Inspire, develop, and guide a winning organization.
Create visible workflows to achieve well-architected software.
Understand and use meaningful data to measure success.
Integrate and automate quality, security, and compliance into daily work.
Understand the unique values and behaviors of a successful organization.
LLMs and Generative AI in the enterprise.
An on-demand learning experience from the people who brought you The Phoenix Project, Team Topologies, Accelerate, and more.
Learn how making work visible, value stream management, and flow metrics can affect change in your organization.
Clarify team interactions for fast flow using simple sense-making approaches and tools.
Multiple award-winning CTO, researcher, and bestselling author Gene Kim hosts enterprise technology and business leaders.
In the first part of this two-part episode of The Idealcast, Gene Kim speaks with Dr. Ron Westrum, Emeritus Professor of Sociology at Eastern Michigan University.
In the first episode of Season 2 of The Idealcast, Gene Kim speaks with Admiral John Richardson, who served as Chief of Naval Operations for four years.
New half-day virtual events with live watch parties worldwide!
DevOps best practices, case studies, organizational change, ways of working, and the latest thinking affecting business and technology leadership.
Is slowify a real word?
Could right fit help talent discover more meaning and satisfaction at work and help companies find lost productivity?
The values and philosophies that frame the processes, procedures, and practices of DevOps.
This post presents the four key metrics to measure software delivery performance.
June 9, 2022
This post is adapted from the paper “Don’t Just Survive Your Audit, Thrive in It!” by Clarissa Lucas from the Spring 2022 DevOps Enterprise Journal.
When the auditors come knocking, some people cringe and brace for the worst. Others immediately switch to survival mode, seeing auditors as adversaries out to make them look bad in a battle of good versus evil. Auditors can get a bad reputation quickly. Over the years, some have viewed them as the corporate police who get paid by the finding or as robots following a mysterious, unchanging checklist, unwilling to listen to management to truly understand the area under review. No one in their right mind would throw open the door and welcome the knocking auditor with open arms in that scenario!
Now imagine you have a magic wand and can transform your relationship with your auditors and your experience during an audit. What would that look like? Perhaps you’d help the auditors understand what your team does, why it’s valuable to the organization, and what matters most to you and your team.
Some might wave the magic wand and create a world where auditors and auditees are on the same team working toward a collective outcome and, dare I say it, having fun. What if you could transform them from adversaries to trusted advisors who provide valuable insights? Maybe then when the auditors came knocking, you would be excited about their arrival.
Now what if I told you this wasn’t a fantasy to be conjured up only with the assistance of a magical relic? That it could be your reality? Don’t believe me? I get it. I’m an auditor. I’m skeptical by nature, and I can expect the same from my clients and readers as well.
That’s why I wrote this paper. It shows readers how to make this fantasy a reality by understanding the current and future states of internal audit processes and exploring ways readers can help their auditors along their journey to more value-added audits and stronger client relationships.
Before embarking on the journey to get to the fantastic utopian land of more engaging partnerships between auditors and management, we first need to understand how we got to a place where auditors and management are, at times, adversaries.
The Institute of Internal Auditors (IIA) defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Auditors must, by definition, be independent and objective. Organizations often achieve this by creating organizational separation between internal audit and management, often using the metaphor of the two sitting on opposite sides of a table. When an auditor has experience as both an auditee and an auditor, they are said to have experience sitting on “both sides of the table.”
Division is inherent in this model. Even the IIA’s former three lines of defense model refers to the three lines within an organization (management, risk management, and internal audit) as the first, second, and third lines of defense, which sometimes results in an “us vs. them” defensive mindset. These divisions can lead to auditors being set up as management’s adversaries.
The intent of this paper is not to discount or disregard the current way of auditing or the guidance supporting such. The three lines of defense model is incredibly important to the profession of internal auditing and to the organizations auditors support. It clearly explains how risk is managed throughout organizations and outlines accountabilities across multiple organizational layers.
In addition to creating clarity, the three lines of defense model creates an environment focused on avoiding duplication of efforts and coverage gaps. The objectives of this paper include exploring ways to build upon and improve existing ways of auditing and showing technology leaders how they can benefit from changes to the audit process and how to help their auditors on their journey of improvement.
It is increasingly important for internal auditors to audit what matters most (e.g., areas of highest risk or greatest impact to the organization). Incorporating Agile and DevOps practices into the audit process can help auditors challenge old ways of working and focus on what matters most to the organization (more on the specific DevOps practices to incorporate in an audit later). It can also result in the realization of additional benefits, including:
Do any of these benefits sound familiar? Many of them are part of the fantasy audit experience described at the beginning of this paper. Instead of using magic, these benefits can be achieved through Agile and DevOps practices.
What is agile auditing, and how is it going to bring about these benefits? Agile auditing, or auditing with agility, transforms the typical audit process from a waterfall approach to a more collaborative and iterative approach. In a typical audit, each stage (planning, fieldwork, and reporting) is completed prior to starting the subsequent stage(s). For example, the entire audit is planned before testing begins, and testing is completed before results are reported to stakeholders.
Agile auditing introduces a new way of working for auditors. Agile auditors value people over processes, delivering audit results over extensive documentation, collaborating with clients over negotiating with them, and responding to changes over strictly following a plan. If this sounds familiar to you, it should. These are Agile values modified for the audit process.
A quick item of note: Throughout this paper, the individuals audited in a traditional approach are referred to as auditees, as they are individuals an audit is performed on or to. Individuals outside of the audit team participating in an agile audit are referred to as clients. Instead of being audited, they are active participants in an agile audit, partnering with the auditors throughout the engagement. This will become clearer throughout the paper. Management is also a term used to reference individuals outside of the audit team. This is a more neutral term, referring to the first or second lines as depicted in the IIA’s three lines model. Management is referred to as an auditee or a client in this paper, depending on the way of working described (traditional or agile).
Agile auditors may incorporate practices familiar to technology organizations, including making work visible, pull vs. push method of assigning work, daily stand-ups, and working in sprints.
Continue reading for free in the Spring 2022 DevOps Enterprise Journal.
Clarissa Lucas is an experienced audit and risk management leader in the financial services industry. She is also the author of "Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices", has written articles on Auditing with Agility that have been published by the IIA, and has spoken at a number of industry conferences on this topic locally and internationally.
No comments found
Your email address will not be published.
First Name Last Name
Δ
"This feels pointless." "My brain is fried." "Why can't I think straight?" These aren't…
As manufacturers embrace Industry 4.0, many find that implementing new technologies isn't enough to…
I know. You’re thinking I'm talking about Napster, right? Nope. Napster was launched in…
When Southwest Airlines' crew scheduling system became overwhelmed during the 2022 holiday season, the…