Friday, December 20, 2019

What Exactly is An Agile Internal Audit?



Can Internal Auditing become Agile? Seven Keys to Thinking the Unthinkable.
 That was the title of a Forbes Article in 2017 written by Steve Denning the author of the book "The Age of Agile". Now that the unthinkable he referred to is becoming a reality for some internal audit functions and a wish list item for many functions around the world, I will in this post provide a simplified basic understanding of the agile concept for the benefit of those who are not yet familiar with it!


What is Agile?

According to the oxford dictionary, Agility means the “ability to move quickly and easily”. It is also defined as “the ability to think quickly and in an intelligent way” when it is referenced to the mindset.

Simply put, the agile methodology is a type of project management method and was mainly developed by the software development industry to reduce costs, time, and improve quality & delivery. It achieves this by breaking a project into several short incremental and repeatable tasks (known as sprints that are usually 1-4 weeks in length) and by seeking the collaboration of all stakeholders and by conducting daily scrum meetings.

Scrum is a popular agile framework (process) that helps teams work together. A simple definition of scrum is described by the Altasian website as” Scrum describes a set of meetings, tools, and roles that work in concert to help teams structure and manage their work”. It also explains the difference between agile and scum by describing agile as a “mindset” while scum is the framework that gets things done!

You will often come across the term “scrum master” which is equivalent to a “project manager” in a traditional project management environment. Other important terms you need to get familiar with are:
  • Backlog:: A changing list of product requirement based on customer's needs
  • Daily Scrum: A short daily meetings (10-15 minutes) to update plan
  • Point of View (PoV): A summary of the relevant insights gained from observations
  • Definition of Done (DoD):  A set of predetermined criteria that a product needs to meet in order to be considered as being done


  An agile manifesto was developed by 17 thought leaders in 2001 which consisted of 4         core values and 12 principles:


No.
Values
Principles
1.
Individuals and Interactions Over Processes and Tools
Customer satisfaction through early and continuous software delivery
2.
Working Software Over Comprehensive Documentation
Accommodate changing requirements throughout the development process
3.
Customer Collaboration Over Contract Negotiation
Frequent delivery of working software
4.
Responding to Change Over Following a Plan
Collaboration between the business stakeholders and developers throughout the project
5.
Support, trust, and motivate the people involved
6.
Enable face-to-face interactions
7.
Working software is the primary measure of progress
8.
Agile processes to support a consistent development pace
9.
Attention to technical detail and design enhances agility
10.
Simplicity
11.
Self-organizing teams encourage great architectures, requirements, and designs
12.
Regular reflections on how to become more effective


What Does it Mean to Have an Agile Internal Audit?

Now that you are familiar with the agile concept, let’s explore how the agile methodology applies to internal audit. Let’s start with the seven keys mentioned by Steve Denning in his above-mentioned article (these were based on a PwC report). According to the report, agile pioneers in internal audit embrace the following:

1.    active and broader involvement in disruption
2.    being prepared and adaptive
3.    assessing the risk of future disruption
4.    proactive involvement in disruptive events
5.    flexible talent management
6.    flexible planning
7.    meaningful collaboration with other lines of defense

Many articles and reports were written to discuss what an agile internal audit looks like. In general, there is an agreement that the characteristics of agile internal audit are:
  • Flexible & adaptable planning and execution of work
  • Continuous collaboration with stakeholders & daily scrum meetings
  • Performance of work in repeatable sprints
  • Less documentation
  • Visualization of work on scrum boards
  • Provision of incremental reporting
    
So, how does an agile internal audit compare to a traditional internal audit? A presentation by Deloitte included the following illustration which visualizes the difference: 


 




Many Internal audit manifestos were developed. Deloitte offered the following example:



Benefits of Agile Internal Audit

 There are many benefits of applying agile to internal audits which may include:
  • Higher- quality insights and faster insight generation
  • Increased customer satisfaction
  • Enhanced internal audit planning
  • Empowered internal audit teams
  • Faster responses to changing business needs
  • Less documentation
  •  Accelerated delivery cycle
  • Clearer outcome
It is important to understand that agile is not a call for internal audit to go rogue! Flexible planning, less documentation, and the empowerment of audit teams do not mean that there should be no discipline! It means that smarter use of time and resources are applied when and where most needed (i.e auditing what matters). And certainly, agile should not be interpreted as a call for internal audit to become "reactive”. The fact that internal audit shifts its focus to address emerging risks and disruptions does not mean that internal audit should be taken by surprise by an adverse event and struggles to react to it. Internal audit should anticipate such events, to the extent possible, and should be prepared to act quickly to address such issues in a timely manner.

  
Challenges of Agile Internal Audit

Obviously adopting and implementing an agile internal audit comes with challenges! An article published by Barclay Simpsons identified the following challenges:

  • Changing mindsets: Agile auditing overhauls existing processes, which often creates tension among teams resistant to change. 
  • Accessing support: Third-party coaching and development may be required to embed Agile methods into auditing functions effectively.
  • Preventing burnout: Agile audits can be intensive, which may lead to negativity and burnout if not properly managed. 
  • Apply Agile appropriately: Not all audits are suitable for the Agile approach. Businesses may need a hybrid framework to handle unique tasks rather than shoehorn every project through an Agile system.

Other challenges include appointing the right scrum master, adapting to less documentation, management buy-in, and most importantly the availability of skilled and capable internal auditors who are willing participants in agile auditing!

How to Start?

The first step of becoming agile starts with the internal audit function itself. To be precise, it starts with the mindset of the internal audit leadership to determine if it is ready for the change! Once this is accomplished, an evaluation of the capabilities and willingness of the audit team should be performed and a conclusion reached on the amount and type of outside help needed for the transformation. You may wonder if the agile approach is valuable for all internal audit shops? The chairman of the IIA Canada has answered this question as follows:

" I would say, yes. Most internal audit shops are within organizations that are currently exposed to disruption and significant change. The more a process or an auditable entity changes the greater the need for internal audit to have an agile approach to both planning and executing audits. Although, if internal audit is conducting compliance audits or audits related to an area with very little change since the last audit, choosing an agile approach may not add much value", 

The next step would be to educate the audit committee on the importance of the transformation to the agile methodology and to seek their support as well as the support (buy-in) of management.

Many experts advise that the agile approach be applied to a pilot project first. This can be used as a learning curve to evaluate and adjust agile to the company's needs. It may sound funny, but you need to apply the agile methodology to your agile transformation!

Agile requires continuous collaboration and feedback, so make sure that you seek feedback from all stakeholders and evaluate and implement them on a timely basis.

 In conclusion, an agile internal audit is…


The ability and willingness of internal auditors to leave their comfort zone and act swiftly and direct their efforts to risks and disruptions that matter through continuous risk assessment, timely & meaningful communications /collaboration with stakeholders, and utilization of available technology. The ultimate purpose is to provide management with real-time ( or at the speed of risk as some like to call it) insight, advice, and assurance needed to assist them with the decision-making process.





These are my thoughts, please share yours!



 



 ----------------------------------------------------------------------------------------------
 References:



Is Climate Change a Greater Risk in the Middle East than Geopolitical Risks?

  Is climate change a greater risk in the Middle East than geopolitical risks in the next three years? According to the 179 respondents to ...