Agile Internal Audit: How to Audit at the Speed of Risk

There’s never been a better time to be an internal auditor. The internal audit profession is being asked to respond to an ever-increasing set of issues that reside in technology, compliance, culture, risk and other emerging hot topics. The ability for internal audit functions to remain relevant and address the needs of their clients is incumbent upon using new tools and techniques, including the Agile methodology.  

Agile auditing provides an alternative to the traditional and sequential “waterfall” audit process: not changing what we do but how we do it. The Agile approach to audit is more flexible, responsive to changes, and based on transparent communication and engagement with business stakeholders.

At a recent Protiviti webinar, we discussed how Agile auditing can produce deeper insights, more responsive risk management, improved risk focus, and more timely and impactful reporting. I highlighted the characteristics of Agile audit in this post. Here I describe the core components and supporting elements of an Agile audit, as well as some of the risks and challenges and how to address them.

Core Components

There are three basic structural components to an Agile audit:

1. Backlog — Similar to an audit plan, the backlog is a collection of scoped items that must be reviewed by the audit team. Unlike an audit plan, scoped items can be removed or added to the backlog based on perceived risk and value add of the item. Rather than focusing on items that were predetermined during annual audit planning, auditors can address emerging issues that the stakeholders are currently experiencing, by using backlogs. Internal auditors and stakeholders must agree on how an item in the backlog will be tested, as well as the expected value from the test, prior to adding the item to the backlog.
2. Sprints — The tasks associated with a scoped item are divided into sprints. A sprint is a time period within which a task must be completed. Sprints are typically one to four weeks long, with two weeks being the average. Sprints ensure audit teams meet required deadlines through accelerated delivery cycles.
3. Scrums — Scrums are short and concise meetings, typically lasting 15 to 30 minutes, that are held daily between audit team members and key business stakeholders. The meetings cover 1) what was done yesterday, 2) what will be done today, 3) roadblocks to the current sprint and 4) potential issues.

Supporting Elements

To effectively apply these core components to an audit, three supporting elements must be considered:

1. Cross-functional teams — Each sprint team should be equipped with all of the skill sets (IT, compliance, operational, etc.) required to complete the assigned tasks. Close collaboration and continuous communication within the sprint team break down traditional silo walls, increasing efficiency and allowing the team to work with a sharper focus. This also strengthens relationships and builds trust between internal auditors and their business partners.
2. Continuous integration — Elements of the project from different groups should be pulled together on an ongoing basis to prevent any single element of the project from becoming a silo. Usually, this concept is associated with larger and more complex audit initiatives or projects.
3. Project information dashboard — Project information dashboards make project information available to the team and stakeholders on a real-time basis. They provide transparency to the project scope, status and results, and they facilitate collaboration within the team through information sharing. Agile principles focus on face-to-face or co-located interaction but have been necessarily augmented with technology, as teams are more frequently structured in a distributed manner.

Challenges and Risks

In our work helping clients implement Agile audit methodologies, we have experienced the full spectrum of challenges that may arise with a change of this magnitude. Here are some of the most common challenges that companies encounter, along with suggested ways to address them:

Adopting everything — Trying to adopt all aspects of Agile is counterproductive and goes against the core principles of Agile methodologies. Because Agile requires a culture and mindset shift, it’s best to introduce it in an iterative and staged manner. When applying Agile, it is best to pick and choose the practices that are most appropriate for that particular organization. Every organization will be different.

Top-down approach — It is similarly counterproductive for audit executives to try to dictate change, from the top down and all at once. Agile is, at its core, a flexible framework to be explored by teams and applied as circumstances require, in a phased manner, from the bottom up, to promote innovation and collaboration.

Abandoning core internal audit principles — Adopting Agile does not eliminate the need to meet internal audit standards or regulatory requirements related to providing assurance, quality of execution or reporting. Rather, implementing Agile components in a manner conducive to internal audit principles allows organizations to realize the benefits without compromising those principles while enhancing quality and adding value. Defining methodology and intended outcome on the front end of an audit will help ensure that all of the core internal audit principles are continuously followed.

Maintaining coverage — Flexibility within Agile requires increased transparency and ability to track coverage decisions. It may also require teams to rethink their coverage approach. Special care should be taken to ensure that this does not result in reduced risk coverage or documentation.

Skill sets — This is really focused on how to optimally structure teams so that all necessary skill sets are available on each team. As mentioned in the discussion of supporting elements above, ensuring that all of the individuals involved in a cross-functional team have the skill sets necessary to accomplish the team’s tasks will ensure efficiency and remove traditional silos.

While the core components, supporting elements and typical challenges are outlined rather neatly above, I would be remiss if I didn’t send readers away with a clear understanding of how much actual work is involved. It is not easy getting the right people on board and getting the right level of buy-in from the company. This is something that requires considerable time and energy. For example, one of our clients invested more than 18 months defining what its model will look like, going through a pilot and then deploying Agile in a thoughtful way.

Protiviti interviewed a number of organizations on how they have applied Agile methodologies to transform their internal audit functions. You can read these real-life examples in Internal Auditing Around the World, Volume 15.

Nick Russell, Associate Director with Protiviti’s IT Audit practice, and Simaren Sandh, Manager with Protiviti’s Internal Audit practice, contributed to this content.