Friday, December 20, 2019

What Exactly is An Agile Internal Audit?

Can Internal Auditing become Agile? Seven Keys to Thinking the Unthinkable.
That was the title of a Forbes article in 2017 written by Steve Denning, the author of the book "The Age of Agile". Now that the unthinkable he referred to is becoming a reality for some internal audit functions and a wish-list item for many functions around the world, I will in this post provide a simplified, basic understanding of the agile concept for the benefit of those who are not yet familiar with it!

What is Agile?

According to the Oxford dictionary, agility means the “ability to move quickly and easily”. It is also defined as “the ability to think quickly and in an intelligent way” when it refers to the mindset.

Simply put, the agile methodology is a type of project management method that was mainly developed by the software development industry to reduce costs and time and to improve quality and delivery. It achieves this by breaking a project into several short, incremental, and repeatable tasks (known as sprints, which are usually 1-4 weeks in length), by seeking the collaboration of all stakeholders, and by conducting daily scrum meetings.

Scrum is a popular agile framework (process) that helps teams work together. The Atlassian website offers a simple definition: “Scrum describes a set of meetings, tools, and roles that work in concert to help teams structure and manage their work”. It also explains the difference between agile and scrum by describing agile as a “mindset” while scrum is the framework that gets things done!

You will often come across the term “scrum master” which is equivalent to a “project manager” in a traditional project management environment. Other important terms you need to get familiar with are:
  • Backlog: A changing list of product requirements based on customers' needs
  • Daily Scrum: A short daily meeting (10-15 minutes) to update the plan
  • Point of View (PoV): A summary of the relevant insights gained from observations
  • Definition of Done (DoD):  A set of predetermined criteria that a product needs to meet in order to be considered as being done

An agile manifesto was developed by 17 thought leaders in 2001 which consisted of 4 core values and 12 principles:

Core values:
  • Individuals and Interactions Over Processes and Tools
  • Working Software Over Comprehensive Documentation
  • Customer Collaboration Over Contract Negotiation
  • Responding to Change Over Following a Plan

Principles:
  • Customer satisfaction through early and continuous software delivery
  • Accommodate changing requirements throughout the development process
  • Frequent delivery of working software
  • Collaboration between the business stakeholders and developers throughout the project
  • Support, trust, and motivate the people involved
  • Enable face-to-face interactions
  • Working software is the primary measure of progress
  • Agile processes to support a consistent development pace
  • Attention to technical detail and design enhances agility
  • Self-organizing teams encourage great architectures, requirements, and designs
  • Regular reflections on how to become more effective

What Does it Mean to Have an Agile Internal Audit?

Now that you are familiar with the agile concept, let’s explore how the agile methodology applies to internal audit. Let’s start with the seven keys mentioned by Steve Denning in his above-mentioned article (these were based on a PwC report). According to the report, agile pioneers in internal audit embrace the following:

1.    active and broader involvement in disruption
2.    being prepared and adaptive
3.    assessing the risk of future disruption
4.    proactive involvement in disruptive events
5.    flexible talent management
6.    flexible planning
7.    meaningful collaboration with other lines of defense

Many articles and reports were written to discuss what an agile internal audit looks like. In general, there is an agreement that the characteristics of agile internal audit are:
  • Flexible & adaptable planning and execution of work
  • Continuous collaboration with stakeholders & daily scrum meetings
  • Performance of work in repeatable sprints
  • Less documentation
  • Visualization of work on scrum boards
  • Provision of incremental reporting
So, how does an agile internal audit compare to a traditional internal audit? A presentation by Deloitte included the following illustration which visualizes the difference: 


Many Internal audit manifestos were developed. Deloitte offered the following example:

Benefits of Agile Internal Audit

There are many benefits of applying agile to internal audits which may include:
  • Higher-quality insights and faster insight generation
  • Increased customer satisfaction
  • Enhanced internal audit planning
  • Empowered internal audit teams
  • Faster responses to changing business needs
  • Less documentation
  • Accelerated delivery cycle
  • Clearer outcome
It is important to understand that agile is not a call for internal audit to go rogue! Flexible planning, less documentation, and the empowerment of audit teams do not mean that there should be no discipline! It means that smarter use of time and resources is applied when and where most needed (i.e., auditing what matters). And certainly, agile should not be interpreted as a call for internal audit to become “reactive”. The fact that internal audit shifts its focus to address emerging risks and disruptions does not mean that internal audit should be taken by surprise by an adverse event and struggle to react to it. Internal audit should anticipate such events, to the extent possible, and should be prepared to act quickly to address such issues in a timely manner.

Challenges of Agile Internal Audit

Obviously, adopting and implementing an agile internal audit comes with challenges! An article published by Barclay Simpson identified the following challenges:

  • Changing mindsets: Agile auditing overhauls existing processes, which often creates tension among teams resistant to change. 
  • Accessing support: Third-party coaching and development may be required to embed Agile methods into auditing functions effectively.
  • Preventing burnout: Agile audits can be intensive, which may lead to negativity and burnout if not properly managed. 
  • Apply Agile appropriately: Not all audits are suitable for the Agile approach. Businesses may need a hybrid framework to handle unique tasks rather than shoehorn every project through an Agile system.

Other challenges include appointing the right scrum master, adapting to less documentation, management buy-in, and most importantly the availability of skilled and capable internal auditors who are willing participants in agile auditing!

How to Start?

The first step of becoming agile starts with the internal audit function itself. To be precise, it starts with the mindset of the internal audit leadership to determine if it is ready for the change! Once this is accomplished, an evaluation of the capabilities and willingness of the audit team should be performed and a conclusion reached on the amount and type of outside help needed for the transformation. You may wonder if the agile approach is valuable for all internal audit shops? The chairman of the IIA Canada has answered this question as follows:

"I would say, yes. Most internal audit shops are within organizations that are currently exposed to disruption and significant change. The more a process or an auditable entity changes the greater the need for internal audit to have an agile approach to both planning and executing audits. Although, if internal audit is conducting compliance audits or audits related to an area with very little change since the last audit, choosing an agile approach may not add much value."

The next step would be to educate the audit committee on the importance of the transformation to the agile methodology and to seek their support as well as the support (buy-in) of management.

Many experts advise that the agile approach be applied to a pilot project first. This can be used as a learning curve to evaluate and adjust agile to the company's needs. It may sound funny, but you need to apply the agile methodology to your agile transformation!

Agile requires continuous collaboration and feedback, so make sure that you seek feedback from all stakeholders and evaluate and implement it on a timely basis.

In conclusion, an agile internal audit is…

The ability and willingness of internal auditors to leave their comfort zone and act swiftly and direct their efforts to risks and disruptions that matter through continuous risk assessment, timely & meaningful communications/collaboration with stakeholders, and utilization of available technology. The ultimate purpose is to provide management with real-time (or at the speed of risk as some like to call it) insight, advice, and assurance needed to assist them with the decision-making process.

These are my thoughts, please share yours!



Sunday, October 20, 2019

The Internal Auditor- A Short Novella

I like to read and I enjoy fiction books! I have read hundreds of them over the years. I am a fan of John Grisham and I have enjoyed his earlier books such as The Firm, The Client, The Partner, and others. I have also enjoyed the writings of other authors, especially those who have created interesting characters such as Lee Child's Jack Reacher and Vince Flynn's Mitch Rapp. These characters were from many professional backgrounds such as lawyers, law enforcement, military, medical professionals and almost every other profession except for internal audit! I decided to take the initiative and change that!

My passion for the profession, coupled with my passion for reading and occasionally writing, inspired me to write the first novella depicting a Chief Audit Executive as the main character! I have faced challenges in writing the novella, the first of which was the fact that I am not a professional writer and that I have never written a book before. The second challenge was that English is a second language to me, which may have limited my ability to convey my thoughts and messages as intended! Nevertheless, these challenges did not stop me from writing and self-publishing the book. I recognize that the novella is far from perfect, but it is a start!

The title of the book is "The Internal Auditor". You can read an excerpt here.

If you are interested in buying the book, it is offered at a nominal price at Amazon, or you can read it for free if you are a Kindle subscriber. Alternatively, you can buy it directly from my website.

The story was also converted into a training session to edutain internal auditors. The idea is to entertain them while we educate them. It includes reading the story as a prerequisite. During the session, we discuss the lessons learned from it and what the CAE could have done differently. The training is available on demand.

I am writing my second novella, "The Retirement", and hope to publish it soon!

Saturday, July 20, 2019

The Proposed Internal Audit Code of Practice: A Necessity or A Duplication?

The Chartered Institute of Internal Auditors has published for consultation a draft of a proposed Internal Audit Code of Practice. According to the Institute, the 30 recommendations included in the draft are aimed at enhancing the overall effectiveness of internal audit, and its impact, in the UK and Ireland. The recommendations can be regarded as a benchmark of good practice against which organizations can assess their internal audit function.
The Institute emphasized that the code should be applied in conjunction with the existing International Professional Practices Framework (IPPF). It continued to mention that the code builds on the IIA standards and seeks to clarify expectations and requirements needed to strengthen the effectiveness and impact of internal audit.

The 30 principle-based recommendations cover the following areas:
· Role and mandate of internal audit
· Scope and priorities of internal audit
· Reporting results
· Interaction with risk management, compliance and finance
· Independence and authority of internal audit
· Resources

The recommendations range from identifying the primary role of internal audit to calling for the internal audit to have sufficient and timely access to key management information and right of access to all of the organization’s records.
The code which is described as “voluntary” is written in the context of a reasonably sized organization operating in all private sector organizations within the UK and Ireland. Modifications may be needed to accommodate the size, scope, risk profile and complexity of operations of various organizations.

After reading the recommendations, do you think they:

  1. Duplicate the IIA standards and add little value
  2. Complement the IIA standards
  3. Add significant value to the IIA standards

Also, do you think other countries should adopt a similar code through the IIA chapters?

Please share your thoughts.


Friday, May 3, 2019

Internal Audit as A Disruptor!

Disruption has been one of the most used words in the last few years. It has been used by people who understand its true nature and meaning, and by those who do not. It has been used as an excuse to justify failure and as a means to motivate people and corporations to do better and rise to the challenge. But what is disruption about?

What is Disruption?
The Cambridge English Dictionary defines the verb “disrupt” as follows: to prevent something, especially a system, process, or event, from continuing as usual or as expected.

In business, the term “disruption” and the theory behind it took off with the definition offered by Harvard Business School’s Clayton Christensen in his 1997 book “The Innovator’s Dilemma”. He explained it as follows:
“Disruptive Innovation describes a process by which a product or service takes root initially in simple applications at the bottom of a market and then relentlessly moves up market, eventually displacing established competitors.”

A Harvard Magazine article provided more explanation of the concept:
“Disruptive products are typically “cheaper, simpler, smaller, and, frequently, more convenient to use.” They tend to reach new markets, enabling their producers to grow rapidly and—with technological improvements—to eat away at the market shares of the leading vendors.”

It is important not to confuse disruption with innovation! There is a wide agreement that all disruptors are innovators, but not all innovators are disruptors. Examples of disruptive products and services include Netflix, Amazon, Skype, Laptops, cellular phones, and Wikipedia. On the other hand, Uber is considered by most experts and scholars as innovative but not disruptive.

While the term “disruption” is mostly used to refer to technological advancement, it is certainly not limited to it. Disruption could come in the form of new regulations & laws, new business models, financial challenges, cybersecurity threats, and others.

Internal Audit & Disruption
Many experts and thought leaders have shared their views on how Internal Audit should handle disruption. Here are some examples of what they have said:

An IIA publication entitled “Internal Audit in the age of disruption” summarizes the role of internal auditors as:

“The great challenge for internal audit executives today is to perceive disruptions in their true form. Recognizing what’s coming and providing insight to the organization on how to harness that disruptive power is truly valuable. This is nothing new for internal audit. Insight is core to the Mission of Internal Audit — to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

The publication provided tips and techniques for internal auditors to rise to the challenge of disruption. These are:
- Keep focus on assurance: Internal audit should continue to focus on what it does best
- Engage with Stakeholders and Subject Matter Experts: Align internal audit’s work with the expectations of internal audit’s key stakeholders. Work closely with subject matter experts who are implementing disruptive technologies and focus on the most relevant and significant issues.
- Invest in Training on Disruptive Technologies: Constantly pursue training to learn about new technologies and the complex and emerging risks being introduced to the organization.
- Put New Technologies to Work: Embrace and leverage new technologies in performing internal audit work. Internal Auditors must take advantage of machine learning and data analytics in their audit processes — real-time auditing should be a requirement as organizations implement new business processes

It also provided the following closing thought:
“There may be a lack of synergy between internal audit and innovators or creative thinkers in the organization, but with regard to disruptive events that the organization either generates or reacts to, internal audit should be there from the beginning. 
By focusing on assurance, engaging with subject matter experts, investing in training and disruptive technologies, putting new technologies to work, and providing insight into emerging risks and opportunities, internal audit may be seen as a key asset in helping the organization to harness the power of disruption.”

An EY publication entitled “Does a disrupted Internal Audit function mean a stronger strategic partner?” offered the following view of the internal audit function of the future:
“In light of the pace of disruption and resulting changes occurring in business today, IA needs to change what it does, how it does it and who actually performs the work.

The mandate will remain substantially the same; however, it will demand a shift in focus and IA functions must:
- Be highly connected, agile, proactive and forward-looking
- Continue to assess and challenge the efficiency and effectiveness of internal controls
- Be involved in the most strategic activities of the organization
- Harness emerging technology for better and more predictive risk mitigation outcomes
- Challenge the risk framework and view to also account for upside and outside, in addition to downside risks.”

A PwC article entitled “It’s time for Internal Audit to disrupt itself” called on Internal Audit to be agile in order to help anticipate and respond quickly to disruptive events:
“Agile Internal Audit functions are relevant across many disruptors, including rapidly emerging risk areas, not just those areas traditionally addressed by internal audit or compliance functions.”
It has identified some features which are needed for helping Internal Audit functions to be agile and better equipped to support businesses in dealing with disruptions:
- Much tighter collaboration across three lines of defence, driving more clarity in the overall risk management process
- Investing in both business and technical IQ, formally including training on the business as part of Internal Audit learning and education.
- Creating more flexible Internal Audit processes and reporting that not only capture different approaches but also drive relevant and timely reporting to address the immediate business needs.

The above clearly demonstrated the need for Internal Audit to embrace and embed technology in its operations. Unfortunately, this is not the case today for many internal audit functions. According to PwC’s 2018 State of the Internal Audit Profession Study, internal audit falls into these three categories when it comes to adopting technology:
- Evolvers: 14% of internal audit functions are advanced in their technology adoption
- Followers: 46% of internal audit functions are taking notice and following the Evolvers’ technology adoption—but at a slower pace.
- Observers: 37% of internal audit functions are still Observers when it comes to technology adoption. They may be constrained by lack of technology, be held back by poor quality of data within the business or have insufficient resources to invest, or the organization may simply not be ready culturally. That last group has only basic or even no technology use.

Be the Disruptor!
There has been no shortage of calls for Internal Audit to disrupt itself. This was not only triggered by the current disruption factors facing businesses, but also as a reflection of the poor stakeholders’ perception of internal audit and its ability to add value.
I add my voice and call on Internal Audit to be a disruptor! To be clear, I am calling on internal audit to be a “constructive disruptor” and to avoid by all means being a “destructive disruptor”! 

Destructive Disruptor
By doing nothing and continuing to perform its routine tasks without regard to the disruptive factors coupled with the unwillingness to leave its comfort zone, internal audit becomes a destructive disruptor. Not only will it miss the opportunity to improve itself and leave the state of inertia, but it will also hinder the rest of its stakeholders from performing by denying them access to information and insight needed to enable them to make the right decisions.

Constructive Disruptor
To become a constructive disruptor, Internal Audit needs to disrupt itself first. While there is no one-size-fits-all approach, Internal Audit may consider these suggestions:

Mindset Reset:
The first step towards becoming a disruptor is to disrupt the mindset of internal auditors. A blog post written by a PwC global GRC and IA leader explains the mindset change as follows:
“What we need to do most urgently as a profession is to retool our own business model, to access new capabilities and technologies, and be more adaptive and timelier in the way we go about doing our job. For most internal audit functions, this means adopting a much more agile resourcing model. To provide the right advice, you need to be able to access a diverse array of skills, quickly. But it also means adopting a new mindset. A mindset that says, ‘not only do we have permission to be more proactive, our stakeholders need us to be.’ It’s a change in thinking that may be hard, but it’s one we need to make. If we do it, not only will we deliver greater value, but it will make our jobs more rewarding and our profession more attractive to tomorrow’s leaders.”

The change of the Internal Audit mindset is not an easy task because people, including internal auditors, tend to resist change. To effect change, there is no substitute for a strong and courageous Chief Audit Executive (CAE). He/she should be forward-looking, adaptable, and agile, see the big picture, and surround himself/herself with staff who share his/her values, objectives, and mission. A disruption of the Internal Audit function requires an honest and continuous assessment of its capabilities and needs. The CAE will need to objectively assess the current skillset and mindset of his/her staff and determine if they are suitable for the future of his/her function as a disruptor. If necessary, a drastic restructuring of the function should be executed and a clear practical plan should be developed for the improvement of the hiring and training practices. The human factor is essential in the transformation of the internal audit mindset in the digital age because digital transformation is a way of thinking, according to a publication issued by Protiviti. The publication explains this and the role of technology in the transformation process as follows:
“To become a leader in the digital age, it is essential to reinvent the business at its core. Beyond technology and process changes, this means the way people think and act in everything that they do needs to substantially evolve. The people aspects are much more important than the technology. That is not to say that technology is not important, but it should not be the driver nor the destination. Fundamentally, digital transformation is about people transformation.”

No More Hiding behind Independence:
Part of being a disruptor is to strike a practical balance between the assurance and advisory roles. Internal Audit can disrupt itself by breaking the habit of hiding behind the “independence” issue and come forward to offer objective and unbiased consulting services in accordance with the IIA standards and guidance. Do not be shy to go beyond the standards, if necessary, if doing so adds real value to your organization!

Adopt a New Culture:
Internal Audit can also disrupt itself by adopting a culture that demands that internal auditors learn a new “thing” every day and invest in themselves. The recent IIA Publication “APPROACHES TO UPSKILLING FOR INTERNAL AUDITORS” has a useful explanation of self-investment:

“During his tenure as The IIA’s Global Chairman of the Board (2016‒17), Larry Harrington, CIA, QIAL, CRMA chose “Invest in yourself” as his theme. He urged internal auditors to enhance their value by undertaking professional development opportunities. Too often, employees believe that it is the sole responsibility of their employers to first determine the skills necessary for them to succeed, and second, to make the investment in and for them. This is risky thinking. Self-investment provides one of the best returns on investment. Smart professionals use the resources and guidance available to them through their employers, but ultimately realize that they own their own careers.”

The culture should also break the circle of fear if it exists (fear of technology, fear of upsetting stakeholders, fear of the unknown, fear of failure, etc.). The culture should embrace real change and determination to become a disruptor. A few years back, some Internal Auditors used to call themselves “agents of change”, but they changed very little, if anything. Thus, internal auditors should be encouraged to innovate and use their imagination to improve the way they do things. Innovation is the product of imagination, determination, and empowerment! Unleash the imagination and creativity of internal auditors, push them to think outside the box and they will disrupt everybody!

Market Internal Audit as A Disruptor:
Do not be shy about it! If you want to be a disruptor, let your stakeholders know about it. Discuss your disruption plans with the audit committee and management and seek their support. Let them realize the additional value internal audit can add when it becomes a disruptor. It may not be an easy sell, but if done effectively you can reasonably ensure that your stakeholders will not disrupt your disruption activities!

Educate Stakeholders:
I consider educating the Audit Committee and management on the latest trends in technology, risk, assurance, and other emerging issues a disruptive act because it helps them to reconsider how they approach issues and make decisions. Educating them may take many forms from a flash newsletter to a formal training session. The education venue should be customized to adapt to what works for the stakeholders.

Last Words
One of my favorite quotes is by Shirley Chisholm, who said: “If they don't give you a seat at the table, bring a folding chair.” In my opinion, this quote in a way summarizes and simplifies the concept of disruption. Bringing a chair to the table, even if it is a folding one, and disrupting the status quo is a much better approach than waiting to be given a seat. To become a disruptor, Internal Audit should first have the desire to play this role, take initiatives and invite itself to the party!

At the end of the day, the greatest challenge facing Internal Audit is to disrupt its stakeholders’ perception of its value and services!

About the Author:
Wa’el Bibi, CPA, CIA, CISA is a seasoned Audit Executive and the founder & President of Bibi Consulting, a Canadian firm that provides Internal Audit & Management Consulting Services worldwide. He is also the CEO of AdapGility Consulting, a firm connecting CAEs with Organizations.
