Skip to content

March 23, 2023

Is Agile Auditing Enough?

By Clarissa Lucas

This post has been adapted from the Introduction to Beyond Agile Auditing: Three Practices to Revolutionize Your Internal Auditing Practices by Clarissa Lucas, coming in May 2023.

As we saw in a previous post, the traditional waterfall method of internal auditing worked for decades. But in today’s rapidly changing environment, the approach no longer serves the organization well in many instances. It is long, inflexible, and oftentimes drives adversarial relationships between two teams that should be working together.

The IIA’s 2018 North American Pulse of Internal Audit survey results emphasized the importance of adding agility to auditing. Internal Audit groups in every industry were looking to this idea of agility in auditing as a way to combat the novel challenges that had cropped up with the digital revolution, including the changing business landscape, increased velocity of risks, new and emerging risks, new technology, and increased uncertainty.

At the time of the survey, respondents indicated that although the importance of agility was clear, there were roadblocks to achieving the desired levels of agility in auditing, including resource challenges, organizational complexity, limited availability of the client for collaboration, and traditional expectations key stakeholders have of auditors.

It was also unclear how to achieve agility and what success really looked like. This isn’t uncommon with emerging concepts: the why is often clear, the what is somewhat clear, but the how is often unknown. This was no different. Auditors knew why they needed to change: the environment had changed, and traditional ways of working weren’t keeping up. They understood that agility and the ability to adapt to changes and keep up in the new environment was the answer (the what). What they hadn’t quite figured out was how. Enter the sprint-based delivery model known today as Agile Auditing.

What Is Agile Auditing?

To anyone in the manufacturing or software development industries, Agile should be fairly well known. Agile is defined by the Agile Alliance as “the ability to create and respond to change. It is a way of dealing with, and ultimately succeeding in, an uncertain and turbulent environment.”

Agile gained popularity as an approach to software development, anchored in values and principles to help teams navigate uncertainty and change. Because of the success the audit profession witnessed in other parts of their organizations where teams practiced Agile, auditors looked to apply Agile concepts to the audit process.

Agile Auditing became a project management framework that intended to provide a consistent or continual approach to auditing, performed iteratively in sprints instead of delivering only at the end of the audit. Organizations began experimenting with this approach in 2016, and it gained significant airtime in the industry beginning around 2017, with a number of papers published introducing the topic, including:

Articles in the IIA’s Internal Auditor magazine included articles on Agile Auditing from 2019 through today. These articles focused on delivering audits in sprints and leveraging Scrum concepts, such as sprint planning, daily stand-ups, and sprint reviews, during an audit. Industry webinars also focused primarily on performing audits in sprints as the go-to framework for Agile Auditing.

Today, most Agile Audits are performed by breaking the audit timeline into a number of sprints, typically lasting two weeks each. Each sprint includes elements of planning, fieldwork, and reporting, with results delivered at the end of each sprint. Agile Audits leverage daily stand-ups, where the team provides an update on the status of their work and communicates roadblocks or impediments to progress. Agile Audit teams perform a retrospective review at the end of each sprint to identify ways to improve in the next sprint.

Benefits of Agile Auditing

As my first experiment into Agile Auditing came to a close (which you can read about in my book Beyond Agile Auditing), I refocused on what the primary goal of Agile Auditing was. In my opinion, it mainly promised increased efficiency by reducing the amount of time spent during an audit, namely in the reporting stage of an audit (the time between the end of testing and when the final audit report is published). Because results during an Agile Audit are delivered iteratively throughout the audit rather than all at the end, the client is familiar with Internal Audit’s observations before the final report is drafted. This often results in fewer negotiations on the contents of the report and a faster or more efficient reporting stage.

In turn, this gets audit results into the clients’ hands sooner so they can start addressing the audit observations earlier. By the time the final report is published, the client has likely already begun making progress in addressing the observations, so auditors can include that progress in the final audit report, which in turn tells a much better story to the organization’s key stakeholders.

Thus, I find that another benefit of Agile Auditing is that it can create the opportunity for organizations to address risk exposures sooner. In my own personal experience, my clients made significantly more progress addressing gaps identified during the audit (i.e., my audit clients had accepted the risk or had a plan in place to address the risk, or better yet, they had already addressed the risk and closed the gap) as compared to an audit in the same space two years prior using the traditional waterfall approach.

Challenges with Agile Auditing

In 2018, the IIA surveyed 636 chief audit executives (CAEs). Only 45% of respondents (including representatives from financial services industries and nonfinancial services industries) indicated that they were “very” or “extremely” Agile. The IIA explains that this indicates a gap between what CAEs see as important and how much they’ve invested in addressing it.

In addition, AuditBoard indicated in 2020 that as a profession, auditors hadn’t made much progress in figuring out how to reap the benefits of agility:

A recent AuditBoard poll of over 1,000 internal auditors found that 82% say agile auditing has the potential to add more value to their work compared to the traditional project approach—although 45% reported a lack of knowledge or resources as the most significant obstacle to adopting agile.

Furthermore, Deloitte conducted a survey on the use of Agile Auditing and published the results of this survey in October 2021. According to the survey, 45% of the 181 organizations who responded to the survey were leveraging or considering Agile Auditing. Deloitte concluded, based on the survey results, that Agile Auditing is “helping functions to achieve better impact, faster insight, and happier and more engaged stakeholders.”

Based on these surveys, Agile Auditing had taken hold in less than half of survey respondents between 2018 and 2021. Those leveraging Agile Auditing reported experiencing clear benefits, such as greater impact, faster delivery of insights, and greater stakeholder engagement. Why, then, had more organizations not embraced Agile Auditing?

What’s Holding Agile Auditing Back?

The Deloitte paper postulates that sprint-based Agile Auditing may not be the best approach for all audits. It further explains various challenges survey respondents expressed in implementing Agile Auditing, including:

  • Forcing teams to implement Agile Auditing and resistance to change
  • Lack of clarity around the goal of Agile Auditing
  • Inconsistent application of Agile Auditing among teams

This survey clearly showed that while Agile Auditing had been successfully adopted by a number of organizations, many were lagging behind, likely due to taking an all-or-nothing approach to Agile Auditing paired with a lack of buy-in with the audit teams.

While strict, sprint-based Agile Auditing works incredibly well for some audits and some organizations, its challenges show that Agile Auditing isn’t a one-size-fits-all approach. Some teams may choose to implement this framework, while others may not. Still others may borrow some concepts from Agile Auditing and choose not to borrow other portions of it. Not one of these is the “best” way for everyone or for every audit. So if Agile Auditing wasn’t the silver bullet, what is?

Stay tuned as we look beyond Agile Auditing to what’s next in our next excerpt from  Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices by Clarissa Lucas. Coming from IT Revolution in May 2023.

- About The Authors
Avatar photo

Clarissa Lucas

Clarissa Lucas is an experienced audit and risk management leader in the financial services industry. She is also the author of "Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices", has written articles on Auditing with Agility that have been published by the IIA, and has spoken at a number of industry conferences on this topic locally and internationally.

Follow Clarissa on Social Media

No comments found

Leave a Comment

Your email address will not be published.



Jump to Section

    More Like This

    The Missing Link in Your Industry 4.0 Strategy: Industrial DevOps
    By Summary by IT Revolution

    As manufacturers embrace Industry 4.0, many find that implementing new technologies isn't enough to…

    The Original Disruptor of the Music Industry
    By Matt McLarty , Stephen Fishman

    I know. You’re thinking I'm talking about Napster, right? Nope. Napster was launched in…

    From Turbulence to Transformation: A CIO’s Journey at Southwest Airlines
    By Summary by IT Revolution

    When Southwest Airlines' crew scheduling system became overwhelmed during the 2022 holiday season, the…

    High Stakes Communication: The Four Pillars of Effective Leadership Communication
    By Summary by IT Revolution

    You've been there before: standing in front of your team, announcing a major technological…