Agile Auditing - Raven Catlin

Introduction

Agile auditing is perfect for all types of audits across any industry. As Agile audit grows in popularity, different Agile audit methodologies develop. From our point of view, Agile auditing is a framework, not a methodology. The Agile audit framework presented in this book can be used to develop your Agile audit methodology (as indicated in the Preface). There are five critical differences in our Agile audit framework that are distinct from other Agile audit methodologies that we read, discussed, and studied.

1. It is a framework, not a methodology. It is intended to provide ideas and guidance for an audit team to quickly deliver value to audit clients and stakeholders. The framework allows audit teams to incorporate other practices and tools into an Agile audit methodology that they create.

2. The framework requires and provides a structure and guidance for more collaboration with audit customers/clients. Audit customers and auditees are Agile team members from day one of the Agile audit. Agile audits cannot move forward without audit customer engagement.

3. The framework focuses on adding value from the audit client's perspective by centering the Agile audit on the value proposition. The value proposition focuses on business objectives and business risks, not audit risks. More specifically, the Agile audit framework encourages adding value by helping audit clients evaluate whether they have put the right actions and controls to mitigate threats and risks to an acceptable level to help them achieve their objectives. This framework helps organizations increase resiliency; it enables auditors to more quickly deliver insights on whether business and management controls are working as intended to reduce risks and help achieve objectives. It provides flexibility to help management and audit clients articulate their objectives and articulate how each process aligns with the organization's strategy. Similarly, if management hasn't determined the risks that may affect their ability to accomplish objectives, the Agile auditing framework helps management and auditors to collaborate in risk identification.

4. The framework uses a risk universe, rather than an audit universe, to determine the upcoming priorities and an Agile audit plan. We discuss the difference between the risk universe and audit universe in Chapter 8: Implementing Agile Auditing: The Audit Planning Process.

5. Each Agile audit is completed in two weeks. Audit planning, audit execution, and final result communications are finished in just two weeks. We recognize that a defined two‐week project cycle deviates from Agile disciplines. We've discovered that this time constraint is the best way to get better at determining how much work each Agile audit team can complete. We also learned that to apply Agile auditing consistently, audit teams must think differently about traditional audit processes and deliverables. The two‐week cycle forces the necessary thinking and related practices.

This Agile audit framework is a drastic, disruptive change for many audit teams. It is a change that the audit profession needs. We recognize unique challenges in adopting the framework. In the spirit of continuous improvement, we accept and consider all challenges presented by students and audit leaders. We love it when audit practices across the globe incorporate our Agile audit framework. We love it even more when others challenge the framework, thoughts, practices, and methodologies. For example, in a 2015 class of 30 students, when we suggested that an audit team, even a team of one auditor, could complete an entire audit in a two‐week time frame one student called us “crazy.” We deliberately decided on a two‐week cycle to break the decades‐long auditing practices that created many of the problems encountered in nearly every audit. Others also felt that Agile auditing was vastly different from traditional auditing and would be “impossible” to implement. Each challenge resulted in a reevaluation of the framework and the creation of more choices in it. It's comical that the same “crazy” and “impossible” comments were made when Agile entered other disciplines. However, it has been fully adopted in many disciplines!

A few weeks after the 2015 class, it concerned us that others couldn't see the value in this approach to Agile auditing. Once again, we were back learning, thinking, and analyzing the framework, and we realized there was a problem. The problem was not necessarily with the Agile audit framework, but with audit approaches, perceptions, and assumptions, specifically:

• Audits are supposed to be risk‐based; we pioneered Agile auditing, thinking that all auditors used a risk‐based approach. We were wrong.

• We pioneered Agile auditing believing that all auditors already collaborated with audit clients to complete audit work. Again, we were wrong.

• We assumed employees, auditors, and audit clients have a common goal: the organization's success. Unfortunately, there are many examples where the success of the organization is not a mutual goal.

• We thought all auditors wanted and needed to feel liked by their coworkers. As much as we don't like to admit it, some auditors enjoy being feared and disliked by their coworkers even today.

• We believed that if all employees understand the how and why of the audit process, audits can be improved.

• We pioneered Agile auditing, assuming that audit clients wanted to build relationships with auditors and vice versa. We also believed that audit clients wanted to learn more about the why and how of audit processes. Again, we were wrong; well, we already knew this was wrong, but it was wishful thinking!

Why would we develop a framework with these assumptions? Because, based on our audit experiences until that time, those assumptions reflected how each of the 15 organizations we had worked with approached auditing. Additionally, it is how countless training clients wanted to approach their audits. Auditing practices learned throughout our audit careers have heavily influenced our Agile audit framework, including an emphasis on risk‐based auditing, Participatory Auditing, operational auditing, and relationship building. Our desire to overcome problems experienced in the audit process ultimately drives the Agile audit framework. We continue to adapt, champion, and encourage the implementation of an Agile auditing framework or methodology. Not every audit team may be able to implement a methodology exactly how a creator designed it. That is okay. We are giving you options for implementation in a framework, should you adopt Agile auditing. Using this framework and adapting it to fit your organization based on your cultures, experiences, governance practices, mindsets, client expectations, client interactions, and audit resources will lead to faster, better, and value‐added auditing.

We implore you to identify your assumptions. If you share the assumptions, you are well on your way to making Agile work for you. Should you find any assumption that doesn't fit for your organization, adapt Agile auditing to work for you. Every audit team can implement some Agile audit framework elements and recognize significant benefits when transforming to an Agile mindset. The most common benefits realized include more value‐add, more risk coverage, satisfied audit clients, increased confidence in audit results, streamlined audit practices, and happier auditors.

Adults learn through personal experience and the experiences and mistakes of others. We hope you learn from this book and the stories we share. As we've stated, our first several versions of our Agile audit framework weren't perfect. We made some mistakes, a concept accepted and promoted as a necessity to be Agile. We mentioned this earlier, but it needs emphasis: Agile is not about perfection. It is not about getting it right every time. Agile expects mistakes and errors, but you must identify and respond to the mistakes early and learn from them. We tried to help two organizations and a state government audit department implement Agile auditing without understanding what was necessary from an organizational and foundational standpoint. We learned about two essential fundamentals for Agile auditing success during those three attempts – the right culture and the proper communication. Chapter 17: Preparing Your Organization for Agile Auditing/Creating the Agile Culture is dedicated to these fundamental topics.

The ideas and stories presented in this book represent a collection of classroom, conference, and hands‐on work experiences and client interactions that began in 2011. We thank our clients and students for helping us evolve our once‐rigid Agile audit methodology into the flexible Agile auditing framework it is today. We continually adapt our Agile auditing journey and framework in response to new knowledge and an ever‐changing environment. This adaptation follows a fundamental Agile principle's expectations: as your knowledge increases, your needs change.

There is still more to learn. We read books, blogs, and white papers on Agile for different disciplines, frameworks, and industries. Classroom interactions challenge us to examine, reevaluate, and improve the Agile audit framework. Nearly every class we teach creates a new idea for Agile auditing. We recognize that Agile auditing is not perfect for every organization or every audit. As you start your Agile auditing journey, remember:

• Your organization's Agile audit methodology must reflect your environment, culture, and audit practices.

• Agile auditing is not a one‐size‐fits‐all methodology.

• Even after your Agile auditing methodology and process is mature, look for continuous improvement opportunities, and adapt to your organization's constantly changing needs.

• Perfection is a myth. Agile allows for failures, mistakes, and errors.

The Agile audit framework described in this book incorporates project management practices, Agile practices, Participatory Auditing, and end‐to‐end risk‐based auditing. Agile auditing begins with creating the audit plan by selecting audits of areas that pose the most significant risks to the organization and ends with communicating the results of an individual engagement based on which risks are not mitigated to an acceptable level; that is what we mean by “end‐to‐end risk‐based auditing.” We recommend using a holistic, risk‐based view of the audit process, even though you may elect to start with one piece of the audit process as you roll out your Agile audit methodology.

In this book, you'll find information about various organizations' Agile audit methodologies, attempts, failures, and successes to help you implement Agile auditing. Most importantly, you will gain knowledge to help you determine the right Agile auditing approach for your organization.

At the end of each chapter, we share “nuggets,” which are key takeaways, ideas, questions, suggestions, “aha moments” when the lightbulb comes on, and thoughts presented in the chapter. We want you to reflect on the content at the end of each chapter and encourage you to identify your nuggets.

Part I: Building an Understanding of Agile and Auditing acclimates the reader to Agile and auditing and consists of the following six chapters:

In Chapter 1: What Is Agile?, you will build an understanding of Agile and Agile project management so you are able to explain Agile to others. This chapter includes defining Agile and presenting the Agile Manifesto and its 12 principles. You will be introduced to the multiple frameworks under the Agile umbrella, including Scrum, the most popular framework, Scrum values, Scrum's three roles, three Artifacts, and five activities. You may even gain a thirst to obtain one of the Scrum certifications. You will also learn about using “recipes” for your Agile audit journey and explain how you can use the recipes provided in this book. You will find the Agile Manifesto, Agile frameworks, and recipe concepts to create your Agile methodology.

In Chapter 2: What Is Audit?, you will learn how to define an audit, describe the different types of audits, and list the professional standards for the different types of audits. This chapter clarifies the audit project life cycle activities and use of audit customers and audit stakeholders. You will obtain brief overviews of auditors' key knowledge areas, including governance, risk, control, finance/accounting, technology, and compliance and skills needed as a successful auditor. The brevity of the discussion of the knowledge and skills is necessary, as each can be a separate book. After reading this chapter, you will be able to explain auditing, audit customers, knowledge and skills needed to be an effective auditor, traditional audit project life cycle phases, and problems encountered in the audit process that contribute to delivery risks to interested parties. This chapter includes a recipe for building auditor knowledge and skills.

In Chapter 3: Traditional Audit Engagement Process and Practices, you will obtain information on tasks and activities in the traditional audit life cycle. Many of these activities were collected from work experiences and reviews of other audit methodologies and represent typical audit practices. Your specific traditional audit practices may vary, but you should see some similarities as well. This chapter helps you further understand the typical activities to complete audits in the traditional waterfall process and can be used to benchmark your current auditing practices. You will likely see the bottlenecks, redundancies, and inefficiencies created in the audit process and think of your Agile solutions as you read this chapter.

From Chapter 4: What Is Agile Audit? and Chapter 5: Why Agile Audit?, you will be able to describe what Agile auditing is and why it is beneficial to auditors and the organizations they serve. You will be introduced to the Agile audit framework and implementation options. You will discover some of the challenges encountered, the benefits of Agile, and how to get others to buy in to your Agile auditing methodology.

Chapter 6: Creating the Agile Mindset will help you develop a deeper understanding of Agile and the Agile mindset. You will also learn ways to assess if your auditors believe in your Agile Manifesto and discover ways to assess how strongly they feel about their ability to start an Agile process. This chapter also provides a recipe for how you can get your auditors to believe in your Agile Manifesto.

Part II: Implementing Agile Auditing provides ideas for and examples of techniques, methods, and practices for implementing Agile auditing and consists of the following five chapters:

In Chapter 7: Implementing Agile Auditing: Deciding Your Approach and Your Agile Audit Project Roles, you will learn about three different Agile strategies you can use for the implementation of Agile auditing, including full Agile, pilot Agile, and Agile lite. We will also cover Agile audit roles and responsibilities. In this chapter, you will discover challenges you can expect people to encounter as you implement your Agile audit methodology.

In Chapter 8: Implementing Agile Auditing: The Audit Planning Process, you will see a contrast of traditional annual audit planning using an audit universe and Agile audit planning using a risk universe. This chapter discusses three unconventional risk assessment methods: dynamic risk assessments, data‐driven risk assessments, and risk universe prioritizations. In this chapter, you will also learn more technical Agile jargon in the audit context. This chapter includes two recipes for helping you prioritize and select your user stories, depending on your selected approach to implementing Agile auditing.

Chapter 9: Implementing Agile Auditing: Planning Agile Audit Engagements explains how to plan your Agile audit resources with self‐managing teams. Further, you will review the Agile planning steps and discuss other Agile jargon specifically for planning activities. You will also learn how you can solve problems encountered during the engagement planning process with Agile auditing.

Chapter 10: Implementing Agile Auditing: Executing the Agile Audit includes discussing “testing with the audit client” during the execution phase. This chapter will explore workpaper documentation in an Agile audit environment and ideas on managing scope creep. Further, this chapter also discusses how audit findings are communicated in Agile auditing. You will explore and consider the different ways in which you can solve problems encountered during engagement execution or fieldwork process with Agile auditing.

In Chapter 11: Implementing Agile Auditing: Communicating Agile Audit Results, you will read of innovative means of communicating your audit results and will learn the different communicating activities that derive from Scrum, though applied to Agile auditing. You will have the opportunity to consider whether, with Agile auditing, you still need to write a formal report. You will review problems and explore the different ways you can solve problems encountered during the engagement communication process with Agile auditing.

Part III: Special Considerations provides valuable information regarding how new technologies are affecting the way we audit. You will explore using Lean and Kanban for Agile auditing. You will learn how to stop creating kitchen‐sink audits, merging risk‐based auditing and integrated auditing with Agile auditing. Part III consists of the following eight chapters:

Chapter 12: Agile Auditing in the “New Normal” Environment (Remote Auditing) presents in a thought‐provoking fashion how Agile audit in the “new normal” must adopt and embrace disruptive technologies (robotics process automation, machine learning, and artificial intelligence) to be prepared to deal with global changes including the 2020–2021 COVID‐19 global pandemic. You will explore how existing technologies, such as videoconferencing and data analytics (DA), change the way we communicate and perform our audits. Also, you will examine techniques for effective virtual conferencing. This chapter provides an introduction to DA terminology and a synopsis of the DA process. You can consider using it as your recipe for starting your DA journey. This chapter examines some of the differences between these technologies and how they affect the way we work.

In Chapter 13: Lean and Agile Auditing, and Chapter 14: Exploring Kanban Agile Auditing, you will learn how to use these two frameworks with the Agile auditing framework. It is important to note that these are not mutually exclusive, and audit teams may find a merger of frameworks most beneficial.

In Chapter 15: Merging Risk‐Based Auditing and Integrated Auditing with Agile Auditing, you will review different risk definitions. You will learn how to stop creating kitchen‐sink audits. You will learn about risk‐based auditing and will explore our extreme risk‐based auditing approach. Further, you will realize that Agile auditing does not preclude one from completing integrated audits.

In Chapter 16: Building the Auditor Toolbelt and Self‐Managing Agile Audit Teams, you will learn the importance of building an auditor toolbelt and filling it with the different skills to become an Agile auditor. Also, you will see how using Scrum values can help create a self‐managing Agile auditing team.

Chapter 17: Preparing Your Organization for Agile Auditing/Creating the Agile Culture explores how behaviors, norms, and perceptions can influence the organization, so it supports Agile auditing. You will learn about the influence a Grateful Agile Leader can have on the organization's culture and the Agile team. You will also learn what the ideal conditions for Agile auditing are.

Chapter 18: Passing Your Quality Assessment Review (QAR) in an Agile Audit Environment discusses the four areas of most concern regarding your QAR when implementing Agile auditing (independence and objectivity, planning, documentation, and supervision). It also provides an overview of the standards used for the three types of audits covered in this book.

In Chapter 19: Nuggets for Agile Audit Success, you are encouraged to summarize your new or refreshed knowledge from the book and identify your nuggets (which can be anything meaningful to you: an idea, a question, something to research later, something to tell someone else, an aha moment, or even a thought related to the content discussed). This chapter provides 10 nuggets for Agile auditing success.

Appendix A: Glossary of Terms, provides definitions of key words, concepts, and notes provided in this book.

Appendix B: Product Backlog Template, includes the business risks (with likelihood/impact assessments), value proposition, cross‐functional dependencies and relationships to other risks, priority or projected date for the completed audit, resource requirement estimates, and an estimate of the effort to complete the Agile audit.

Appendix C: Agile Audit Example. This example consists of the Agile Audit time‐lapse activities conducted during a one‐week period for an Agile audit of remediation activities for a Security/Access Controls audit finding: Deficiencies in the user provisioning process for terminations.

Bibliography. Our journey as we wrote this book included reading over 100 books, reports, scholarly and trade journals, white papers, articles, interviews, and research papers on Agile, Agile frameworks, and Agile methodologies. The Bibliography includes references to many of the learning and discovery aids we have used in this book. We encourage our readers to seek these references, as well as many more.

Good luck, and let's start your Agile auditing journey.
