June 9, 2022
This post is adapted from the paper “Don’t Just Survive Your Audit, Thrive in It!” by Clarissa Lucas from the Spring 2022 DevOps Enterprise Journal.
When the auditors come knocking, some people cringe and brace for the worst. Others immediately switch to survival mode, seeing auditors as adversaries out to make them look bad in a battle of good versus evil. Auditors can get a bad reputation quickly. Over the years, some have viewed them as the corporate police who get paid by the finding or as robots following a mysterious, unchanging checklist, unwilling to listen to management to truly understand the area under review. No one in their right mind would throw open the door and welcome the knocking auditor with open arms in that scenario!
Now imagine you have a magic wand and can transform your relationship with your auditors and your experience during an audit. What would that look like? Perhaps you’d help the auditors understand what your team does, why it’s valuable to the organization, and what matters most to you and your team.
Some might wave the magic wand and create a world where auditors and auditees are on the same team working toward a collective outcome and, dare I say it, having fun. What if you could transform them from adversaries to trusted advisors who provide valuable insights? Maybe then when the auditors came knocking, you would be excited about their arrival.
Now what if I told you this wasn’t a fantasy to be conjured up only with the assistance of a magical relic? That it could be your reality? Don’t believe me? I get it. I’m an auditor. I’m skeptical by nature, and I can expect the same from my clients and readers as well.
That’s why I wrote this paper. It shows readers how to make this fantasy a reality by understanding the current and future states of internal audit processes and exploring ways readers can help their auditors along their journey to more value-added audits and stronger client relationships.
Before embarking on the journey to get to the fantastic utopian land of more engaging partnerships between auditors and management, we first need to understand how we got to a place where auditors and management are, at times, adversaries.
The Institute of Internal Auditors (IIA) defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Auditors must, by definition, be independent and objective. Organizations typically achieve this by creating organizational separation between internal audit and management, often described with the metaphor of the two sitting on opposite sides of a table. When an auditor has experience as both an auditee and an auditor, they are said to have sat on “both sides of the table.”
Division is inherent in this model. Even the IIA’s former three lines of defense model refers to the three lines within an organization (management, risk management, and internal audit) as the first, second, and third lines of defense, which sometimes results in an “us vs. them” defensive mindset. These divisions can lead to auditors being set up as management’s adversaries.
The intent of this paper is not to discount or disregard the current way of auditing or the guidance supporting such. The three lines of defense model is incredibly important to the profession of internal auditing and to the organizations auditors support. It clearly explains how risk is managed throughout organizations and outlines accountabilities across multiple organizational layers.
In addition to creating clarity, the three lines of defense model creates an environment focused on avoiding duplication of efforts and coverage gaps. The objectives of this paper include exploring ways to build upon and improve existing ways of auditing and showing technology leaders how they can benefit from changes to the audit process and how to help their auditors on their journey of improvement.
It is increasingly important for internal auditors to audit what matters most (e.g., areas of highest risk or greatest impact to the organization). Incorporating Agile and DevOps practices into the audit process can help auditors challenge old ways of working and focus on what matters most to the organization (more on the specific DevOps practices to incorporate in an audit later). It can also result in the realization of additional benefits, including:
Do any of these benefits sound familiar? Many of them are part of the fantasy audit experience described at the beginning of this paper. Instead of using magic, these benefits can be achieved through Agile and DevOps practices.
What is agile auditing, and how is it going to bring about these benefits? Agile auditing, or auditing with agility, transforms the typical audit process from a waterfall approach to a more collaborative and iterative approach. In a typical audit, each stage (planning, fieldwork, and reporting) is completed prior to starting the subsequent stage(s). For example, the entire audit is planned before testing begins, and testing is completed before results are reported to stakeholders.
Agile auditing introduces a new way of working for auditors. Agile auditors value people over processes, delivering audit results over extensive documentation, collaborating with clients over negotiating with them, and responding to changes over strictly following a plan. If this sounds familiar to you, it should. These are Agile values modified for the audit process.
A quick item of note: Throughout this paper, the individuals audited in a traditional approach are referred to as auditees, as they are individuals an audit is performed on or to. Individuals outside of the audit team participating in an agile audit are referred to as clients. Instead of being audited, they are active participants in an agile audit, partnering with the auditors throughout the engagement. This will become clearer throughout the paper. Management is also a term used to reference individuals outside of the audit team. This is a more neutral term, referring to the first or second lines as depicted in the IIA’s three lines model. Management is referred to as an auditee or a client in this paper, depending on the way of working described (traditional or agile).
Agile auditors may incorporate practices familiar to technology organizations, including making work visible, assigning work by pull rather than push, daily stand-ups, and working in sprints.
Continue reading for free in the Spring 2022 DevOps Enterprise Journal.
Clarissa Lucas is an experienced audit and risk management leader in the financial services industry. She is also the author of "Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices", has written articles on Auditing with Agility that have been published by the IIA, and has spoken at a number of industry conferences on this topic locally and internationally.