Looking Beyond Agile Auditing

This post has been adapted from the Introduction to Beyond Agile Auditing: Three Practices to Revolutionize Your Internal Auditing Practices by Clarissa Lucas, coming in May 2023.

As we saw in the last post, Agile Auditing has both tangible and measurable benefits, but it also presents some challenges. One of the pitfalls of Agile Auditing is taking an all-or-nothing approach. In other words, many organizations turn what should be a mindset or cultural shift into yet another strict and rigid framework (so-called checklist Agile). Other Agile Auditing mistakes include applying a rigid approach in every situation without accounting for the unique attributes of each area under review (i.e., assuming one size fits all); forcing teams to adopt a methodology, resulting in a resistance to change; focusing on the framework itself rather than the intended outcomes; and failing to consider the client’s working style.

To truly reap the benefits that Agile Auditing promises us, we must move beyond the idea that Agile Auditing is a framework we can push onto our teams. We must move beyond the strict confines of Agile Auditing and toward that of, what I call, Auditing with Agility. This subtle distinction is intentional and deserves some air time.

Agile Auditing vs Auditing with Agility

Agile Auditing is often interpreted as a thing to do. Teams want to do Agile or do Agile audits. But with better ways of auditing, including Agile Auditing, what you do shouldn’t change. Internal Audit should still provide assurance on existing risks and consult on emerging risks. Instead of something you do or a framework or method to employ, Auditing with Agility outlines ways to do what you do better. Using the phrase “Auditing with Agility” makes it more clear that what you do stays the same—you’re still auditing. How you go about auditing is what changes, and it might not always be exactly the same in every instance.

You’re not “doing” Agile, you’re being agile.

“Doing” Agile is an output-focused approach, like measuring success by the number of audits performed in sprints or the number of audits that leverage daily stand-ups. Those measures don’t directly correlate with value to the organization. Instead, being agile is a way of working focused on achieving outcomes, like increased ability to respond to change, delivery of results sooner, better alignment between audit activities and the most relevant or emerging risks, and increased ability to stop auditing when appropriate rather than continuing on the set path regardless of what the team learns along the way.

You can implement Agile tools and practices without being agile. It’s important to change your mindset (and your organization’s mindset) to one of agility (changing the way of working and thinking to enable adaptation to change) rather than a mindset focused on a single methodology.

The real benefits of Auditing with Agility are realized when you operate in an agile, adaptable manner, not necessarily when you implement a specific tool without modifying your processes to become more agile. What the digital revolution taught us is that an organization’s ability to adapt to change is the number one differentiator on the market. It is the difference between failure and survival, as well as between surviving and thriving. If you’re rigid and set in your ways, then change is a disruptor, sometimes with catastrophic results. However, if you’re part of an adaptable organization, then change simply presents a new and welcome opportunity. This is what you live for. It doesn’t have to be any different for internal audit.

Instead of every audit following the exact same waterfall approach, or every audit following the exact same Agile Auditing sprint formula, Auditing with Agility throws assumptions and strict frameworks out the window, and instead focuses on three core components: value, integration, and adaptability. I’m going to get into this more in the next chapter, but by focusing how we work on those three things, Internal Audit can face any change that’s on the horizon.

Remember, this is only a change in how Internal Audit works, not in what Internal Audit does. Auditing with Agility still delivers independent, objective assurance and consulting services to add value and improve an organization’s operations. Now we’ll do it sooner, safer, and much happier.

Some organizations make a rapid switch from traditional ways of auditing straight to Agile Auditing, and as I stated earlier, some of these organizations fail in their transformations. Others, particularly those seeking to audit with agility rather than “doing” Agile Auditing, approach the transition as more of a journey. I was fortunate enough to be in one of those organizations.

In my third experiment with Agile Auditing (which you can read about in my book Beyond Agile Auditing) my team looked at the challenges from our previous two experiments and took things a bit further, including bringing in DevOps ways of thinking.

Bigger Than a New Framework

After performing the third Agile Audit leveraging these better ways of working, I knew we were on to something bigger than just a new framework or methodology. We were going beyond Agile Auditing and discovering something new.

We continued experimenting with these tactics to varying degrees on subsequent audits. Some were delivered in sprints (using consistent timeboxes for delivery) and some were delivered in iterations where the time between delivery varied—triggered by something other than the expiration of a timebox. Yet others held delivery of finalized results until the end of the audit, with discussion of results with frontline client leaders throughout. During some audits, we integrated ourselves with the client and our work into the client’s work more so than during others. Essentially, we chose the techniques and methods that would work best in each unique situation based on our desired outcomes.

For example, to enable more fluidity of staff between audits, we modified our task board to make our work more visible at a holistic, portfolio level rather than at the individual audit engagement level. To increase efficiency, the auditors joined the client’s biweekly team meetings to request additional information and discuss results with clients in real time, without adding more meetings to the clients’ calendar. To reduce disruptions caused by unplanned work, we worked with our clients to add audit-related tasks to their task board so they could consider those tasks during their backlog refinement sessions and plan for the audit work with their normal work.

As my team and I continued adopting better ways of working, we shared our stories with others in our organization and with auditors in other organizations. I also attended webinars and conference sessions devoted to Agile Auditing.

From these discussions, webinars, and sessions, I picked up on a pattern: the auditing industry assumed that Agile was synonymous with Scrum, and that Agile Auditing meant only performing audits in sprints. Further, the industry confused sprints with manageable chunks of work when in reality, sprints are timeboxes that may or may not have a one-to-one match with manageable chunks of work.

My team and I wondered whether the audit profession’s assumption that Agile = Scrum was correct, so we experimented with adding agility to our work and integrating audit work into the client’s work, without delivering in sprints or following a strict Scrum or Agile Auditing framework. From this experimentation, we learned that while Agile Auditing is one way to add agility to audit work, it is not the only way.

To help create clarity on this, I started referring to our way of working as “Auditing with Agility” rather than Agile Auditing. I wanted our team to shift from thinking this is something you do (Agile Auditing seems to trigger thoughts of something you do) to thinking about it as a way of working (auditing in a manner that incorporates agility and leads to better outcomes).

We shifted from Agile = Scrum to Auditing with Agility = auditing in a way that improves the ability to respond to change and makes the audit process flexible.

Thanks to one of my mentors, I also realized that what we were doing went beyond agility by also incorporating the concept of performing value-driven work and integrating that work into the client’s daily work.

Audit and Client Working Together

In 2022, I presented at DevOps Enterprise Summit, a conference for technology leaders. This time I didn’t copresent with one of my audit teammates, as I had in prior years. Instead, I copresented with one of my clients. That’s right, an auditor and a technology leader presented together—and had fun doing so.

Gene Kim, coauthor of The Phoenix Project and founder of DevOps Enterprise Summit, reached out to me and my copresenter to express how startling he thought our presentation was. He shared that he thought we were on the “frontier of revolutionizing internal audit practices for the entire profession.” He likened it to the presentation given by John Allspaw and Paul Hammond at the 2009 Velocity conference. That 2009 presentation, titled “10 Deploys per Day: Dev and Ops Cooperation at Flickr,” first introduced an operating model where technology developers and operations teams were no longer adversaries, but instead shared common goals and made technology development and operations part of both teams’ work.

After watching that historic 2009 presentation, the parallels between that operating model and the one described in my 2022 presentation became clear:

The parallels between the two presentations were stunning, even though I hadn’t seen the 2009 presentation until after submitting my own. Gene was right…we were on to something big.

All of this made me realize the need for a book to accomplish the following:

• Clarify what it truly means to audit with agility (and that it does not mean simply performing audit work in sprints) and how to go about doing so.
• Provide auditors with the insights necessary to perform value-driven, integrated, adaptable audits.
• Provide clients with actionable advice on how to improve their next audit experience.
• Teach auditors and clients how to improve their working relationship, resulting in greater value to the organization.

In my book Beyond Agile Auditing, I dive deeper into the key practices of value-driven, integrated, adaptable auditing (or just Auditing with Agility for short). You’ll learn about the theory behind these practices and see them in action in practical, relatable examples. Many of these practices can be incorporated immediately, without having to undergo a department-wide or organization-wide transformation. The practices don’t always have to be auditor-driven. Audit clients and auditors alike can influence a better audit experience through these practices.

- About The Authors

Clarissa Lucas

Clarissa Lucas is an experienced audit and risk management leader in the financial services industry. She is also the author of "Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices", has written articles on Auditing with Agility that have been published by the IIA, and has spoken at a number of industry conferences on this topic locally and internationally.

Follow Clarissa on Social Media

• 
•