Next-Gen Internal Audit: What Do We Mean When We Talk About Agile Audit?

Liz Berger, Director Internal Audit and Financial Advisory

As businesses focus on digital transformation for speed and service, they tend to put more emphasis on individuals and interactions than processes and tools. In the process, rigid hierarchical business processes are being replaced with collaboration, iterative processes and constant communication across the enterprise.

These new methodologies are borrowed from software development, where they were codified in the so-called “Agile Manifesto.” They are being applied to a variety of corporate functions, including governance, to ensure that the entire organization is structured in a way that supports this more flexible mindset, behaviors, skills and capabilities.

I recently co-hosted a webinar on how Agile methodologies can be adapted most effectively to next-generation internal audit practices. In this blog, I want to take the opportunity to define what we mean by “Agile” as it applies to internal audit.

Broadly, Agile auditing can be defined as working collaboratively with stakeholders on a series of mini-projects and continuous audits, in which feedback is provided on an ongoing basis, earlier in the process, and is used to add value to the audit. Agile internal audit allows the internal audit function to focus on stakeholder needs, accelerate audit cycles, drive timely insights, reduce wasted effort, and generate less documentation. In an Agile internal audit, internal auditors and stakeholders are able to determine upfront the value to be delivered by an audit or project. As the internal audit function considers its specific challenges and contemplates a custom solution, Agile helps prioritize audits based on risk and the readiness to undertake the work. This differs from the traditional approach where the role of audit is to provide a corrective historical perspective. Below is a comparative overview of the two approaches:

Audit plan: In the traditional audit approach, auditors work off an audit plan that is prescriptive and the audit involves a hierarchical chain of reviews. By contrast, an Agile plan is flexible to allow for a broader scope; is focused on audit value; is tailored to changing business landscapes so that the plan is never stale reducing the need to defer, delay or cancel audits; and seeks active involvement from process owners.

Audit fieldwork: Traditional audit teams work on pre-assigned focus areas, following a pre-determined scope. Audit teams work independently by performance area, follow a rigid timeline, and report findings up to their project leads who validate them in status meetings. In an Agile audit, fieldwork is integrated, with work performed in short “sprints,” with tasks assigned and status and roadblocks identified in daily “scrums.”

Review: In a traditional audit, the audit report goes through various levels and iterations of internal review, with business owners reviewing the report near the end of the process and auditors delivering an overall opinion and findings based on activities that occurred during the audit period. In an Agile audit, business owners are involved in the audit report process early on as they review and react to sprint findings daily. Viewpoints are consolidated in a collaborative process between auditors and business owners into an audit report focused on future insights.

As we define what Agile auditing is, it is also important to understand what it is not. First and foremost, as noted above, Agile audits are not prescriptive. This can be a difficult adjustment for established internal audit functions accustomed to fixed deliverables and checklist-style audit reports. On the other hand, although they are more flexible, Agile audits are not an excuse to reduce documentation, eliminate planning or reduce budgeting.

Communication is key, so auditors practicing Agile methods must communicate what they are doing and why and take the organization along with them. They won’t always be successful. The organization might not be ready, or the project might not be right. The important thing is to be flexible — apply the framework and see what works. Remember, adopting an Agile audit approach in internal audit is not a one-size-fits-all proposition.

Protiviti profiled a number of organizations that are applying Agile audit methodologies in Internal Auditing Around the World, Volume 15. You can read about some of the more notable examples in this post.

Agile auditing, like the Agile methodologies on which it relies, is an iterative process. Auditors need to be prepared to try and fail, and to try again. Adopting an Agile audit approach requires a mindset shift. The benefits of Agile audit brings — deeper insights, more responsive risk management, improved risk focus, and more timely and impactful reporting — are well worth the effort.

2 comments

  • Nice work. I’d add that to be agile the auditor must understand the business objectives being pursued By the first line of defense and be committed to contributing to them. That means a willingness to sacrifice independence for relevance. Assurance without performance is useless.