Professional Documents
Culture Documents
Given that every organisation and their In Part 2, we elaborate on our experience
Internal Audit group is unique, Deloitte working with clients to implement Agile
has developed Agile Internal Audit (Agile IA and reflect on our conversations with
IA) as a flexible methodology for adapting various companies on the same journey.
Agile to the specific needs of an Internal It is a point of view (POV) we could not
Audit function and its stakeholders. This have written six months ago, when Part 1
document explains the methodology as it was drafted, because we were early in our
applies to internal auditing. journey. What better way to write a point of
view on Agile IA than using an iterative, Agile
This is not a solution in search of a problem. approach!
The problems are myriad as covered in Part
1 of this series—Understanding Agile IA. As
highlighted earlier in the series, Deloitte’s
research and experience have repeatedly
Here is a great way
found that organisations want and need to think about Agile:
more from Internal Audit. Piecemeal efforts Let’s say you’re a
that lack the context of a coherent, homesteader with a
methodical approach often fail in holistically bit of land and you
need some shelter. Do you spend
addressing the needs without the mind-set
months preparing blueprints; buying
change required. materials; hiring crews; and building,
finishing, and furnishing a five
Yet Internal Audit groups vary widely in bedroom, four bath house? Or do you
their capabilities, resources, skill sets, first pitch a tent, then set up a lean-to,
organisational charters, and readiness for and then, as you learn your family’s
requirements—and what you are
change. By the same token, organisations
doing—build a shack, then a cabin,
vary in their cultures, needs, and views of and then a house?
Internal Audit.
Agile would recommend the latter
Therefore, successful adoption of Agile in approach.
Internal Audit depends heavily on leadership
in the function, on the audit committee,
and among senior executives and business
partners.
2
Becoming agile | A guide to elevating Internal Audit’s performance and value
The impact of Agile IA • Empower Internal Audit teams to decide, However, take care as cafeteria-style picking
with stakeholders, what to do, how much across various methods, and choosing
Agile Internal Audit has the potential to: to do, and when to do it trends, does not work. Pick-and-choose
• Define a shorter path to more insightful approaches lead people to believe they
Adopting Agile IA calls for several shifts, as
results are implementing Agile IA when they are
indicated in Figure 1.
not. As a result, Internal Audit (along with the
• Engage stakeholders earlier and more organisation) may not only fail to reap the
Agile IA is not a one-size-fits-all
frequently benefits of Agile IA but may blame the
approach
• Generate less documentation and fewer methodology for not delivering targeted
words, but frequent communication There are multiple Agile methods based on benefits. It is a leading practice to build
Perfect communication after a iterative development where
long process requirements
Frequent communication during
your the process
foundations on a selected method,
• Accelerate Internal Audit
Rigidly cycle times
planned and
activities and solutions evolve through collaboration make changes
Quick, iterative based on your objectives and
activities
redeployment ofComprehensive
resources documentationbetween self-organising,
Timely, relevant cross-functional
reporting the culture of your organisation, and then
Established
• End an Internal Audit activityroles inpoint
at the teams. Examples
a hierarchical system include Lean, Scrum, and
Empowered roles in a more flexibleimplement
systemyour tailored approach. Trial and
Following
of diminishing returns a preset
(minimum Kanban, among others.
plan Responding to emerging needs
viable We have adopted learn as you go.
product) Scrum but find some methods from the
Auditing to Internal Audit resources Resourcing to audits and projects
other approaches, such as the use of
Control of the audit process Transparency in the audit process
Kanban boards, work well.
From To
¹ Refer to Part 1: Understanding Agile Internal Audit for a sample Agile Internal Audit manifesto; www.deloitte.com/us/becoming-agile
4
Becoming agile | A guide to elevating Internal Audit’s performance and value
• How does the business area align with the • Why is this project important to the business? • Key IT systems/reports supporting
• Why is it on the audit plan? Drivers from the
corporate strategy? and/or monitoring the business
risk assessment?
• What are the business’s objectives? • What is the value-add (relevance) to the process?
“As one of the world’s largest retailers, Walmart embarked on this Agile IA journey with Deloitte to better equip
our teams to maintain the speed of change at which our businesses are evolving. We are still on the journey to
adopt Agile IA, and some of our successes include:
• Tremendous enthusiasm at the staff and senior level to adopt a new and reenergised method to audit;
• Enhanced empowerment of the teams to engage the right level of stakeholders throughout the audit; and
• Quick wins - Deferring an audit within the first two weeks. Under the traditional audit approach it would have taken a much
longer time to reach the same conclusion; however, the mind-set of moving with speed to address risk and drive value and
quality empowered the team to make the right decision earlier.”
- Brandi Joplin, senior vice president and chief audit executive, Walmart
- Shondae LeGrand, senior manager, Walmart
- Mauri Myers, senior director, Walmart
5
Becoming agile | A guide to elevating Internal Audit’s performance and value
Key elements of a user story – Challenges/leading practices: ◊ Many teams use the first sprint
◊ There needs to be agreement between as a “discovery” sprint in order to
An effective user story is one that considers
the scrum team, product owner, and undertake preliminary work, such as
the risks, complexities, and relevance of
stakeholders that the project can start. defining needed data or gathering
the story. There are three key components
required information.
to a story – the actor, the action and the ◊ DoR should be viewed as the starting
outcome. Who is the responsible party line. Definition of Done (DoD): A DoD defines
(actor) for the key elements of the story, the value to be delivered in a sprint. It can
Sprints and time-boxing: When Internal
what are the concludable areas in the story be expressed as a level of assurance; a list of
Audit’s work begins, the user stories are
(the actions), and what are the expected end identified issues, risks, or recommendations;
grouped into sprints. Sprints—time-boxed
results (the outcome)? or a report or POV. DoD helps define when a
intervals in which specific tasks must be
story has been completed to the satisfaction
completed—provide a process, a structure,
The backlog may never be complete. The of the audit product owner and meets
and a cadence for the work. The time-box
team should continually revise and refine an objective of an audit. It should not be
should provide the motivation of a tight
user stories to ensure that the backlog is lengthy or complex or it will likely not work at
deadline to keep the teams focused.
prioritised and organised. the sprint level.
– Challenges/leading practices:
– Challenges/leading practices: – Challenges/leading practices:
◊ People sometimes do a poor job
◊ Creating a story that is small enough to ◊ Think of a DoD as a checkpoint rather
estimating time. Don’t expect the first
be completed within a sprint can be a than a destination to enable the team
sprint to be perfect.
challenge. Teams often want to bite off to modify or redirect the work as it
more than what can fit into a one- to ◊ On IT projects, industry experience proceeds.
two-week sprint. indicates that two-week sprints are the
◊ The DoD defines the level of assurance
norm, even for companies that have
◊ Make sure the story has concrete needed or the desired quality of the
tried longer ones. Internal Audit should
business value and is testable by itself, final product. Often, low levels of
shoot for one- or two-week sprints.
after which audit conclusions can be assurance or a quick review of certain
initially determined. ◊ Having a dedicated scrum master/ controls is all that’s needed. Other
coach is a leading practice. The “coach” times, higher levels of assurance and
◊ Involve the product owner in
role may be the most important part, deeper reviews are necessary.
understanding requirements and
as teams need someone who can
mapping the stories. Continue to ◊ As the objective source of assurance,
facilitate their learning.
stress to your teams that the initial Internal Audit has significant input
backlog will not be the final backlog; it’s into the DoD. The needs of the audit
ok to get started with some unknowns.
Definition of Ready (DoR): An item on the
audit backlog has a DoR when the product “At United, the Agile approach has positioned us to more
owner and stakeholders agree on what will frequently ask ourselves, ‘As a stakeholder, would this bring me
be tested, examined, or reviewed; on the value?’ The enhanced collaboration, iterative process, and story
goal of the work and expected value; and development force us to answer that question every day and
requirements for the auditee. When the DoR justify why we do what we do. In turn, this has generated focused work linked
has been met, the scrum team can begin to objectives, insightful and relevant outcomes, and a faster audit cycle-time
work on that audit or project. via time-boxed iterations.”
6
Becoming agile | A guide to elevating Internal Audit’s performance and value
committee and regulators, as well ◊ Miscommunication can occur if the stakeholders. And it should contain Internal
as those of the business, must be stakeholders are not involved at sprint Audit’s factual opinion on current state and
considered. closing and if there’s nothing provided contain insights to risks and exposures.
in writing.
Sprint closing: At the end of each sprint,
– Challenges/leading practices:
the scrum team holds a sprint closing ◊ A leading practice is the use of
◊ Final POVs should reflect “what you
meeting with stakeholders to review workflow visualisation boards
really think” and be supported by the
the backlog items that were completed displayed in the team working
facts. It should be tied to strategy and
(according to DoD). The aim of sprint closing area open to all stakeholders.
answer the question “so what?”
is to formally close out all activities related to This approach provides complete
a sprint. At this stage, teams often develop transparency for completed and ◊ A final POV is also a condensed
a sprint POV, a condensed understanding of backlog sprints. understanding of the area with a
the area with insights of the state of risk and summary of relevant insights into the
The final product: In Agile IA, the report is
controls as well as any observations that will state of risk and controls within it.
developed iteratively, just like planning and
require action by the stakeholder. ◊ The final POV is only as good as the
fieldwork. Upon completion of the sprints,
a final POV is developed to tie the sprints sprint POVs. Sprint POVs should drive
– Challenges/leading practices:
together (see Figure 4). A final POV provides your backlog refinement process,
◊ Use the sprint closing to document use
focus and articulates the relevance of the leading to the final POV.
of resources, cycle times and elapsed
work performed. It fuels brainstorming ◊ Waiting until the end to share anything
time, resourcing models, and other
and helps to obtain buy-in from various with stakeholders in writing can lead to
salient features of the audit or project.
challenges with acceptance.
PROJECT POV: This is the space for the project- RATING Summary observations, impact, and management
level POV, which is determined at the start of the action plans (MAPs)
project, updated throughout, and finalised at the Fill in
end based on project learnings. The project-level color Observation Impact MAP Rating
POV should connect with the strategic objectives.
Summary sentence Summary sentence Summary sentence
of the issue of realistic capturing the
3
(including applicable impact/risk if the essence of
control breakdown) issue noted persists. management’s
based on the results planned action.
of the review
2
Sept 2017
1
of the issue of realistic capturing the
Sprint POV 3 (including applicable impact/risk if the essence of
What did we learn based on the control breakdown) issue noted persists. management’s
hypothesis? How does what you learned based on the results planned action.
influence the project-level POV?
of the review
Sprint POV 2 Oct 2017
What did we learn based on the
hypothesis? How does what you learned Summary sentence Summary sentence Summary sentence
influence the project-level POV? of the issue of realistic capturing the
Sprint POV 1 (including applicable impact/risk if the essence of
What did we learn based on the hypothesis? control breakdown) issue noted persists. management’s
How does what you learned influence the based on the results planned action.
project-level POV? of the review
Nov 2017
Connect the POV to the
Identify applicable
company’s strategic
strategic objective Rating: High Moderate
objectives
7
75
Becoming agile | A guide to elevating Internal Audit’s performance and value
8
Becoming agile | A guide to elevating Internal Audit’s performance and value
• We have a team of seven full-time Agile coaches and Scrum masters, drawn from both Agile and IA backgrounds.
The sole focus of these colleagues is to support our Agile implementation—coaching audits, delivering training, and
facilitating lessons-learned sessions.
• We have delivered a half-day introductory training session for all of our 600+ auditors globally and are now rolling out a
two-day Professional Scrum Foundation training.
• We have not currently changed our BIA methodology—our focus has been the process, behaviors, and mind-set through
which we execute. We have not mandated an Agile approach. Instead, we encourage our audit teams to innovate their
audit approaches, try new things, review the success, and share learnings.
• A great example, innovated by one audit team, was to rethink the way in which we write audit reports. Historically,
the audit lead would draft an audit report, which would go back and forth in review for weeks—an inefficient and
demoralising experience. This audit team decided to get everyone in a room with a blank report template on a screen—
and collectively wrote the report in three hours. This created a collective ownership of the final report; increased the
quality and accuracy of its messaging; and reduced the time and effort required significantly. This example has been
shared with many other audit teams who have adapted this idea to fit their teams.
• Our office space is unrecognisable—we have Kanban boards on every available wall (and window!) to enable the teams to
visualise the work backlog for each audit. We encourage our audit stakeholders (auditees) to join us for our daily scrums
to better understand the audit focus, facilitate quick removal of blockers to our audit process, and to build trust and
openness.
• Beginning January 2018, our audit team structure and roles will change, with a far flatter audit team structure, facilitating
self-organising and stable teams.
We have seen tremendous benefits so far, from more engaged audit teams to an overall reduction of time spent per audit
by 10-20 percent already. We liked Deloitte’s incorporation of lean canvas in creating the audit canvas idea. It’s great to be
able to share ideas and collaborate with others in their journeys and we encourage that. We look forward to performing
more of our audits in an agile way and to our next discussion with Deloitte to share experiences.”
9
Becoming agile | A guide to elevating Internal Audit’s performance and value
Contacts
Please share your experiences with us or contact our team if you need help getting started
on your Agile IA journey.
Global contacts
Sandy Pundmann John Celi
US Managing Partner Internal Audit Principal
Deloitte & Touche LLP Deloitte Consulting LLP
Terry Hatherell Peter Astley Sarah Adams
+1 312 203 7000 +1.617 437 3032
Global and Americas Internal Audit Leader EMEA Internal Audit Leader Global IT Internal Audit, and Agile Internal
spundmann@deloitte.com jceli@deloitte.com
thatherell@deloitte.ca pastley@deloitte.co.uk Audit Leader
+1 416 543 8434 +44 20 7303 5264 saradams@deloitte.com
Sarah Adams Brian Wojick +1 713 982 3416
Porus Doctor
Managing Director Sandy Pundmann Senior Manager
Asia Pacific
Deloitte InternalLLP
& Touche Audit Leader United States Internal Audit Consulting LLP Neil White
Leader
Deloitte
podoctor@deloitte.com
+1 713 982 3416 spundmann@deloitte.com +1 404 631 2319 Global Internal Audit Analytics Leader
+91 226185 5030
saradams@deloitte.com +1 312 488 3790 bwojick@deloitte.com nwhite@deloitte.com
+1 646 436 3822
Ranjani Narayanan
UK contacts
Senior Manager
Deloitte & Touche LLP
+1 617 365 5174
Peter Astley Karl Williams
rnarayanan@deloitte.com
Partner and EMEA Internal Audit Leader Director, Corporate Internal Audit
pastley@deloitte.co.uk kdwilliams@deloitte.co.uk
+44 20 7303 5264 +44 121 695 5672
Owen Jackson
Director, UK Financial Services Internal Audit
ojackson@deloitte.co.uk
+44 2920 26 4297
10
11
This
Thisdocument
documentcontains
containsgeneral
generalinformation
informationonly onlyand
andDeloitte
Deloitteisisnot,
not,bybymeans
meansof
this document,
of this rendering
document, accounting,
rendering business,
accounting, financial,
business, investment,
financial, investment, legal, tax, or
legal,
other professional
tax, or advice oradvice
other professional services. This document
or services. is not a substitute
This document for such
is not a substitute
professional advice or services,
for such professional advice ornor shouldnor
services, it be used itasbe
should a basis
used asforaany
basisdecision
for any
ordecision
action that may affect
or action youraffect
that may business.
your Before
business. making
Before any decision
making anyordecision
taking any
or
action
takingthat
anymay affect
action thatyour
maybusiness, you
affect your should consult
business, a qualified
you should consultprofessional
a qualified
advisor. Deloitte
professional shall not
advisor. be responsible
Deloitte shall not beforresponsible
any loss sustained by any
for any loss person by
sustained who
relies on this who
any person document.
relies on this document.
AsAsused
usedininthis
thisdocument,
document,“Deloitte”
“Deloitte”means
meansDeloitte
Deloitteand
andTouche
ToucheLLP,
LLP,which
which
provides
providesInternal
InternalAudit;
Audit;Deloitte
DeloitteConsulting
ConsultingLLP,
LLP,which
whichprovides
providesAgile
Agile
transformations.
transformations.TheseTheseentities
entitiesare
areseparate
separatesubsidiaries,
subsidiaries,a asubsidiary
subsidiaryofofDeloitte
LLP. Please
Deloitte seePlease
LLP. www.deloitte.com/us/about for a detailed
see www.deloitte.com/us/about for adescription of our legal
detailed description of
structure.
our legal Certain services
structure. may
Certain not bemay
services available
not betoavailable
attest clients under
to attest the rules
clients under
and
theregulations of public accounting.
rules and regulations of public accounting.
Copyright
Copyright©©2018
2017Deloitte
DeloitteDevelopment
DevelopmentLLC.
LLC.AllAllrights
rightsreserved.
reserved.
J15099
J14390