Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​Agile Auditing Simplified

This project management methodology can increase audit transparency, communication, and accountability.

Comments Views

The Agile methodology can be transformative for an internal audit department. A few years ago, while working at one of the largest banking institutions in the U.S. with global operations, I had the opportunity to pilot Agile auditing, and then successfully rolled it out within my global audit team. Since then, I have also implemented Agile auditing at a smaller financial institution. 

When the methodology is executed correctly, it provides accountability and transparency that enables audit processes to be performed more efficiently, while empowering staff. Internal audit departments that haven’t yet adopted Agile auditing should learn more about the tools and processes.

Applying Agile to Audits

As a project management methodology, Agile can apply a consistent approach to audits — essentially projects — providing staff members with tools for success, and thereby decreasing the risk that audits will be poorly managed.

Short, Efficient Cycles Agile breaks the audit down into small chunks of work that are delivered within short cycles — such as two weeks — of work called sprints. Each sprint has a series of meetings or events that facilitate the management of work.

Sprints begin with a planning meeting, where the team agrees on what work will be completed within the sprint. This is followed by short, daily “stand-up” meetings, where team members discusses their work to ensure that it can be successfully delivered.

As the audit progresses, new information or findings may be identified that require adapting the audit approach or audit work. “Storytime” meetings, held as needed, provide the flexibility to update the work to be completed within the audit or the sprint.

The audit team leverages a sprint review at the end of the cycle to showcase its sprint achievements, explain any tasks that were not completed, and add any tasks it identified during the sprint to the backlog. It holds a retrospective meeting to help the team continuously improve by asking what went well, what could be done better, and what should be implemented in the next sprint — whether it’s continuing something that worked or fixing something that didn’t.

Capturing the Work to Be Performed At the beginning of the audit, the audit team captures and prioritizes all the tasks or activities to be performed in the form of a backlog, which is updated, as needed, throughout the audit. This backlog comprises user stories that are defined in the format:

  • As a [User: Who is the task for?]
  • I want [What needs to be done?]
  • So I can [Why does user want this?]

User stories ensure expectations and deliverables are clearly captured and agreed upon before execution. Capturing the “why” helps provide a consistent understanding of the purpose of the audit work. Each task has a definition of “Done” so everyone knows what must be delivered. Each user story or task is also sized relative to the others. Sizing the work (extra small, small, medium, large, extra-large) helps track the level of effort required for each user story/task and provides visibility into the level of effort required to complete the audit.

The audit team is empowered to size the user stories in the initial audit planning meeting where the user story backlog is reviewed and prioritized. CAEs should think ahead about how this backlog may be broken down into sprints throughout the audit.

In the sprint planning meeting, the audit team should break user stories down into smaller tasks if they are more than a few days of work and describe them in detail so the task and deliverable are clear. During this meeting, auditors also can choose what user stories/tasks they will work on. The task owner is recorded so it is clear who is responsible for ensuring the user story/task is being delivered within the sprint. See “Example High-level User Story Backlog” below for a starter list that can be tailored to any audit. 

Transparent Tracking During the sprint, the team tracks work using a sprint board or task board with columns labeled “Sprint Backlog,” “In Progress,” “Blocked,” “Review,” and “Done.” Initially, the sprint board captures all the tasks to be performed during the sprint in the sprint backlog column. Audit team members work on one task at a time and move it from “In-Progress” through “Review” to “Done.”

A team member will only begin work on the next task when the user story/task he or she is working on is “Done” or “Blocked,” meaning the task cannot be worked on anymore and action is required to move the audit work forward. This helps reduce the time auditors spend context switching between different tasks — remembering what they were doing so they can start working on a task again — and enables them to focus completely on one task. Capturing blocked tasks enables timely communication about where action or escalation is needed to complete audit work. The daily stand-up meetings also provide the auditor in charge visibility into where an auditor might need additional assistance, as it helps monitor how long the team member has been working on a user story or task. The auditor in charge can follow up with the team member offline if a task is taking longer than expected. The team should only move tasks on the sprint board during one of the events (Agile meetings: planning, daily stand-ups, storytime, or sprint review).

With the sprint board approach, the team reviews work in real time, so it can identify any complications with execution early and spread reviews of audit work throughout the audit, rather than compressing them at the end of the audit.

Common Concerns

As with any change, adapting to Agile auditing can be challenging, especially for auditors accustomed to the traditional audit approach or a less structured project approach. Here are a few of the concerns I have heard in Agile audit training sessions and from new Agile audit adopters.

Agile Does Not Fit Our Audit Methodology Because Agile is a project management methodology, its principles can be adopted in any audit department and with any audit methodology. Audit work is performed and documented in line with the internal audit department’s existing audit methodology. Although internal audit functions often implement Agile auditing alongside a move to a dynamic risk management audit methodology, they can benefit from Agile without a dramatic audit methodology change.

Daily Meetings Take Too Long and Are Hard to Manage Globally A common mistake in daily stand-up meetings is having detailed discussions that should be taken offline. They are purely touch points and should last no longer than 15 minutes. These meetings can take as little as five minutes when they are limited to answering Agile daily stand-up questions, and they still provide visibility and support. Stand-up questions include: What did you do yesterday? What are you going to do today? Are there any blocks to delivery (i.e., anything hindering delivery)? Have you identified any exceptions?

Meetings are easier when the audit team is based locally and can stand around and update a physical storyboard. However, these meetings still add value with remote working. With a global team, it is best to set a time when everyone can attend and to have a virtual storyboard. Where this is not possible, auditors who cannot attend simply send in their updates before the meeting. The auditor in charge can follow up with them after the meeting, if needed. Remote staff can view the virtual storyboard to see the team’s status so they still feel part of the team.

With the current remote working environment due to COVID-19, a virtual storyboard that can be accessed by the audit team is essential. It is helpful to have user stories in the same file as the storyboard. As the audit is broken down into small tasks, Agile provides visibility into remote working productivity. The audit management team also can access the board to stay close to the audit and see how it is progressing.

Stakeholders Don’t Want Daily Meetings With Audit Stakeholder engagement in the daily stand-up meetings is optional. Often, the auditor in charge will have daily catch-ups with the client’s audit liaison, so the information from the daily stand-up meetings is valuable to help resolve any blocks to completing audit work. Some audit clients prefer to have weekly status updates.

Other clients like the daily meetings, as they provide some oversight of the audit. In this case, the client meeting should take place immediately after the audit team’s daily stand-up meeting so it does not stop the audit team from raising concerns openly.

Agile Auditing Makes Sense

Agile auditing empowers audit team members to choose what they work on and to better understand why they are performing their work. By allowing staff members to select what tasks they work on, it is easier for them to manage their time and consider their other commitments, such as other audits. Agile project management methodology tools provide visibility without micromanaging. Best of all, Agile auditing helps spread out audit work, creating less pressure at the end of the audit to deliver everything at once. To put it succinctly, Agile auditing formalizes good project management practices, improving productivity, efficiency, collaboration, and communication.

Amanprit Kaur Kaller
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Amanprit Kaur KallerAmanprit Kaur KallerAmanprit Kaur Kaller, ACA, CISA, CIPP/US, CISSP, is an audit director in New York.<br>


Comment on this article

comments powered by Disqus
  • AuditBoard-May-2021-Premium-1
  • Awareness-Month-May-2021-Premium-2
  • Virtual-IC-May-2021-Premium-3



Thanks, We Already Know That, We Already Know That
U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
Six Data Privacy Predictions for 2020 Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19 Servants Are Vital to Defeating COVID-19