Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​A Blended Approach

Active auditing — combining Lean and Agile techniques — can drive down wasted time and transform the auditor–client relationship.

Comments Views

​Traditional audits are often awash in wasted time, unnecessary conflict, and incorrect assumptions. Active auditing is a form of Agile auditing that was developed in a major utility company to eliminate, or at least substantially decrease, these kinds of wasteful activities. The term active auditing was, in fact, coined because it is the antonym of passivity and waiting.

Lean — often synonymous with the Toyota Production System — is a change-making methodology. Agile is an IT project management approach. Active auditing borrows concepts from both disciplines to create a more efficient way to run audits. The catalog of material describing both Lean and Agile principles is vast, so active auditing borrows only what is needed to create an audit system that can work better than a traditional one. The system can best be explained by breaking it down into three pillars.

Pillar One: Energetic Collaboration

Lean and Agile both preach that there can be only one team, and that team members must work together throughout the project. However, the reality is often two teams — the audit client and auditors — facing each other across a battlefield even while proclaiming their intent to work collaboratively. Active auditing recognizes that both teams work for the board, and the board has the right to expect both to behave as a single, combined team. 

Collaborating energetically is a choice to which both auditors and audit clients must commit. Without deliberate and overt commitment, both groups tend to fall back into bad habits. Once committed, the two develop shared ground rules — defining what’s nonnegotiable for each of them and how they want to work together. Personal connection is critical for collaboration, so information should be shared early, often, and in person, as much as possible.

Beyond the practical steps, auditors must lead in making themselves open and vulnerable. This can be a scary step, as auditors typically are so accustomed to maintaining professional distance that laying their cards on the table may not come naturally. Auditors must be the first to extend an authentic, though likely uncomfortable, hand to the audit clients to collaborate. And they must mean it — in everything they say and do.

When teams energetically collaborate, better information is offered, rather than extracted; far less time is wasted; there are fewer misunderstandings; clients grow to believe the auditors understand them; there is less conflict, which is good for clients and auditor; and the audit can be fun.

Pillar Two: Iterative Audit Execution

Agile as a software development methodology was created to counter traditional sequential Waterfall techniques. Waterfall is how most construction projects are managed — by planning, designing, building, and implementing. It relies on high-quality requirements-gathering at the beginning of a project and an acceptance that changes midstream are unwelcome. In contrast, Agile embraces flexibility and change. To manage this flexibility, Agile breaks the work down into iterations, or sprints. An iteration is a mini-software project, with a specified beginning and end, that is structured to produce working and sellable software at its completion. If a typical large software project takes two years, an Agile project will produce perhaps 12 instances of sellable code over that time, whereas a Waterfall project will produce one. 

The overall risk of the project is reduced because the Agile project tests the market frequently, while the Waterfall project hopes its grand unveiling two years from now is still what the market wants.

Active auditing borrows from the concept of iterations — breaking down the audit program into mini-audits. The typical steps of an audit — from risk assessment to workpaper approval — still occur, but in smaller chunks. And they are completed before moving to the next iteration. 

Active auditing starts by building an overall audit program, which is the best initial guess at the right control objectives and fieldwork steps. Then, using engagement planning sessions, the work is assigned to time-boxed iterations. Time-boxing establishes start and end dates that auditors and clients commit to work within. It’s best to keep an iteration to between two and four weeks, but that choice depends on the fieldwork. After each iteration, the single, combined team pauses to reevaluate and ask: 

  • Based on what’s been learned, what needs to change? 
  • Is the risk assessment still valid? 
  • Are all the fieldwork steps required to assess the con-
  • trol objective? 
  • Are the right people involved? 
  • Where are the bottlenecks? 

Both Lean and Agile teach internal auditors to welcome change to their audit program as they learn more and reassess risk. They can’t assume initial planning was perfect, so they should embrace an evolving audit. In return, when audits are executed as smaller mini-audits, they become easier to manage because work is done in digestible bites, countermeasures to address problems can be applied in the next iteration, and the audit can be stopped after an iteration and still have useful results.

Pillar Three: Visual Management 

A central principle of Lean is to make waste visible. When waste is visible, the people involved can work together to eliminate it. Frequently, “waste” appears in audit work in the form of waiting, unnecessary motion, rework, and overproduction. Active auditing uses visual management techniques borrowed from Lean to allow the combined team to fully understand the audit’s progress and each member of the combined team’s part in it. 

The greatest waste in auditing involves waiting. Waiting for data to be provided, emails to be returned, interviews to be scheduled, and so on. Internal auditors compensate by shifting their focus to other things, but that means rework as they have to reeducate themselves on the subject when they return to that work. Making lost time visible using visual management tools drives wait time down. 

As often as every day for 15-30 minutes, auditors and clients should hold a standup meeting around a visual control board (VCB). The VCB consists of panels that show progress on the audit program, assigned tasks, a “dog house” for tasks that aren’t getting done, a shared master calendar, and a “hearts & minds” board to capture shared expectations and concerns. Because Lean is inherently a change-making methodology, it provides techniques for helping build mutual purpose, and daily standup meetings with the audit clients in front of the VCB are an important example. VCBs can be as large as an entire purpose-built wall or as small as an 11x17 piece of paper taped to a conference room whiteboard. Visual management can ensure: 

  • Every member of the single, combined audit–client team is constantly updated on status. 
  • Problems are visible long before they manifest; waiting actions — such as data or report requests — are visible to the entire team, and therefore can be expedited. 
  • The human aspects of an audit (anxiety, mistrust, etc.) are addressed openly and treated as legitimate risks to the project.

Celebrate the Audit 

Active auditing borrows two additional important concepts from Agile. The first is retrospectives. In an Agile software project, after each sprint, the team gets together to examine what went well and what should change. This is a critical aspect of improvement and it should occur at the end of every audit, and often at the end of any sizeable iteration. Ceremonies and celebrations are the second concept borrowed from Agile for the conclusion of the audit. The team members come together to celebrate, perhaps with food, and take a moment to reflect on the work they did together. 

Audit Without Limits 

It can be difficult to implement all three pillars at once. The best first step is to start holding frequent, but brief, standup meetings with audit clients and auditors. It will quickly become clear that the standups are more effective with some form of visual management tool. The VCB should be developed early and expanded and refined over time. As standups progress, it should become easier to collaborate more effectively by developing ground rules and acknowledging the human side of the auditor–client relationship.   

In the end, the three pillars of active auditing work in concert. Energetic collaboration allows visual management to function smoothly to manage the audit work. Tight monitoring of progress through visual management allows the audit to execute iteratively. Timely and frequently completed audit work is the outcome of internal auditors and the audit clients working as a single team. The specific techniques used are likely to vary among companies and even across audits, but the core concepts contained in each pillar are universal and can be implemented anywhere. 

Prescott Coleman
Sandra Kasahara
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Authors

 

 

Prescott ColemanPrescott Coleman<p>Prescott Coleman, CIA, CISA, is the author of <em>Active Auditing — A Practical Guide to Lean & Agile Auditing</em> and the global IT audit director for IHS Markit in Englewood, Colo.<br></p>https://iaonline.theiia.org/authors/Pages/Prescott-Coleman.aspx

 

 

Sandra KasaharaSandra Kasahara<p>Sandra Kasahara, CIA, CPA, is a consultant with Umbrella Field LLC in Denver.<br></p>https://iaonline.theiia.org/authors/Pages/Sandra-Kasahara.aspx

 

Comment on this article

comments powered by Disqus
  • Fastpath_Oct 2019_Premium 1
  • IIA CPA_Audit_Oct 2019_Premium 2
  • IIA Certification_Oct 2019_Premium 3