To state the obvious, we’re trying to move away from executing the audit with little prioritization of the work or starting with the easiest work first.
Most critical work first enables:
- those observations to be reviewed sooner with audit clients.
- the audit team and internal audit management to stop when:
- no further value is added (and the law of diminishing returns starts to apply).
- major problems are found with a key or critical control, so that work on an associated but less critical control(s) becomes valueless or irrelevant.
Better organized and more focused
Over the years of working with auditors, I have found that breaking down the work is the key to being better organized (improved project management). The audit manager or leader will still create and maintain an indicative high-level plan and audit backlog for budgeting and reporting purposes, but should not spend too long on it as things will change. As you can see here, we aim to break down the work to a decreasingly smaller size.
Each iteration starts with some planning. At the start of each sprint, the team meets to break down the work into days or half days of activity. The audit manager/lead sets the sprint objective and helps the team prioritize and plan in detail for a week or two of work.
It’s relatively simple. Sprint planning is the interlock between a) available time and b) the work. I always suggest a simple four-step agenda for the meeting.
- What is each person’s availability (approximate number of hours) for the next week (or two)?
- What’s the rough overall sprint objective for the next week (or two)?
- Break down the work. Typically, the task or activities are captured for the sprint on a visual task board (or Kanban board). This provides transparency to the work and a visualization of the progress. The ultimate measure of progress is “done”, which is what the Kanban shows.
- Can we commit to that? Is it doable? If not, discuss and refine. If it is, let’s go. We have our focus for the next iteration!
Communicate and share as we go
At the heart of an agile approach is taking an audit, big and complex, and delivering it in bite-sized chunks, communicating and sharing as we go. This is what we ask at the end of each iteration:
- What have we done?
- What have we learned? And, therefore,
- What’s next (accepting change if needed)?
Take a “no-surprises” approach because:
- Bad news does not age well. Let’s communicate and share as we go.
- It gives our audit clients the opportunity and time to respond with any mitigating evidence.
- It typically reduces the reporting period because we’ve had detailed and sensitive conversations as we proceed, not at the end.
From my experience, the sprint review can take many forms.
- Simply a conversation with audit clients and internal audit management (nothing written).
- Same as number 1, but with an agenda based on potential topics for further conversation.
- A discussion based on an A4 summary (often useful for communication and cascade, up and down the audit client’s management or internal audit’s management).
- A discussion based on an actual section of the audit report, written close to the final form but presented as “draft” or “potential” observations.
Note on sprint reviews: The best sprint reviews I’ve attended included everyone on the team. That way, the people closest to the data are there to answer questions. Also, include internal audit management. Either update them before the meeting or, better still, ask them to attend the sprint review. Remember, it’s about regular communication. We want their input as we go, not at the end.
I have learned from experience that it is essential to signpost this approach upfront to our audit
clients. To say that we will share as we go, but in return, our thinking will mature over time.
- Breaking work into sprints ensures teams prioritize work appropriately, and enables auditors to obtain more input from audit clients as they navigate unfamiliar or complex areas.
- Similarly, breaking work into sprints ensures teams prioritize work appropriately, and enables auditors to obtain more timely input and mitigate actions from audit clients.
- High-quality conversations, even during planning, are vital. I always suggest working in iterations or sprints on the full audit, from start to finish, from planning to draft report, not just fieldwork, because you will always see high-quality conversations with audit clients take place during planning. Indeed, some audit departments just sprint on fieldwork, although, in my view, that’s an opportunity missed.
In my experience, most auditors prefer weekly sprints because it’s easier to plan a week’s work, and most audit clients are happy to meet once a week. Two-week sprints are also common and work brilliantly in internal audit, but I would always try to steer a team away from anything longer. Three or four weeks is too long of a feedback loop. Remember, working in a more agile way is all about rapid feedback loops. One other point - sprints don’t necessarily need to run Monday to Friday. Many internal audit teams often prefer midweek to midweek.
Improve as we go
The final meeting at the end of iteration or sprint is for just the auditors. Its objective is continuous improvement for the team during the audit, not at the end of the audit when it’s too late.
In the retrospective, the team reflects on the sprint, how well they worked together, and actions to improve. It’s not another opportunity to talk about the audit itself but about better ways of working together. From my experience, it’s as simple as asking the team:
- What went well? Let’s do more of that!
- What did not go so well? Let’s do less of that - or what actions can we take to improve?
Add those self-volunteered actions to the next sprint planning meeting.
Four communication meetings each iteration – it’s simply habit and behavior forming
I must mention that I think it is misguided for people in the context of internal audit to talk about an “agile audit methodology” in the same way that almost all internal audit departments have a mandatory audit methodology (often with their own quality assurance process):
“Methodology” implies rigid and governing.
“Framework” implies flexible, adaptable, and agile by nature.
Summary and some words of warning
Deliver an audit in iterations to:
- Deal with unknowns, complexity, uncertainly, or unpredictability by incorporating weekly or two-weekly feedback loops (what have we done, what have we learned, and therefore, what should we do next?)
- Tackle the most critical work first.
- Deliver our observations faster to our audit clients (reducing time to value).
- Work in a more coordinated and organized way.
- Communicate and share as we go, not at the end of a stage or the audit itself.
- Get better at what we do, as we do it (not at the end, when it is too late).
- Last but certainly not least, it’s an energizing, engaging, and, therefore, more motivating way to work.
Based on what I’ve experienced, working this way will not make us massively more efficient (the typical data indicates about 10 percent). I’ve repeatedly found that efficiency is a by-product of high-quality work, with the added bonus of less re-work. However, we will work on the right things that deliver more value, faster, with better feedback from audit clients and happier, more engaged auditors.
Just don’t forget the number 1 rule: You or your team should not attempt to work on several audits simultaneously (more than two at worst). With multiple audits going at the same time you’re already burdened with lower productivity due to the amount of context switching and lack of focus. And working in iterations will only add to your woes because your productivity will also suffer from spending too much time in meetings (e.g., I’m an auditor working on five different audits (and pseudo teams) - that’s five sets of sprint events weekly or bi-weekly). For iterative audit delivery to
work best, it requires focused teams.
I would welcome your feedback on this article. Please email me at [email protected]
Further related reading from this author:
How best to get started being agile in internal audit