Agile for audit
The recent ABMC article about the audit group at Suncorp adopting agile practices was heartening. Historically, agile and audit have gone together like oil and water, and as a former auditor the story struck a chord. In my experience, auditors tended to view agile suspiciously and as a ‘thing to deal with,’ rather than an opportunity for the broader organization, or, even, an opportunity for themselves. Indeed, while leading audit organizations have recently issued governance and best practices guidance for agile (see the UK NAO along with my former organization, the US GAO), stories of adopting such practices are rare.
Auditors, just like their auditees, need to do more with less. Technology is changing, budgets are tight, decision cycles are speeding up. Organizations across the world, IT and non, have adopted agile as a way to tackle these challenges, and the Suncorp example demonstrates that it’s possible for audit to do so as well. By moving closer to the values of the Agile Manifesto, their audit group scored some great wins in terms of improved transparency, greater efficiency, and happier teams.
As the classic audit report would say, however, progress has been made but challenges remain. Organizations adopt agile because they value working software (over comprehensive documentation), but audit is only sipping the kool-aid, as it were. Organizations adopt agile in order to deliver value early and often, and correspondingly to burn down risk more quickly. This allows them to do more with less - keeping up with changing technology, delivering top priorities within a tight budget, and staying ahead of the decision cycle. If audit faces the same challenges, can’t audit adopt similar strategies to overcome them?
The answer, or part of it, may lie in the direction of continuous auditing and continuous assurance, which bear some striking resemblances to agile. These approaches emphasize breaking down and prioritizing the audit approach, with a continual pace of evidence collection and analysis driven by the nature of the underlying business. This allows the auditor to provide more real-time information about the control environment and deliver on-demand audit reports. Further, a key to continuous audit and assurance is the use of technology to automate testing where possible, as well as to document and integrate findings.
This should sound familiar. The continuous audit work and on-demand delivery of reporting parallels agile ideas about developing on cadence and delivering on demand. The emphasis on automated tools also bears great similarity to agile principles. And the corresponding benefit of a steady stream of value delivery, as opposed to big bang projects, also sounds rather agile-ish. Lastly, the conceptual picture of what this kind of delivery can do for a control environment is striking, as controls effectiveness is maintained over time rather than allowed to decrease during (potentially lengthy) periods between audits. ISACA has a great journal article that illustrates this point.
These are not new ideas, but nor are they oft implemented. While the approaches may be complex, one article found that there simply hadn’t been demand for their adoption. But there may be a great opportunity for audit to move in this direction. The critical step will be a rethinking of the assumption that audits should result in a lengthy report that can be tossed, with a satisfying thud, onto someone’s desk. Audit may need to reconsider what constitutes its “working software,” how to break it down into thin verticals or into MVPs, with an eye towards delivering early and often. Such an approach could provide better bang for the audit buck and improve control environments in the bargain.
Matt is an experienced IT analyst who currently works in a small software company delivering association management solutions across the United States and Canada. He has previously worked on IT issues and with troubled IT projects across the U.S. federal government, providing in-depth analysis and key recommendations to the Congress as well as the federal agencies. He has experience and knowledge related to: agile development and adoption, cost estimation, project scheduling, and requirements management.