Common Misconceptions About Agile Auditing

Before the pandemic disrupted our lives, I attended a fascinating webinar in which the head of a very large internal audit shop shared lessons learned from the department’s Agile journey. Much to my surprise, it wasn’t about how the group evolved over an initial transition period and then suddenly declared itself an Agile shop. That’s not how it works! It made me realize I had mistakenly fallen for some of the seemingly popular myths about becoming more Agile in internal auditing when I first heard the buzzword.

Let’s face it – there are not a lot of Agile internal audit examples available yet to inspire us. And it’s downright scary to put forth effort toward such a mysterious vision that undoubtedly looks quite different across audit functions. However, this should not stop us from exploring the use of techniques from the Agile software development world; it’s the right path to take, plain and simple. Despite our natural skepticism as internal auditors, I’d like to tackle what The Mako Group believes are the top three misconceptions related to going Agile.

Myth #1: Agile is a silver bullet
Agile remains an elusive term that many internal auditors have not yet been exposed to. For others, it’s not difficult to be deceived into thinking that going Agile will solve all problems within their internal audit department. While numerous benefits can be realized by becoming more Agile, full-blown Agile is not necessarily for everyone, even for very large internal audit shops. This means that utilizing an Agile framework may apply easily to some areas, like assurance engagements, but it may not make as much sense to implement for other areas, such as external audit assignments. And what has worked well for one audit department may not be successful for another. What’s important is to keep an open mind and be willing to try new things.

Since Agile comes from the software development field, half the battle is determining how to interpret Agile concepts in the context of internal auditing. A common mistake right off the bat, even for software developers, is viewing Agile as a methodology rather than a framework. Yes, there’s a difference! Agile provides an approach and expectations for managing the process but not formal prescriptions for performing the work. Therefore, adopting Agile will not magically solve a department’s lack of proper training on audit fundamentals for inexperienced or rotational staff, as an example. Nevertheless, Agile values should give direction to the actions and behavior of internal audit leadership.

Myth #2: Agile requires a rigid process
Internal auditors like to avoid reinventing the wheel whenever possible, as we often conclude there’s no point in creating something new if it already exists. Agile challenges this way of thinking, and that’s why many of us are so intimidated by the notion! As a framework, Agile provides only a loose structure that leaves options for different practices and tactics to play the game. Thus, we cannot expect to become more Agile solely by acquiring fancy new tools and templates. The truth is that Agile is much more about our attitude than it is about the process. That’s why a department’s ability to demonstrate conformance to The IIA’s Standards, for example, should not be impacted.

Because Agile is a mindset, there’s a steep learning curve that must be accounted for when embarking on an Agile journey. While Agile can certainly result in some quick wins, it may be startling to many internal auditors that it’s perfectly normal to experience an initial decrease in productivity. Even for small internal audit shops, it takes time to understand key Agile terminology, not only for the audit staff but also for the auditees. There may be a tendency to overengineer the process, but flexibility is what’s truly required to find a healthy balance of agility for an internal audit department.

Myth #3: One must go Agile or go home
If a company’s IT strategy already embraces Agile values, the internal audit department may not have much trouble proceeding with an Agile framework, regardless of the group’s size. On the other hand, pursuing an Agile approach to internal auditing without tangible support from the board or senior management may appear to be an undertaking doomed to failure. The good news is that the possibilities are endless, whether the desire is to go all-in or only dabble in Agile techniques. A true Agile transformation is iterative, which is why it cannot happen overnight. Rest assured, though, that small changes over time ultimately lead to larger waves of improvement.

Agile: It’s not just a buzzword
There’s no time like the present to explore what it means to be Agile in internal auditing, especially since many of us working safely through the pandemic are seeking additional ways to stay connected. In fact, I recently conducted an Agile training session via conference call to highlight my company sprint retrospective events, which, among other things, can help ensure every team member’s voice is heard. Besides increased team productivity, becoming a Certified ScrumMaster (CSM) has also empowered me as an Agile leader. I highly recommend taking an Agile class to those auditors who have the opportunity. Otherwise, feel free to reach out to The Mako Group, as certified Agile resources in internal auditing are hard to come by.