For the exclusive use of M. CUHK, 2022.

SMU Classification: Restricted

SMU134

AGILE AUDITING AT DBS: EMBRACING THE FUTURE

The biggest hurdle to change is getting people to think differently. DBS Group Audit had
received an excellence award for its performance. Both continuous and predictive auditing
model implementations by the Group had been immensely successful. But then to say that there
is actually another benchmark (agile auditing) - and that we have to attain and demolish what
we have learnt in the past in order to adopt this radical new methodology - required a lot of
hard work and perseverance on our part.
- Jimmy Ng, Head of Group Audit, DBS Bank

It was October 2017, and Jimmy Ng, Head of Group Audit at DBS Bank, Singapore, was
celebrating his first day of work with his team at their newly-renovated office at Level 13 of the
Marina Bay Financial Centre. Dressed in bright-red Formula One pitwall crew attire, the entire
team looked radiant and full of enthusiasm. The transformation of their previously staid office
space into a lively activity-based workspace had taken two months to complete, and symbolised a
key milestone in terms of what Group Audit had achieved in the last five years in their journey
towards the Future of Auditing. The workspace was designed to house everything that they had
accomplished, including the introduction of a new approach in auditing: agile auditing.

DBS Group Audit had been one of the first internal audit departments of a bank in Asia to have
successfully piloted agile auditing as an integral part of their framework. This was a feat in itself, as
not many banks worldwide had yet adopted agile principles and discipline in their auditing
approach.

Group Audit in DBS had continually evolved as a function within the organisation, and the
後果
introduction of agile auditing was yet another feather in their cap. As an aftermath of the 2008
global financial crisis, strict regulatory requirements to implement and control risk mitigation
常年壓力
controls and strategies were introduced for banks. There was also a perennial pressure from
regulators on audit departments to increase scope, frequency and sampling size of audits in order to
derive greater assurance over the adequacy of internal controls in banks. DBS Group Audit
responded to regulatory demands by introducing Continuous Auditing in 2013, a process which
involved the usage of computer-assisted audit techniques (CAATs) to enable automation of audit
steps. This process reduced the need for manpower in mandatory audits, enabled re-usability of
audit scripts and eliminated manual data extraction. It also allowed the auditing of key controls to
be performed continuously instead of only when due. By 2017, DBS Group Audit had amassed
over 1,000 continuous auditing scenarios automated for various business functions and support
units across all DBS core markets.

In addition to coping with regulatory requirements, Group Audit had to also stay relevant in the
ever-changing business landscape and be able to predict risks proactively. The need for a process
that could predict risks, including emerging risks, geared DBS Group Audit to adopt Predictive
Auditing, a methodology used to efficiently and effectively identify risks and any ensuing trends by

This case was written by Professor Foo See Liang and Lipika Bhattacharya at the Singapore Management University. The
case was prepared solely to provide material for class discussion. The authors do not intend to illustrate either effective or
ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying
information to protect confidentiality.

Copyright © 2017, Singapore Management University Version: 2017-05-10

This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

leveraging on data analytics and machine learning predictive modelling to sift through large
quantities of data or big data.

Despite making efforts at leveraging automation and innovative technology for increased efficiency
and effectiveness, DBS Group Audit still faced several challenges because of the limitations of the
traditional auditing methodology. Multiple iterations during the issue discussion and reporting
stages in traditional auditing methodology inevitably resulted in a blame game after the audit
results were shared with stakeholders. Inflexibility of the audit scope and rigidity of the traditional
audit process made it difficult to cope with late changes, causing consternation within the
organisation. Moreover, traditional auditing methods were scope-bound and lengthy because of the
inflexible scope and prolonged issue discussions.

Group Audit recognised the need for a new approach that could enable them to move away from
these limitations, especially from the scope-bound audit approach. In early 2016, when Ng saw the
opportunity to adopt the agile auditing approach, he immediately realised that it could be the
靈丹妙藥
panacea for many of the issues that arose with the traditional audit process. Agile auditing
techniques involved execution of an audit in short bursts of activity of a few weeks with increased
stakeholder involvement and frequent discussion of day-to-day findings followed by reporting and
follow-up.

In mid-2016, Ng and his team launched a pilot programme to introduce agile principles and
discipline into internal audits. The first few pilot audit projects conducted using the agile auditing
approach proved to be very successful, and the board and senior managers took note of the team’s
success. This eventually led to an overall acknowledgement that DBS would implement the agile
methodology organisation-wide across various functions.

Looking around at the new activity workplace, Ng mulled over how the team could further improve
and streamline their current agile practices for successful adoption of a full-fledged agile auditing
process. What areas could they improve to make a smooth transition into a full-fledged agile
practice? How could they make further adjustments to their processes to create a perfect balance
between routine work and short and intensive agile audit cycles?

DBS Bank: Journey of Group Audit

DBS Bank was incorporated in 1968, three years after Singapore’s independence, and commenced
operations the same year. The bank assisted in the establishment of manufacturing and processing
industries in Singapore, and contributed to the general development of the Singapore economy over
the years. In 1998, DBS acquired the Post Office Savings Bank (POSB), the oldest operating bank
in Singapore established by the British colonial government. 1

Over the decades, DBS grew from being a local Singapore bank to a leading Asian bank with more
than 250 branches in 18 markets. 2 DBS was recognised as the Bank of the Year Asia (2012) by The
Banker, a member of the Financial Times Group. It was also recognised as the Best Bank in Asia-
Pacific (2016) by Global Finance. The bank had also been named as “Safest Bank in Asia” by
Global Finance for seven consecutive years from 2009 to 2015. 3

1
History SG, Establishment of the Development Bank of Singapore, http://eresources.nlb.gov.sg/history/events/e1efcbf8-6287-4c50-
b7a2-1a9ae51c064f, accessed June 2017.
2
DBS Bank, about us, Footprints in Asia, https://www.dbs.com/about-us/default.page, accessed June 2017.
3
DBS Bank, Awards & Accolades, https://www.dbs.com/awards/default.page, accessed June 2017.

2/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

The Evolution of Group Audit

Group Audit was an independent function in DBS that reported directly to the organisation’s Audit
Committee. Its primary function was to evaluate the bank’s risk management and internal control
systems in terms of reliability, adequacy and effectiveness. Its scope of work covered all business
and support functions in the DBS Group, both in Singapore and overseas. All audit offices in the
Group across all global locations followed a consistent set of code of ethics. 4

DBS Group Audit had used a conventional audit approach which relied on checking if standardised
operating processes were followed rigorously (refer to Exhibit 1 for Traditional Audit Process).
However as an assurance provider to the bank, they were committed to continuous improvement to
stay relevant to their stakeholders. In 2008, to meet the demand of Taiwan’s regulatory
requirements, Group Audit industrialised the use of computer-assisted audit techniques (CAATs)
that provided continuous auditing in real-time, at the press of a button and enabled the automation
of mandatory audits. 5

The Three Lines of Defence

DBS’ risk governance had been structured along the three lines of defence with clear roles and
responsibilities. The business management, in partnership with support functions, acted as the first
line of defence and was primarily responsible for identification, assessment and management of
risk within the approved risk appetite and policies. Corporate oversight functions (such as Risk
Management Group and Group Legal & Compliance) acted as the second line of defence and were
responsible for the establishment and maintenance of risk management frameworks. Group Audit
acted as the third line of defence, providing assurance on reliability, adequacy and effectiveness of
the Group’s system of internal controls, risk management procedures, governance framework and
processes.

Digital Disruption

The past decade had seen exponential advancements in technology. Digital disruption had become
現狀
the status quo in almost every industry including the banking and financial services sector. 6
Uncertain economic and geopolitical events had created a business environment of volatility,
uncertainty, complexity and ambiguity (VUCA). Banking and financial institutions therefore
needed to restructure and reframe their three lines
串聯
of defence and build a more integrated
framework that could enable them to move in tandem with the ‘speed of risk’. In this context, it
was essential for DBS Group Audit to utilise technologies supported by artificial intelligence, data
analytics, continuous and predictive auditing, machine learning and other supporting technologies
and approaches to provide an even better assurance to the organisation. Their risk-based auditing
process was cyclical in nature, and was based on past data and hindsight. Moreover the risk-based
audit was based on sampling and did not cover the entire function due to resource constraints, and
was therefore scope-bound.

Group audit also discovered that their key stakeholders, i.e., audit committee, senior management
and regulators had increased expectations of them amidst the changing business environment to
provide added assurance on the adequacy, effectiveness and completeness of the bank’s internal

4
DBS Bank, Support Units, https://www.dbs.com/careers/take-your-career/our-support-units/default.page, accessed June 2017.
5
For further details on DBS continuous audit techniques, please refer to SMU, Centre for Management Practice, Case, “Innovation in
Assurance: Doing More, and More Effectively, With Less”, 2016, SMU-16-0003 [DBS CA].
6
Sue Marquette Poremba, The Digital Disruption Revolution, “IT Business Edge”, August 29, 2016,
http://www.itbusinessedge.com/articles/the-digital-disruption-revolution.html, accessed June 2017.

3/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

controls. Group Audit understood that if they failed to provide this added assurance, they could
potentially become irrelevant to the organisation in the long run, and it was this realisation that
motivated the team to start on a journey of self-exploration and hunt for an approach which could
incorporate flexibility of scope and enable them to capture the ‘speed of risk’ more affectively. 7

Perception of Group Audit function

In 2013, the Group Audit team began a transformation journey which was based on the four P
approach of being productive, proactive, predictive and preventive. It was called the Future of
Auditing initiative (refer to Exhibit 2 for Future of Auditing roadmap). It began with a survey
amongst key stakeholders, with the aim of understanding the perception of Group Audit, held by
other functions within the organisation. Talking about the survey results, Ng explained,

People thought we are like the policeman hiding behind trees trying to catch them and give
them speeding tickets. And at best some thought we are like doctors.

After the survey, the senior members of the Group Audit team met to discuss their vision, and the
perception that they wanted their stakeholders to have of them. Ng reiterated that the key to
building an improved perception was to build trust between Group Audit and its stakeholders.
Becoming trusted advisors on risk control matters could enable Group Audit to work
collaboratively with their stakeholders and deliver value just by the ‘way they worked’. They also
focused on creating a vivid image of Group Audit among their stakeholders as it could help them
communicate their purpose and foster a shared vision among all their stakeholders. 8

Interestingly, DBS came across the Formula One imagery where racing cars in a circuit performed
under high stress, very much like the frontline functions of the bank - whereas Group Audit was
more like the support function which monitored the cars’ performance over the track, looking out
for impending dangers (refer to Exhibit 3 for the DBS Group Audit F1 Pitwall crew imagery).
Elaborating on the imagery, Ng said,

The Formula One imagery got us thinking about who we are.—the pitwall crew at the
backroom looking at streams of data flowing in, analysing road conditions, weather conditions,
tyre conditions, engine conditions and deducing the impending risks. Firstly the pitwall crew
needs data, so it is data driven. Secondly it is real time; it is foresight and not hindsight. If we
want our stakeholders to see us as the pitwall crew, how could we go about achieving that?

The improved value proposition

With the imagery of a pitwall crew and the objective of changing the perception of their
stakeholders, DBS Group Audit embarked on the next step of the ride, marking their new vision
and mission statement. 9

Through their iconic continuous auditing process with automated audit test steps, Group Audit had
managed to be proactive. By adopting data analytics and machine learning, Group Audit had
enabled themselves to be predictive. Co-developed by the Group Audit team and I2R, the DBS

7
The Three Lines of Defense in Effective Risk Management and Control, IAA Position Paper, January 2013, https://www.theiia.org/3-
Lines-Defense, accessed June 2017.
8
Andrew Carton Chad Murphy and Jonathan Clark, “A (Blurry) Vision of the Future: How Leader Rhetoric about Ultimate Goals
Influences Performance”, Academy of Management Journal, 2014, 57(6), 1544-1570., 57(6), 1544-1570, accessed June 2017.
9
For further details on revised DBS audit mission statement, please refer to SMU, Centre for Management Practice, Case, Data
Analytics Journey at DBS Group Audit: The Future of Auditing is Auditing the Future, “The Evolution of Group Audit”, 2016, SMU-
16-0023 [DBS Analytics].

4/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

predictive model of auditing had garnered many accolades from the organisation’s senior
management due to its effectiveness in projecting the likelihood of risk events. 10,11 Explaining the
initial journey of self-discovery and drive for excellence, Ng said,

We were able to capture some trading anomalies using our predictive model that led to further
investigations, one in December, and one in February. When we found the first one, people
within the organisation thought we were lucky, but when we found another one, the CEO was
amazed. The positive feedback from higher management cemented our reputation.

Group Audit’s Future of Auditing transformative journey included other initiatives as well. There
was the Audit Mobility Initiative, which had introduced several tools to enhance efficiency and
productivity, so that audit project duration could be reduced and resources could be efficiently
utilised. There was also the Cyber Security Audit Framework to enable Group Audit to move in
tandem with the banks digitisation strategy and fulfil the preventive P of the 4P’s. But in addition
to having a comprehensive overarching umbrella of initiatives combining the 4P’s under the Future
of Auditing transformation, there was also a need for an actual audit execution methodology that
was more efficient than the traditional risk-based scope-bound approach. Ng explained,

Our traditional audit method actually seemed to follow the typical waterfall SDLC cycle
(software development lifecycle). But, we realised, there was something fundamentally wrong
with our audit report; it came out very late, after the projects were almost complete. Hence, we
had a lot of arguments and finger-pointing with our stakeholders at that stage, and sometimes
the fight went all the way to the CEO. So it was quite a painful process. We realised we needed
to be more involved in the product lifecycle from the beginning to be able to raise alerts in a
timely manner. We also realised the need to develop capabilities to respond to disruptive events
as they unfolded, rather than depending entirely on the capabilities of continuous and
predictive auditing.

Auditing at the Speed of Risk

It was necessary for DBS Group Audit to engage with the digital disruption and frequently
occurring risks and constantly evolve their audit plans and coverage as new potential risks surfaced.
A traditional methodology for internal auditing was rigid and not designed to deal with unexpected
risks or scope changes, and therefore adopting a methodology that would allow Group Audit to
design flexibility in their auditing became crucial (refer to Exhibit 4 for video on Digital
Disruption).

Moreover, Group Audit in DBS was geared towards the objective of providing value to its
stakeholders, so getting Group Audit into its rightful place at the management table was a key
priority for the team. After stakeholder surveys and several brainstorming sessions, the Group
Audit team in DBS realised that this required a fundamental change in the mindset of the team, and
the way they worked to deliver value.

Explaining their initial moment of insight, Ng said,

Our IT department had started embarking on agile development. I loved the idea, and thought
this is something we could possibly adopt in our audit process. It allows flexibility and was in
10
For further details on DBS predictive audit techniques, please refer to SMU, Centre for Management Practice, Case, Data Analytics
Journey at DBS Group Audit: The Future of Auditing is Auditing the Future, “The Evolution of Group Audit”, 2016, SMU-16-0023
[DBS Analytics].
11
ASTAR Company, DBS and A Star’s Institute for Infocomm Research (I2R) in Joint Lab Partnership,
https://www.computerworld.com.sg/tech/industries/banking/dbs-and-astars-i2r-in-joint-lab-partnership/ , accessed June 2017.

5/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

line with our objective of providing value to our stakeholders. If it helped solved the challenges
faced in a regular waterfall software SDLC development cycle, it could potentially solve our
problems as well.

The whole idea of adopting agile auditing became a possible reality when Group Audit conducted a
study trip to Brisbane, Australia in early 2016, and visited organisations which had implemented
agile methodology, with the aim of understanding more about agile practices. Adopting an agile
audit approach seemed a plausible solution as Group Audit had limited resources (both in terms of
budget and people), time constraints (including ad hoc demand from regulators), and scope-based
constraints. Flexibility in audit scope was one area where an agile approach could help immensely,
considering the fact that both time and resource constraints were more or less fixed.

Benefits of Agile Auditing

There were several benefits of adopting the agile auditing approach. One of the primary benefits
was the collaborative approach which helped in identifying and ranking focus areas, and helped
keep the entire team updated in a timelier manner. Another benefit was the transparency in the
execution of the audit itself, because of the active involvement of all stakeholders. Speed of
executing audits was yet another key benefit as audits were typically time-boxed, and prioritised
focus areas promoted an environment of fast decision making whenever change in scope was
required.

There were several downstream benefits of adopting agile auditing as well. Firstly, the technology
division in the bank was already heading towards large scale agile adoption, and an agile auditing
approach would help Group Audit execute their projects more efficiently. Secondly, the early
engagement of stakeholders (e.g., management and process owners) in the audit value-chain could
help in timely and collaborative resolution of audit issues. Thirdly, agile adoption could also
potentially minimise audit surprises which in turn could facilitate the cultivation of an environment
of trust between internal audit and their stakeholders. Another potential benefit was building
opportunities for internal audit to share their knowledge and render timely advice to the auditees on
risk and controls matters. From the organisation’s perspective, it not only enabled building
improved risk management controls, but also enhanced collaboration within cross- functional teams
for improved response to change.

Pilot Project

During their study trip to Australia, the major inference that the Group Audit team gathered was
that if there was already a flawed workflow built in, there was no point in auditing it as it was far
too late to fix it at that stage, and they were already part of lessons learned. The DBS Group Audit
team started to figure out how they could adopt the agile method in their audit processes, such that
they could be pre-emptive (refer to Exhibit 5 for Agile Terminologies). 12,13,14

The first pilot agile audit that the team did was for the Technology and Operations (T&O) division.
The pilot was a huge success, and all stakeholders, including the management, took notice of it.
The pilot audits helped in providing an end-to-end view of the audit, and gave an overview of
where the problems were. The scope was discussed collaboratively upfront with stakeholders
during the planning phase, thereby aligning key areas of risk and perspective. Audit teams could
also ask for more specific and targeted information, rather than having extensive documentation.

12
Suncorp, About Us, https://www.suncorp.com.au/about-us/, accessed June 2017.
13
KPMG, About Us, https://home.kpmg.com/xx/en/home/about.html, accessed June 2017.
14
KPMG, KPMG Agile, https://home.kpmg.com/au/en/home/services/enterprise/growing-your-business/agile.html, accessed June 2017.

6/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

There was less finger pointing, and issues were discovered and discussed earlier, without surprises
at the tail-end of the audit-engagement period. A report was presented daily to all stakeholders to
avoid unnecessary confusion and arguments about identified issues.

The success of the first pilot audit project was phenomenal, and the 360-degree visibility to the
auditors, project owners, and all other stakeholders helped a lot in identifying and pre-empting risks.
In an agile audit, the audit plan could be flexible, and could be adapted to constantly changing
business scenarios and requirements. It also allowed audit teams to closely monitor changes in the
environment and suggest timely intervention.

Reflecting on the choice of areas for the first few pilots, Ng said,

We chose areas that would have the least resistance for our first few pilots, areas who were
quite familiar with agile and understood the framework, like stand ups, kanban board and so
forth. Our first agile audit was a T&O project, as they were the forerunner of agile and they
understood how agile could be applied to audit. The objective was to successfully test the
methodology, and be able to showcase the benefits, and then let our stakeholders sell our story.

The DBS agile auditing framework

The agile approach essentially had five steps: a) Firstly, create a prioritised wish list, b) secondly,
decide on the cycle (sprint) duration to complete the work, c) thirdly, provide audit findings on a
day-to-day basis, d) fourthly, discuss fixes to cater to the audit findings, e) fifthly, produce a sprint
review and retrospective report.

MosCoW
The DBS Group Audit team used the MosCoW prioritisation method to plan their audits effectively.
This method allowed internal audit to reach a common understanding with stakeholders on the
importance they placed on the delivery of audit tasks that could provide the greatest and most
immediate business benefits early. The acronym MosCoW stood for Must have, Should have,
Could have and Won’t have. ‘Must have’ referred to a minimum usable subset (MUS) of
requirements which the project guaranteed to deliver, and defined the most essential deliverables
and tasks that had to be completed by the target date. ‘Should have’ denoted tasks that were
important but not vital, essentially tasks that were painful to leave out, but the solution without
them was still viable. ‘Could have’ items were wanted or desirable items or tasks but less important,
as they had less impact if left out. ‘Won’t have’ were requirements which the project team had
agreed during the planning not to deliver.

MosCoW helped in prioritising critical areas and in conjunction with an agile audit approach
helped engage all stakeholders in identifying critical risk areas with key tangible findings at the end
of the audit that the business would need to address as a matter of priority. The benefits of
prioritisation not only enabled efficient scope management by focusing on key issues but also
empowered the audit team to do more efficient resource allocation and manage their time better.

Scrum
DBS Group Audit had chosen to adopt Scrum as their agile tool. An iterative and incremental agile
framework, Scrum used a feedback-driven approach. The scrum methodology was based on the
three pillars of transparency, inspection and adaptation.

Each agile cycle in the scrum framework was referred to as a sprint, and the team executing it was
referred to as the scrum team. The DBS internal audit sprints were for a set period of time

7/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

(typically of two to four weeks). A sprint team, unlike a traditional project team, comprised
members from all stakeholder teams. Stakeholders in a sprint included product owner, scrum
master (facilitator for sprint), project manager, user, team members, process improvement
executives and last but not least the auditor (refer to Exhibit 6 for Role of Scrum Master) 15.

DBS agile audit end-to-end

The DBS agile audit end-to-end was typically of six to eight weeks. It began with a pre-planning
phase which covered a lot of pre-work by auditors based on preliminary focus area. This was
followed by a planning phase which was typically referred to as Sprint 0. It facilitated process
walkthroughs and the audit plan was finalised during this time. The Fieldwork Sprint was when the
actual audit execution took place, with twice a week stand-ups, demos on Thursdays followed by
prioritisation the following Tuesday. Auditors requested for missing evidence during the sprint, and
discussed conformities, non-conformities, findings, and observations with the team in the stand ups.
They also discussed progress and brainstormed on solutions to challenges. Once the evidence was
revised, the auditor would explain to the scrum team the non-conformities or observations found
during the audit process in the sprint demo. Based on the audit findings, the scrum team would
maintain a product backlog of tasks and ranked focus areas to resolve non-conformities or
observations. The final phase was reporting, referred to as Sprint N where auditors prepared the
draft report and conducted a retrospective meeting (refer to Exhibit 7 for an overview of the DBS
agile audit process).

Yik Yeng Yee, Chief Operating Officer, DBS Group Audit, explained that typically the audit team
would first hold an initiation discussion with the scrum master and other stakeholders in the scrum
team to determine the “success criteria” for the agile audit sprint. Typically stakeholders comprised
representation from the project team, the management team, as well as other process owners
relevant to the project or function being audited. This ensured that all the individual and collective
needs of stakeholders were taken into account at the beginning of the audit. Explaining the role of
the internal auditor during an agile internal audit execution cycle/sprint, Yik said,

An auditor is assigned to an entire sprint. The auditor is primarily the observer who asks
pertinent questions and enables two-way communication in the team for better understanding of
issues at hand. An audit report and recommendations are presented at the sprint retrospective
meeting.

Kanban
The DBS audit team also used Kanban Boards in conjunction with their scrum sprints, to monitor
and plan their tasks during the sprints. Kanban was a simple board of post-it notes, used originally
in supply chain management for inventory control. Its primary objective was to provide a simple
method of tracking work done and provide end-to-end visibility of the entire workflow. The auditor
would break down audit tasks into small pieces and add them to the audit backlog prioritised by the
organisations risk priorities on the Kanban board. They then set roughly estimated limits on work
in progress (WIP) for each task. Limiting the amount of WIP not only helped improve throughput
but also reduced the amount of work “nearly done” by forcing the team to focus on completing
tasks in smaller sets. Additionally, WIP limits helped highlight bottlenecks in the team's delivery
pipeline, if and when the limits exceeded. Hence it helped encourage work “done” and made
bottlenecks more visible (refer to Exhibit 8 for a sample DBS Group Audit Kanban Board).

A combination of agile tools, early on involvement of all stakeholders, and a collaborative

approach helped auditors create greater transparency on uncertainties and encouraged faster

15
Scrum, Scrum Alliance, Scrum Guide, https://www.scrumalliance.org/why-scrum/scrum-guide, accessed June 2017.

8/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

response to an action item rather than following a set plan (refer to Exhibit 9 for a snapshot of a
DBS Agile Internal Audit in action).

Changing the perception of the Group Audit function

Stakeholders within the organisation who had always believed that the Group Audit function of
DBS was the ‘police officer’ who monitored risks more as a post-mortem of projects already
executed changed their perception with the adoption of agile. Now the audit team in DBS was
involved in the projects early on, and had taken on a more active role. They were advising business
on potentially disruptive events, either before their occurrence, or as they were occurring.

There was an increased stakeholder involvement in the internal audit process as the agile
methodology enforced the formation of cross-functional teams with multiple stakeholders. Areas
for audit coverage were jointly identified and prioritised. The audit execution process served as a
forum for knowledge sharing among the stakeholders, without compromising audit’s independence.
There was also increased transparency within the team during the audit process with twice-a-week
stand-up meetings and open discussions. In addition, the Kanban board helped visualise the status
of audit tasks and highlighted blockers. Issues were debated openly. The entire team was
consistently in sync and participants were working toward a common goal to complete the audit
review. Since agile audit sprints were typically of a much shorter duration than traditional audits,
speed of audit execution was another inherent benefit of the agile approach.

The Group Audit team did a survey of the agile audit process within the organisation, and
interestingly their ratings had increased dramatically. 92% of those surveyed thought that the
flexibility of the agile methodology had exceeded their expectations while more than 80% of those
surveyed thought that agile auditing had helped increase competency, simplified and promoted
better communication and added value much more than their expectations. Stakeholders felt that
agile auditing created better understanding between stakeholders and auditors, and communication
tools like Kanban board were very useful in promoting increased transparency within the audit
process. The auditors felt that there was greater end-to-end clarity of process due to their early
involvement, and also such audits were great opportunities for identifying new avenues for
continuous auditing. Agile audits also helped them do better time management due to the time-
boxing of each sprint.

It was not just the findings from agile audits that were impressive. It was the entire value
proposition that the new audit methodology brought to the table that made the difference. The
feedback confirmed that agile auditing practices created greater engagement between stakeholders
and auditors, and action on retrospective learning’s further propagated the involvement of Group
Audit in providing valued service through integrated involvement.

Group Audit’s pilot audit projects based on the agile auditing approach continued to gather
momentum in 2016 and 2017 (refer to Exhibit 10 for the DBS Agile Auditing framework). In 2016,
the team completed four audit projects, and the stakeholder responses for those projects were
positive. The Group Audit team had continued in their agile journey through 2017, and had
completed several audit projects by June 2017. The target was to complete at least 25 agile audit
projects by early 2018, across their global offices (refer to Exhibit 11 for DBS Agile Auditing
timeframe).

The success of agile adaption by DBS Group Audit was applauded by the board and senior
management of the organisation. This was remarkable in many ways. One was the fact that an

9/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

internal function of the organisation had propelled a transformation as opposed to a business-

facing function. Group Audit had been one of the first proponents of agile methodology, and being
one of the first movers had helped build a good reputation for the team. Also, the Group Audit
function was no longer a mere monitoring team in the organisation assessing adherence to
regulations, but trusted advisors who provided proactive and value-adding insights. Explaining the
advantage of being a first mover in a change proposition within an organisation, Ng explained,

Outside of T&O, we were the first adopters of the agile methodology. Now the management has
started using us as the role model on how we adopted agile. The best part of being the early
adopter is that there are a lot of resources available. Now we have taken agile auditing to the
next level and are embedding it within the process, as agile projects, which is quite different
from enabling it for the BAU (business as usual).

A known fact was that the ‘speed of risk’ was always challenging for organisations to keep tabs on.
With Group Audit performing audits in shorter timeframes and suggesting improvements during
the course of the project, the ‘speed of risk’ could be tackled in a more efficient way. The agile
approach of audit had provided Group Audit the string that could help them tie their Future of
Auditing transformation into a cohesive strategy. It had helped them make their paradigm shift
complete, like fitting the final piece to a jigsaw puzzle.

Ng reiterated the transformational aspect of DBS Group Audit’s agile adoption. DBS had adopted
agile with minimal disruption to their existing setup within teams; hence their change management
policies had worked better compared to other organisations that went straight into full scale agile
adoption, which was fairly disruptive. Another innovation of the agile methodology at DBS was the
creation of agile workspaces. The agile workspace to promote an agile working culture was being
pilot tested across global locations of Hong Kong, Taiwan, India and Singapore. Ng elaborated,

We will be moving into our agile workspace soon. Additionally, more scrum coaches are being
trained and the agile auditing framework has been implemented in global offices outside
Singapore in collaboration with the Singapore team. Communication tools like video-
conferencing are being used to work seamlessly with global offices by creating virtual real time
interaction round the clock.

The adoption of agile workspaces was a best practice that co-located agile teams (refer to Exhibit
12 for collocated workspace ideas from DBS Group Audit team). Group Audit had chosen to opt
for an Activity Based Workspace (ABW) to fulfil their agile needs. Space design ideas from all
team members were collated to create these new activity-based spaces. ABW implied a broader
workspace with a variety of predetermined activity areas that enabled team members to conduct
specific tasks including learning, focusing, collaborating and socialising.

Improvement possibilities

Agile auditing benefits were many, but there was a need to strike that perfect balance where
stakeholders could effectively contribute between their routine work and audit review within a
fixed time period. Since agile auditing was more targeted, focused and intensive due to time-boxed
sprints, this balance was sometimes hard to achieve. As the duration of each Sprint was short but
the involvement intensive, stakeholders felt frustrated when they had to spend more time than they
had planned for on a sprint. The challenge was to keep sprints short and sharp and at the same time
retain the maximum benefits from the sprint. Another aspect was the physical kanban boards,
which were difficult to read due to their size, and the teams had to start getting used to the bank’s
enterprise electronic Kanban board for stand-ups.

10/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

Transitioning Forward

The Group Audit function in DBS had successfully conducted several pilot agile audits by mid-
2017, and had been able to demonstrate to the DBS Audit Committee and the organisation’s senior
management including the CEO that Group Audit was a valuable function to the organisation. The
transformative journey of Group Audit from an internal function and the third line of defence to a
‘trusted advisor’ taking a lead in an organisation-wide transformation was unique, especially since
agile had not been adopted yet by the entire organisation. Facing the challenge of ‘speed of risk’
head-on with the agile methodology was something the organisation wanted to promote group-wide,
and Group Audit had become a role model in that transformation agenda.

DBS as an organisation could benefit immensely from a company-wide implementation of agile.

As Ng stated, it was not about using agile tools but about a mindset change. An agile environment
within the organisation not only promised smooth communication between teams and across
functions but also a quick adaptability to change which was an essential factor for an organisation’s
success in the current business environment. What was notable was the fact that both Technology
and Group Audit functions within the organisation had adopted agile practices successfully. This
was a feat in itself for the organisation, as not many organisations had been able to adopt agile
within their internal functions.

But there was more to be done. The bank was now geared toward gradually adopting agile across
all functions. From Group Audit’s perspective, the next step was to convert the physical workspace
into an agile space to support a collaborative and innovative environment, and further train their
team to embed agile auditing as an integral part its Group Audit methodology. They had already
designed a space based on feedback from all employees and stakeholders, and had just moved into
their new agile workspace. The purpose of having agile workspace was to foster collaboration and
establish efficient communication techniques to further benefit from agile auditing practices.

A flexible work space, an adaptive and proactive methodology, and active engagement of
stakeholders were just some features of the agile transformation that Group Audit had gone through
in the past year. Key to the transformational change was the shift in mindset and the value Group
Audit had brought to the table by helping the board and management of the bank meet the
organisation’s strategic and operational objectives by ensuring that the bank’s risk and control
processes were adequate and effective.

It was an exciting and dramatic change, but DBS Group Audit had never been shy of incorporating
change for the better. The question that remained was, how could DBS Group Audit continue to
deliver value in accordance with their vision? How could they better prepare themselves to adopt
agile on a larger scale (i.e., for all key audits and across all geographical boundaries)? How could
they, as the forerunners of agile auditing in their organisation, create a model of excellence that
other divisions within the organisation could emulate?

11/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 1: CONVENTIONAL/TRADITIONAL AUDIT PROCESS

Source: Research Chromatic, Internal Audit Process, http://www.researchomatic.com/Internal-Audit-71348.html ,

accessed July 2017.

EXHIBIT 2: DBS FUTURE OF AUDITING ROADMAP

Source: Company data

12/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 3: DBS GROUP AUDIT PITWALL CREW IMAGERY

Source: Company Data

EXHIBIT 4: TECHNOLOGY DISRUPTION IN INTERNAL AUDIT

The link to a video on LinkedIn done by DBS Group Audit: https://www.linkedin.com/company/dbs-

innovates/comments?topic=6188560841072316416&type=U&scope=6413056&stype=C&a=uCbK

Source: Company Data

13/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 5: AGILE TERMINOLOGIES

AGILE TERMINOLOGIES
Scrum is a widely used agile framework. It is comprised of short iterations,
Scrum called sprints.
In an agile Scrum framework, a product is built in a series of short time
periods called Sprints. A Sprint is a fixed time period, from one to four
Sprint weeks, with a preference toward shorter intervals.
The Scrum Master is a facilitator for the team and product owner. The
Scrum Master is a "servant leader", helping the rest of the Scrum Team
follow their process. The Scrum Master must have a good understanding
Scrum Master of the Scrum framework and the ability to train others in its subtleties.
The user story is the atomic functionality of what the user wants to achieve
User Story by delivering the business value under system constraints.
Kanban board is used for its ability to visualise work and flexibility of use.
Kanban lets you write everything going on in the sprint on a board.
Writing everything at one place gives you a bigger picture of things going
Kanban on. It also lets you identify the bottlenecks plaguing the sprint.
A fifteen-minute daily meeting for each team member to answer three
questions:
"What have I done since the last Scrum meeting? "
"What will I do before the next Scrum meeting?"
Stand up / Daily Meeting "What prevents me from performing my work as efficiently as possible?"
The sprint retrospective meeting is held at the end of every sprint after the
sprint review meeting. The team and Scrum Master meet to discuss what
went well and what to improve in the next sprint. Retrospective meetings
are useful to identify the ways of continuous improvement of an Agile
Retrospective meeting team.
Scrum includes three essential artifacts, the Product Backlog, the Sprint
Backlog, and the Product Increment. The Product Backlog is the ordered
list of ideas for the product, kept in the order we expect to build them. The
Sprint Backlog is the detailed plan for development in the next
Sprint.Product backlogs are related to the tasks to be done for the overall
product while sprint backlogs are the ones that need to be completed in the
Backlog current sprint.

Task A task is generally a completely broken down form of a user story.

Source: Scrum Alliance, glossary, https://www.scrumalliance.org/community/articles/2007/.../glossary-of-scrum-

term, accessed June 2017.

14/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 6: ROLE OF SCRUM MASTER

Product Owner Development Team

Scrum Master
servent leader
coach & facilitator
framework custodian

Source: Scrum Alliance, Scrum Roles, https://www.scrumalliance.org/agile-resources/scrum-roles-demystified,

accessed June 2017.

EXHIBIT 7: THE DBS AGILE PROCESS OVERVIEW

Source: Company data

15/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 8: PICTURE OF SAMPLE GROUP AUDIT KANBAN BOARD

Source: Company Data

16/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 9: DBS AGILE INTERNAL AUDIT IN ACTION

Source: Company Data

EXHIBIT 10: DBS AGILE AUDITING FRAMEWORK

Deliver Deliver Deliver Next

Phase

Source: Company Data

17/18
This document is authorized for use only by MSc ITM CUHK in 2022.
 For the exclusive use of M. CUHK, 2022.
SMU Classification: Restricted

SMU-17-0018 Agile Auditing at DBS: Embracing the Future

EXHIBIT 11: DBS AGILE AUDITING TIMEFRAME

2016 30 June 2017 31 Mar 2018

Completed 4 audit projects Completed 6 audit projects based on Agile To complete at least 25 projects, or at least
during experimentation stage Auditing approach; 14 audit projects in 1 audit project per location, per functional
progress team in SG & HK

Stakeholders’ Feedback
 Enhances 2-way communication
between stakeholders & auditors
 Creates better understanding with
auditors
 Communication tools eg. eKanban
board, are very useful
 Increased transparency

Auditors’ Feedback
 Greater clarity of End-to-End process
 Better teamwork
 A good avenue to identify new
opportunities for Continuous
Auditing
 Better time management e.g time-
boxing each Sprint

Source: Company Data

EXHIBIT 12: COLLATED WORKSPACE IDEAS

Source: Company Data*

*Activity Based Working (ABW) is different from traditional cubicle style workspace and involves creating environments
where space is flexibly shared among employees to encourage collaboration.

18/18
This document is authorized for use only by MSc ITM CUHK in 2022.