Traditional audits are often awash in wasted time, unnecessary conflict, and incorrect assumptions. Active auditing is a form of Agile auditing that was developed in a major utility company to eliminate, or at least substantially decrease, these kinds of wasteful activities. The term active auditing was, in fact, coined because it is the antonym of passivity and waiting.
Lean — often synonymous with the Toyota Production System — is a change-making methodology. Agile is an IT project management approach. Active auditing borrows concepts from both disciplines to create a more efficient way to run audits. The catalog of material describing both Lean and Agile principles is vast, so active auditing borrows only what is needed to create an audit system that can work better than a traditional one. The system can best be explained by breaking it down into three pillars.
Pillar One: Energetic Collaboration
Lean and Agile both preach that there can be only one team, and that team members must work together throughout the project. However, the reality is often two teams — the audit client and auditors — facing each other across a battlefield even while proclaiming their intent to work collaboratively. Active auditing recognizes that both teams work for the board, and the board has the right to expect both to behave as a single, combined team.
Collaborating energetically is a choice to which both auditors and audit clients must commit. Without deliberate and overt commitment, both groups tend to fall back into bad habits. Once committed, the two develop shared ground rules — defining what’s nonnegotiable for each of them and how they want to work together. Personal connection is critical for collaboration, so information should be shared early, often, and in person, as much as possible.
Beyond the practical steps, auditors must lead in making themselves open and vulnerable. This can be a scary step, as auditors typically are so accustomed to maintaining professional distance that laying their cards on the table may not come naturally. Auditors must be the first to extend an authentic, though likely uncomfortable, hand to the audit clients to collaborate. And they must mean it — in everything they say and do.
When teams energetically collaborate, better information is offered, rather than extracted; far less time is wasted; there are fewer misunderstandings; clients grow to believe the auditors understand them; there is less conflict, which is good for clients and auditor; and the audit can be fun.
Pillar Two: Iterative Audit Execution
Agile as a software development methodology was created to counter traditional sequential Waterfall techniques. Waterfall is how most construction projects are managed — by planning, designing, building, and implementing. It relies on high-quality requirements-gathering at the beginning of a project and an acceptance that changes midstream are unwelcome. In contrast, Agile embraces flexibility and change. To manage this flexibility, Agile breaks the work down into iterations, or sprints. An iteration is a mini-software project, with a specified beginning and end, that is structured to produce working and sellable software at its completion. If a typical large software project takes two years, an Agile project will produce perhaps 12 instances of sellable code over that time, whereas a Waterfall project will produce one.
The overall risk of the project is reduced because the Agile project tests the market frequently, while the Waterfall project hopes its grand unveiling two years from now is still what the market wants.
Active auditing borrows from the concept of iterations — breaking down the audit program into mini-audits. The typical steps of an audit — from risk assessment to workpaper approval — still occur, but in smaller chunks. And they are completed before moving to the next iteration.
Active auditing starts by building an overall audit program, which is the best initial guess at the right control objectives and fieldwork steps. Then, using engagement planning sessions, the work is assigned to time-boxed iterations. Time-boxing establishes start and end dates that auditors and clients commit to work within. It’s best to keep an iteration to between two and four weeks, but that choice depends on the fieldwork. After each iteration, the single, combined team pauses to reevaluate and ask:
- Based on what’s been learned, what needs to change?
- Is the risk assessment still valid?
- Are all the fieldwork steps required to assess the con-
- trol objective?
- Are the right people involved?
- Where are the bottlenecks?
Both Lean and Agile teach internal auditors to welcome change to their audit program as they learn more and reassess risk. They can’t assume initial planning was perfect, so they should embrace an evolving audit. In return, when audits are executed as smaller mini-audits, they become easier to manage because work is done in digestible bites, countermeasures to address problems can be applied in the next iteration, and the audit can be stopped after an iteration and still have useful results.
Pillar Three: Visual Management
A central principle of Lean is to make waste visible. When waste is visible, the people involved can work together to eliminate it. Frequently, “waste” appears in audit work in the form of waiting, unnecessary motion, rework, and overproduction. Active auditing uses visual management techniques borrowed from Lean to allow the combined team to fully understand the audit’s progress and each member of the combined team’s part in it.
The greatest waste in auditing involves waiting. Waiting for data to be provided, emails to be returned, interviews to be scheduled, and so on. Internal auditors compensate by shifting their focus to other things, but that means rework as they have to reeducate themselves on the subject when they return to that work. Making lost time visible using visual management tools drives wait time down.
As often as every day for 15-30 minutes, auditors and clients should hold a standup meeting around a visual control board (VCB). The VCB consists of panels that show progress on the audit program, assigned tasks, a “dog house” for tasks that aren’t getting done, a shared master calendar, and a “hearts & minds” board to capture shared expectations and concerns. Because Lean is inherently a change-making methodology, it provides techniques for helping build mutual purpose, and daily standup meetings with the audit clients in front of the VCB are an important example. VCBs can be as large as an entire purpose-built wall or as small as an 11x17 piece of paper taped to a conference room whiteboard. Visual management can ensure:
- Every member of the single, combined audit–client team is constantly updated on status.
- Problems are visible long before they manifest; waiting actions — such as data or report requests — are visible to the entire team, and therefore can be expedited.
- The human aspects of an audit (anxiety, mistrust, etc.) are addressed openly and treated as legitimate risks to the project.
Celebrate the Audit
Active auditing borrows two additional important concepts from Agile. The first is retrospectives. In an Agile software project, after each sprint, the team gets together to examine what went well and what should change. This is a critical aspect of improvement and it should occur at the end of every audit, and often at the end of any sizeable iteration. Ceremonies and celebrations are the second concept borrowed from Agile for the conclusion of the audit. The team members come together to celebrate, perhaps with food, and take a moment to reflect on the work they did together.
Audit Without Limits
It can be difficult to implement all three pillars at once. The best first step is to start holding frequent, but brief, standup meetings with audit clients and auditors. It will quickly become clear that the standups are more effective with some form of visual management tool. The VCB should be developed early and expanded and refined over time. As standups progress, it should become easier to collaborate more effectively by developing ground rules and acknowledging the human side of the auditor–client relationship.
In the end, the three pillars of active auditing work in concert. Energetic collaboration allows visual management to function smoothly to manage the audit work. Tight monitoring of progress through visual management allows the audit to execute iteratively. Timely and frequently completed audit work is the outcome of internal auditors and the audit clients working as a single team. The specific techniques used are likely to vary among companies and even across audits, but the core concepts contained in each pillar are universal and can be implemented anywhere.