Organizations are continuously challenged in preparing for and performing an audit. Audits are commonly performed in large blocks of effort and treated like a project. Significant time and resources are often allocated to audit projects. To make things more challenging, audits are often time-bound and must be completed by a specified date. Additionally, audits are performed on top of the day-to-day activities of those involved.
The typical audit approach places strain on those involved with the audit. To reduce the pressure on those involved, performing an audit in an efficient and effective manner is critical. Is there an alternative approach to performing an audit? There is, and it is called agile auditing.
Agile auditing is a modern approach to completing audit activities. The goal of an agile audit is to perform audits in manageable incremental efforts with the ability to quickly adapt to organizational risk.
For example, when preparing for a Service Organization Controls (SOC) audit, readiness efforts can be broken down into smaller chunks of effort. This enables organizations to prioritize and focus on audit preparation activities. The agile approach often reduces stress because the efforts feel manageable. This contrasts with the traditional approach, where audit prep activities are often performed simultaneously, leading people to feel overwhelmed and burdened.
What is Agile?
To understand what agile auditing is, we must first understand what agile is. In February of 2001, a group of individuals, frustrated with the software development processes used at the time, gathered and created what is known as the Manifesto for Agile Software Development.
At its core, agile consists of twelve principles and four values. To paraphrase, the goal of agile development is to build software quickly and simply.
The principles of Agile software development established an umbrella under which many frameworks were created to develop software. Those frameworks include, but are not limited to, Scrum, Kanban, Extreme Programming (XP), and Lean. Organizations and individuals deploy and utilize these frameworks in different ways. At the end of the day, everyone’s goal is the same: provide value by building software quickly and simply.
Atlassian defines agile as “an iterative approach to project management and software development that helps teams deliver value to their customers faster and with fewer headaches. Instead of betting everything on a ‘big bang’ launch, an agile team delivers work in small, but consumable, increments. Requirements, plans, and results are evaluated continuously so teams have a natural mechanism for responding to change quickly.”
The Agile Alliance defines agile as “the ability to create and respond to change. It is a way of dealing with, and ultimately succeeding in, an uncertain and turbulent environment.”
What are the Objectives of Agile Auditing?
Built on the roots of agile software development, the objective of an agile audit is to improve the audit process to be more efficient, effective, and flexible. Have you ever heard of an auditor being agile/flexible?
A key component of the agile approach is to perform activities in an iterative manner, or sprints, where audit work is performed in small manageable chunks. When scheduling audit fieldwork in the traditional audit approach, auditors schedule audit fieldwork for a period of time near the end of the audit period. For example, if an audit period is from January 1 to December 31, the auditor typically schedules fieldwork in November or December.
Depending on the scope and size of the organization, an audit may be scheduled for several weeks or months. For example, audit fieldwork for Amazon Web Services (AWS) vs. a startup software as a service (SaaS) organization will be dramatically different. Fieldwork for AWS may take several months to perform, whereas fieldwork for the startup SaaS organization may take a week or two. Learn more about AWS and how it relates to SOC 2 by checking out these articles:
- Leveraging the AWS SOC 2: How to Build a SOC 2 Compliant SaaS
- How to Simplify SOC 2 Compliance with AWS Security Tools
An agile audit approach breaks the audit into multiple smaller efforts of work. The audit work is then typically scheduled to be performed and completed throughout the year.
What are the Benefits of Agile Auditing?
Performing an agile audit requires commitment and planning by all parties involved in the audit. Done well, an agile audit can greatly improve the audit experience for everyone. The agile audit approach provides benefits by:
- Providing a positive audit experience and exceptional customer service as Auditors and clients are better aligned and communication is improved.
- Empowering clients in the audit process and improving the auditor-client partnership.
- Allowing auditors to provide informal assurance throughout the audit. As audit issues, control exceptions, or questions arise, the auditor brings those items to management’s attention right away, rather than waiting until the end of the audit as is done in the traditional audit approach.
- Breaking fieldwork down into increments that are manageable, reducing the strain on audit resources.
- Allowing the audit fieldwork timing to be flexible for alignment to client needs and audit risks. Clients can better plan for and assign resources to support the audit that better fits their needs. Audit risks can arise throughout the year. An iterative approach allows auditors to adjust audit procedures as well as provide client feedback as risks arise.
- Allowing for audit scope changes to be quickly addressed and audit procedures amended as client environments change.
What are the Challenges of Agile Auditing?
To fully achieve the benefits of agile auditing, organizations should be aware of the challenges that accompany the agile approach. By understanding the challenges of agile, organizations can take steps to mitigate the challenges. Several common challenges with the agile approach are:
- Creating the agile audit schedule requires proper planning. Designing the audit scope activities in meaningful audit sprints requires upfront planning.
- Resource planning is more complex. Rather than scheduling an audit for a block of time, as in the traditional audit approach, resources are scheduled in sprints, typically spread throughout the year. Scheduling both organizational and auditor resources in advance with compatible times takes proper planning and more effort.
- Executing audit activities in a timely manner and staying on schedule is imperative. In an agile audit, work is intended to be broken down into small and manageable tasks. Organizations typically do not assign or dedicate resources to audits. As such, completing audit activities on time can be challenging. Incomplete audit tasks can delay the audit. Organizations must be prepared to prioritize and complete agile audit activities as they are scheduled.
- Adequate audit documentation and evidence may not be present. Auditors are required to collect audit evidence and properly document their findings based on the evidence provided. Due to the iterative nature of an agile audit, documentation and audit evidence may be incomplete as items under audit are still processed. Auditors may receive partial documentation but will need to follow up to obtain the remaining documentation and evidence.
- Audits may feel ongoing and never-ending. The agile audit approach spreads audit sprint activities throughout the audit period. Organizations may become resentful as they feel they are under a constant watchful eye and perpetually under audit.
Agile auditing can be implemented in all audit types, including internal audits, external audits, financial statement audits, operational audits, compliance audits (e.g., HIPAA compliance), etc. Both auditors and organizations can benefit from implementing an agile audit approach.
Moving from the traditional audit approach to an agile approach is not easy, as behaviors and processes must change. With proper planning, focus, and prioritization, the agile mindset can be attained, providing an improvement in audit efficiency and effectiveness.
If you have any additional questions regarding the use of SOC 2 automation tools or are interested in attaining the audit services of Linford & Co, please don’t hesitate to contact us.
Ben Burkett is an experienced auditor for Linford & Co. Starting his career at KPMG in 2002, Ben has extensive experience in the business of Information Technology (IT). As an auditor, he drove IT risk management and compliance efforts. As the head of an IT Project Management Office and a Technology Business Management (TBM) function, he sought to drive and maximize the value of IT.