In this article series, The Agile Internal Audit Journey, Baker Tilly specialists define Agile, walk through its applications to internal audit and offer lessons learned through case study approaches.
In the first article, Agile auditing: transforming internal audit to add greater value, we discussed the role of internal audit, introduced the history of Agile, addressed some common misconceptions about agile auditing and set the baseline for the journey ahead. Progressing forward in our journey, we explore the Agile manifesto and how Agile principles can be applied to internal audit.
An example agile internal audit manifesto:
We are uncovering better ways of executing internal audits by doing it and helping others do it. Through this work we have come to value:
Individuals and interactions over processes and tools
Influential audit reports over extensive audit documentation
Business owner collaboration over audit report negotiation
Responding to change over following a plan
While there is value in the items on the right, we value the items on the left more.
In understanding the manifesto, the items on the right are very important, but the focus should be on investing more time, and determination of greater “value,” on the items on the left (in bold).
Uncovering better ways of executing internal audits through agile auditing
The first part of the manifesto focuses on a mindset, a dedication to continuous improvement. It’s the adherence to a culture of not accepting the status quo, not being complacent with the usual audit programs, or utilizing the same audit testing approach just because “that’s what’s worked”. More importantly, it also focuses on helping others. As an internal partner, the goal is not just to execute but to train, develop and help improve internal audit processes. Consider the following key questions about your internal audit department:
Do you set aside time to discuss better ways of executing internal audits as a team, function or group?
Do you have a center of excellence or committee within internal audit that exists to identify, develop, implement and monitor the impact of your changes and improvements?
Have you aligned your training and talent needs to emerging risk identification?
If using a shared services model for internal audit, do you ask your provider the questions above and do they provide continuous improvement?
If co-sourcing, do you have takeaways and key learnings from your provider that are institutionalized for future efficiencies?
Individuals and interactions over processes and tools
Many internal audit departments focus on efficiency and consistent delivery and communications amongst team members related to various stages within the audit planning, fieldwork and reporting cycle. Such actions include implementation of systems, governance risk compliance (GRC) software, internal audit software and tools and templates. The use of systems and processes are foundational to an efficient means of completing and communicating audit results. Nonetheless, the manifesto value statement intentionally focuses more on the relationships, embracing more face time, understanding that the human element of meaningful interactions drive progress, solutions and agreement. It’s not the GRC system or the templates that helped create an effective and valuable audit. It’s the interactions, the relationship and common understanding with the business process owner, the collaboration on recommendations and communication throughout the audit that drives success and value.
Influential audit reports over extensive audit documentation
There are misconceptions that being agile means less documentation. That is not necessarily the case and should be clarified. Being agile in internal audit can mean focusing on the minimum required documentation of information that is sufficient, reliable, relevant and useful and that will support the engagement results and conclusions.
The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) Standard 2330 – documenting information states, “Perhaps most importantly, work papers contain sufficient and relevant information that would enable a prudent, informed person, such as another internal auditor or an external auditor, to reach the same conclusions as those reached by the internal auditors who conducted the engagement.”
In considering the manifesto, place more value on the “organizational value” of the results of the documentation and conclusions reached. Consider the following key questions in evaluating this part of the manifesto and where efficiencies in documentation can be gained:
Have you reviewed your work paper documentation process and considered assessing where excess or redundancies exists?
Have you received feedback on your reports from management and the audit committee on your report style?
Have you held a brainstorming session and received internal audit report examples from other vendors or companies on how information can be better and more concisely presented?
Does management respond the majority of the time in agreement to your audit recommendations?
Business owner collaboration over audit report negotiation
Consider how the role of internal auditor can add value to and improve the organization’s operations. Management is ultimately responsible for its action plans and implementation of action plans determined to address internal audit findings. However, when internal audit is providing consulting and advisory engagements, you are creating a clear path and alignment to business owner collaboration and improving the organization.
The IPPF Mandatory Guidance Core Principle 10 is promoting organizational improvement. Released in August 2019, the Supplemental Practice Guide to the IPPF “Demonstrating the Core Principles for the Professional Practice of Internal Auditing, Enablers and Key Indicators” elaborates on the Core Principle 10:
“Although the internal audit activity may provide assurance, it may fail to provide consulting/advisory services and may miss opportunities to recommend ways the organization could increase efficiency or streamline the provision of assurance services, ultimately conserving resources and reducing costs. The internal audit activity may also fail to identify root causes, thus leaving the organization open to risks that could have been mitigated”
The opportunities to increase efficiency and streamline assurance is implemented through action taken by business owners. We as internal auditors would agree that when we are collaborating with management before, during and after the audit there is more value gained, a better relationship established and more buy-in from management to the value added.
Responding to change over following a plan
As businesses continue to evolve and expand and find new ways to navigate and manage strategic risks and disruptions – whether it's new technologies, new innovation, or just new product offerings – the pace of change continues to accelerate.
Internal audit is changing. Risk-based audit plans have evolved so they are now updated more frequently and are integrated more with enterprise risk management (ERM) groups to align the view of risk across the organization. Moving to agile auditing will link the internal audit strategy to the organization strategy so that the work that audit is doing can pivot and adapt at any time as business needs or challenges change over the course of time.
The most important aspect of the manifesto statement is the mindset that we are in a position to respond to change, to update the audit plan on a more frequent basis and to be in a position during audits to quickly adapt and shift our fieldwork approach as needed.
Agile principles
The original Agile manifesto authors developed 12 guiding principles that support the values of the manifesto. We have included the original 12 principles below and transformed them into agile internal audit principles:
Focus on outcomes, meeting the needs of the audit committee, executive management and key stakeholders, trusting your team, moving quickly and efficiently. The principles drive a different mindset and culture shift and support self-enablement of teams, creativity and being able to adapt before, during and after an audit.
While the principles above are only examples, consider reviewing the manifesto and the principles. Discuss them with your internal audit department and how they can be modified and adapted to fit your specific needs and facilitate a successful agile internal audit journey.
In the next article we will elaborate on methods using the Scrum framework and how to adapt sprints, iterations, quicker reporting and dedicated team resourcing to your audit fieldwork. We will compare and contrast the difference between traditional auditing and agile auditing.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
