Agile: How to

Make IT Audit More

Dynamic and Efficient
Start Small | Test Early | Fail Fast | Apply Lessons Learned

Business is changing faster than ever,
making it nearly impossible for IT auditors
to predict when and how disruptions will
create the need to rapidly pivot to address
new enterprise needs. Adopting Agile
principles is becoming essential to help
IT auditors address these challenges and:
• Better meet stakeholder needs
• Accelerate audit cycles
• Improve delivery of timely assurance and
beneficial insights
• Strengthen governance
Agile: How to Make IT Audit More Dynamic and Efficient
Originally created to improve results for complex software
development projects, Agile methods help enhance the planning,
execution and reporting of IT audits by keeping the focus on
prioritizing IT audit work that delivers the highest value to
stakeholders in the shortest amount of time.
To do this, IT auditors can use Agile methods to develop highly
adaptable plans. Even small Agile approaches can lead to large
business improvements, including timely results and nimble
responses to unexpected changes.
Attitude vs. Process
Agile methods challenge many traditional ways of thinking about
and completing IT audits. They focus mainly on allowing options
for practices and tactics, rather than rigid step-by-step
instructions and strict templates.
While this can be intimidating at first—and it does require
discipline—having a resourceful attitude and embarking on a
flexible Agile pathway can result in more successful and beneficial
IT audit engagements. This helps IT auditors further solidify their
role of providing actionable insights and advice to the enterprise.
Benefits for Auditors and Stakeholders
Every audit department and every enterprise is unique, so benefits
will be unique, too. Most departments that begin to adopt Agile
methods find that they achieve rapid audit results, avoid
siloed audit and auditee teams, communicate in real time, and
collaborate more closely with customers and stakeholders.
More specifically, Agile contributes to improved audit
engagements via:
REDUCED END-TO-END PLANNING due to condensed sprint
cycles and a small-scale, iterative approach
STREAMLINED AUDIT ENGAGEMENTS that combine planning,
fieldwork and reporting phases
DIRECT CUSTOMER COLLABORATION in an Agile scrum,
giving all key stakeholders a seat at the table
FLEXIBLE AUDIT SCOPE, which enables real-time adjustments
as new information comes to light
REAL-TIME AUDIT FINDINGS or control weaknesses that are
shared as they are uncovered
FREQUENT UPDATES providing the opportunity for audit
plans to be revisited and revised more frequently to adjust to
business conditions
2
Does Agile Compromise Audit Standards?
Agile is not intended to replace or disregard proven international HOW AGILE COMPLEMENTS OR SATISFIES ITAF
standards such as the ISACA Information Technology Audit
Framework (ITAF™) or the Institute of Internal Auditors® (IIA®)
INDEPENDENCE Agile techniques encourage communication PROFICIENCY Scrum meetings and sprint cycles enhance the
International Professional Practices Framework (IPPF), which
and involvement, which reflects auditors’ independence. They development of audit staff and increase collaboration with audit
have long underpinned successful audit functions. Instead, Agile
also allow audit to leverage subject matter expertise to allow customers.
helps achieve the mandated business objectives of audit and
expedient agreement on audit findings.
can directly help adhere to these standards.

OBJECTIVITY Agile audit functions retain their professional ACCEPTANCE OF RISK The collaborative processes leveraged
skepticism and ability to make final decisions. by Agile help ensure disclosure to executive management of any
accepted risk taken by audit customers.

DUE PROFESSIONAL CARE The audit backlog is prioritized more QUALITY ASSURANCE The Agile sprint retrospective helps
often under Agile. Audit management retains its right to conclude audit teams to analyze how each sprint has delivered on
on key matters of each audit engagement. executed processes, audit tools and the definition of done.

Agile: How to Make IT Audit More Dynamic and Efficient 3

Getting Started
Getting Started
1 Identify stories. Large projects, or epics, should be carved into prioritized stories. This enables
teams to focus on the most desired and valuable business benefits and is where big ideas are
“ We found we were not speaking the same
turned into actionable deliverables. language as our customers when planning
and conducting audits, which caused
2 Ensure the stories are timebound. Long gone are the days of giving an audit team an assignment
and sending them off for months to complete the whole project. In an Agile environment, an
numerous efficiency issues and frustrated both
experienced team leader or project manager—often called a scrum master—identifies the stories the customer and us…The primary benefits we
that can be completed in short sprints, usually of about two weeks.
experienced were very efficient communications,
3 Keep the stories focused. Bite-sized stories can yield results in a short period. Even if any of these
direct engagement from auditees throughout
steps doesn’t work as planned, the project team knows within the sprint period and can quickly the audit, increased customer appreciation and
pivot. This is called “failing fast” and is considered a valuable part of the project. Each sprint
provides a learning opportunity for the ongoing long-term outcomes.
improved audit outcomes on both sides.”

Meet regularly. A scrum master will usually organize brief daily meetings to evaluate progress and
‒Dawn Vogel, Director of IT Audit, Nelnet, Inc.
4
quickly identify and resolve roadblocks. These meetings are short and kept to the main points Source: Destination: Agile Auditing
with only the necessary participants. The focus is to enable the scrum master to learn if team
members are being pulled in other directions or if key stakeholders are not cooperating—basically
anything that might affect their ability to deliver results on time and on budget.

5 Hold retrospectives. The end of every sprint should include a meeting facilitated by the scrum
master. Here the team can review completed stories, ask questions, share lessons learned and
identify insights that can be applied to future stories. It also is a good time to recognize the
contributions of the team members and provide encouragement for the next sprint.

Agile: How to Make IT Audit More Dynamic and Efficient 4

Agile Terms to Know
AGILE The origin of what today is referred to as Agile comes from the Manifesto for Agile Software
Development , created by software developers searching for more efficient and effective ways to
achieve their work. It represents a variety of practices to achieve work goals.
AGILE AUDIT Adapted from Agile software development tools and techniques, Agile for IT audit
provides adaptable processes to deliver the highest value to customers in the briefest time.
AGILE AUDIT MANIFESTO A public statement of intention including high-level objectives, values,
objectives and guiding principles
AGILE ROAD MAP A planning tool that enables phases such as audit planning, fieldwork and
reporting to be split into manageable units of work
AUDIT BACKLOG includes all epics and stories required to be completed to fulfill audit project
objectives.
AUDIT CANVAS A one-page planning document that summarizes goals for the audit project
DEFINITION OF DONE (DOD) Criteria used to determine if stories have concluded satisfactorily
and are considered done
DEFINITION OF READY (DOR) Criteria that must be met prior to testing controls
Agile: How to Make IT Audit More Dynamic and Efficient
EPIC Used for managing a large body of work that is segmented into smaller work units, often known
as stories or issues
RETROSPECTIVE A meeting after the conclusion of a sprint; deliverables often include a list of what
went well, improvement areas, the next areas of focus and action plans to achieve desired outcomes
SCRUM Taken from the term for teamwork required for rugby, Scrum is a specific methodology used
in an Agile framework to facilitate projects in a complex environment
SCRUM MASTER An experienced leader who facilitates projects in an Agile environment
SPRINTS Typically a two-to-four-week period within an epic used to complete a stated amount of
work; often a story
STANDUPS Short and to-the-point meetings lasting no more than 15 minutes, usually daily, for key
individuals to highlight work completed since the prior standup and to discuss any assistance that
may be needed
STORIES The smallest work unit in Agile audit; usually a brief description of the desired outcome
TIMEBOX A defined period of time within which a goal or activity should be completed; often on a
tight deadline to keep a project moving forward quickly
5
Top tips from experienced Agile professionals
• Avoid fixating on new acronyms and methodologies, and simply start the journey.
• Implement one Agile process at a time, which helps newer team members to ask questions
and receive real-time coaching.
• Focus on fewer tasks to deliver results at more frequent intervals (i.e., sprints).
• Incorporate planning, fieldwork and reporting into each timebox, for greatest efficiency.
Applying Agile methods and other digital transformations is never a
one-and-done activity. The increased transparency and faster project
cycles are solid steps forward, but will always need to be reviewed and
revised as each enterprise and the business environment changes and
matures. The increased velocity of business change will always pave
the way for additional opportunities to improve.

• Share findings as they emerge, and use new information to update the audit focus and scope
(with appropriate input and approvals). Audit professionals who are seeking additional learnings to build their
Agile competency have many options including professional courses,
• Plan and work in shorter intervals—weeks and quarters instead of years.
certification programs and online materials from reputable sources.
• Estimating time needed for tasks, e.g., timeboxing, takes experience. Don’t expect to always get it
right on the first go-round.

• Ensure the team leader, or scrum master, is experienced and ideally certified. They will provide the
direction and help keep the teams on track, time and budget.

• When possible, adapt audit processes to the tools and processes used by customers to improve
customer communications, engagement, appreciation and outcomes.

RESOURC ES

• “Agile Audit Practice,” by Spiros Alexiou (ISACA Now blog)

• Destination Agile Auditing (free ISACA white paper)
• “Is Agile Auditing a Sure Thing for Internal Audit?”, by Robin Lyons (ISACA Now blog)

1
https://agilemanifesto.org/