE might be, if the staff are still in the last century or, if they were external auditors, still haven’t understood internal audit is different, then the whole department will be wading around in treacle.

  1. May 4, 2021 at 3:15 PM
  2. May 13, 2021 at 12:53 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: