Agile Auditing: Three Pillars for Effective Implementation
Publication Date: May 14, 2024
With the changing landscape of both internal and external audit environments, industry researchers are eager to suggest that the traditional waterfall approach to conducting audits needs to be adjusted to make way for a more flexible, responsive, transparent, and engaged audit process. G.L. Joshi believes agile auditing, when implemented effectively, can “elevate the performance and value of internal audits.” Agile auditing is based on the principles and values from agile methodologies used extensively in software development. It consists of focusing on individuals and interactions, working products and services, customer collaboration, and responding to change.
This methodology adapts to focus on the needs of the stakeholders, expedite audit cycles, reduce effort and time, and create less unnecessary documentation. Liz Berger, former Director at Protiviti, explained that as an alternative to the traditional and sequential waterfall process, agile auditing does not necessarily change what auditors do, but how an audit is done. Agile auditing can offer opportunities to evolve auditing with the times. The application of agile auditing to audit, risk, and compliance, and its effective implementation, rely on three pillars: risk-based audits, stakeholder management, and agile ceremonies.
Risk-Based Audits
A crucial step for internal auditors is to prioritize and audit the highest risk to the organization. Auditors need to focus on the areas most likely to impact the organization’s business objectives. Effective audits result from the application of key aspects in risk-based auditing including risk identification and assessment, risk-based audit plan, testing and evaluation, and reporting and communication.
Spiros Alexiou explained in an ISACA article that agile models involve the bare minimum required documentation, making the process more streamlined. This, in turn, gives the auditors an opportunity to focus on the “insights, risks, and opportunities that stakeholders need,” according to Galvanize (now Diligent). Joshi also emphasized that agile auditing enables auditors to become more flexible and adaptive as they are able to check their progress in short intervals instead of waiting until the whole audit process has been completed, thus increasing value and risk-specific insights. When applied to higher education audits, for example, an agile audit can improve risk management practices across the institution. Agile audit practices can enable colleges and universities to identify, assess, and mitigate risks more effectively, safeguarding the institution’s assets, reputation, and compliance with regulatory requirements.
Stakeholder Management
There is an art and a science in managing both internal and external audit stakeholders. Identification and prioritization of impacted stakeholders is an important step. The level of stakeholder influence and interest in the audit process can influence the success or failure of an audit. Hence, it is important to manage expectations proactively by fostering collaboration and engagement. There needs to be a clear and timely communication channel tailored to each stakeholder’s specific needs and information level. Most importantly, auditors need to invest time in building and maintaining positive relationships with key stakeholders using skills such as regular engagement, professionalism, and empathy when addressing stakeholder concerns.
For agile auditing to be implemented successfully, KPMG notes that the vision must be shared by top management and leadership, auditors, and clients. DBS, the largest bank in Singapore and Southeast Asia, was one of the early adopters of agile auditing. According to DBS, the secret to their successful implementation was the supportive tone from management across the board, auditors who fully immersed themselves in the methodology, and clients who were knowledgeable of agile auditing, which allowed for close collaboration. As a result, the DBS Internal Audit team was able to boost the number and gravity of the risks they found, which improved the level of audit assurance they were able to provide to their stakeholders. In the bigger scheme, the process does not really change, but auditors become more equipped and knowledgeable about where to look harder.
Agile Ceremonies
The ceremonies within agile auditing facilitate effective communication, collaboration, and planning within Agile Teams. The four main Agile ceremonies are: Sprint Planning, Daily Stand-up, Sprint Review and Sprint Retrospective/Lessons Learned.
- Sprint Planning prioritizes the highest risks, defines the scope for the upcoming schedule/sprint, and requires audit teams to estimate the work according to their personal velocity and bandwidth.
- Daily Stand-ups help the audit team identify roadblocks and adjust plans as needed. Each team member focuses on three main questions: what I worked on yesterday, what I will work on today, and what roadblocks prevent me from completing assigned audit work.
- Sprint Review showcases the completed work and gathers feedback for completed audit workpapers and reports. This allows the audit management team to strategize and define the next audit work to be completed.
- Sprint Retrospective allows the team to identify areas for improvement and agree on action items for implementation in the next sprint.
KPMG describes how a global banking institution implemented agile auditing by organizing daily stand-up meetings within the audit teams. This allowed them to evaluate whether the execution and performance corresponded with planning. These daily stand-up meetings gave the teams an opportunity to check for bottlenecks, assess prioritization, and provide feedback. They also organized a bi-weekly “market place” where sprint reviews were evaluated and discussed with all the teams involved so they could review the total audit plan’s progress and provide mutual feedback.
Agile auditing is more than the ceremonies, as it also must work hand-in-hand with risk-based audits and effective stakeholder management. Success in agile auditing requires an agile mindset, dedicated to continuous improvement.
References
Joshi, P. L. (2021). A review of agile internal auditing: Retrospective and prospective. International Journal of Smart Business and Technology, 9(2), 13 – 32.
KPMG. (2020, October). Agile internal audit. White paper on working Agile within internal audit functions. https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2020/10/agile-internal-audit-white-paper-on-working-agile-within-internal-audit-functions-part-2.pdf
Deloitte. (2017). Becoming agile: A guide to elevating internal audit’s performance and value. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/finance/deloitte-uk-understanding-agile-ia.pdf
Berger, L. (2020, January 2020). Agile internal audit: How to audit at the speed of risk. Protiviti. https://blog.protiviti.com/2020/01/27/agile-internal-audit-how-to-audit-at-the-speed-of-risk/
Galvanize. (2019, April 23). An overview of agile auditing. Galvanize. https://www.wegalvanize.com/audit/an-overview-of-agile-auditing/#:~:text=The%20main%20difference%20between%20agile,work%2C%20and%20increased%20collaboration).
Alexiou, S. (2017). Agile audit. ISACA Journal (2), 27 – 35. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/agile-audit
About the Author
Carl Canlas
Dr. Carl Canlas is a Senior Auditor at the Church of Jesus Christ of Latter-day Saints and an Adjunct Professor at Brigham Young University Marriott School. Currently, his research focuses on agile project management, cybersecurity audits and artificial intelligence. Dr. Canlas also speaks frequently at conferences, including the 2023 ACUA AuditCon in Miami, Florida.