Setting a baseline
Agile internal audit is an evolutionary process. It is not that current internal audit and risk-based approaches are outdated; rather, it is a mindset to focus on incorporating continuous improvement and operating with agility. Agile auditing can be complementary to existing processes and is not necessarily a replacement to current auditing processes. As we explore different frameworks and project management methods, it is important to challenge and question where the methods best suit the audit or engagement and where the methods may not or will not be adopted due to lack of resources, budget, circumstances and/or skillset.
Evolving traditional project management
Without oversimplifying the process, the traditional approach to internal audit includes planning, fieldwork and reporting. Employing the agile internal audit process (with the application of Scrum as a project management framework) also includes planning, fieldwork and reporting. The difference between the former and the latter is that the latter is an iterative process.
From a visual perspective, the traditional internal audit process can be depicted as follows:
The internal audit process depicted may be slightly different based on your organization’s policies, circumstances and reporting cadence, but overall – notwithstanding detail in between each of these processes – the internal audit activity would be managed and executed in this manner.
Today, as internal auditors we are trained and focused on risk-based auditing, constant communication, adjusting the audit procedures when appropriate and providing value to management and stakeholders.
In other words, a well-performed internal audit could have the following goals, actions and outcomes:
Is change necessary to the above process and outcomes? On the surface, no, everything works well. The outcome achieved is a desirable one. Agile internal audit is “evolutionary”; it’s not necessarily always transformative. Agile auditing is not transforming the entire internal audit process. It is the guiding belief that if we apply certain principles and methods, focus on continuous improvement and adapt quickly as needed, we MAY achieve better or different results. It is about enhancing the process, not fixing it or implementing a completely new process that supplants solid existing risk-based auditing processes.
What agile internal audit can be considered is a mindset first and then introducing certain project management methods that may lead to positive outcomes for the team, for managers, the chief audit executive and, most importantly, management, the audit committee and stakeholders.
Incorporating Agile auditing using the Scrum project management framework
Below is an agile audit process using the Scrum framework in a simple depiction:
Through implementing agile internal audit principles and project management methods, one internal audit department experienced the following:
Where should you start when considering applying new or modified project management methods to your internal audit function? We recommend starting by understanding and exploring the Scrum framework.
The Scrum framework
Scrum is not a methodology. The essence of Scrum is focused on a small dedicated team that is highly flexible and adaptive. Scrum is founded on empirical process control theory, or empiricism. Empiricism asserts that knowledge comes from experience and making decisions based on what is known. Scrum employs an iterative, incremental approach to optimize predictability and control risk.
In other words, as depicted above in the agile audit process using the Scrum framework, a dedicated internal audit team would be continually adapting decisions on the audit based on experiences and knowledge gained in the particular sprint. The approach is iterative and incremental to planning, risk identification, testing and reporting. Scrum also has dedicated roles, and included below we have adapted the roles for internal audit.