
diligent_sprinting-ahead-with-agile-auditing

The document discusses the transition to agile auditing, emphasizing its necessity in today's complex business environment where internal auditors must be flexible and strategic. It outlines the benefits of adopting agile methodologies, such as enhanced flexibility, timely risk recognition, and improved stakeholder engagement, while also addressing the challenges faced during this transition. The content serves as a guide for organizations looking to implement agile audit practices effectively.

Uploaded by

bosh moh'd

Sprinting Ahead With Agile Auditing


Contents
An Introduction To Agile Internal Audit
The Current State Of Internal Audit
A New Era Of Audit Is Emerging
A Brief History Of Agile
The Agile Manifesto
What Is Agile Audit, Exactly?
An Overview Of Agile Techniques
Why Adopt An Agile Audit Methodology?
Challenges Of Agile Audit
How To Transition To Agile Auditing
Your Get-Started Checklist
Conclusion
Further Learning & Resources


An Introduction To Agile Internal Audit

Internal auditors must be nimble to navigate today’s complex business world, where they’re expected to anticipate risks,
add value, provide assurance, and be more strategic than ever before.
Audit teams are now continuously striving to do everything quicker and more efficiently, usually without enough
resources. In fact, 27% of CAEs cite lack of budget as the key challenge preventing their teams from making more of an
impact in their organizations.¹
As new regulations emerge, cybersecurity and privacy threats introduce new risks, and organizations race to innovate
and disrupt, internal auditors need to be flexible and fast. They must become agile auditors.
First of all, it’s important to emphasize that agile internal audit isn’t about tossing out your existing approaches, nor will it
work in every situation. We want to look at an agile approach to audit not as an automatic replacement for what you’re
currently doing, but as a tool that helps you add even more value.
This eBook explores the benefits, challenges, and best ways to implement agile audit in your organization.

1 Deloitte, 2018, Global chief audit executive research survey

Ebook: Sprinting Ahead With Agile Auditing 3


The Current State Of Internal Audit

A lot has changed for internal auditors over the past couple of decades.
Before the Sarbanes-Oxley Act (SOX), internal auditors could be less visible in an organization. However, once SOX came
into play in 2002, they needed to stand up, speak up, and provide more insight into audits.
Now, there’s no shortage of expectations from regulators, executives, boards, and audit committees. Organizations are
looking beyond simple assurance that controls are effective. The bar has been raised and internal audit is now expected
to be more strategic and forward-thinking.
A global survey of chief audit executives² found that those internal audit groups with the most impact and influence in
their organizations also tend to be the most innovative. (Deloitte analyzed the digital fitness of internal audit functions
by looking at five dimensions: vision and roadmap, ways of working, operations, services model, and stakeholder
engagement.) Similarly, PwC’s 2019 survey³ of the audit profession revealed that organizations that are more “digitally fit”
better support their stakeholders when it comes to taking risks and making decisions.

“Traditional audit approaches and failing to adapt and change will make audit teams obsolete. Being the best at
what we do is how we guarantee success—and agile auditing is one of the tools to help us do that.”
— Dan Clark, an internal auditor with over 30 years of experience

2 Deloitte, 2018, The innovation imperative: Forging internal audit’s path to greater impact and influence
3 PwC, 2019, State of the internal audit profession study



A New Era Of Audit Is Emerging

The profession is changing and internal auditors are experiencing a number of shifts in how they complete their work.

TAKING A RISK-BASED APPROACH TO AUDIT

Traditionally, auditors have taken a controls-based approach to audit. The risk-based method of auditing starts
with business objectives and elevates the questioning of control effectiveness to strategy, process design,
implementation—and the validity of policy and procedures.
This means that organizations can be more insightful and holistic rather than just proactive, reactive, or linear in
their work. But to successfully implement risk-based auditing, an organization must have a solid risk management
framework in place.

USING DATA TO DRIVE AUDIT

Internal auditors now have huge amounts of data at their fingertips—they’re no longer limited to basing conclusions
only on manual controls and limited datasets. It’s easier to provide insights based on multiple data sources and
enhance sampling techniques to ensure statistical confirmation of exceptions.
From planning to fieldwork to reporting, a data-driven audit practice provides several benefits, including:
• Continuous monitoring of assessments, risk indicators, and process performance

• Timely identification of risk patterns and anomalies

• Automation of routine tasks

• Flexibility to scope emerging risk trends into audit plans

• Increased visibility with one-click reports and dashboards.



BECOMING TRUSTED ADVISORS

Gaining stakeholder trust is paramount in your journey from assurance provider to advisor. Richard Chambers,
President and CEO of the Institute of Internal Auditors (IIA), states that trusted advisors must “provide insight and
foresight, not just hindsight.”⁴
According to PwC’s Internal Audit Advisory report, becoming a trusted advisor means “Providing value-added
services and proactive strategic advice to the business well beyond the effective and efficient execution of the
audit plan.”⁵
By following a risk-based, data-driven path, internal auditors are already well on their way to becoming trusted
advisors. Add agile audit into the mix, and think of the possibilities!

4 Richard Chambers, 2017, Trusted advisors: Key attributes of outstanding internal auditors
5 PwC, 2017, Internal Audit Advisory: Confident and informed decision making for your third line of defense



A Brief History Of Agile
The agile approach can be traced to its roots in software
development, but it’s since transformed many business
functions, including internal audit.

Back in the early 2000s, software development teams were getting frustrated by the rigid methodologies available to
them. The waterfall approach was the most common, which is a sequential process that divides work into linear phases.
Using the waterfall method, developers would identify a problem and plan a solution, which could take months or even
years. As the team completed each step before moving on to the next, they would stick tightly to the project scope and
requirements.
As a result, products were being completed and delivered after long developments, but they no longer met customer
needs. There were also many unfinished projects, as teams would often abandon limping initiatives rather than see them
through to the end.
Business leaders recognized that the software industry wasn’t keeping up with the quick pace of technology and market
change, but what was the answer? It arrived in 2001, when a group of 17 developers met at a ski resort in Utah and
created what’s now known as the Agile Manifesto⁶ (see below).
Following the manifesto’s creation, these thought leaders created the Agile Alliance, a non-profit organization with more
than 60,000 global members and subscribers who share agile-related resources and events.
Although the agile approach was originally created for software and IT, its framework is relevant and translatable across
every industry, including audit.

6 Principles behind the Agile Manifesto, https://agilemanifesto.org/



The Agile Manifesto
We follow these principles.

Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.

Welcome changing requirements, even late in development. Agile processes harness change for the
customer’s competitive advantage.

Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the
shorter timescale.

Business people and developers must work together daily throughout the project.

Build projects around motivated individuals. Give them the environment and support they need, and trust
them to get the job done.

The most efficient and effective method of conveying information to and within a development team is
face-to-face conversation.

Working software is the primary measure of progress.

Agile processes promote sustainable development. The sponsors, developers, and users should be able to
maintain a constant pace indefinitely.

Continuous attention to technical excellence and good design enhances agility.

Simplicity — the art of maximizing the amount of work not done — is essential.

The best architectures, requirements, and designs emerge from self-organizing teams.

At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior
accordingly.



What Is Agile Audit, Exactly?

The main difference between agile auditing and traditional auditing is flexibility. Instead of rigid, single-phase planning,
agile auditing centers around fluid, iterative planning on an ongoing basis.
In traditional audit, the planning, fieldwork, review, and reporting stages can take up to eight weeks, and sometimes
even longer. But in agile audit, each phase is completed in a much shorter time frame. There’s a core focus on
collaboration and communication between the audit team and stakeholders throughout the entire experience.

Agile audit practices are gaining momentum: 55% of internal audit groups are either using agile internal audit methods or
are considering adopting them.⁷

While audit quality is always a key consideration, the priority is on speed and efficiency over delivering a perfectly
polished project at the end.
This “try fast, fail fast” design accounts for the unexpected in case the team needs to suddenly shift gears. And while
everyone has a different role, the team is trusted to be self-organizing and cross-functional.

7 Deloitte, 2018, Global chief audit executive survey



The Four Principles That Drive Agile Project Delivery

People-driven insight OVER Predictable process and procedure
Client collaboration OVER Audit mandate
Responding to change OVER “Not in the scope”
Flexibility OVER Process rigidity

An Overview Of Agile Techniques

Scrum

This common agile methodology has small cross-functional teams work on audit projects for short periods of time
(usually two-week sprints). Teams track the progress of audit tasks using the following categories: backlog, to do, in
progress, done, and complete. The Scrum team is self-governing and determines what to tackle within each sprint.

Sprints

Tasks are completed during time-boxed intervals, which can include:


• Sprint planning: The team decides which product backlog (a prioritized features list) items to work on and plans
how to complete each.
• Daily Scrum: A 15-minute (often standup) meeting.
• Sprint review: The team holds an informal meeting.
• Sprint retrospective: The team meets to discuss how they’re doing and ways to improve.

MoSCoW

An acronym for “Must have, Should have, Could have, and Will not have.” This approach helps stakeholders prioritize
tasks to determine which audit activities will add the most value. It can be a challenge to use MoSCoW when auditors
are set in their ways of covering everything on a specific audit.⁸

Kanban

A Kanban board is often used in Scrum to visualize the team’s progress at various stages and to promote transparent
communication. A Kanban board displays cards and columns to help teams commit to and complete tasks.

Shu Ha Ri

This is a Japanese martial art concept that describes the progression of learning. Because the “student” first starts
learning and then gradually moves toward mastering a skill and letting go of old habits, it can be a good introductory
method for inexperienced agile audit teams. In a highly regulated industry (e.g., financial services or healthcare), this
method also means minimal to no changes in auditing methodology.

8 Imtiaz Hussain, 2019, Internal auditing the agile way



Why Adopt An Agile Audit Methodology?

There are many ways that agile auditing can benefit your
organization.

1 Enhanced flexibility
The elastic planning cycle of agile audit allows teams to prioritize tasks based on risks and company needs.
Instead of following a rigid internal audit plan, there’s a continually updated backlog of audits and projects.
Communication is more frequent and informal.

2 More timely recognition of emerging risk


Because agile audit relies heavily on data analysis, the establishment of risk indicators and trend analysis will alert
the audit team to emerging trends that can be either positive or negative. Reacting to those trends as they start
to emerge can mitigate significant impacts much earlier than in traditional auditing techniques.

3 Increased ability to analyze data


Agile audit integrates data analysis more thoroughly into the audit process through routine indicator monitoring
and trend analysis. Because of that, auditors tend to have greater access to data, systems that house data, and
to line of business data experts. Through these interactions and use, the auditor naturally learns more about
analyzing data—and how to question what they see. As a result of working more closely with business data
management experts, the skill level of the audit team grows.

4 More comprehensive review of processes


Process indicators are typically scattered throughout a project and aggregated to represent overall
effectiveness. By reviewing these indicators, auditors can prove integrity by process segment as well as by
process itself. This allows for a more holistic analysis and understanding of results.



5 Breakdown of functional or procedural divisions
Agility supports process improvement and development. Auditors can use change management techniques to
quickly review shifting plans and highlight impacts to the entire project, not just the segment being enhanced or
redesigned. A greater unity with the business team enables auditors to add real-time value, rather than waiting
until after changes have been fully implemented.

6 Limits financial losses by recognizing broken controls sooner


Through indicator monitoring and trend analysis, audit teams recognize potential control breaks—and the
financial ramifications—sooner. Whether it saves the company millions of dollars or isn’t a significant loss,
discovering control breaks early on allows for timely remediation/action.

7 Provides management with real-time risk analysis/confirmation of control effectiveness


When auditors are aligned to process changes or implementations as part of the agile audit approach, controls
can be tested immediately. Ineffective controls can be redesigned/enhanced and retested on the go, allowing a
process to continue to evolve while providing assurance to management.

8 Real-time assurance
Because you’re working with accelerated delivery cycles, you can reassess your work every two to three
weeks. This means that results and insights are realized more quickly, feedback is faster, and teams can
immediately incorporate their findings into ongoing development phases.

9 Improved engagement and transparency


Open communication is encouraged and welcomed, so issues are surfaced before they become blockers.
Management gaps are bridged by frequent and holistic reviews. All stakeholders are involved throughout the
entire process, so nobody is left out of the loop.

10 Customers are happier


With agile internal audit, there are no surprises. The more an auditor knows—and the sooner they know it—the
better they can help the business address potential control and risk issues. Because you’re limiting the negative
impact on customers or staff, management will also be pleased.



Challenges Of Agile Audit

Unfortunately, agile methodology isn’t a magic wand, and it
does come with its own challenges.
Despite its advantages, agile audit isn’t magically going to make your life easier, nor is it a breeze to implement. It takes
time and effort to transition to an agile mindset (more on how to do that later). For now, here are some of the obstacles
you could face as you start your journey to agile.

Regulators and external auditors


Regulators play a central role in industries like financial services, healthcare, government services, and
insurance, and external auditors are focused on financial accounting compliance. Both of these stakeholders
expect to rely on internal audit to follow the traditional audit process rather than an agile one.

It can be an uphill battle to convince clients


Work habits are usually deeply ingrained. Management, the audit committee, and/or the board of directors
may struggle to see how audit can go agile, or fight changing “the way we’ve always done it.” A top-down
approach won’t work.
Agile internal audit relies on decentralized decision making, which can definitely cause growing pains. This
flexible framework is bound to fail if audit executives try to dictate its implementation and use.

Transforming culture and mindset


For agile to succeed, there needs to be an organization-wide shift. Executives and management must
understand and champion it, and audit leadership has to be the driver for change.

“Chains of habit are too light to be felt until they are too
heavy to be broken.”
— Warren Buffett



Balancing agility and assurance
Becoming more agile isn’t about neglecting the necessary documentation to deliver results faster and better.
Internal audit is responsible for supporting the organization’s need for speed, but not at the expense of
providing assurance that appropriate controls are in place.

Inexperience is to be expected
There’s going to be a learning curve any time an organization introduces something new, and agile auditing is
no different. It’s going to take time for everyone to become fluent in the language of agile audit.

FROM EMPATHY TO IMPROVED AUDIT

Capital One conducted “empathy research” to learn how auditors and auditees experienced the audit process. They then:
• Improved analytics
• Created new data visualizations
• Piloted “agile pods”—small cross-functional teams of auditors and business partners assigned to a specific task and
related risk.

The results were improved relations with stakeholders, more relevant audit reports, a highly engaged audit team, and the
attraction of top talent.⁹

9 Protiviti, 2019, Internal audit leaders adopt agile methods to meet next-gen audit expectations



How To Transition To Agile Auditing

Successfully implementing agile into your internal audit practice
begins with defining your organization’s manifesto, so to speak.
Whether your method is going to be Scrum with a Kanban board or utilizing Shu Ha Ri, you start by narrowing down an
approach. It’s also important to:

Understand that it isn’t all-or-nothing


Especially for heavily regulated industries, traditional audit steps are often required. It’s okay if agile doesn’t fit into
every internal audit activity.

Get management buy-in


To get off the ground with agile auditing, management and key stakeholders must first support it. A good place to
start is to share a roadmap that illustrates how agile will add value and to start with a trial or pilot to evaluate and
update as needed.

School your staff


Whether it’s bringing in a seasoned agile audit team or working with an agile coach, properly educating people
on upcoming changes and expectations is essential.¹⁰

Streamline project planning


An audit project canvas¹¹ is a one-page planning document that’s developed by the audit team, product owner,
and key stakeholders. You can use it to succinctly communicate everything from cross-functional impact to value
drivers. It ensures everyone is aligned from the start and it can replace multi-page audit planning documents.

Stock your toolbox


There are plenty of online collaboration tools for task and workflow management—from online Kanban boards to
Scrum software. Diligent’s Audit Management™ is an audit management solution that can scale with you as you
transition to an agile mindset.

Know what to document


Internal auditors must understand which documentation matters and which doesn’t in an agile environment. Each
organization will have to define their requirements for project management and reporting documentation.

10 KPMG, 2019, Agile internal audit: Matching the pace of change
11 Deloitte, 2018, Mind over matter: Implementing agile internal audit



Your Get-Started Checklist

Read more to further understand agile audit methodology.

Self-assess your own process to see where and how to tailor agile for fit.

Self-assess your current staff and determine adaptability.

Determine which agile methodologies and techniques (e.g., Kanban, Scrum, etc.) will work best for your audit team.

Get the audit committee to sign off on change.

Get senior management buy-in.

Based on feedback above, develop an implementation plan for the audit team.

Update middle management on forthcoming changes.

Develop an audit process and documentation requirements.

Pilot the process with one business leader.

Review the pilot, adjust the process, update your implementation plan
and go for it!

Conclusion
As internal audit strives to stay lean while keeping up with
changing business and risk environments, flexibility is a must.
Agile audit can minimize operational losses because:

• Issues are found, elevated, and resolved more quickly

• Control structures and processes become more efficient

• The organization’s overall risk exposure is reduced

We hope that this eBook has given you an integrated look at how agile auditing might make sense for your
organization.



Further Learning & Resources

AGILEALLIANCE.ORG
A non-profit member organization dedicated to promoting the concepts of agile software development, as outlined
in the Agile Manifesto.
https://www.agilealliance.org/

MIND OVER MATTER: IMPLEMENTING AGILE INTERNAL AUDIT
Although the concepts of agile internal audit, which emphasize fluidity over formality, are simple, putting them into
action has been more difficult than some audit functions have anticipated.
https://deloitte.wsj.com/riskandcompliance/2018/08/06/mind-over-matterimplementing-agile-internal-audit/

AN AGILE APPROACH TO INTERNAL AUDITING
An overview of how the values and principles behind agile software development apply to the field of
internal auditing.
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2018/an-agile-approach-to-internalauditing

WHAT AGILE MEANS FOR INTERNAL AUDIT
Before rushing to adopt agile methods, audit leaders must clearly define their objectives and their own willingness
to change.
https://www.gartner.com/smarterwithgartner/whatagile-means-for-internal-audit/

3 WAYS INTERNAL AUDIT CAN STRIKE A BALANCE BETWEEN PRODUCTIVITY & CONTROL
Internal audit must know how to respond when business process owners want to go faster and document less.
https://www.corporatecomplianceinsights.com/audit-business-process-documentation/


About Diligent Corporation


Diligent is the leading governance, risk and compliance (GRC) SaaS provider, serving more than one million users from
over 25,000 organizations around the globe. Our modern GRC platform ensures boards, executives and other leaders
have a holistic, integrated view of audit, risk, information security, ethics and compliance across the organization.
Diligent brings technology, insights and confidence to leaders so they can build more effective, equitable and
successful organizations.


© 2022 Diligent Corporation. “Diligent” is a trademark of Diligent Corporation, registered in the US Patent and Trademark Office.
“Diligent Boards” and the Diligent logo are trademarks of Diligent Corporation. All third-party trademarks are the property of their
respective owners. All rights reserved.
