Agile Internal Audit: Transforming internal audit to add greater value

Your Presenters

John Romano, CIA, CPA, CITP, CFE, CSMPartner

Baker Tilly215.972.2277

[email protected]

Phil Schmoyer, CISA, CFE, CSMSenior Manager


[email protected]

Meet your presenters

2

Explain Agile principles and

Scrum framework and applicability to

internal auditing

Develop methods for bridging the gap from the current state audit approach mindset and

implementation of agile audit principles

Recognize how agile principles may be

applied to your organization’s internal

audit planning cycle and audit and advisory

engagements

Learning objectives

3

Describe the history of agile principles

and the scrum framework

4

Internal audit definition

The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization’s operations.

Insight Objectivity

Assurance

INTERNAL AUDITTHE PAST, PRESENT AND FUTURE

Trad

ition

al

audi

ting

Financial and operational focusedCompliance and policy and procedure focus, limited advisory activitiesTraditional audit plans, cycle audits and routine auditsLimited and minimal value internal audit KPIs> Percent of audit plan delivered> Tracking of issues opened and closed> Internal audit department budget to actual

PASTInternal audit

7

Trad

ition

al

audi

ting

Financial and operational focusedCompliance and policy and procedure focus, limited advisory acTraditional audit plans, cycle audits and routine auditsLimited and minimal value internal audit KPIs> Percent of audit plan delivered> Tracking of issues opened and closed> Internal audit department budget to actual

Ris

k ba

sed

audi

ting

– Risk based audit plans, usually updated annually

– Incorporation of ERM considerations and involvement in ERM

– Incorporating different levels of analytics and monitoring

– Consideration of strategic and emerging risks within audit plans

– Increased focus on talent development and technology enablement

PAST PRESENTInternal audit

8

Trad

ition

al

audi

ting

Financial and operational focusedCompliance and policy and procedure focus, limited advisory acTraditional audit plans, cycle audits and routine auditsLimited and minimal value internal audit KPIs> Percent of audit plan delivered> Tracking of issues opened and closed> Internal audit department budget to actual

Ris

k ba

sed

audi

ting

– Risk based audit plans, usually updated annually

– Incorporation of ERM considerations and involvement in ERM

– Incorporating different levels of analytics and monitoring

– Consideration of strategic and emerging risks within audit plans

– Increased focus on talent development and technology enablement

PAST PRESENT FUTURE

Agile

Aud

iting

– Internal audit strategy aligned with organizational strategy– Continuous risk based audit plans – evolving and updating real time– ERM and internal audit alignment– Technology adaption, analytics drive risk identification, disruption events

and reporting– Talent management transformation, IT auditing is not a separate skill set

or specialty but rather considered standard– Increased internal audit KPI’s and accountability

> Business unit cost savings/revenue enhancements identified and realized> Audit survey results> Subject matter expert utilization and effectiveness> Training, certification and CPE’s hours obtained> Emerging risks and opportunities monitored and reported

Internal audit

9

AG ILE‘a-j l/

adjective

e

.

Able to move quickly and easily.

Having a quick, resourceful adaptable character

Relating to or denoting a method of project management, used especially for software development, that is characterized by the division of tasks into short phases of work and frequent reassessment and adaptation of plans

1.)

2.)

3.)

Why agile?

Like the “past” internal audit

Plan… audit, issue comes up after audit… perform audit, issue

not addressed… audit…

Code and fix

Develop code and fix issues as they arise

Like “present” internal auditLimited

adjustment to audit plan

Audit program is usually developed

in advance of audit

Once fieldwork begins, usually

limited adjustment to audit program

Risks and value discussion from management is

sometimes limited

WaterfallRequirements > Design > Develop > Integrate > Test > Deploy> Leads to issues with working backwards once in stage (i.e., cannot go up a waterfall)> Schedule risk, hard to complete on time> Limited flexibility

11

Agile manifesto*

“We are uncovering better ways of developing software by doing it and helping others do it.”

Internal audit agile manifesto

“We are uncovering better ways of executing internal audits by doing it and helping others do it.”

over processes and toolsIndividuals and interactions

over comprehensive documentation

Working software

over contract negotiationCustomer collaboration

over following a planResponding to change

Through this work we have come to value:

over processes and toolsIndividuals and interactions

over extensive documentationInfluential audit reports

over audit report negotiationBusiness collaboration

over following a planResponding to change

Through this work we have come to value:

12

Agile principles Example agile internal audit principles

The highest priority is to satisfy the customer through early and continuous delivery of valuable software.

Highest priority is to satisfy the needs of the audit committee and add value through early and continuous identification of risks and value added influential audit reports.

Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.

Welcome changes to audit approach , even late in fieldwork. Agile processes harness change for the auditors advantage to provide value to management and stakeholders.

Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.

Deliver impactful audits frequently, adjust audit plan continuously for maximum value

Business people and developers must work together daily throughout the project.

Auditors and business owners must communicate throughout the audit project.

Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.

Trust your audit team, allow them to challenge conventional ways and trust them to get the results that address risk and value.

Working software is the primary measure of progress.Audit reports that address key risks, opportunity, and outcomes aligned with the organizations strategic objectives and business drivers is the primary measure of progress

The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.

The most efficient and effective method of conveying information between auditors and auditees is face-to-face conversation leveraging video conferencing technology where appropriate.

Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.

Agile processes promote sustainable auditing. Theauditors, auditees, and business should be able to maintain a constant pace indefinitely.

Continuous attention to technical excellence and good design enhances agility.

Continuous attention to outcomes and providing impactful results enhances agility

Simplicity — the art of maximizing the amount of work not done — is essential.

Impactful processes, testing, and results over thoroughness and documentation

13

2-4 weeks

Daily stand-up

Sprint

Minimum “shippable”

audit product / Definition of Done

Product backlog Sprint backlog

Scrum in a nutshell

Story 1

Story 2

Story 3

Legend:

14

Agile alignment tointernal audit delivery

Traditional internal audit plan development

− Annual risk assessment yields annual audit plan

− Point-in-time risk ranking

16

January February March April May June July August September

Audits planned full year in advance with calendared milestones and reduced likelihood of accelerating audits based on potential resource constraints.

Traditional internal audit plan…

Sales Operations340 hours

Financial Statement Close 450 hours

Change Management 300 hours

Cybersecurity 450 hours

Inter-company agreements200 hours

Planning and Budgeting 180 hours

Fixed Assets 180 hours

Information TechnologyKey: Operations Financial Compliance

Anti-money laundering 260 hours

17

…have transitioned to Continuous Risk Assessment

Agile methodology promotes iterative actions and enhancements.

Agile audit methodology could leverage iterative assessments of risk to populate audit backlog.

− Continuous risk dashboards− Risk analytics− Data driven risk assessments

18

Agile audit selection

20

Backlog Planning In process Reporting Complete

SOX and compliance audits override agile methodology based on need


21




22



New high risk area


23


New high risk area


24


New high risk area



Potential audit alignment

24

Legend:Epic = Audit/AreaStory = Risk/ObjectiveSprint = Collection of controls for testing

Epic

Sales discount process

Story

As an auditor, I want to verify sales authority limits are established so that discounts are awarded appropriately.

Alternatively:

Sales authority limits are not appropriately established to limit discounts.

Sprint

= IT control team

= Operational / Financial

control team

Dedicated pool of resources organized by

skillset/story to deliver sprints

1. Audit scoping –developed considering

systems, BUs, processes, etc. Planned to be audited in

sequence

2. Scope review is conducted with auditee and

sprint planning begins

3. Establish fixed amount of time for sprint (e.g. 2 weeks)

and execute on planned testing.

4. Daily meetings occur to understand what was done, what will be done and what

stands in their way. ScrumMaster removes obstacles as needed.

5. Sprint retrospective is completed considering auditee feedback and

considerations for the next sprint.

6. Iterative cycle continues with the next sprint, and

progresses until all key work has been completed.

Audit Fieldwork and “Scrum”

25

More frequent reporting

Length and # of Sprints are customized

Data analytics considered in Scrum in scoping and after retrospective

Flexibility due to team workflow and resource approach

Backlog In process Ready for review

Complete – no exceptions

Complete -exceptions

Assigned Tested Concluded ConcludedDoD

Technology audit team

Operational audit team

DoD = Control #1, 2, 5


Possible sprint

26

Backlog In process Ready for review

Complete – no exceptions

Complete -exceptions

Technology audit team

Operational audit team

DoD = Control #1, 2, 5, 4


Assigned Tested Concluded ConcludedDoD

Possible sprint

27

Example tools to facilitate Agile project management

28

Microsoft Planner

Trello Microsoft Excel Atlassian Jira Quickscrum

Picture below is depicted from and engagement using Microsoft Planner. Baker Tilly does not endorse any specific software or company.

Concerns and challenges with Agile adoption

30

Common myths to agile auditing

There is no planning

There is limited documentation

Agile only works for teams in the same location

Agile delivery results are gray and unknown

Agile is evolutionary and adaptive so planning and approach is changed throughout the project

Documentation is lighter than usual, however, documentation is more purposeful, risks strategies and solutions are documented efficiently

Agile focuses on team cohesion and collaboration and with the proper use of technology and communication agile methods can be effective

Agile focuses on outcomes rather number of findings or audit reports issued

Challenges

– Changing mindset

– Implementing with smaller teams

– Trying to do “agile auditing” all at once

– Executive buy in (internal and external)

– Obtaining comfort over less documentation

– Need for a scrum master/coach to support self organizing and empowered teams. Agile

audit

31

Discuss the agile manifesto as a team and assess your current state

Review the agile principles and align to your

teams priorities and resources

Try implementing

agile and scrum in a pilot audit

Revisit what worked well,

what didn’t and modify

Explore how you can be more

“agile” in audit planning, risk assessment, fieldwork and

reporting

Conduct an agile audit workshop

Shake it up a bit, keep learning and focus on

the value!

32

The road forward

.

Your Presenters

John Romano, CIA, CPA, CITP, CFE, CSMPartner


[email protected]

Phil Schmoyer, CISA, CFE, CSMSenior Manager


[email protected]

Connect with us

33bakertilly.com/internal-audit

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments.Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2019 Baker Tilly Virchow Krause, LLP

Disclosure

Agile Internal Audit: Transforming internal audit to add greater value · 2020-07-15 · Trust your...

Documents

Transcript of Agile Internal Audit: Transforming internal audit to add greater value · 2020-07-15 · Trust your...