Internal Audits That Create Stakeholder Value: Adopting an Agile Mindset

Auditing exists in an environment of uncertainty and risk, and internal audits are meant to help organizations determine whether controls are in place that reduce risk in various operations and processes. However, there are ever-present auditing challenges such as a lack of senior management support, insufficient audit preparation time, difficult auditees and lack of time needed to write audit results. If auditing is to effectively identify inconsistencies, inefficiencies and regulatory compliance issues, relationship building is necessary through ongoing stakeholder engagement activities. A solution to this challenge is the Agile Scrum mindset. Agile Scrum is a lightweight framework that promises to significantly improve internal audits by creating a mindset that generates stakeholder value through adaptive solutions for complex auditing problems.

The Agile Scrum mindset supports a collaborative small team approach and avoids the us-vs.-them trap of imposing detailed instructions that often do not account for complex auditing environments. Instead, an Agile mindset generates value by suggesting adaptive and incremental solutions to complex problems based on transparency that enables process inspections. The inspections facilitate the necessary feedback and change that creates benefit realization or value as perceived by the stakeholders.

Organizations are facing unprecedented changes and pressures in today’s enterprise landscape; therefore, internal audits must keep leaders informed and aware of potential risk. The Agile Scrum mindset places a strong emphasis on stakeholder engagement by actively involving stakeholders in the internal audit process and seeking feedback and collaboration throughout the audit engagement, which can improve communication and collaboration, resulting in better audit outcomes.

The Traditional Approach to Internal Auditing

Internal auditing generally uses a structured, traditional Waterfall approach that consists of several linear stages that flow from preplanning, planning, fieldwork, reporting and follow-up with no substantive provisions for backtracking.¹ The benefits of this approach to auditing are the extensive documentation and definition of requirements up front with a phased development cycle that clearly defines starting points and conclusions, which helps manage and monitor project status. Cost estimates are enhanced with defined requirements and phased development.

One shortcoming of this approach is that clients may need help conceptualizing the audit scope in terms of functional specification requirements. Other issues are the need for more flexibility to cater to new developments or changes in conditions that may occur after the initial consultation. Changes due to various factors or market influences may not be considered when planning is done up front.

Rather than provide people with detailed instructions, the rules of Agile guide relationships and interactions between the Agile elements.

The Agile Framework

Unlike the traditional Waterfall approach, Agile is highly responsive to feedback and change.² The Agile framework facilitates auditors in addressing multifaceted adaptive issues while productively and creatively delivering product increments with the highest possible client value.

Agile is not a prescriptive approach, methodology or body of methods or procedures. It is a purposely incomplete framework consisting primarily of values and principles. The Agile framework explicitly avoids the specification of particular techniques or processes. Instead, it is used as guidance for choosing methods and procedures that will work best for the audit team.

Agile values and principles do not prescribe how an audit team should work. The focus is on helping the audit team think and interact in ways that favor agility. Agility is the ability to continually adapt and make improvements as soon as they are needed. If Agile were a methodology, it would be less able to adapt to the specific circumstances experienced by audit teams.

Therefore, Agile does not explicitly mandate what to do; it only establishes values and principles that the audit team should consider when deciding what to do. Rather than provide people with detailed instructions, the rules of Agile guide relationships and interactions between the Agile elements. The Agile framework is loosely defined, only describing the elements required to implement an Agile practice. Agile is built on the collective intelligence of the people using it.

Agile Scrum is one of the most popular Agile frameworks for developing products and services. Other Agile practices include Kanban, Lean, Dynamic Systems Development Method, Extreme Programming, Crystal and Feature-Driven Development (figure 1).³ While many Agile practices exist, it is important to choose the best framework to meet the auditing needs of the organization.

Source: Project Management Institute (PMI), Agile Practice Guide, USA, 2017, https://www.pmi.org/pmbok-guide-standards/practice-guides/agile. Copyright and all rights reserved. Material from this publication has been reproduced with the permission of PMI.

It is well worth the time required to investigate the different types of Agile practices and their pros and cons through a collaborative discussion between audit teams, organizational leaders and other stakeholders focused on which are most appropriate for the audit project.⁴

Agile Scrum Practice

The word “scrum”, which was adopted from rugby, refers to a small team working collaboratively toward a common goal.⁵ While the scrum concept was initially used in the software development industry, it has expanded across multiple organizations, areas and projects. Agile Scrum is a project management philosophy that is incremental and iterative. Scrum is an Agile practice that is ostensibly well suited for internal audits.⁶ It is founded on empiricism and lean thinking. Empiricism affirms that knowledge comes from experience and that decision-making is improved based on what is observed. Lean thinking eliminates or reduces process waste and focuses on the essentials.

Agile Scrum is an effective way of applying Agile’s values and principles; however, it should be noted that following Scrum constructs (e.g., daily stand-up meetings, fixed-length sprints, product demos and retrospectives) does not make an audit team Agile. An audit team uses Scrum concepts because it helps them align an audit engagement with Agile values and principles. Teams that embrace Agile principles and values are better positioned to leverage change in a way that creates competitive advantages by providing opportunities for improvement, identifying better procedures and applying corrective actions to achieve conformance.

Agile Values Manifesto

The Agile Manifesto documents the values underlying the Agile philosophy and facilitates adoption of a mindset that promotes more efficient and sustainable teamwork.⁷ The manifesto’s four core Agile values are:

1. Individuals and interactions over processes and tools
2. Working software over comprehensive documentation
3. Customer collaboration over contract negotiation
4. Responding to change over following a plan

This manifesto advocates continual incremental improvement through small and frequent releases, coupled with ongoing stakeholder collaboration superseding processes. The four fundamental values in the Agile Manifesto guide audit engagements through application of the 12 Agile principles; and each principle provides more detailed advice on applying the Agile values. 

Agile Principles

The 12 Agile principles can support the streamlining of audit cycles to achieve better results through flexible, reactive and cooperative efforts. Suppose the Agile principles are applied appropriately with timely stakeholder feedback with incremental developments. In that case, clients may receive the finished audit reports sooner with more valuable feedback that informs management decision-making efforts without surprises.⁸

The 12 Agile principles establish the core tenets of the Agile mindset. They should not be viewed as a set of rules for practicing Agile, but as guidelines for developing an Agile mindset. The emphasis is on setting a mental model for conducting an internal audit that focuses on stakeholders, collaboration and continuous improvement without prescriptively detailing the audit process. The application of the Agile principles varies based on stakeholder needs and audit scope. The 12 principles are:

1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software—The term “working software” should not be interpreted literally. Although Agile Scrum was originally developed for software development projects, the concepts can be applied to any high-uncertainty project with high rates of change, complexity and risk. By reducing the time between audit planning, reporting and soliciting feedback, audit teams can focus on high-priority issues, resulting in delivery of what the client wants even if that is different than what was planned.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage—The strength in an Agile mindset lies in the ability to pivot as needed without continually reinventing the wheel. Audit teams should embrace change even when it occurs late in the process. Needed adjustments should be addressed immediately in the next sprint iteration. Sprints, which typically start every two or four weeks, are container events that include sprint planning, daily Scrum meetings, sprint review and sprint retrospective. These events are specifically designed to enable transparency, which enables inspection. Inspection facilitates adaptation. Each event in Scrum is an opportunity to inspect and adapt Scrum product increments.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference for the shorter timescale—To embrace change, one must relinquish the etched-in-stone schedule and create a shorter timeline for completing tasks. This is often achieved by eliminating the unnecessary documentation that is typically part of the traditional internal auditing process. Having a documented paper trail does not necessarily create value—it may only bog down the process.
4. Business teams and developers must work together daily throughout the project. When using an Agile Scrum method, stakeholders create value through their collaborative efforts and exchanges of ideas. Communication and ongoing stakeholder feedback builds a bridge between the auditors and the client, which is crucial to any audit engagement success.
5. Build projects around motivated individuals. Give them the environment and support they need and trust them to get the job done—The success or failure of an audit hinges on the collective efforts of the people involved. A project should allow people’s talents to flourish without micromanagement. Audit teams should be empowered, self-managed and self-organized and, therefore, should be trusted to do the work. The best possible audit teams should be assembled and left to do what they can.
6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation—Documenting conversations and creating email threads have their place, but the meaning and understanding gleaned through face-to-face communication are paramount for effective communication. Such communication incorporates body language, tone and spoken words. Understanding all three aspects of face-to-face communication is necessary to retain meaning.
7. Working software is the primary measure of progress—The software (or other product or audit process deliverable) should functionally work; it should not be theoretical or conceptual. Audit team members should be willing to take on different roles and responsibilities as needed to deliver a working product that will incrementally meet sprint goals. A working product increment allows the team to inspect and adapt the audit to meet the client’s needs. An inspection enables adaptation.
8. Agile processes promote sustainable development. The sponsors, developers and users should be able to maintain a constant pace indefinitely—Timeboxed sprints of activity are a fixed period of time during which a sprint task must be accomplished, usually two or four weeks. These short durations create a development cadence to help the team maintain focus and motivation without being overtaxed. Team burnout may jeopardize the quality of the audit.
9. Continuous attention to technical excellence and good design enhances agility—The goal of any process should be continuous improvement. Specifically, sprint retrospective events focus on ways to increase quality and effectiveness. The audit team inspects how the last sprint went regarding individuals, interactions, processes and tools. Topics discussed may include what went well during the sprint, what needs improvement and how issues were (or were not) solved.
10. Simplicity, the art of maximizing the amount of work not done, is essential—Keep it simple. Making tasks easy to understand without providing too much detail helps teams stay focused. Tasks that are easier to understand are more likely to be adopted and improved. Simplicity often offers the best route to a quick win.
11. The best architectures, requirements and designs emerge from self-organizing teams—A capable audit team should be afforded the autonomy to act and think independently. Self-managed, self-organized audit teams are empowered to adapt and change quickly. This trust conveys a sense of empowerment, facilitating creativity and innovation in the team’s efforts to address issues and resolve them.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly—The audit team needs to be engaged and look for ways to improve the audit’s productivity. Team members must not be constrained to follow protocol blindly but allowed to think through the intricacies of the audit and adjust when necessary. An empowered audit team can stop, reflect and adapt processes throughout the audit.

When using an Agile Scrum method, stakeholders create value through their collaborative efforts and exchanges of ideas.

Agile Mindset: Stakeholders’ Engagement

Understanding and applying Agile values and principles create a mindset, or set of beliefs, which shapes the audit team’s view of audits (figure 2).

Source: Project Management Institute (PMI), Agile Practice Guide, USA, 2017, https://www.pmi.org/pmbok-guide-standards/practice-guides/agile. Copyright and all rights reserved. Material from this publication has been reproduced with the permission of PMI.

The Agile mindset is manifested through many different practices such as Scrum, Kanban and XP, and the appropriate Agile practice should be selected based on the team’s skills, client involvement, organization culture, audit nature and constraints.

The core aspects of an Agile audit are organizing work into manageable components and empowering audit teams.

But another main aspect of the Agile framework is to create an engaged, small team (fewer than 10 individuals) that is assigned to a sprint and holds regular meetings to discuss work completed, work in progress and any progress impediments. Such visibility creates focus, helps to resolve challenges early, and fosters creativity and accountability within the team.⁹

Teams are then well positioned to address stakeholder feedback, which is critical input for creating stakeholder value. Unlike the traditional approach to auditing, the Agile framework encourages stakeholder engagement more often and throughout the sprint cycles. This engagement creates stakeholder buy-in and satisfaction by providing timely insight into issues discovered during the audit.

Stakeholder engagement should occur early and often throughout the audit, establishing a precedent that stakeholder involvement is expected and essential. To reinforce this concept, stakeholders should collaborate on the audit requirements discussions to share their value perspectives.

This inclusivity engenders a sense of cohesion and collaboration in Agile teams. Stakeholders tend to be attentive to issues that involve them. Helping stakeholders understand the importance of their roles in the audit process increases their knowledge of the audit’s benefits and their involvement with the Agile team.

Understanding and applying Agile values and principles create a mindset, or set of beliefs, that shapes the audit team’s view of audits.

Active stakeholder engagement is necessary for high-quality internal audits. Stakeholders should actively participate in audit priority discussions with the Agile team since they are integral to decision-making. Their feedback is invaluable for creating shared benefit realization. Listening to feedback reassures stakeholders that their opinions are heard and valued. Ensuring their involvement early and often in the auditing process will significantly improve audit quality. The cadence of sprints and the ongoing emphasis on collaboration, assessment and prioritization also mean that when new or evolved risk surfaces, the audit team is able to adapt appropriately and respond quickly.¹⁰

Unlike the traditional audit methodology, an Agile audit emphasizes people over processes and tools and features quick iterative planning and task prioritization in response to change.

Conclusion

The Agile Manifesto documents the fundamental values and principles behind the Agile philosophy and facilitates a mindset that allows teams to work more efficiently and sustainably.¹¹ This manifesto advances ideas that encourage continuous incremental improvement through small and frequent releases coupled with the core principle that ongoing stakeholder collaboration should supersede processes. Unlike the traditional audit methodology, an Agile audit emphasizes people over processes and tools and features quick iterative planning and task prioritization in response to change.

Agile’s adaptive approach mindset is applicable in several other areas beyond internal auditing, including DevOps and cybersecurity. But in audit, Agile means faster delivery of insights to the business, and an internal audit team that is nimble and client-focused adds value by adopting a mindset that focuses on adapting and responding to the client’s needs. The benefits include timely assurance, better anticipation of risk, early insights and visual audit reports that are impactful, readable and relevant. Internal auditors must prioritize requirements while collaborating with stakeholders and addressing their needs instead of enforcing rigid process activities.

Endnotes

¹ Pitt, S.-A.; Internal Audit Quality, John Wiley and Sons, USA, 2014, https://onlinelibrary.wiley.com/doi/10.1002/9781118777213.ch11
² Kagermann, H.; W. Kinney; K. Küting; C. Weber (eds.); Internal Audit Handbook, Springer, Germany, 2008, https://doi.org/10.1007/978-3-540-70887-2_6
³ Project Management Institute (PMI), Agile Practice Guide, USA, September 2017, https://www.pmi.org/pmbok-guide-standards/practice-guides/agile
⁴ Cobb, C.; Making Sense of Agile Project Management, John Wiley and Sons, USA, 2011, https://doi.org/10.1002/9781118085950.ch2
⁵ Blankenship, J.; M. Bussa; S. Millett; “Managing Agile Projects With Scrum,” Pro Agile .NET Development With Scrum, Apress, USA, 2011, https://doi.org/10.1007/978-1-4302-3534-7_2
⁶ DeRoche, T.; “Defining Agile Audit,” Agile Audit Transformation and Beyond, CRC Press, USA, 2022, https://doi.org/10.1201/9781003201571-1
⁷ Hazzan, O.; Y. Dubinsky; “The Agile Manifesto,” Agile Anywhere, SpringerBriefs in Computer Science, USA, 2014, https://link.springer.com/chapter/10.1007/978-3-319-10157-6_3
⁸ Williams, L.; “What Agile Teams Think of Agile Principles,” Communications of the ACM, vol. 55, iss. 4, 2012, https://doi.org/10.1145/2133806.2133823
⁹ Bibik, I.; “Agile Scrum Deep Dive,” How to Kill the Scrum Monster, Apress, USA, 2018, https://doi.org/10.1007/978-1-4842-3691-8_3
¹⁰ Bigley, J.; K. Walters; “Agile Scrum Pedagogy: Leveraging Collaborative Corporate Practices to Enhance Engagement,” Journal of Humanities and Social Sciences, vol. 4, iss. 2, 5 November 2021, https://www.opastpublishers.com/open-access-articles/agile-scrum-pedagogy-leveraging-collaborative-corporate-practices-to-enhance-engagement.pdf
¹¹ Yi, L.; “Manager as Scrum Master,” 2011 AGILE Conference, USA, August 2011, https://doi.org/10.1109/agile.2011.8

THOMAS J. BELL III | PH.D., CISA, CRISC, COBIT 2019 FOUNDATION, LEAN SIX SIGMA GREEN BELT, ITILV4, PMP, PMI-SP, PSM, PSPO

Is a professor of business administration at Texas Wesleyan University (Fort Worth, Texas, USA). He has more than 30 years of experience in IT systems and has participated in and led adaptive, predictive, and hybrid projects and audits. He also has peer-reviewed journal publications on project management leadership styles, auditing behaviors, team dynamics and certification pedagogy.