Check out my post from the IT Revolution's blog, which includes a sneak peek at the introduction to my upcoming book, Beyond Agile Auditing!
This post has been adapted from the Introduction to Beyond Agile Auditing: Three Practices to Revolutionize Your Internal Auditing Practices by Clarissa Lucas, coming in May 2023.
Auditing is not always everyone’s favorite activity, especially when you’re the one being audited. Imagine this scenario. You lead a team responsible for a key business process or technology product. Your organization depends on this process or product for its survival. Perhaps your team is responsible for running the process that services customer accounts or for maintaining the technology product with which your organization’s customers interact. Your organization is counting on your team’s success to achieve its objectives.
It’s a typical Monday, until your first afternoon meeting gets underway. In this meeting, you learn the internal auditors will be starting an audit of your process/product in the next few weeks. You immediately break out in a cold sweat, panic and anxiety washing over you as your mind races. You wonder what questions the auditors will ask, what evidence they’ll request, and what they’ll report to their leaders.
You think, “The enforcers are here with their outdated checklists, looking for problems to shine a light on, wanting to make me look bad!”
The problem is, auditors don’t understand your processes or what’s really important to you and your team. How are you supposed to get your actual work done when the auditors are setting up a million meetings, endlessly asking irrelevant questions, and requesting documentation that doesn’t even reflect the current process?
An audit adds work to your plate without bringing much value. And then, at the end of it all, they’ll hand you a report that doesn’t help you or your team deliver value any faster or better.
The auditors use the same approach they’ve been using to audit for years. Everyone else in the organization is changing to stay ahead of the change curve, but it seems like the auditors aren’t even trying to keep up.
Now imagine yourself on the other side of the table. You’re the internal auditor responsible for assuring the organization’s key stakeholders that risks are managed appropriately and the organization is set up to achieve its objectives. It’s a typical Monday for you as well.
In your first meeting after lunch, you explain to your client that the Internal Audit department will begin an audit of the client’s process/product soon. Before you even finish your sentence, the clients across the table cross their arms and exchange uneasy looks with one another, glancing nervously around the room. You can tell they’re already getting defensive and shutting down.
“Here we go again,” you think, trying not to roll your eyes. “We haven’t even begun, and we’re already off to a rough start.”
You’re only trying to help protect the organization that employs everyone in the room, but the people on the other side of the table already see you as an adversary. Don’t they understand that your job is to help them? That the purpose of Internal Audit is to help deliver value and improve processes?
You try to change the attitude in the room by asking about the team’s current process. After all, as an auditor, you’re an expert in risks and controls, not an expert in every business process at your organization. You can’t do your job effectively if the team doesn’t help explain what they do and why they do it. However, instead of engaging in the conversation, the clients clam up and give you the most basic answers to your questions without elaborating. It feels like they’re purposefully trying to hide information or obstruct your audit. It’s clear they want you to be done…or at least gone.
And, when it comes to setting up time to meet with you, the team says they’re too busy. You barely get a regular fifteen-minute meeting on the books before they’re out the door.
Don’t they care about risks and what could go wrong? The success or failure of the organization affects everyone, after all. They seem to be more focused on inventing the next new product or delivering the coolest new feature, when they should care about a strong control environment!
This scenario might feel overly simplistic, but time and time again this is the adversarial, even combative, nature of many internal audits. It often seems that both sides (auditors and those being audited) are bracing themselves for the worst. There has to be a way these two groups can work together, right? Or are we destined to be lifelong adversaries? How did we end up in this horrifying nightmare in the first place?
From Adversaries to Partners
For nonauditors reading this book, especially those in the technology sector, this scenario might look very similar to another example of organizational adversaries: software developers versus operations teams. For years, software developers and operations teams were at odds. They were not incentivized to work together. There was a proverbial wall built up between the two organizations, as has famously been illustrated.
The developers would write the code and then throw it over the wall to the operations team, who then had to deal with operating that code without knowing how and why the code was written in the first place. Developers were incentivized by the business to deploy “features and changes into production as quickly as possible,” while operations teams were charged with “providing customers with IT service that is stable, reliable, and secure, making it difficult or even impossible for anyone to introduce production changes that could jeopardize production,” as Gene Kim et al. illustrate in The DevOps Handbook. These two silos were routinely in conflict, resulting in slow delivery of value, low quality of code, and a lot of unhappy people.
Throughout the past decade, a new way of working called DevOps has brought these two roles together. They learned that by working as a single team with a common goal, they could deliver value sooner, safer, and happier.
I’m simplifying here. There are many excellent books, presentations, and articles written on the success of DevOps, and we’ll discuss DevOps a bit more later in the book. What I want you to take away from this brief description is the idea that adversaries don’t have to remain adversaries. There is a better way of working.
Let’s think back to the scenario presented at the beginning of this introduction. Once again, we have two teams separated by a proverbial wall (or table). They are both working for the same organization, so shouldn’t they be on the same side? Shouldn’t they be working together instead of against each other? How did we get here?
In short, it’s because the world around us has changed and, notably, the way organizations deliver value to customers has changed, but the way we conduct audits hasn’t kept up with the change curve. Auditors perform their work using the same approach that has been around for decades. While this way of auditing has historically been successful, the current environment and landscape have changed drastically over the past few years. Furthermore, auditors apply that same approach in every situation, without accounting for unique attributes of a process, product, or situation that may drive the need for a different approach.
Auditors using the same way of working from decades ago without adapting to today’s dynamic environment will find themselves pitted against their clients rather than working with them. The result is the adversarial scenario presented earlier.
If you’re reading this book, you’ve likely experienced this. I know I have. While I’ve spent most of my career as an auditor, I have also been on “the other side of the table.” I have been part of a team being audited. I can testify that being audited wasn’t my favorite experience by any stretch of the imagination. And from my time as an auditor, I can tell you that it isn’t any fun for the auditors when clients see us as the bad guy or the antagonist.
Regardless of whether you’re an auditor or someone who works with auditors, I’m here to tell you that you aren’t doomed to be adversaries forever. There is a better way—a way for auditors and their clients to work together toward a shared goal. A way to audit with more agility, without slowing your team down, without the headaches and the hair pulling. A way for us to see one another as teammates instead of adversaries on the battlefield and to add more business value together. A way to get more value out of an audit. A way to help the organization deliver better value, sooner, safer, and happier.
A New Way of Auditing
We can all agree that we want a less painful and more valuable audit experience. Despite the barriers we all know exist, the real problem is seeing the audit process as it always has been rather than as it should be. Yet we can agree that change is inevitable. We need to modify our mindset and approach to get more value from an audit and create a better audit experience.
Imagine what that better audit experience looks like:
- Auditors and their clients work together toward a shared outcome and common goal.
- Auditors help their clients see risks, both those present today and those coming up on the horizon or around the corner.
- The client proactively reaches out to auditors for help addressing risk before it’s too late and manifests into actual losses.
- Auditors’ questions and requests are addressed sooner.
- Auditors are more efficient with their client’s time and help their clients find ways to increase efficiency.
- Instead of the auditors getting in their clients’ way, and clients getting in the auditors’ way, the two groups help each other achieve a common objective, all while preserving the auditors’ independence.
- Auditors not only remain relevant to their organization, they become essential to the organization’s success.
- Finally, imagine both auditors and audit clients having fun during the audits.
Luckily, you won’t have to rely on imagining this scenario much longer. You can work together toward a shared goal, and you can do it today. You need to look beyond what your relationship is and think forward to what it could be in the future…and be willing to radically change your way of thinking and working through an audit.
Some organizations have taken steps toward improving the audit process through incorporating “Agile Auditing.” This has been a huge step in the right direction, but it hasn’t come without its faults and downfalls. In auditing, as in the software community, Agile has been conflated with a strict set of practices that every organization, despite their unique culture and needs, must adhere to.
This doesn’t sound very agile to me. This strict adherence to the idea that you can simply follow steps 1, 2, and 3 and suddenly be a high-performing agile organization has led to an inability to truly become agile and failed attempts at greater value through agility. As a result, many organizations have experienced slower time to value, unhappy employees, and lower quality products…or at the very least, a shiny new label on the same old behaviors and outcomes.
Agile Auditing, I fear, is headed in the same direction. Too many organizations see it as a quick fix: an easy framework they can implement to suddenly disintegrate the adversarial audit experience and ring in a new era of Agile Auditing.
Internal Audit cannot stop here. Strict adherence to a rigid, one-size-fits-all Agile Auditing framework isn’t getting us to the promised agility, speed, quality, and happiness we need. We need to continue to push for more improvements. We need to go beyond Agile Auditing and approach internal audits with an agile mindset, not an Agile checklist.
Auditing with Agility, as I like to call it, is far different from the strict framework-focused world of Agile Auditing. Instead of trying to fit everyone in an organization in a single process, it teaches auditors a way of working that focuses on a value-driven, integrated, adaptable approach to the internal audit. Let’s take a look at each of these three core components.
- Value-driven: In a value-driven audit, the scope of work is driven by what adds the most value to the organization. Each organization and team may define value differently, but generally, it could be areas of greatest risk or greatest opportunity for the organization. Value-driven auditors determine the audit’s focus by leveraging the expertise and perspective of the team being audited. Internal Audit is not looking to hand down edicts. We are here to help the organization deliver value.
- Integrated: An integrated audit aligns the audit work with the client’s daily work and integrates continuous improvement into the audit process. For you auditors out there, think of this as “Integrated Auditing 2.0.” The first version of integrated auditing was integrating the technology audit work with the operational or financial audit work, rather than performing that work in silos or in separate audits. This book takes that concept a step further by integrating audit work into the clients’ daily work. The audit should be something the client participates in and happens with them, rather than something that happens to them.
- Adaptable: In the context of this book, adaptable auditing focuses on improving the audit team’s ability to respond to change and add flexibility into the audit process. It is a mindset and a way of working rather than a framework to implement. This element of adaptability is essential in today’s world of rapid change, where organizations need to react with speed to survive. Internal Audit can’t be the blocker to change; rather, they must learn to adapt with change.
Implementing these three core components results in a better audit experience for everyone involved (for the client, the auditors, and the organization). It moves teams from an audit framework focused on outputs to an outcome-driven approach.
An output is what is produced. Examples of audit outputs include audit observations and an audit report. While observations and audit reports are important, alone they don’t help the organization achieve its objectives.
Outcomes, on the other hand, truly bring us closer to success. Outcomes are the “why” behind the actions, the expected improvements, or the measures of success. Examples of audit outcomes include better alignment of audit activities with emerging risks or greatest risks, stronger relationships and increased collaboration between auditors and audit clients, expedited delivery of more valuable results, and elevated awareness of and ability to address risk exposures.
Although this may all sound daunting, moving toward a practice of Auditing with Agility is worth the investment. And this isn’t just a dream or fairytale. There are organizations today, such as Walmart, Barclays, Nationwide Insurance, and Capital One, that are working toward this goal right now…and succeeding.
In my own experience with Auditing with Agility, my clients and I experienced delivery of results sooner, fewer surprises (audit work became planned work for my clients), and more engagement from both auditors and clients (we had fun during the audit!). Another organization you’ll read about later on experienced shorter audit cycles and more timely delivery of results through Auditing with Agility.
Another topic prevalent in discussions about Internal Audit’s evolution in today’s digital world is the use of artificial intelligence (AI) and machine learning (ML). AI is the use of technology to perform tasks that have historically required human cognitive thought. ML is a type of AI where the technology adapts its knowledge or “learns” based on additional data. Leveraging these advances in internal audit strategy and execution can increase the audit organization’s effectiveness and efficiency. For example, teams leveraging AI and ML to evaluate risks can target their efforts in areas where the organization is currently at greater risk or is anticipated to experience greater risk.
While these tools can yield many incredible benefits, AI, ML, and specific tools are not the focus of this book. This book focuses on practices and process enhancements. Once those core elements are in place, then audit organizations can determine which tools can further assist in their evolution.
Not Just a Book for Auditors
It’s tempting to think that this book is just for those in the audit profession, but this book is also for anyone who works with auditors or is subject to audits and yearns for a better experience. Change cannot come solely from one side of the table. If only developers had read books on DevOps, the practice would never have taken off. Both developers and operations teams needed to embrace DevOps for it to be successful. This book is for those on both sides of the table. And for the auditors reading this book, this isn’t just for IT auditors. It’s for IT auditors and non-IT auditors alike. Both will find incredible value waiting for them in this book.
This book is for auditors who want to revolutionize their way of working to become strategic differentiators and increase the value they bring to the organization.
It’s for teams who want to improve their relationships with their auditors.
It’s for auditors who are fed up with common labels and stereotypes placed on those in this profession.
It’s for audit clients who are at their wits’ end with the current audit experience, who need to get more value from the time they invest with their auditors.
It’s for auditors who, instead of going stagnant, want to keep up with today’s pace of change, who are unwilling to let the profession’s value proposition become a thing of the past. And for the business executives who want to gain the edge over their competitors and who don’t want to make headlines for the wrong reasons.
It’s for anyone who wants to help their organization continuously improve ways of working, leading to better outcomes, and those who want to understand how auditors can help along that journey.
Stay tuned for more excerpts from Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices by Clarissa Lucas. Coming from IT Revolution in May 2023.