The Agile Internal Audit Journey: Part 3 – Scrum, Kanban and agile project management methods applied to internal audit

Published by John Romano and Phil Schmoyer

In this article series, Baker Tilly specialists define Agile, walk through its applications to internal audit and offer lessons learned through case study approaches. 

In Part 1 of our article series, we discussed the role of internal audit, introduced the history of agile, addressed some common misconceptions about agile auditing and set the baseline for the journey ahead. In Part 2 of the article series, we explored the agile manifesto and how agile principles can be applied to internal audit. In the current article, we will elaborate on methods defining and using the Scrum framework.

Setting a baseline

Agile internal audit is an evolutionary process. It is not that current internal audit and risk-based approaches are outdated; rather, it is a mindset that focuses on incorporating continuous improvement and operating with agility. Agile auditing can be complementary to existing processes and is not necessarily a replacement for current auditing processes. As we explore different frameworks and project management methods, it is important to challenge and question where the methods best suit the audit or engagement and where the methods may not or will not be adopted due to lack of resources, budget, circumstances and/or skillset.

Evolving traditional project management

Without oversimplifying the process, the traditional approach to internal audit includes planning, fieldwork and reporting. Employing the agile internal audit process (with the application of Scrum as a project management framework) also includes planning, fieldwork and reporting. The difference between the former and the latter is that the latter is an iterative process.

From a visual perspective, the traditional internal audit process can be depicted as follows:

Traditional internal audit process

The internal audit process depicted may be slightly different based on your organization’s policies, circumstances and reporting cadence, but overall – notwithstanding detail in between each of these processes – the internal audit activity would be managed and executed in this manner.

Today, as internal auditors we are trained and focused on risk-based auditing, constant communication, adjusting the audit procedures when appropriate and providing value to management and stakeholders.

In other words, a well-performed internal audit could have the following goals, actions and outcomes:

Is change necessary to the above process and outcomes? On the surface, no, everything works well. The outcome achieved is a desirable one. Agile internal audit is “evolutionary”; it’s not necessarily always transformative. Agile auditing is not transforming the entire internal audit process. It is the guiding belief that if we apply certain principles and methods, focus on continuous improvement and adapt quickly as needed, we MAY achieve better or different results. It is about enhancing the process, not fixing it or implementing a completely new process that supplants solid existing risk-based auditing processes.

Agile internal audit can be considered a mindset first, followed by the introduction of certain project management methods that may lead to positive outcomes for the team, for managers, the chief audit executive and, most importantly, management, the audit committee and stakeholders.

Incorporating Agile auditing using the Scrum project management framework

Below is an agile audit process using the Scrum framework in a simple depiction:

Through implementing agile internal audit principles and project management methods, one internal audit department experienced the following:

Where should you start when considering applying new or modified project management methods to your internal audit function? We recommend starting by understanding and exploring the Scrum framework.

The Scrum framework

Scrum is not a methodology[1]. The essence of Scrum is focused on a small dedicated team that is highly flexible and adaptive. Scrum is founded on empirical process control theory, or empiricism. Empiricism asserts that knowledge comes from experience and making decisions based on what is known. Scrum employs an iterative, incremental approach to optimize predictability and control risk.[2]

In other words, as depicted above in the agile audit process using the Scrum framework, a dedicated internal audit team would be continually adapting decisions on the audit based on experiences and knowledge gained in the particular sprint. The approach is iterative and incremental to planning, risk identification, testing and reporting. Scrum also has dedicated roles, and included below we have adapted the roles for internal audit.

The Scrum team

Product Owner

  • Audit Director, Chief Auditor
  • The Product Owner (audit director) is responsible for maximizing the value of the audit to the auditee and Audit Committee / Management. The Product Owner is also responsible for managing the Product Backlog (i.e. Audit Plan) and is focused on ensuring work done by the team aligns with vision and strategy. For the Audit Director to succeed as “Product Owner”, the entire organization must respect his / her decisions and audit prioritization.

Scrum Master

  • Audit Manager
  • The Scrum Master is a servant-leader for the Scrum Team. The Scrum Master helps those interacting with the Audit (Scrum) Team to engage in interactions that maximize the value created by the Scrum Team. The Scrum Master assists the Audit Team through the removal of distractions and impediments to allow constant focus.

Audit Engagement Team

  • Audit team
  • A typical Scrum (audit) team consists of two to nine (2-9) people and generally includes the typical functional roles required to complete the project, but those titles are only relevant in establishing individual expertise.
  • The team acts collectively to determine how to achieve its goals. Tasks delivered are determined by the priority established by the product owner. Each team member self-assigns tasks from the prioritized sprint backlog, a level of autonomy that is the cornerstone of Scrum. It encourages strong bonds between team members and helps create a positive working environment.

Events and artifacts

Implementing Scrum in internal audit also requires an understanding of key events and artifacts. Some of the events and artifacts can be modified to suit specific circumstances, team sizes and types of audits. Also, some of the events included, such as themes, initiatives, epics and user stories, are not considered Scrum but are well known and used in agile.

  • Themes: Organizational strategies that internal audit considers and to which it can align the internal audit strategy. For instance, an organizational strategy of maintaining a quality reputation.
  • Initiatives: The internal audit universe's alignment to the strategy. For example, customer service, claims processing and marketing.
  • Epics: Internal audits aligned to the initiatives.
  • Product (Audit Plan) Backlog: In internal audit the product backlog can be the audits identified to be addressed within the year. The backlog is dynamic, constantly being updated and is never considered complete. It is your risk-based audit plan.
  • Product (Audit) Backlog: The audit engagement backlog is comprised of your objectives, risks or controls. Depending on the type of audit, the backlog can be modified. For instance, in SOX, it's most efficient to have the backlog be controls.
  • Sprint Planning: Held at the beginning of each sprint. The business owner discusses the primary objectives and risks with the manager and team. The sprint goal and sprint backlog are developed.
  • User Stories: Help the audit team understand key areas of risks from a stakeholder perspective. A statement that describes the value of the audit from a user's perspective.
  • Sprint Backlog: Includes tasks needed to achieve the sprint goal for the specific sprint.
  • Sprint: Time boxed intervals during which tasks must be completed.
  • Stand-Ups: 15-minute briefing on what was accomplished since the prior stand-up, what the goals are until the next stand-up, and what hurdles stand in the way of achieving the goals. Internal auditors find that stand-ups two times a week and one overall project status meeting are effective. The auditee could also be invited to these stand-ups when appropriate.
  • Definition of Done: Tasks under the user story have been completed. Testing is completed, reviewed and signed off.

Another key artifact is the Scrum or task board. The task board is essential to the project management function in implementing the Scrum framework. There are many variants that exist, but a simple Scrum board includes columns, uses sticky notes and tracks “to do”, “doing” and “done”. The task board is updated frequently, most commonly during the stand-up meeting, based on the team’s progress since the last update. The board is commonly “reset” at the beginning of each iteration to reflect the iteration plan.

A simple task board may look like the following:

One way to view the key events and artifacts indicated above is in an organizational, hierarchical fashion as it applies to identifying and conducting the audits. Below, we have included an example of documenting from a theme to audit completion.

Documenting from a theme to audit completion

Scrum vs Kanban

There are different frameworks and methods utilized in agile. Another common reference is Kanban. Kanban is a visual system for managing work as it moves through a process. Scrum and Kanban have their benefits and pitfalls and are appropriate for different audits and situations. Below is a comparison of the two frameworks.

Scrum

Framework to address complex and adaptive problems

More appropriate for

  • Audits where auditee wants to be actively involved
  • New audits
  • Operational and complex audits
  • Difficult areas, trying something new

Scrum roles defined (PO, SM, ST)

Collaboration and team ownership

Time boxed

Work is planned and divided into sprints

Use of Scrum board

  • Product backlog (audit), Sprint backlog, Scrum board (like Kanban)
  • Facilitates focus on a shorter period of time (1-2 weeks)
  • Board resets after each sprint

Challenges

  • Shorter audits
  • Delay in receiving information
  • Commitment to process
  • Lack of training

Kanban

Lean method, aims to eliminate waste

More appropriate for

  • SOX
  • Control heavy testing
  • Routine audits

Just in time planning

No defined roles

Incremental but not iterative

Achieve state of continuous flow

Use of Kanban board

  • To Do, In Progress, Done
  • Board can be modified but is continuous
  • WIP is controlled by capacity
  • Used throughout life of the project/audit

Challenges

  • Board made too complex or not updated frequently enough
  • No defined roles
  • Lack of timing because focus is on capacity not time to complete

With the information covered thus far, where should an internal audit organization start?

  • Conduct an agile audit workshop with your team facilitated by an agile coach or internally. An agile workshop can be beneficial and include discussion of current state auditing practices, goals for continuous improvement, and how agile principles and project management methods can be incorporated considering culture, resources and regulatory considerations.
  • Identify an audit to pilot some of the agile concepts discussed in our article series. Many internal audit organizations view agile auditing as a big undertaking and as a process alone. In our first and second articles, we discuss and elaborate on some of the theoretical and mindset changes that are imperative and a key part of operating with agility within your internal audit function. Conducting a pilot audit would start with identifying a dedicated team, led by a manager who is familiar with agile and scrum or Kanban project management concepts. The goal would be to conduct a pilot, identify the goals of the pilot and communicate outcomes and lessons learned to the rest of the team members.
  • Experiment with sprints and summary reporting after each sprint. A simple way to slightly modify your current process without incorporating a significant amount of change is to adopt the implementation of sprints in your next audit. Break your audit planning, fieldwork and reporting timeline into two to three week increments. Determine how you can accelerate the time to final reporting and distribution by providing management quicker insights of the audit progress, changes and results or sprint summaries after each sprint.
  • Educate management, senior leadership and the audit committee on the agile principles and methods that are being considered and implemented as part of your efforts for continuous improvement. Senior leadership and stakeholder buy-in is essential. Sometimes, there are preconceived notions about agile that could be positive or could be negative. It’s important to communicate and educate management and stakeholders that your internal audit function is exploring project management methods that will build upon your risk-based auditing methods, management integration and value proposition and reporting cadence. It is effective to conduct a pilot audit or pilot audits using sprints and quicker reporting, involving management throughout the entire process and discuss the benefits received, lessons learned and next steps.
  • Develop your incremental roadmap to continuous improvement and agile auditing implementation. Internal audit organizations are at various levels of maturity with agile principles and project management implementation. A few organizations are fully agile, indicating that agile principles and scrum and Kanban project management frameworks are engrained in the everyday processes. For the majority of organizations that are just beginning to research and consider agile principles and scrum project management framework, it is helpful to develop a roadmap with goals and expected outcomes.

For additional resources

  • Refer to our case study for an example of an implementation of agile audit processes
  • Revisit Part 1 and Part 2 of the article series

The next article in the series will build upon the information covered here with examples of implementing scrum in an audit, reporting best practices and addressing challenges and lessons learned.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.

[1] www.scrum.org

[2] Sutherland, J., & Schwaber, K. (2017, November). Retrieved from https://www.scrumguides.org/scrum-guide.html#definition

John Romano
Partner, CPA, CIA, CFE, CITP, CSM
