Go beyond the buzzword to learn practical steps to implement agile ways of working in your audit department in this article by Laura Ganann, Sr. Director, Global Audit Solutions at Walmart Inc, originally delivered at the AuditBoard User Conference. Read on or watch the full on-demand recording to hear Laura Ganann share lessons from Walmart’s experience moving toward a more flexible and iterative approach to internal audit, and how to overcome impediments on your team’s journey.
When Walmart grew from a small mom-and-pop retail business by getting into the grocery and international space, we took on new risks. In recent years, we’ve added an additional level of complexity by getting into eCommerce, acquiring new companies and forging new partnerships to better serve our customers’ needs. As with many industries, staying relevant in retail means taking on new challenges, and doing it quickly.
One way we’ve dealt with this increased complexity is headcount — we’ve put auditors in each retail location with the language capabilities, market knowledge, and cultural understanding to keep on top of our risk landscape. But as our risk profile expands, we must find a way to operate without continuing to balloon our headcount numbers. So, we started to explore agile ways of working.
The internal audit industry is experiencing a shift. As the speed of change continues to accelerate, most companies are realizing there is a need to move faster and change the way audit partners with the business. Whether you call it agile audit, dynamic audit, or something else entirely, adopting an iterative and flexible approach improves interaction with audit customers and enables internal audit to prioritize the most important value-add work — which is critical to keep pace with change and serve our business partners. Many will say this is how we should have been working all along, and they are right. But how do we make the change?
This article suggests practical ways to move toward an internal audit team that operates more flexibly and iteratively based on our experience at Walmart, breaks down some myths about agile auditing, and considers how to overcome impediments on your team’s journey.
Why Change the Way You Work?
Walmart adopted a more flexible and iterative approach to auditing because it solves many common challenges audit departments face today. Here are four ways this framework has improved how our internal audit department works.
- Increased interaction with audit customers. It is critical to be in lockstep with our audit customers so we can serve their needs, and iterative, customer-focused work facilitates better and more frequent interactions with them to create a more engaging relationship. This is what our customers seem to want more than anything else, and poor communication often derails our work.
- Iterative delivery of work means faster issue resolution. With an ever-increasing rate of change in business, the risk landscape can often shift significantly between an audit project’s start and end — making results out of date before they are finished. Iterative work helps us get results to our audit customers faster so they can start solving problems faster.
- Constant reevaluation of priorities to ensure highest and best use of resources. The days of the annual audit plan that never changes are gone — we have to figure out how to put our resources where they’re needed most. A fundamental part of operating in an agile, dynamic way is continually evaluating the work on your plate and prioritizing the next most important thing.
- Teaming environment to strengthen collaboration: We needed something to keep people from working in silos, and an agile mindset has strengthened our focus on creating a teaming environment where specialized skill sets can be deployed across different business areas.
What is Agile Auditing?
Don’t get caught up in the word “agile” or think that you have to adopt everything about agile. We are auditors, not software developers. We operate in industries and with business customers who may do things differently than we do, and those things can impact how we change the way we work. Instead, focus on the outcomes you want to drive and figure out how you can best drive those outcomes. As a first step, let’s understand what agile is, and what it is not.
Agile IS a mindset that supports a way of working.
Before we could embark on a new model, our team needed to make an important shift in our auditor mindset. Our characteristic auditor drive for perfection can become a weakness in some cases. When we take the time to check every box and deliver every single element from our initial plan, we’ve likely wasted time on some deliverables that are less important or obsolete by the time they are completed. Changing the definition of done from “complete” to “complete enough” helps us get things done faster and know when we should move on to another project that would add more value.
Agile IS a project management framework.
It’s not a cure-all for everything that ails your department! Instead, it provides a framework that supports projects with customer-focused decision-making and communication, iterative results, and cross-functional collaboration. At the core is the view that we put the customer in the center instead of the work. Previously, we might have learned what the customer wanted at the beginning, checked in once along the way, and brought the results back at the end. The whole time in between, we auditors were focused on the work instead of the customer, and we created delays in communication by waiting until the end to present actionable results. Iterative results mean that audit customers get information about project status sooner, and they can start working on remediation more quickly.
Agile IS NOT an audit methodology.
Agile doesn’t fundamentally change the work of audit itself. Your core work — risk assessment, work programs, testing, audit findings, audit reports — remains the same. What does change is the timing, communication, and degree of perfection of the work — and hopefully improvements in customer engagement, resource use, and value add.
How is Iterative Auditing Different from Traditional Auditing?
Traditional Audit: Waterfall Approach
A traditional audit takes a rigid, structured approach with discrete phases. You make a plan at the beginning, then execute that plan — you perform fieldwork, do your review, and deliver your report to the customer at the end. In the meantime, the customer doesn’t know what’s going on. Following a traditional approach created a struggle to deliver audit results timely, and when we gave audit customers the draft report there were also delays getting management action plans at the end of a project. Our audit department turned to a more agile framework to keep up with the rapid pace of change.
Agile Audit: Flexible, Iterative Approach
Iterative auditing proceeds with the familiar audit phases, but in a different manner. Not much changes in the pre-planning phase — you still need to understand why the project is on the plan, meet with executives over this area, learn about the risk drivers, and establish what we want to achieve with this project.
During planning, you break up your work into manageable pieces, and you prioritize those pieces of work into sprints. For instance, you might decide that you will do three sprints, and each one will deliver one or two meaningful pieces of work that you could present to your customer to show actionable results at the end of the sprint. To the extent you can, work should be prioritized by the level of risk associated with the testing. This more frequent engagement enables business owners to start working on management action plans in the middle of the project instead of waiting until the very end, which solves some of the delay issues we were experiencing with the traditional waterfall approach. Delivering information this way can also help you realize when you have done enough work to identify the most essential risks and could shorten your audit project to move on to more valuable work.
Three More Practical Ways to Become More Flexible and Customer Focused
1. Continuous Risk Assessment & Iterative Audit Planning
Annual risk assessments are time consuming and may result in an audit plan that is not tied to the highest current risks or in failure to document risk-based audit plan modifications. Static annual plans are no longer viable in fast-changing industries.
As a part of our agile journey, we’ve digitized our risk assessments and created a dynamic audit plan. Once per year, our risk assessment is calibrated and the annual plan is developed. We’ve implemented a quarterly process to ensure we are documenting changes to the risk landscape and adjusting the audit plan as needed. We update our risk templates based on triggers such as key customer meetings, audit results, audit SME information, KRI review, and industry or other external information. Once per quarter we review how these changes impact our view of the overall risk environment and review the audit plan to see if adjustments are needed. Finally, we share the risk assessment changes with leadership for discussion and propose associated changes to the audit plan. This allows us to do the right work, at the right time.
Greenhouses are a way to take an objective that you need to achieve — internally or with your customer — and make it more interactive, visual, and collaborative. Or, to put it another way, greenhouses are really fun meetings. Here are a few greenhouse activities to get you started:
- Dot Exercises (decision making): This is a great way to do a scoping exercise with your audit business partners and get everyone on the same page. For example, in a planning meeting, everyone takes three Post-It notes and writes the top three problems/risks in their business today. When we put them on a wall, we’ll see that several issues were mentioned by more than one person. Then, everyone uses dot stickers to vote. At the end, we have a preliminary view of the top things to focus on from a project perspective.
- Event Storming (brainstorming and process understanding): An Event Storm is an interactive and physical way to think through a process. Normally when you start an audit you interview someone to understand their process, write a process narrative or put together a process map, then go back to the process owner to ask if you captured their process. In an Event Storm, we work with the customer to map the whole process on a wall using different colored Post-Its for a manual process, something done by a system or application, a dependency, a control, etc. We do have to formally document it — you can’t just put a wall of Post-Its in your audit papers — but we find it engages the customer and makes them feel more like they are part of the project than a traditional interview.
- Finding Organization (report writing): We’ve also used greenhouses internally to write audit reports with the whole team, which makes it a more collaborative and engaging experience than leaving someone to write a report at their desk.
3. Project Canvas for Collaborative Project Planning
Below, you can download a sample Audit Project Canvas, which supports an interactive activity we do with our audit customers to collaboratively establish the business objectives, risk drivers, and scoping for this project. If you take the time to sit down with the audit customer and discuss this together, you can get a lot of buy in and they will leave with a clear understanding of what the project will do and how it will add value for them. An added benefit is that if things go sideways during a project, everyone can go back to the Project Canvas and remember what you agreed to. If you have to make changes, you can do them deliberately and with a better understanding of where you’re having scope creep. This Project Canvas has become our engagement memo and planning memo — in a couple slides, instead of a 12 page memo.
Obstacles to Changing the Way You Work and Potential Solutions
The team will be excited about adopting a different way of working, but it will also be hard at first. Creating teams who are expected to work in new ways will test relationships and productivity. Set the expectation for the team that there will be disruptions and stay close to help resolve issues. Here are a few of the obstacles we faced and how you might avoid or overcome them.
- Learning Curve: This is a new way of working, which will require both your audit team and your audit customers to adopt some new terminology and project management approaches. It’s important to create an internal change management plan to help everyone understand the vision. Be very clear in your communication about what you want your team to adopt, while also listening to feedback about what wasn’t useful or getting an ROI.
- Finding the Balance: There is an art to planning far enough ahead to keep the project moving smoothly while avoiding both unnecessary work and unnecessary waiting. Expect to struggle a bit with finding the right balance in the beginning and try starting out with an internal project to figure out your sweet spot.
- Structure vs. Flexibility: Auditors love a process. At first we created a hugely burdensome agile playbook for exactly how to execute an agile project, and we ended up creating a robust, rigid, administrative, templatized way of working — the opposite of agile! Feedback from our auditors let us know that it was impeding their ability to be faster, more adaptable, and more flexible. So, don’t over engineer when you get started. Focus on outcomes over process, adopt only those things that will help you achieve those outcomes, and stay open to evolving.
True to agile, the change will be iterative. It’s probably not going to look the same for every department — even in software development, no one is implementing agile consistently across companies. Remember to focus on the objectives you want to achieve and remain flexible in your approach. You’ll need to figure out what is best for you and your department, but the change can open up exciting new ways of working. When your auditors are encouraged to be flexible and creative, they’ll come up with innovative activities that aren’t in any playbook — and it will be easier to recruit and retain auditors in a department that has strong relationships with audit customers and ample opportunity to take on interesting, challenging, and engaging projects that add value to the business. I hope that some of the quick wins outlined above will help you get started on your journey.
Want to hear more? Watch the full on-demand recording to hear Laura Ganann go deeper into lessons from Walmart’s experience moving toward a more flexible and iterative approach to internal audit.
Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.