job Kvalitet og metode

A practical take on agile auditing

Agile auditing, when translated into practical terms, is a simple and straightforward approach to deliver efficient and effective internal audit products.

Executive Summary

The expanding risk environment for companies, non-governmental organizations, and government entities has broadened the scope of internal audit functions. Innovative internal audit approaches such as Agile auditing, are introduced to respond to the demands. Unfortunately, presentations of Agile auditing have mostly focused on more theoretical and superficial aspects of the approach which has led to IA functions’ reluctance in adopting the new approach.  

Agile auditing, when translated into practical terms, is a simple and straightforward approach to deliver efficient and effective internal audit products. The approach is suitable for some projects and less so for others. This article aims to provide examples of projects and circumstances where the approach is not only suitable, but also very effective in assessing internal controls and providing clients with added value and timely implementation of corrective action. 

Background

Automation, global connectivity, and dynamic risk environments have challenged the traditional internal audit (IA) functions’ focus on offering assurance around business-process risks and controls. Operational, financial and reputational risks have increased and become more complex with the introduction of new regulatory regimes, for example, related to information security, finance and banking, and environment, social and governance (ESG) reporting.

Consequently, IA functions have been tasked with broadening their scope of work, developing more innovative methodologies, improving their rate of production and increasing stakeholder involvement in the audit process to manage emerging risks in real time. As the risk landscape becomes more complex, IA functions have also been challenged to review their traditional risk-based process involving a ‘waterfall approach’. The linear progression of the waterfall approach, which often includes planning, preliminary research, fieldwork, reporting, evaluation and follow-up, generally restricts the start of one phase before the previous phase is completed. This approach is often criticized for its rigidity and delay in providing management with the necessary recommendations to improve the area under audit in a timely manner.

Given these criticisms of the traditional IA approach, Agile project management, originally used in software development, has emerged as an alternative approach and is increasingly applied in various functions of organizations and companies, including their internal audits. Advocates of Agile auditing argue that the approach provides a more flexible and dynamic system for internal auditing and requires a paradigm shift and a change in mindset for companies looking to adopt this approach. The main values of the Agile project management approach include:  

  • Individuals and interactions over processes and tools
  • Working software (product) over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

Over the past few years much has been written about the adoption of the Agile approach by IA functions, the comparisons between traditional IA waterfall and Agile audit methodologies, and corresponding benefits derived from embracing the Agile approach.

Tekstboks: Figure 1: Comparison of traditional waterfall vs Agile approach.       Source: KPMG White Paper on working Agile within Internal Audit Functions, part I, Introducing working Agile, June 2020
Figure 1: Comparison of traditional waterfall vs Agile approach.
Source: KPMG White Paper on working Agile within Internal Audit Functions, part I, Introducing working Agile, June 2020

One such publication, espouses two distinctive approaches to Agile internal auditing, one being a “macro-level mindset focused on improving internal audit engagements and activities in a way that minimizes waste and is responsive to providing timely insights nimble enough to accommodate the dynamic risk environment.” And the other “a specific, defined approach to executing internal audit engagements that enhances value to stakeholders.”

Other narratives interpret the two approaches leading to the same benefit, meaning that by achieving an improved IA process, IA functions can be seen to provide enhanced value and therefore better address the needs of its customers. One such example states “Agile Internal Audit is the mindset and method that an IAF (internal audit function) uses to focus on the needs of stakeholders; accelerating the audit cycles, providing timely insight and reducing the waste of resources.

According to advocates of the approach, in addition to more insightful and more efficient audit outcomes, some of the benefits often associated with Agile IA are:

  • Risk agility: Which allows for flexibility in responding to dynamic risk
  • Efficiency: Reduce audit cycle times and delivery of (sub) products
  • Focus on continuous prioritization of key areas and thereby providing relevant insight
  • More interaction between the audit team and the auditee, which improves the management of expectations
  • Increased audit quality

Challenges

For companies and IA functions that are considering implementing the Agile approach, the idea of introducing and adopting a revolutionary new approach by overhauling a functioning IA system and an established organizational “mindset” is often overwhelming. It requires more frequent management and board engagement, elimination of annual planning in relation to resources, training all IA staff in new technique, developing or hiring experienced Scrum Masters and coordinating with internal or external subject matter experts for every audit. This is especially true of global companies with a large number of IA staff who need to be trained or replaced in order for the company to adopt this new approach.

While all IA functions should strive to enhance the efficacy of their methodologies to better respond to emerging risks in their sectors, the rationale and expectation to restructure their entire approach is often viewed as unnecessary or met with skepticism and reluctance.

Most of the literature advocating for the adoption of Agile auditing focuses on the theoretical and superficial aspects of the approach. For instance, aspects such as audit backlog, definition of ready, various ceremonies during audit sprints, daily stand-ups, definition of done and sprints retrospective are often given the primary focus of how this is a vastly different approach to the traditional approach. Unfortunately, there is insufficient explanation of the practical aspects of an Agile audit methodology, combined with a lack of specific examples of Agile audits and guidance on circumstances in which the use of Agile is most suitable.

Solution

To adopt the useful aspects of the Agile approach, companies need to better understand, in practical terms, the methodological differences between the two approaches and when they can conduct Agile audits without having to fundamentally overhaul their IA functions:

1. What, in practical terms, differentiates an Agile audit methodology from a traditional one, and how can audit companies adopt these changes?

At its core, Agile is not a revolutionary approach to auditing but rather a faster system to deliver audit products and increase stakeholder engagement in the audit process. The idea that in order to adopt the Agile approach, an IA function must go through a significant transformation is based on some assumptions that are not entirely applicable to most current IA functions. For example:

a) Set or rigid methodology for every audit: Faced with expanding risk profiles, most mature IA functions use flexible IA methodologies in order to achieve audit objectives.  Furthermore, while the subject area and objectives of an internal audit often remains consistent, audit teams often have enough flexibility to adapt to new developments or focus on risk areas previously not included within the objectives of the audit.

b) Risk dynamics: Although risk profiles for IA functions have significantly expanded over the years, the risks within the focus area of most internal audits are not as rapidly changing during the course of an audit, as some advocates of Agile IA suggest. As for the dynamic risks that a company faces, there are few, if any, IA functions that would not review an immediate and significant risk because it was not initially included in their annual audit plan (more on this in point 2. below).

c) Increased involvement of the auditee: The concept of increased involvement of the auditee in an audit is great in theory, however years of conducting audits have shown us that time and resources of most functions being audited are limited and that staff prefer to focus on their daily tasks rather than be continuously involved in the internal audit.

As we see it, implementation of an Agile auditing framework does not require revolutionizing the client’s entire work system or its IA function but rather adopting some of Agile’s useful aspects and principles that can increase productivity and flexibility and ultimately deliver better quality IA products.

2. If the essence of the Agile approach is the ability to change focus and direction quickly without causing disruption to the whole structure, then how can companies adopt the approach without having to overhaul their already functioning IA processes?

The Agile IA process, which uses a Scrum Framework, “generally flows according to beginning, middle, and end segments that represent distinct Agile IA process activities.” The Agile methodology uses iterative planning and conducts internal audits in sprints. However, each sprint, if examined closely follows the same traditional linear approach. This distinction is key in adopting some of the useful ideas from Agile audit approach without subjecting an established IA function to unnecessary transformation or change in mindset.

For example, conducting a project or portfolio management audit lends itself perfectly to using the Agile approach. Management of Portfolio (MOP) by AXELOS, considered by many as the best practice in this field, defines portfolio management as: “A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual.”

Tekstboks:
Figure 2: Key activities required to successfully define and deliver a portfolio of change. Source: Management of Portfolios, by Axelos

Using this as the criteria for assessing a portfolio, an audit team can break down the portfolio into prioritized processes, and plan audit sprints according to that prioritization. 

Each process is then reviewed using regular, albeit more flexible, audit methodologies to develop its findings and recommendations in relatively short periods (sprints). Before moving on to the next sprint, the audit team can also use the ‘sprints retrospective ceremony’ to assess and adjust their methodology and, if needed, prioritize areas of higher or more immediate risks as identified during the completed sprint.

Tekstboks: Figure 2: Key activities required to successfully define and deliver a portfolio of change. Source: Management of Portfolios, by Axelos
Figure 3: Example of a Sprint for a Portfolio Management audit. Source: KPMG Norway

Similarly, there is a case to be made that IA functions need more flexibility in their annual, or otherwise, audit planning to respond to changes in the risk profile within their industries, their social and environment context, and geopolitical areas of operation.

This is another area where the Agile approach can be applied very effectively. For example, the recent political developments in places like Myanmar and Belarus have presented unexpected risks for companies operating in these countries. An IA function, using internal or external resources, can quickly mobilize a team that includes auditors, data and security analysts, sanctions and due diligence professionals, and ESG experts, without having to disrupt their annual audit plan. Using the Agile approach and subject matter experts, the team can assess the company’s internal controls in mitigating new and developing financial, security, and reputational risks while providing stakeholders with relevant information and recommendations for corrective measures in real time.