Agile Auditing – A Chief Audit Executive’s (CAE) Perspective on Implementation to Unlock Value

Introduction:

Many Internal Audit (IA) teams are going agile these days, or at least contemplating it. It sounds daunting, with lots of new nomenclature to absorb – Sprints, SCRUM Masters, Retrospectives, Product Owners etc. However, once you get beyond the lingo, Agile is a progressive audit approach that can super-charge your IA team. In this article, I will explore the aspects of Agile, which we found very valuable when we implemented it in a large global IA team in 2020. In addition, I will share my views on aspects of Agile methodology and implementation that may require some fine-tuning in an internal auditing environment, to avoid pitfalls.?

Agile and agile auditing is all about adding value. As an audit approach, it allows IA to stop and periodically assess value (coming from the audit work); in its simplest form on each audit, there are 2 logical outcomes, either you keep going and execute an additional Sprint in the current audit, OR you stop the current audit and start a new audit (typically the next most valuable audit in the backlog / pipeline of audits).?

Agile Auditing Unlocks Value and Improves Internal Audit Risk Responsiveness

For me, the more valuable agile audit components are:

1 – Sprints.?Sprints are typically 2-week bundles of work; the time constraint helps to reinforce the ambition of finishing what you start each sprint. Typically, each sprint culminates in a sprint review session with your stakeholders; this meeting is open, transparent and covers the audit work (stories) covered in the sprint, exceptions, potential observations, and insights. This transparency builds trust. In addition, agile teams seek management input on each subsequent sprint in terms of value / areas to focus on (IA always retains the final call on scoping and testing to be clear), which is generally taken as helpful and commercial. The IA driven assessment of value each sprint in terms of GO (execute another sprint) OR NO GO (stop this audit and look to tackle the next most valuable audit in the backlog (pipeline) allows IA to be responsive to risk. Further, this constant value assessment at the end of each Sprint helps IA in reducing low-risk testing which is a great productivity driver. The Agile approach sharpens productivity as it “time-boxes” audit work (traditional approach tends to “scope-box”) audit work (the latter often results in completion of low-risk testing steps that may add little value to the overall audit outcome).

2 – Sprint Reviews help to make IA teams more accountable for their work and adds great transparency to audit work. The discipline of re-capping openly the progress made in the last 2 weeks, outlining test results, observations, insights remove the mystery of what is happening in the audit itself. Having a sense of rawness here is not a bad thing as there is real value in reflecting on the raw audit observations openly with the stakeholders. Many stakeholders have provided feedback to me that this is among the best parts of agile to them – complete transparency and having a voice all throughout the audit. I would often note during Sprint Review meetings, that management is getting the same audit update on Wednesday, that I as the CAE received on Tuesday afternoon. These aspects are critical to building trust with management.

3 – Retrospectives are shared team learnings after each Sprint facilitated by the Scrum Master.?Identifying incremental improvements regularly adds a lot of value over time and promotes a continuous learning culture. These improvements once agreed among the agile team members are put into effect for the next sprint. Retros as we called them were always useful; we reinforced what we all felt was working well and equally identified small incremental improvements that could be digested and implemented real time. There is a great collaboration tool we used called “Retrium” which allowed us to share a feedback board during our retros, and facilitated gathering our anonymous input, and active ranking and grouping of ideas, etc. (Scrum Master facilitated this).?

4 – Self Managed Teams / Flatter Team Structure – Agile teams must work closely together to achieve the shared objectives, and this supports a strong teamwork environment. Agile teams meet daily to assess progress and next steps and huddle together at the start of each Sprint to iron out available resource capacity and to size the stories (bundles of work) for the sprint. Value is ascribed to each story, and this helps the team focus on testing and tasks that matter most. This increases personal ownership among the agile team members and generally supports a flatter IA team structure with less hierarchical layers. In an agile audit team, there is nowhere to hide. If a team member does not progress the work, it becomes quite apparent during the daily team meeting/call. Obviously if there are impediments the SCRUM Master will jump in, as might other agile team members; everyone focuses on the 2 weekly deliverables for the sprint / sprint review, so this helps the team to be both productive and responsive to risk.?

Some Agile Auditing Concepts May Require Some Organizational Fine Tuning

If you implement Agile from a textbook, you may get quite frustrated, quite quickly. We did. We felt the textbook approach lacked practicality at times and we needed to fine tune some of our approaches over time, to better fit our global financial services environment. In hindsight, having some guidance from an Internal Audit consultant with practical experience here would have been a big help.?Some areas to watch out for and perhaps to really assess how to implement in your Audit organizations:

1 – Sprint Planning / Sprint Zero. All audits, even agile ones need planning and pre-work, particularly if you are executing a data-driven audit. We used to perform quite sophisticated data analysis and developed data hypotheses covering full data populations, on almost every audit. This requires sufficient preparation time to get access to the dataset and ensure it is normalized etc. Audits, particularly in large financial institutions, are complex undertakings and allowing sufficient time for critical pre-audit work is important. This is an area where it is hard for Internal Audit teams to be fully agile (compared with historic IT development environment) as audits can vary quite a lot in terms of risks being covered and technical expertise and datasets required. As sprints are typically numbered, we called our planning Sprint, Sprint zero (and on some very large, complex audits we sometimes needed 2 of them).?

2 – Level of Task Breakdown – Agile methodology expects that tasks are broken down into low-level items; this can be tedious, and the transparency benefit may be outweighed by the bureaucracy here.?This is an area where Audit teams can draw a reasonable line in the sand. Make it work for your team and apply common sense rules. We used a tool called Jira to house all our Agile audits – Audits (Epics), Objectives (Stories) and Test Steps (Tasks) and this tool is widely used. However, one drawback was apparent to us; how does Jira integrate without electronic workpapers system? We used TeamMate+ and initially there was no portability and in effect there was a sense that some activities were being replicated across the two systems e.g., test conclusions. This is an area to be mindful of. Again, you should be reasonable here and be clear how your Agile tool interfaces / supports your audit workpaper system.

3 – Organizational / Staffing Hierarchy. We used a SCRUM methodology to support our Agile implementation. Within each agile team, the role of the agile team members is quite generic as the agile team structure is quite flat. This can give rise to some friction as you may have tasks being performed by auditors who have varying levels of experience and have different corporate bands. To be honest, having the title Agile Team Member does not resonate as much to audit staff as being referred to as a Senior Auditor, Audit Manager, or In-Charge, etc. So, we kept our organizational banding to help differentiate performance and compensation expectations.?

4 – Moving to a Shorter Audit Planning Cycle is Not a Trivial Undertaking. Agile auditing has many benefits as outlined above and the drive to be more responsive to risks and to audit risks and topics that matter, leads many Internal Audit teams to develop a shorter audit planning cycle i.e., move from an Annual Audit Plan to a semi-annual or quarterly audit plan. Adopting a shorter audit cycle can support the focus on risk coverage, however, in practical terms you need to consider some critical factors. Firstly, any move away from an annual audit plan is a big change for your Audit Committee and for management. You will need to sell the benefits to the Audit Committee / Chair. We went from having an annual audit plan to having a quarterly audit plan. That was a big change, but we had our Audit Committee support.?Management also needs to get on-board as agile audits involve greater management participation and input, but much shorter notice periods (in our case notice of audits went from 12 months to 3 months and in many organizations this facet of becoming agile, often faces resistance from management).?Setting the right tone from the top is helpful when you adopt agile auditing, so for example having the CEO or Chairman openly support the case for change (i.e., generating greater organizational value from audits) will make the transition easier for both management and Internal Audit.

Secondly, moving to quarterly created significant reporting strain on the Audit team; not just the pressure to complete audits but also a lot of pressure to develop and present the plan for the next quarter, etc. to a strict Audit Committee reporting deadline. While we are all used to quarterly Audit Committee reports, we all can appreciate the work involved in developing the Audit plan, selling it to management, working through any business logistics or timing constraints, etc.

It took us several turns of the crank before we started to develop our quarterly audit planning rhythm. For example, we would develop our quarterly plan a quarter in advance.?Our Qtr 1 audit plan would be developed in October and presented to our Audit Committee in November for review and approval.?Our Qtr 2 plan would be developed in January and presented to the Audit Committee in February, etc.??It turned out to be a great improvement for us and allowed us to focus on risks that mattered here and now, rather than what we thought was important 12+ months ago, when we had an annual audit planning cycle. ?We maintained a long list of possible future audits in our Audit Backlog (Pipeline) and this was a living, breathing list of ideas that we added to and reprioritized regularly.?Further, we had a well-established calendarized stakeholder relationship meeting structure each quarter and these meetings were critical to us developing credible quarterly audit plans. So, on balance this was a big positive part of our agile implementation, however it requires a tremendous effort on behalf of the Audit team to keep on top of the stakeholder and Audit Committee reporting deadlines.

?Conclusion

Agile auditing will unlock a lot of value within your organization and is worthy of serious consideration in 2023, if you have not already gone down this path. Being agile means being progressive in your assessment of risks and providing assurance on risks and topics that matter to your organization, here and now. Implementing an agile Audit organization takes a lot of effort and requires open minds as it will change a lot of the existing status quo, resulting in a flatter less hierarchical team.?Agile ultimately was a good thing for us to adopt in a large multi-national company. Agile will not make your audits necessarily faster, but it can improve your risk responsiveness and Internal Audit proximity to risks that matter. Stakeholders will love the transparency and the Sprint / Sprint Review structure creates a sense of urgency. Risk coverage flexibility is increased, and Internal Audit can cover more risks while also eliminating low-level / low-value testing. Even if a full agile implementation is not on the cards, every Internal Audit team can adopt some agile practices to be more progressive (e.g., adopting Sprints / Sprint Reviews and Retrospectives is a great place to start).?

Want to learn more? – Check-out Shane’s 2022 Webinar with Chartered Accountants Worldwide Network USA on Auditing the Future – Where Does Internal Audit Go from Here?

?Here is the webinar link:?https://lnkd.in/eAT2d9e7

? Copyright – Shane Rogers FCA, MBA, all rights reserved.

Shane Rogers FCA, MBA is an independent risk and audit management consultant.?A former Audit Managing Director and US-based Chief Audit Executive with deep, partner-level, insurance, and investment banking experience globally, he has led progressive and agile Audit teams that thrive.?A Chartered Accountant and currently President of Chartered Accountants Worldwide Network USA, Shane has global experience working in large multi-national organizations, including, Swiss Re, Credit Suisse / First Boston and Price Waterhouse.?Shane has expertise setting and aligning organization Strategy, Vision & Mission, and conducting external Audit assessments (against IIA standards) and ERM team assessments and positions teams to optimize business impact and value-add.?He can be contacted via LinkedIn, or email [email protected].