Check out my post from the IT Revolution's blog, which addresses common questions from the audience at the three book launch events they hosted for Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices!
Beyond Agile Auditing came out May 30th, and I have since had the pleasure of hearing from new readers. It is energizing to find so many people who are as excited about Auditing with Agility as I am.
To celebrate the book, IT Revolution hosted three online events over the last month. All three events were recorded, and you can watch them on IT Revolution’s YouTube channel.
One of the best parts for me was getting questions from the audience because those questions are a form of a feedback loop, which is a key practice associated with Auditing with Agility and is discussed in detail in Beyond Agile Auditing. I’ve compiled some of the most frequent or most interesting questions in this article. If you asked a question that I couldn’t answer live, look for it in this list!
What role do auditors play in an organization?
According to the Institute of Internal Auditors (IIA), “[I]nternal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” The IIA further explains that Internal Audit exists to “enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
Internal auditors add value by bringing a fresh, impartial perspective, free from biases that may cloud the judgment of audit clients and other stakeholders who are closer to the work of achieving business objectives. Internal Auditors are impartial. That, paired with having shared goals with audit clients and the overall organization, uniquely positions internal auditors to add value.
Internal Auditors can provide assurance on whether policies are being followed, controls are effective, and the organization is operating as management intends. They can also provide forward-looking insights into emerging or evolving risks.
Is this just a book for auditors, or do you think it can help developers as well?
This book has two primary audiences: auditors and audit clients. What I mean by audit clients is anyone who works with auditors or is subject to audits. I know developers and others who are not auditors will benefit from reading this book. You might be wondering what developers and other audit clients can do to change the audit experience. There’s plenty you can do to influence a better audit experience.
For starters, check out this blog post that was recently published on IT Revolution’s blog that explains why the book isn’t just for auditors. Then start reading Beyond Agile Auditing for more ways to influence a better audit experience, regardless of which “side of the table” you represent.
How have you seen these theories play out in real life?
Not only have I learned through discussions with other audit leaders how they experienced the practices described in Beyond Agile Auditing playing out in their lives, but I also lived many of the experiences through my own work as an audit leader. Part of what makes this book unique is that it isn’t just theory. It certainly presents the theory necessary to audit with agility, but it also includes illustrative examples, as well as real-life case studies from a variety of organizations representing different industries.
This excerpt from Beyond Agile Auditing shows how some of the theories playing out in real life are represented throughout the book.
Who has impacted you the most in establishing your current position on Agile Auditing, and why?
This is tough to narrow down, as a number of individuals has impacted my personal journey. First, my direct leaders in internal audit had a huge impact on my journey and my resulting position on agile auditing and Auditing with Agility, as they created a safe space for me to experiment in. Had they not empowered my team and I to experiment with better ways of working we would have either reverted back to waterfall auditing all the time or been stuck trying to “do” Agile Auditing all the time. Instead, I developed ways to be agile through Auditing with Agility.
My team was also very impactful, as they humored me as I put out some crazy ideas and asked them to open their minds to trying new (and arguably crazy at the time) ways of working.
My audit clients were also very impactful in my journey. Some were well-versed in Agile and DevOps ways of working and were able to teach me about better ways of working. Others, who were not as experienced with Agile and DevOps ways of working, were open-minded about trying out different ways of working during internal audits (much like my team).
My own journey has been, and continues to be, highly collaborative. It’s difficult, if not impossible, to pinpoint one person who has been the most impactful.
Does your book cover ‘Auditing as a Service’ with an emphasis on automation and tooling?
The focus of Beyond Agile Auditing is on evolving people’s mindsets and supporting processes, rather than on specific tools. It acknowledges that leveraging automation and various tools in internal audit can increase effectiveness and efficiency; however, that’s not the focus of the book. Instead, it focuses on people and process enhancements. Once those fundamental building blocks are in place and have evolved, then audit organizations can determine which tools to implement and where automation should be pursued to further support that mindset and supporting processes.
Will the book address the audit of DevOps practices, considering segregation of duty? (e.g., a developer can’t change production without control)
While Beyond Agile Auditing does not specifically address how to perform specific audits, like auditing DevOps practices and segregation of duty (SOD) considerations, it does equip readers with the knowledge of how to apply a flexible approach to an audit and really understand emerging practices and better ways of working, like DevOps. The book helps auditors and audit clients partner together throughout the audit so the auditors don’t use old ways of thinking (like traditional SOD controls) in new ways of working (DevOps/controlling risk differently than traditional SOD controls).
Instead of focusing on how to audit specific practices (which may soon be yesterday’s practices), the book shows readers how to add value through audits regardless of what practices are in place in the area under review.
So if you and your auditors are trying to fit a square peg (traditional SOD audit tests) into a round hole (DevOps and better ways of working), start reading Beyond Agile Auditing today, and send a copy to your auditors as well.
You focused on partnering with clients to perform work. In the audit context of working with stakeholders, what are some ways you’ve found success doing that while maintaining independence and objectivity?
This question comes up A LOT. When my team and I were beginning our journey, we asked the same question of ourselves too. Independence and objectivity are critical to internal auditors. So much so that both “independent” and “objective” appear right at the beginning of the Institute of Internal Auditors’ (IIA’s) definition of internal auditing.
To preserve independence, you’ll want to maintain separate administrative reporting lines. Internal audit should still report to the Audit Committee of the Board (or another similar independent reporting line). A strong partnership between auditors and clients can absolutely occur while maintaining independent reporting lines. Keep in mind that the IIA clarified in one of their guidance documents that to be independent does not mean that you have to be isolated.
To preserve objectivity, auditors must maintain decision rights. If through collaboration with audit clients, the auditors feel like they should include something in the scope of the audit, even if the clients suggest they not include it in scope, the auditors retain the right to include the area in the audit’s scope.
Is there a way to map the audit with data points/data needed to verify the audit requirements?
I think this question stems from auditors asking for one type of evidence when there’s a more data-driven type of evidence that is more relevant to the area under review or the risk being audited. For example, auditors ask for access lists to determine whether access is set up to segregate duties in a particular process, but in reality, reviewing data from the development pipeline would more effectively show that the risk is appropriately mitigated. In this example, maybe the risk of promoting bad code to production (which had historically been mitigated through segregating duties via access roles) is mitigated through automated checks in the pipeline.
Integrated planning, which is explored extensively in Beyond Agile Auditing, shows auditors and audit clients how to work together during planning in a highly collaborative manner to identify these situations where a different approach to verifying control effectiveness and get everyone pointed in the right direction from the start.
As an auditor, one of the key things I hear is, “You can’t conduct an audit of XYZ because you’ll only tell us what we already know!” Any advice on responding to that to get a more positive outcome?
As an auditor, this is pretty discouraging to hear, right? It really isn’t much value to the organization for internal audit to tell key stakeholders what they already know. Besides, you’d probably rather spend your time doing work that your stakeholders will find insightful and valuable. Here’s where agility in the overall audit risk assessment and planning process is really helpful. First, it’s important to gain an understanding of what your clients already know.
If there are a number of initiatives they’re working on to enhance their key controls or to fix known gaps with key controls that cover the majority or all of your planned audit scope, maybe it’s not the right time to go in and do an audit in that space. So gain that understanding of what your clients already know with regard to the audit scope, and what they’re doing to address it. If they’ve got a good grasp of where the gaps are and are making progress on addressing them, and that completely overlaps with your planned audit scope, perhaps it’s time to shift your focus to another area of the organization. Meanwhile, stay close to those clients to keep on top of their progress, and partner with them when they’ve completed addressing the gaps or making those improvements to provide independent and objective assurance to them that the gaps are addressed as they expect (that’s when you’d come in and do your work in that space).
Maybe what your clients already know covers only a portion of the audit’s planned scope. If that’s the case, it might make sense to adjust the scope to include the areas where your clients don’t have as much visibility into the effectiveness of their controls and have a more targeted scope. You’ll still want to stay close to their progress on the areas that you exclude from the scope due to ongoing work they’re doing, and then you can help them validate that the work they’ve done has effectively managed the risk once they’re complete (in a subsequent audit activity).
If it turns out that the scope of your planned work is still focused on the areas that are most important to the organization, and what your clients already know isn’t within that same space as your planned scope, going through that exercise should help your clients understand that you’ll be providing assurance or advice that will be valuable to them and won’t tell them what you already know.
Thank you so much to everyone who was able to attend the events live or has taken the time to watch the recordings. I hope to see you all at future events! To stay up to date on upcoming events, subscribe to my newsletter at clarissalucas.com.