Master new, disruptive technologies in the field of auditing
Agile Auditing: Fundamentals and Applications introduces readers to the applications and techniques unlocked by tested and proven agile project management principles. This book educates readers on an approach to auditing that emphasizes risk-based auditing, collaboration, and speedy delivery of meaningful assurance assessments while ensuring quality results and a focus on the areas that pose the greatest material risks to the business under audit.
The discipline of auditing has been forever changed via the introduction of new technologies, including:
* Machine learning
* Virtual Conferencing
* Process automation
* Data analytics
Hugely popular in software development, the agile approach is just making its way into the field of audit. This book provides concrete examples and practical solutions for auditors who seek to implement agile techniques and methods. Agile Auditing is perfect for educators, practitioners, and students in the auditing field who are looking for ways to introduce greater levels of efficiency and effectiveness to their discipline.
Page count: 532
Year of publication: 2021
Cover
Title Page
Copyright
Dedication
Tables and Figures
Foreword
Preface
Acknowledgments
About the Authors
RAVEN CATLIN
CECILIANA WATKINS
List of Acronyms
Introduction
Part 1: Building an Understanding of Agile and Auditing
Chapter 1: What Is Agile?
AGILE IS A FRAMEWORK
DEFINITIONS OF AGILE
THE AGILE MANIFESTO
AGILE FRAMEWORKS
SCRUM FRAMEWORK
RECIPE: EXPLAINING THE CONCEPT
NUGGETS
Chapter 2: What Is Audit?
DEFINING AUDIT
TYPES OF AUDITS
AUDIT CUSTOMERS
KNOWLEDGE AREAS FOR AUDITORS
SKILLS FOR AUDITORS
AUDIT PROJECT LIFE CYCLE
TRADITIONAL, WATERFALL AUDIT PROCESS: A REAL‐LIFE VIEW OF THE PROBLEMS
IDENTIFYING, ASSESSING, AND RESPONDING TO DELIVERY RISKS
RECIPE: BUILDING AUDITOR KNOWLEDGE AND SKILLS
NUGGETS
Chapter 3: Traditional Audit Processes and Practices
AUDIT JARGON
TRADITIONAL ENTITY‐LEVEL AUDIT PLANNING
TRADITIONAL AUDIT ENGAGEMENT PLANNING
TRADITIONAL AUDIT ENGAGEMENT FIELDWORK
TRADITIONAL AUDIT ENGAGEMENT REPORTING
NUGGETS
Chapter 4: What Is Agile Audit?
THE JOURNEY OF AGILE AUDITING
WHAT IS AGILE AUDITING?
OVERVIEW OF THE AGILE AUDIT PROCESS
SKILLS FOR AGILE AUDITORS
NUGGETS
Chapter 5: Why Agile Audit?
AVOID THE JURASSIC AUDITOR
WHAT'S YOUR WHY?
WHO IS USING AGILE AUDITING?
STARTING YOUR AGILE AUDITING CHANGE TRANSFORMATION
AGILE AUDIT FRAMEWORKS
WHAT ARE THE BENEFITS OF AGILE AUDITING?
CAN AGILE AUDITING HELP ME SOLVE PROBLEMS IN THE AUDIT PROCESS?
NUGGETS
Chapter 6: Creating the Agile Mindset
WHAT IS AN AGILE MINDSET?
BUILD A PASSION FOR BEING AGILE
START WITH AUDITOR SELF‐ASSESSMENTS
DO I NEED TO CALL IT AGILE AUDITING?
RECIPE: GETTING AUDITOR BUY‐IN
NUGGETS
Part 2: Implementing Agile Auditing
Chapter 7: Implementing Agile Auditing: Deciding Your Approach and Your Agile Audit Project Roles
CHOOSING YOUR IMPLEMENTATION STRATEGY
DEALING WITH TITLES
DEALING WITH PEOPLE CHALLENGES
NUGGETS
Chapter 8: Implementing Agile Auditing: The Audit Planning Process
NONTRADITIONAL AUDIT PLANNING (AGILE AUDIT PLANNING)
PRODUCT BACKLOG
RECIPE: PRIORITIZE AND SELECT YOUR USER STORIES
NUGGETS
Chapter 9: Implementing Agile Auditing: Planning Agile Audit Engagements
PLANNING AGILE AUDIT RESOURCES
SELF‐MANAGING TEAMS
AGILE AUDIT PLANNING STEPS
AGILE JARGON
USING AGILE AUDITING TO SOLVE ENGAGEMENT PLANNING PROBLEMS
NUGGETS
Chapter 10: Implementing Agile Auditing: Executing the Agile Audit
TESTING WITH THE AUDIT CLIENT
WORKPAPER DOCUMENTATION IN AN AGILE AUDIT ENVIRONMENT
MANAGING SCOPE CREEP
AUDIT FINDINGS
USING AGILE AUDITING TO SOLVE ENGAGEMENT EXECUTION PROBLEMS
NUGGETS
Chapter 11: Implementing Agile Auditing: Communicating Agile Audit Results
REPORT WRITING
DAILY MEETINGS TO COMMUNICATE “BUGS,” DEFICIENCIES, AND FINDINGS
SPRINT REVIEW
DO I STILL NEED A REPORT?
SPRINT RETROSPECTIVE
USING AGILE AUDITING TO SOLVE ENGAGEMENT COMMUNICATION AND REPORTING PROBLEMS
NUGGETS
Part 3: Special Considerations
Chapter 12: Agile Auditing in the “New Normal” Environment (Remote Auditing)
THE NEW NORMAL
EXISTING TECHNOLOGIES
NEW TECHNOLOGIES AND AGILE AUDIT
RECIPE FOR STARTING DATA ANALYTICS (DA)
NUGGETS
Chapter 13: Lean and Agile Auditing
WHAT IS LEAN?
ELIMINATING WASTE USING AGILE AUDITING
NUGGETS
Chapter 14: Exploring Kanban Agile Auditing
WHAT IS KANBAN?
WHEN CAN I USE KANBAN?
KANBAN PRINCIPLES APPLIED TO AGILE AUDITING
MANAGING WORKFLOW, THE KANBAN WAY
NUGGETS
Chapter 15: Merging Risk‐Based Auditing and Integrated Auditing with Agile Auditing
STOP CREATING KITCHEN SINK AUDITS!
WHAT IS RISK‐BASED AUDITING (RBA)?
CAN I STILL COMPLETE INTEGRATED AUDITS IN AGILE AUDITING?
NUGGETS
Chapter 16: Building the Auditor Toolbelt and Self‐Managing Agile Audit Teams
AGILE AUDITING AS A TOOL
SKILLS NEEDED TO BE AN AGILE AUDITOR
BECOMING AN INTEGRATED AUDITOR IN AN AGILE AUDIT WORLD
USING SCRUM VALUES TO CREATE SELF‐MANAGING AGILE AUDIT TEAMS
BENEFITS OF DEALING WITH SELF‐MANAGING TEAMS
CAUTIONS OF DEALING WITH SELF‐MANAGING TEAMS
NUGGETS
Chapter 17: Preparing Your Organization for Agile Auditing/Creating the Agile Culture
WHAT IS CULTURE?
CHANGING OTHERS' PERCEPTION OF AUDITORS
PARTICIPATORY AUDITING
INFLUENCING A CULTURE THAT SUPPORTS AGILE AUDITING
IDEAL CONDITIONS FOR AGILE AUDITING
NUGGETS
Chapter 18: Passing Your Quality Assessment Review in an Agile Audit Environment
GOVERNMENT AUDITORS
INTERNAL AUDITORS
EXTERNAL AUDITORS
AGILE AUDITING AND YOUR QAR
NUGGETS
Chapter 19: Nuggets for Agile Audit Success
Glossary of Terms
Appendix A: Product Backlog Template
Appendix B: Agile Audit Example
SECURITY/ACCESS CONTROLS: DEFICIENCIES IN THE USER PROVISIONING PROCESS FOR TERMINATIONS
Bibliography
Index
End User License Agreement
Chapter 1
TABLE 1.1 Views of Agile
Chapter 2
TABLE 2.1 Example of Proficiency Gap
Chapter 3
TABLE 3.1 Example Risk Scoring
Chapter 9
TABLE 9.1 Project Canvas
Chapter 17
TABLE 17.1 The Right Conditions for Agile Auditing
Chapter 1
FIGURE 1.1 Agile Umbrella
FIGURE 1.2 How Scrum Works
Chapter 4
FIGURE 4.1 Agile Auditing at a Glance
Chapter 12
FIGURE 12.1 Agile Auditing Adoption Life Cycle
FIGURE 12.2 Automation Continuum
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Raven Catlin
Ceciliana Watkins
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993 or fax (317) 572‐4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging‐in‐Publication Data
Names: Catlin, Raven, author. | Watkins, Ceciliana, author.
Title: Agile auditing : fundamentals and applications / Raven Catlin and Ceciliana Watkins.
Description: Hoboken, New Jersey : Wiley, [2021] | Includes bibliographical references and index.
Identifiers: LCCN 2021015254 (print) | LCCN 2021015255 (ebook) | ISBN 9781119693321 (hardback) | ISBN 9781119693482 (adobe pdf) | ISBN 9781119693468 (epub)
Subjects: LCSH: Auditing. | Agile project management.
Classification: LCC HF5667 .C325 2021 (print) | LCC HF5667 (ebook) | DDC 657/.45–dc23
LC record available at https://lccn.loc.gov/2021015254
LC ebook record available at https://lccn.loc.gov/2021015255
Cover Design: Wiley
Cover Image: © Casper1774 Studio / Shutterstock
We dedicate this book to our families and all auditors in search of knowledge and making the world a better place.
Serving as a chief audit executive and then CEO of The Institute of Internal Auditors (IIA), I have strived to learn new concepts, develop new ideas, and advocate for new ways to approach challenges and opportunities. Continuous learning is what brings me to this book, Agile Auditing: Fundamentals and Applications, by Raven Catlin and Ceciliana Watkins, two remarkable individuals who epitomize the internal auditors of today and the future. In this book, Raven and Ceciliana offer a fresh approach to what our profession must do to become and remain relevant to our stakeholders by adopting an Agile mindset.
I have discussed the importance of being nimble and turning problems into opportunities over more than a decade, through my books, in presentations around the world, and in my weekly blog Chambers on the Profession. To implement Agile auditing, internal auditors must demonstrate intellectual curiosity and open‐mindedness, two attributes discussed in my book Trusted Advisors: Key Attributes of Outstanding Internal Auditors. Additionally, Agile auditors must have the relational and professional attributes addressed in the book.
After reading Agile Auditing: Fundamentals and Applications, I gained new perspectives and reinvigorated my firm belief that, to be relevant, we must continuously evolve who we are as internal auditors and how we add value.
We are at a critical juncture in our profession. Being Agile also means being resilient amid every advancing risk. We must embrace fresh ideas and perspectives to execute bold, decisive, and Agile strategies to address the new frontier. Amid the COVID‐19 pandemic, the need for social distancing around the globe challenged the management of audit activities, from risk assessments to testing, reporting, and the administration of the audit activity, including recruiting, retention, and training.
In a virtual environment, internal auditors face myriad challenges in how they address and complete their work, from different methods of communications to limitations on travel and physical access. The pandemic has certainly tested the concept of Agile auditing, but the good news is that, amid a changing risk landscape, we've learned that it actually can be most effective.
I met Raven Catlin in 2002 at The IIA's Volunteer Instructor Development Program. Raven stood out. She successfully completed the program and impressed me as a knowledgeable, articulate, experienced, and innovative auditor. As an instructor, Raven presents an effective method to deliver concepts and influence others to adopt new practices. This book showcases those attributes. It offers a framework for audit functions to add value and remain relevant. I find Raven and Ceciliana's Agile audit framework to be distinct in that it is not a method that simply provides ideas. It is truly a framework that's adaptable and allows audit teams to incorporate practices and tools into an Agile audit methodology they create and customize.
Moreover, the framework provides a structure and guidance for greater collaboration with audit customers/clients, a critical tenet of internal auditing. It integrates clients as members of the team from day one, and it acknowledges that, without this fully involved engagement, the audit cannot proceed as an Agile audit. Further, the framework focuses on creating value from the audit client's perspective. It centers the Agile audit on the value proposition, which makes achieving organizational objectives a foundation point.
It also helps organizations increase overall resiliency, which is critical in this new normal. The audit must deliver results more quickly and provide insights that will help reduce detrimental risks and achieve objectives. The flexibility provided by implementing this Agile approach helps management and auditors collaborate in risk identification, resulting in better‐managed businesses and organizations. A vital aspect of this framework is that it uses a risk universe, rather than an audit universe, to determine priorities and an Agile audit plan.
As I have discussed in many of my blogs, tweets, and books, adapting and keeping an eye out for the most critical risk is crucial for our profession and our organizations. Continuous risk thinking is a lesson I learned early in my career and is vital to Agile auditing success. Conventional planning for internal auditing doesn't hold up in today's environment because it cannot deal with unexpected risks.
In 1990, I was in the middle of an old‐school, annual plan as chief audit executive for the U.S. Army when Iraq invaded Kuwait. Risks that very few saw coming had suddenly appeared. I had to toss my annual audit plan and assess risks continuously, so that I could identify and reset our internal audit priorities. Traditional methods and routines of conducting audits based on plans that are six months to a year old are in the past. We need to assess risk continuously, and we must have new information to keep our audit plan up to date.
I wish that I had had this book back in 1990 as a guide not only for myself but also for my audit department and colleagues. The framework and information provided in this book provide the tools and ideas to spark your creative juices to make your audit activities successful today and in the future. In turn, it will allow you to continuously set your antenna high and be better prepared to address new risks as they emerge within our industry and in the overall economy.
Finally, one of the most valuable lessons you will learn in this book is to deliver focused results faster. As presented in the framework, auditors complete each Agile audit in short, two‐week cycles – planning, performing, and communicating risk‐focused results. Applying Agile auditing consistently and maintaining a tight delivery cycle require innovative thinking on audit processes and deliverables. It creates a baseline, so each auditor and each team can measure their performance and become better and stronger with every audit.
I highly recommend Agile Auditing: Fundamentals and Applications by Raven Catlin and Ceciliana Watkins whether you are a seasoned auditor, new to the profession, or even in a different domain unrelated to audit. You will find that the framework, lessons, and principles better equip you to meet new challenges. This book is one of few written by audit professionals to improve our audit services and value to our organizations by being more responsive and a better team player. Reading this book will prepare you with the knowledge and skills necessary to become an Agile auditor, implement Agile auditing in your audit activity, and deliver more value to the organizations you serve.
—Richard Chambers
President and CEO of The Institute of Internal Auditors (IIA) January 2009 to March 2021
Author, Lessons Learned on the Audit Trail (2014), Trusted Advisors: Key Attributes of Outstanding Internal Auditors (2017), and The Speed of Risk: Lessons Learned on the Audit Trail, 2nd edition (2019)
From the beginning, it seemed natural that Ceciliana Watkins and I would form a friendship. We think alike as auditors, respect each other immensely, and have a passion for learning and sharing knowledge, not to mention sharing a huge passion for cooking and experimenting with “recipes.” On a warm summer night in 2011, just outside of Sacramento, California, we had dinner and talked about some of the pains and frustrations that we experienced in auditing. One of our frustrations is that many auditors work on multiple projects simultaneously and miss deadlines far too frequently. We continued our evening recognizing that we had to determine and fix the root causes of our problems, including audit clients (commonly referred to as “auditees”) frequently failing to deliver evidence when needed, constant and often unconscious scope creep, excessive audit workpaper documentation, and wordsmithing masked as elegant writing consistently clouding the message we really need to deliver to add value, improve processes, and help our organizations accomplish their objectives.
Please understand, my friend and co‐author Ceciliana is a life‐long learner, creator, and challenger. She is a project management professional and has dedicated her professional life to auditing. She challenges others to think better and do more to help improve the audit profession. As we discussed many audit‐related frustrations, my dearest friend asked, “have you ever researched Agile project management?” It was that dinner conversation, over home‐cooked corn tortillas, ceviche, and watermelon‐basil margaritas, that started my Agile auditing journey. On the plane back to Virginia, I started listing the problems faced in the audit process. The very next day, I purchased my first book on Agile and began learning about Agile, including Scrum and other frameworks. Moreover, I started tackling the list of frustrations and mapping Agile practices to the problems in a quest for solutions. I began the journey seeking answers to these questions:
Can the auditing profession use Agile frameworks?
How can auditing adopt Agile principles?
How can Agile tools help fix our audit process problems?
What needs to change in audit to be Agile?
What is the root cause of the audit problems and frustrations?
Can Agile frameworks and principles solve the root causes of our audit problems and symptoms?
I talked with Ceciliana about our journey, questions, and early conclusions. We realized that many of our problems are just symptoms of a root cause, poor audit client relationships. So, we looked for opportunities to use Agile frameworks to help resolve client relationship issues.
Since 2011, “I” became “we” as the Raven Global Training team expanded. Expert trainers joined, and courses increased, including courses on Agile auditing. Ceciliana was the first instructor we officially added to the team. We continually collaborate on many topics and bounce ideas off each other – it is a great partnership.
We concluded that the auditing profession can, and should, use Agile frameworks and that doing so can solve the root cause of many problems experienced in the audit life cycle, such as poor client relationships. But how? What would this look like? Would it look the same for every audit team? Can it work on every audit? What would we call it? The name Agile auditing felt right, and the rest of the story is provided for you in the pages of this book.
In 2013, we began offering keynote addresses on Agile auditing concepts at conferences. As we continued developing our Agile audit framework, we also sought opportunities to put the framework into practice. Our first client was up for the challenge in 2014, and we knew we might not get it right the first time. In fact, failing, and failing fast, is a collective mindset in Agile disciplines. It is okay to fail. Failure is even expected! Successful Agile projects are those that recognize failure quickly, through constant inspection, and rapidly adapt to identified failures.
Our first full‐day Agile auditing class was offered in Roseland, New Jersey, in September 2014. Back then, our Agile audit framework rigidly aligned the audit process and project management principles used in auditing to the Agile Manifesto, Agile principles, and Scrum framework. Our first Agile audit methodology was too rigid and didn't incorporate our personal auditing experiences. With our second Agile auditing class in Albuquerque, New Mexico, in January 2015, we changed the methodology to reflect more of a framework and incorporated Participatory Auditing principles, more client collaboration, and professional standards for the audit profession. For private sector internal auditing, we turned to the Standards for the Professional Practice of Internal Auditing issued by The Institute of Internal Auditors (IIA). For public sector auditing, we reviewed the Generally Accepted Government Audit Standards (GAGAS), commonly referred to as the Yellow Book. For audits of external financial reporting, we researched the Generally Accepted Auditing Standards (GAAS).
As Steven Denning points out in his book The Age of Agile, Agile started as a movement that took off in 2001 as a set of values and principles articulated by the Agile Manifesto of 2001. The manifesto spawned various management methodologies including Scrum and many others (Denning 2018). Over time, it evolved into a movement of people with a specific mindset that focuses on delivering continuous value to customers. As we started our journey in Agile, we soon realized the importance of distinguishing a framework from a methodology to facilitate the Agile auditing movement.
So, what is the difference between a methodology and a framework? According to the Cambridge Dictionary, methodology is defined as “a system of ways of doing, teaching, or studying something” (Cambridge Dictionary 2020b). Basically, a methodology is a systematic way of doing or accomplishing something. If we apply an Agile methodology, we must have systematic procedures. Methodologies are prescriptive – they tell us how to do something in a step‐by‐step manner. On the other hand, the term framework is defined as “a supporting structure around which something can be built” or “a system of rules, ideas, or beliefs that is used to plan or decide something” (Cambridge Dictionary 2020a). Therefore, a framework provides guidelines or a structure that we can work under. A framework allows us to be flexible and adaptive. While a framework has a general structure, the user is not guided through specific steps or processes to get to results. A framework has flexibility within its structure, enabling the user to be supple and to adopt responses to change without having to follow specific steps. Therefore, Agile auditing is a framework that provides options to develop your approaches, methods, practices, and techniques to complete audits faster, with minimal waste, while emphasizing risks and delivery of value to customers. In other words, we are providing an Agile audit framework for you to create your Agile audit methodology. Nonetheless, our experiences have shown us that auditors need something more methodical to start implementing Agile auditing and to increase the success rate with the Agile approach. Thus, we found that providing special “recipes” to implement Agile has been of great assistance to auditors in their Agile journey. You will find these recipes at the end of various chapters, as appropriate.
We have made every effort to provide as much useful information as possible to help you find your success on your Agile auditing journey. Thank you for choosing this book. Please enjoy!
When we set out to write this book, we soon realized the immensity of the challenges and opportunities we were facing. No matter how vast our knowledge and experience and how many books we read, we could not operate alone: we needed our Agile team!
This book would not have been possible without the help of all our former bosses and audit teams who taught us about auditing. We are very grateful to our fellow audit professionals as a whole. Without them, we would not have had great examples of lessons learned and ideas on improving audit processes. We acknowledge that Agile auditing would not have been possible if it were not for the authors and practitioners who pioneered Agile frameworks in system development and other organizational initiatives. Additionally, the Agile auditing framework wouldn't be where it is if it were not for our Agile auditing clients, conference participants, and classroom students who challenged our thinking and confirmed our approach. The bosses, fellow auditors, authors, practitioners, clients, conference participants, and students are too numerous to list, but we thank them all.
We especially want to express our gratitude to the magnificent and supportive staff of our publisher, John Wiley & Sons. They know their business and do things right. Sheck Cho, Elisha Benjamin, and Susan Cerra, you made this book happen. You unknowingly helped us confirm that using the Agile framework, anything can be done. We thank our many colleagues, friends, and family members who have played a pivotal role in completing this book or learning key concepts, or both.
Raven is especially thankful for the following:
Ceciliana Watkins, friend and co‐author, for stepping in to help me write the book, editing the book, and sharing her unique expertise and perspective as a government auditor.
Carmen Catlin, sparkling daughter, for her beautiful smiles, warm hugs, encouraging words, and for being our delightful illustrator.
Jean Louk, Mom, for her endless love and support.
Christina Magargle, sister, for always knowing every one of my smallest thoughts and needs to finish the book even before I knew them.
Vicki McIntyre, friend, for being a voice of reason and encouragement and for her endless hours editing the book.
Ceciliana is especially thankful for the following:
Raven Catlin, friend and co‐author, for her sharing audit knowledge, believing in me, and providing opportunities to expand my creativity and brain.
Pheary Watkins, husband extraordinaire, for his never‐ending support and for making my dreams come true.
Helm Zinser‐Watkins, my marvelous child, for editorial skills, support, and love and kindness in all my pursuits.
Nancy Goldberg, friend and colleague with the biggest heart and support in all my pursuits, and through her deep thinking, logic, and thoughtful conversations throughout the years helped keep me focused on the right goals.
Kathleen Webb, friend and colleague, for her support, insightful advice, fantastic brain, and adroit teachings and conversations in Agile and Lean practices, invaluable to my thinking process.
Evelyn Calderon‐Yee, friend and colleague, for her continuous support and belief in all of my innovative ideas, and her effective implementation of our Agile auditing framework.
Judith W. Umlas, my kindred spirit, for her support and feedback and her unstoppable passion for helping the world become a better place by teaching how to be a grateful Agile leader and use the power of acknowledgment.
ACL – Audit Command Language
AI – artificial intelligence
AICPA – American Institute of Certified Public Accountants
AP – accounts payable
CA – chartered accountant
CAE – chief audit executive
CAO – chief administrative officer
CEO – chief executive officer
CFSA – Certified Financial Services Auditor
CGAP – Certified Government Audit Professional
CIA – Certified Internal Auditor
CISA – Certified Information Systems Auditor
COSO – Committee of Sponsoring Organizations
COVID‐19 – Coronavirus disease (formerly referred to as “2019 novel coronavirus” or “2019‐nCoV”)
CPA – Certified Public Accountant
CRMA – Certification in Risk Management Assurance
CSM – Certified Scrum Master
DA – data analytics
DSDM – dynamic systems development methodology
ELRA – engagement‐level risk assessment
ERM – enterprise risk management
ERP – enterprise resource planning
FASB – Financial Accounting Standards Board
FDD – feature‐driven development
GAAP – Generally Accepted Accounting Principles
GAAS – Generally Accepted Auditing Standards
GAGAS – Generally Accepted Government Audit Standards, commonly referred to as the Yellow Book
GAO – Government Accountability Office
GATAP – Generally Accepted Tax Accounting Principles
GRC – governance risk and compliance
GTAG – Global Technology Audit Guide
HIL – human interface layer
HR – human resources
IAASB – International Auditing and Assurance Standards Board
ICFG – Internal Control in the Federal Government, also referred to as the Green Book
IEEE – Institute of Electrical and Electronics Engineers
IFRS – International Financial Reporting Standards
IIA – Institute of Internal Auditors
IPPF – International Professional Practices Framework
ISO – International Organization for Standardization
IT – information technology
KPI – key performance indicator
KRI – key risk indicator
ML – machine learning
MVGV – mission, vision, goals, and values
OCBOA – other comprehensive basis of accounting
PBC – prepared by client
PMBOK – Project Management Body of Knowledge
PMI – Project Management Institute
PMP – Project Management Professional
PARC – potential audit report comments
QA/QC – quality assurance/quality control
QAR – quality assessment review
QA&IP – quality assurance and improvement program
RCM – risks and controls matrix
RDA – robotic desktop automation
RPA – robotic process automation
RUP – Rational Unified Process
SEC – Securities and Exchange Commission
SOX – Sarbanes‐Oxley
TAC4O – timely, accurate, clear, complete, concise, constructive, and objective
TOD – test of design
TOE – test of effectiveness
XP – Extreme Programming
Agile auditing is perfect for all types of audits across any industry. As Agile audit grows in popularity, different Agile audit methodologies develop. From our point of view, Agile auditing is a framework, not a methodology. The Agile audit framework presented in this book can be used to develop your Agile audit methodology (as indicated in the Preface). There are five critical differences in our Agile audit framework that are distinct from other Agile audit methodologies that we read, discussed, and studied.
It is a framework, not a methodology. It is intended to provide ideas and guidance for an audit team to quickly deliver value to audit clients and stakeholders. The framework allows audit teams to incorporate other practices and tools into an Agile audit methodology that they create.
The framework requires and provides a structure and guidance for more collaboration with audit customers/clients. Audit customers and auditees are Agile team members from day one of the Agile audit. Agile audits cannot move forward without audit customer engagement.
The framework focuses on adding value from the audit client's perspective by centering the Agile audit on the value proposition. The value proposition focuses on business objectives and business risks, not audit risks. More specifically, the Agile audit framework encourages adding value by helping audit clients evaluate whether they have put the right actions and controls to mitigate threats and risks to an acceptable level to help them achieve their objectives. This framework helps organizations increase resiliency; it enables auditors to more quickly deliver insights on whether business and management controls are working as intended to reduce risks and help achieve objectives. It provides flexibility to help management and audit clients articulate their objectives and articulate how each process aligns with the organization's strategy. Similarly, if management hasn't determined the risks that may affect their ability to accomplish objectives, the Agile auditing framework helps management and auditors to collaborate in risk identification.
The framework uses a risk universe, rather than an audit universe, to determine the upcoming priorities and an Agile audit plan. We discuss the difference between the risk universe and audit universe in Chapter 8: Implementing Agile Auditing: The Audit Planning Process.
Each Agile audit is completed in two weeks. Audit planning, audit execution, and final result communications are finished in just two weeks. We recognize that a defined two‐week project cycle deviates from Agile disciplines. We've discovered that this time constraint is the best way to get better at determining how much work each Agile audit team can complete. We also learned that to apply Agile auditing consistently, audit teams must think differently about traditional audit processes and deliverables. The two‐week cycle forces the necessary thinking and related practices.
This Agile audit framework is a drastic, disruptive change for many audit teams. It is a change that the audit profession needs. We recognize unique challenges in adopting the framework. In the spirit of continuous improvement, we accept and consider all challenges presented by students and audit leaders. We love it when audit practices across the globe incorporate our Agile audit framework. We love it even more when others challenge the framework, thoughts, practices, and methodologies. For example, in a 2015 class of 30 students, when we suggested that an audit team, even a team of one auditor, could complete an entire audit in a two‐week time frame, one student called us “crazy.” We deliberately decided on a two‐week cycle to break the decades‐long auditing practices that created many of the problems encountered in nearly every audit. Others also felt that Agile auditing was vastly different from traditional auditing and would be “impossible” to implement. Each challenge resulted in a reevaluation of the framework and the creation of more choices in it. It's comical that the same “crazy” and “impossible” comments were made when Agile entered other disciplines. However, it has been fully adopted in many disciplines!
A few weeks after the 2015 class, it concerned us that others couldn't see the value in this approach to Agile auditing. Once again, we were back learning, thinking, and analyzing the framework, and we realized there was a problem. The problem was not necessarily with the Agile audit framework, but with audit approaches, perceptions, and assumptions, specifically:
Audits are supposed to be risk‐based; we pioneered Agile auditing, thinking that all auditors used a risk‐based approach. We were wrong.
We pioneered Agile auditing believing that all auditors already collaborated with audit clients to complete audit work. Again, we were wrong.
We assumed employees, auditors, and audit clients have a common goal: the organization's success. Unfortunately, there are many examples where the success of the organization is not a mutual goal.
We thought all auditors wanted and needed to feel liked by their coworkers. As much as we don't like to admit it, some auditors enjoy being feared and disliked by their coworkers even today.
We believed that if all employees understand the how and why of the audit process, audits can be improved.
We pioneered Agile auditing, assuming that audit clients wanted to build relationships with auditors and vice versa. We also believed that audit clients wanted to learn more about the why and how of audit processes. Again, we were wrong; well, we already knew this was wrong, but it was wishful thinking!
Why would we develop a framework with these assumptions? Because, based on our audit experiences until that time, those assumptions reflected how each of the 15 organizations we had worked with approached auditing. Additionally, it is how countless training clients wanted to approach their audits. Auditing practices learned throughout our audit careers have heavily influenced our Agile audit framework, including an emphasis on risk‐based auditing, Participatory Auditing, operational auditing, and relationship building. Our desire to overcome problems experienced in the audit process ultimately drives the Agile audit framework. We continue to adapt, champion, and encourage the implementation of an Agile auditing framework or methodology. Not every audit team may be able to implement a methodology exactly how a creator designed it. That is okay. We are giving you options for implementation in a framework, should you adopt Agile auditing. Using this framework and adapting it to fit your organization based on your cultures, experiences, governance practices, mindsets, client expectations, client interactions, and audit resources will lead to faster, better, and value‐added auditing.
We implore you to identify your assumptions. If you share the assumptions, you are well on your way to making Agile work for you. Should you find any assumption that doesn't fit for your organization, adapt Agile auditing to work for you. Every audit team can implement some Agile audit framework elements and recognize significant benefits when transforming to an Agile mindset. The most common benefits realized include more value‐add, more risk coverage, satisfied audit clients, increased confidence in audit results, streamlined audit practices, and happier auditors.
Adults learn through personal experience and the experiences and mistakes of others. We hope you learn from this book and the stories we share. As we've stated, our first several versions of our Agile audit framework weren't perfect. We made some mistakes, a concept accepted and promoted as a necessity to be Agile. We mentioned this earlier, but it needs emphasis: Agile is not about perfection. It is not about getting it right every time. Agile expects mistakes and errors, but you must identify and respond to the mistakes early and learn from them. We tried to help two organizations and a state government audit department implement Agile auditing without understanding what was necessary from an organizational and foundational standpoint. We learned about two essential fundamentals for Agile auditing success during those three attempts – the right culture and the proper communication. Chapter 17: Preparing Your Organization for Agile Auditing/Creating the Agile Culture is dedicated to these fundamental topics.
The ideas and stories presented in this book represent a collection of classroom, conference, and hands‐on work experiences and client interactions that began in 2011. We thank our clients and students for helping us evolve our once‐rigid Agile audit methodology into the flexible Agile auditing framework it is today. We continually adapt our Agile auditing journey and framework in response to new knowledge and an ever‐changing environment. This adaptation follows a fundamental Agile principle's expectations: as your knowledge increases, your needs change.
There is still more to learn. We read books, blogs, and white papers on Agile for different disciplines, frameworks, and industries. Classroom interactions challenge us to examine, reevaluate, and improve the Agile audit framework. Nearly every class we teach creates a new idea for Agile auditing. We recognize that Agile auditing is not perfect for every organization or every audit. As you start your Agile auditing journey, remember:
Your organization's Agile audit methodology must reflect your environment, culture, and audit practices.
Agile auditing is not a one‐size‐fits‐all methodology.
Even after your Agile auditing methodology and process is mature, look for continuous improvement opportunities, and adapt to your organization's constantly changing needs.
Perfection is a myth. Agile allows for failures, mistakes, and errors.
The Agile audit framework described in this book incorporates project management practices, Agile practices, Participatory Auditing, and end‐to‐end risk‐based auditing. Agile auditing begins with creating the audit plan by selecting audits of areas that pose the most significant risks to the organization and ends with communicating the results of an individual engagement based on which risks are not mitigated to an acceptable level; that is what we mean by “end‐to‐end risk‐based auditing.” We recommend using a holistic, risk‐based view of the audit process, even though you may elect to start with one piece of the audit process as you roll out your Agile audit methodology.
In this book, you'll find information about various organizations' Agile audit methodologies, attempts, failures, and successes to help you implement Agile auditing. Most importantly, you will gain knowledge to help you determine the right Agile auditing approach for your organization.
At the end of each chapter, we share “nuggets,” which are key takeaways, ideas, questions, suggestions, “aha moments” when the lightbulb comes on, and thoughts presented in the chapter. We want you to reflect on the content at the end of each chapter and encourage you to identify your nuggets.
Part I: Building an Understanding of Agile and Auditing acclimates the reader to Agile and auditing and consists of the following six chapters:
In Chapter 1: What Is Agile?, you will build an understanding of Agile and Agile project management so you are able to explain Agile to others. This chapter includes defining Agile and presenting the Agile Manifesto and its 12 principles. You will be introduced to the multiple frameworks under the Agile umbrella, including Scrum, the most popular framework, Scrum values, Scrum's three roles, three Artifacts, and five activities. You may even gain a thirst to obtain one of the Scrum certifications. You will also learn about using “recipes” for your Agile audit journey and explain how you can use the recipes provided in this book. You will find the Agile Manifesto, Agile frameworks, and recipe concepts to create your Agile methodology.
In Chapter 2: What Is Audit?, you will learn how to define an audit, describe the different types of audits, and list the professional standards for the different types of audits. This chapter clarifies the audit project life cycle activities and use of audit customers and audit stakeholders. You will obtain brief overviews of auditors' key knowledge areas, including governance, risk, control, finance/accounting, technology, and compliance and skills needed as a successful auditor. The brevity of the discussion of the knowledge and skills is necessary, as each can be a separate book. After reading this chapter, you will be able to explain auditing, audit customers, knowledge and skills needed to be an effective auditor, traditional audit project life cycle phases, and problems encountered in the audit process that contribute to delivery risks to interested parties. This chapter includes a recipe for building auditor knowledge and skills.
In Chapter 3: Traditional Audit Engagement Process and Practices, you will obtain information on tasks and activities in the traditional audit life cycle. Many of these activities were collected from work experiences and reviews of other audit methodologies and represent typical audit practices. Your specific traditional audit practices may vary, but you should see some similarities as well. This chapter helps you further understand the typical activities to complete audits in the traditional waterfall process and can be used to benchmark your current auditing practices. You will likely see the bottlenecks, redundancies, and inefficiencies created in the audit process and think of your Agile solutions as you read this chapter.
From Chapter 4: What Is Agile Audit? and Chapter 5: Why Agile Audit?, you will be able to describe what Agile auditing is and why it is beneficial to auditors and the organizations they serve. You will be introduced to the Agile audit framework and implementation options. You will discover some of the challenges encountered, the benefits of Agile, and how to get others to buy in to your Agile auditing methodology.
Chapter 6: Creating the Agile Mindset will help you develop a deeper understanding of Agile and the Agile mindset. You will also learn ways to assess if your auditors believe in your Agile Manifesto and discover ways to assess how strongly they feel about their ability to start an Agile process. This chapter also provides a recipe for how you can get your auditors to believe in your Agile Manifesto.
Part II: Implementing Agile Auditing provides ideas for and examples of techniques, methods, and practices for implementing Agile auditing and consists of the following five chapters:
In Chapter 7: Implementing Agile Auditing: Deciding Your Approach and Your Agile Audit Project Roles, you will learn about three different Agile strategies you can use for the implementation of Agile auditing, including full Agile, pilot Agile, and Agile lite. We will also cover Agile audit roles and responsibilities. In this chapter, you will discover challenges you can expect people to encounter as you implement your Agile audit methodology.
In Chapter 8: Implementing Agile Auditing: The Audit Planning Process, you will see a contrast of traditional annual audit planning using an audit universe and Agile audit planning using a risk universe. This chapter discusses three unconventional risk assessment methods: dynamic risk assessments, data‐driven risk assessments, and risk universe prioritizations. In this chapter, you will also learn more technical Agile jargon in the audit context. This chapter includes two recipes for helping you prioritize and select your user stories, depending on your selected approach to implementing Agile auditing.
Chapter 9: Implementing Agile Auditing: Planning Agile Audit Engagements explains how to plan your Agile audit resources with self‐managing teams. Further, you will review the Agile planning steps and discuss other Agile jargon specifically for planning activities. You will also learn how you can solve problems encountered during the engagement planning process with Agile auditing.
Chapter 10: Implementing Agile Auditing: Executing the Agile Audit includes discussing “testing with the audit client” during the execution phase. This chapter will explore workpaper documentation in an Agile audit environment and ideas on managing scope creep. Further, this chapter also discusses how audit findings are communicated in Agile auditing. You will explore and consider the different ways in which you can solve problems encountered during engagement execution or fieldwork process with Agile auditing.
In Chapter 11: Implementing Agile Auditing: Communicating Agile Audit Results, you will read of innovative means of communicating your audit results and will learn the different communicating activities that derive from Scrum, though applied to Agile auditing. You will have the opportunity to consider whether, with Agile auditing, you still need to write a formal report. You will review problems and explore the different ways you can solve problems encountered during the engagement communication process with Agile auditing.
Part III: Special Considerations provides valuable information regarding how new technologies are affecting the way we audit. You will explore using Lean and Kanban for Agile auditing. You will learn how to stop creating kitchen‐sink audits, merging risk‐based auditing and integrated auditing with Agile auditing. Part III consists of the following eight chapters:
Chapter 12: Agile Auditing in the “New Normal” Environment (Remote Auditing) presents in a thought‐provoking fashion how Agile audit in the “new normal” must adopt and embrace disruptive technologies (robotic process automation, machine learning, and artificial intelligence) to be prepared to deal with global changes including the 2020–2021 COVID‐19 global pandemic. You will explore how existing technologies, such as videoconferencing and data analytics (DA), change the way we communicate and perform our audits. Also, you will examine techniques for effective virtual conferencing. This chapter provides an introduction to DA terminology and a synopsis of the DA process. You can consider using it as your recipe for starting your DA journey. This chapter examines some of the differences between these technologies and how they affect the way we work.
In Chapter 13: Lean and Agile Auditing, and Chapter 14: Exploring Kanban Agile Auditing, you will learn how to use these two frameworks with the Agile auditing framework. It is important to note that these are not mutually exclusive, and audit teams may find a merger of frameworks most beneficial.
In Chapter 15: Merging Risk‐Based Auditing and Integrated Auditing with Agile Auditing, you will review different risk definitions. You will learn how to stop creating kitchen‐sink audits. You will learn about risk‐based auditing and will explore our extreme risk‐based auditing approach. Further, you will realize that Agile auditing does not preclude one from completing integrated audits.
In Chapter 16: Building the Auditor Toolbelt and Self‐Managing Agile Audit Teams, you will learn the importance of building an auditor toolbelt and filling it with the different skills to become an Agile auditor. Also, you will see how using Scrum values can help create a self‐managing Agile auditing team.
Chapter 17: Preparing Your Organization for Agile Auditing/Creating the Agile Culture explores how behaviors, norms, and perceptions can influence the organization, so it supports Agile auditing. You will learn about the influence a Grateful Agile Leader can have on the organization's culture and the Agile team. You will also learn what the ideal conditions for Agile auditing are.
Chapter 18: Passing Your Quality Assessment Review (QAR) in an Agile Audit Environment discusses the four areas of most concern regarding your QAR when implementing Agile auditing (independence and objectivity, planning, documentation, and supervision). It also provides an overview of the standards used for the three types of audits covered in this book.
In Chapter 19: Nuggets for Agile Audit Success
