Las Vegas 2023

Beyond Agile Auditing — The Path to a Better Audit Experience

Clarissa Lucas

Author, Thought Leader, and Internal Audit Leader, Beyond Agile Auditing

Transcript

00:00:00

<silence>

00:00:12

Over the years, uh, we asked the community about the top obstacles, the things, uh, you want to achieve. And, uh, for many years, the top obstacle is audit. It is audit that strikes the most fear, dread, uh, frustration, regret, uh, because of the special power they have to generate findings that are seen at the highest levels of the organization and, uh, sometimes their use of decades old audit practices. So I'm personally grateful for all the work that Clarissa Lucas has done, uh, to ameliorate this. She is, uh, currently a director of technology audit, and for years, for reasons I didn't quite fully understand, she presented at this conference with some incredibly specific and useful advice to people on how to work with audit. And amazingly, she and her team have shared, uh, uh, some very specific techniques on overcoming audit issues like separation of duty, change approvals, and so forth.

00:01:02

So last year, uh, to my utter shock and surprise, she co-presented with someone in technology leadership at Nationwide Insurance, which is, to put it mildly, something that is just normally not done. Um, so earlier this year, her book, uh, Beyond Agile Auditing was released. And I genuinely believe that this will reshape how auditors engage, uh, with their colleagues inside of large complex organizations. And I, uh, don't say this lightly, as I've seen decades of audit talks, uh, from audit communities. So here to give us some advice on how to better work with auditors, our new best friends, is Clarissa, you

00:01:35

Get, thank you, Gene.

00:01:49

When I was here last year, I asked, how many of you brought your auditors with you? And the only people that made noise to say yes to that were my clients, the people that I audit. So let me try that again. I'm gonna ask you to make some noise if you either brought your auditors with you or you're an auditor yourself. Okay. All right. So <laugh>, those are not my clients, so we've made some progress. Give yourselves a round of applause for that. We've made some progress and we still have some work to do, but luckily you're all in the right place. So in this session, you're gonna get some tangible takeaways that you can use to strengthen the partnership with your auditors, get more value out of an audit, have fun, and hopefully bring them here next year. So it's not just the two of us.

00:02:42

So speaking of last year's DevOps Enterprise Summit, at that time, I co-presented with one of my clients, like Gene said, and you heard that correctly. It was an auditor and an audit client sharing the stage, working together, having fun. And after seeing the submission that I, that I, I made for that presentation for the first time, Gene reached out to me and my co-presenter to tell us how startling he thought that presentation was. He likened it to the presentation given by John Allspaw and Paul Hammond at the 2009 Velocity Conference, where they kind of introduced that first concept of developers and operate operations teams working together. Now, don't hate on me too bad, but I hadn't seen that video at that time. So I hurried up and looked it up and watched it. And when I did, the parallels between those two presentations became really, really clear to me. So both presentations featured presenters from groups that were historically adversaries, so development and operations and auditors and audit clients, and both presentations also featured, um, examples of where both of those groups that were historically adversaries worked together really, really well. So Gene was right, and not that I doubted you in the least, just additional confirmation, I'm an auditor. I like that. Um, Gene was right. We were really onto something big, and that made me realize that I needed to continue to share my own journey with all of you.

00:04:12

So maybe you didn't bring your auditors with you today because you still unfortunately experienced that adversarial relationship with them. Maybe you'd rather run and hide or just hope that they go away when they show up to audit you. And I get it. I really do. As much as I love auditing, uh, I recognize that it can be a painful experience for all of you as audit clients. And one of the main reasons for that is that the world around us is changing faster than ever before. And our older ways of working, especially in the audit world, just can't keep up anymore. So today we're gonna go on a journey together. We'll explore a path to a better audit experience. We'll explore the challenges with that traditional audit approach that a lot of auditors are still using, which is probably one of the reasons why you're likely not having a good time during your audits.

00:05:01

We'll look at the solution to those challenges, which is called auditing with agility. And it's a concept I talk about in a lot of detail in my book Beyond Agile Auditing. On our journey today, you're going to learn how you can influence a better audit experience, get more value out of an audit. You'll learn what's historically been, you'll learn how to turn what's historically been a painful and disruptive experience into one of great value. And hopefully I keep saying this, but fun. I want you to have fun during your audits. <laugh>, it's going to have you calling your auditors. I know this sounds crazy, but trust me on this, it's going to have you calling your auditors and asking them to spend time with you instead of trying to avoid them. So let me introduce myself. Gene did a fantastic introduction, uh, but let me, let me introduce you to your tour guide on today's journey because I don't want you to get lost. So my name's Clarissa Lucas, and I've spent most of my over 15 year career in internal audit or another risk management, risk assurance type role. I hold the certified internal auditor, certified information systems auditor and certified investments and derivatives auditor designations. I love auditing.

00:06:08

I lead a technology audit team right now, and I'm also a professional speaker and a published author. I've spoken at DevOps Enterprise Summits since 2019, as well as, um, IIA, Institute of Internal Auditors, and ISACA events as well. And my book Beyond Agile Auditing was published this year by IT Revolution. And I will tell you, slightly biased, but it is a game changer for those of you who are struggling with your auditors. So while most of my career has been as an auditor, I have spent some time on the other side of the table, as we used to say. So I've, I've been an audit client, so I do have a healthy perspective as to what it's like to fear the auditors, um, as well as being the auditor. Now, I'm not sure how many of you are familiar with Gallup's StrengthsFinder assessment. Um, anybody familiar? Make some noise? Okay, good.

00:07:00

Okay. So most of you are, but for those of you who aren't, it's an assessment you take to identify your top five strengths so you can leverage them more effectively and kind of play to your strengths. Well, for me, harmony is in my top five. And how that plays out for me is in situations where auditors and audit clients don't get along well and don't work effectively together. So that creates a lot of anxiety and inner turmoil for me. So that was one of the catalysts for me, experimenting with these better ways of auditing and fixing and, and mending and strengthening those partnerships between auditors and clients. Our journey today will give you the foundation to start your transformation to a better audit experience. For a deeper dive into anything that we talk about today, I encourage you to check out my book, check out my website. There's a slide at the end with all of that information. So, um, you can get that at the end. But I, I wanna leave you with the resources that you can use to continue your journey and share those resources with your auditors as well. So let's address the elephant in the room. Auditors versus clients.

00:08:03

I mentioned that I've been on both sides of the table and I know what it's like to be the bad guy, to be the auditor, and I know what it's like to be audited. As an auditor, we're not really

00:08:16

Welcomed by our clients with open arms at most times. Um, and we're not always called upon by our clients. They're not calling us saying, Hey, come to Vegas with me to this conference, or, Hey, come hang out. I want you to audit this space that I, that I'm working in. Uh, and I get it. A lot of you might see audits as unplanned and unnecessary work that adds very little value beyond checking a box. No wonder you're not here with your auditors. And I will say we've certainly come a long way in the past few years. I'm not alone. I'm not the only auditor in the room. That is a huge, huge change. Uh, but there are still some challenges getting in the way.

00:08:53

I really want us to become partners. I want you and your client and your auditors to be partners. And I say partners very intentionally. When we tolerate each other and just deal with each other, uh, that's only gonna go so far. Just waiting until your auditors leave, you're not gonna get the most out of an audit. But when you partner with your auditors and you leverage each other's unique strengths, you can unlock a whole new experience and get way more value out of an audit. Auditing with agility is about breaking free from old ways of working. Now, traditionally, auditors perform audits using a waterfall approach. The rest of the organization has adapted. You've all adapted to better ways of working, uh, but gonna be fully transparent. As auditors, we are lagging behind. We haven't caught up with that. A lot of auditors use that same waterfall approach to auditing.

00:09:40

Now, what I mean by that is it's a staged, sequential approach to auditing, and it seems very familiar to all of you, either from you've experienced this as an audit client or you've been familiar with the waterfall process in all of your work. But what that means is we have a planning stage, a field work stage, and a reporting stage. We have follow up too, but let's focus on those, those first three. So in the planning stage, as auditors, we figure out what we wanna audit. We identify key objectives, key risks, key controls, how we wanna test those controls. We articulate that, document that, make it all nice and pretty and perfect, and we get approval on it from our leaders. And then we present it to you as our audit clients. Only at that point are we allowed then to move into field work.

00:10:24

So now planning's done, we start field work. We've got this, what we think is a beautiful well thought out audit plan that we're gonna follow. We are heads down now in field work, and we are testing those controls. We're executing that plan. And throughout that, we might have some conversations with all of you to get more information and hopefully give you some insights into what it is we're seeing, some of the results that we're, we're coming up with. Uh, but really we are heads down testing. Once we finish our testing, we get our work papers all documented. Again, we, we love things to be all perfect and well together and documented. Then we move on to reporting. So now we're in the reporting stage and we compile our results together and we present it to you in an audit report. But it's usually not that smooth, is it? At that point in time, you're, you're getting surprised usually. So there's stuff in the report, it's written in auditor language, which is not the same language that you all are using every day and things in there. There's things in there that you weren't expecting. So that results in a lot of roundabout negotiations on everything.

00:11:30

So as I'm sure you've all experienced, um, probably all of these and maybe more, but there's a number of challenges with this traditional approach to auditing. It results in unplanned work for you and your team. <affirmative>, it relies on a lot of context switching, which introduces inefficiencies. It inherently has choke points at each of those phases, and it often delays communication of results until the end of the, of the audit, which leaves you with stale, outdated results and sometimes surprises. That sounds awful. As an audit client, you have probably either provided this feedback to your auditors or maybe whispered it behind their backs. I totally get it. Uh, that the auditors didn't understand your business or your product or your operating model, either current state or future state, or that the audit provided very limited or unfortunately no value to you and your and your team.

00:12:18

And finally, these older ways of working don't easily facilitate change and the ability to pivot and keep up with today's changing environment. So we tried really hard, uh, give us maybe an A for effort on this. We tried really hard to fix this problem. Um, so we turned to what's called agile auditing. Now, in its simplest form, agile auditing is overlaying the scrum framework onto the audit process. So it's sprint based auditing, and I dunno if Bill sing's here, but we had a conversation over breakfast yesterday morning and he said something that was really, really hit home for me. Uh, one of the problems with adapting some of these, um, what other people are doing and what other organizations are doing is we, we get focused on the things to do without understanding the why behind doing those things. So we, we did daily standups because that's what the agile auditing framework says to do.

00:13:10

We delivered in sprints because that's what the agile auditing framework and the scrum framework says to do. But we got stuck in kind of a form over substance. Um, and it didn't, it didn't really work well for a lot of organizations. And just like waterfall auditing, agile auditing assumes one size fits every situation. In reality, that's, that's not what actually happens. And because of this, it lacks flexibility. And what I just mentioned before is we need that flexibility to keep up with today's changing environment. And that's why we need to move beyond agile auditing to what's called auditing with agility. Now, auditing with agility moves beyond these strict frameworks like waterfall and agile auditing, and it really empowers teams, collective teams. So not just auditors, but a team of auditors and audit clients together to add the most value possible through a flexible and customizable approach to auditing.

00:13:59

The key to auditing with agility is selecting the best approach for a given situation, given the outcomes that you want to achieve and adjusting along the way as needed. The goals of auditing with agility include those of traditional, um, waterfall auditing, which were to help the organization achieve its objectives by providing value through assurance and advice. It also includes the goals of agile auditing, which we thought were going to be increasing efficiency and the ability to respond to change. But it also, auditing with agility also strives to deliver even greater value through prioritizing work based on value to the organization, delivering results timely and focusing on outcomes. Auditing with agility takes the evolution one step further, even by leveraging ideas from Agile and Scrum, just like agile auditing did. But we also incorporate concepts from DevOps. Auditing with agility consists of three core components. Value driven auditing, integrated auditing, and adaptable auditing.

00:14:59

What do I mean by value driven auditing? All that means is that we are going to create the scope of the audit. We're gonna have that be driven by what's most valuable to the organization. We're gonna constantly anchor back to organizational value. Now, I talked about auditing with agility focusing on outcomes, not output. So let's talk about those outcomes. Those include greater alignment between audit work and the organization's priorities, so we're not gonna be looking at stuff that doesn't matter to you, expedited delivery of value, and elevated awareness of, and ability to respond to, risks. So there's a lot of activities that you can do in collaboration with your auditors to put this component into practice. Valuing actionable insights over extensive documentation, delivering value frequently, measuring progress through delivery of value, increasing visibility, and constantly optimizing for global goals. Now I wanna point out, uh, that this is not out of your control.

00:15:53

So you're probably asking me like, Clarissa, there's only one other auditor in the room. Why are you telling us all this stuff? We're not the auditors, but you have in your, you in your control, the ability to influence a better audit experience by working with your auditors to incorporate these practices. So everything I talk about today, it is not just for the auditors, it is for all of you as well. So let's move on to that second core component, which is integrated auditing. What that means in this context is integrating audit work into your daily work while your auditors maintain your independence. So don't throw shoes at me back there. We are maintaining our independence, don't worry. So outcomes are important here too. Primary outcomes of integrated auditing are increased client engagement and buy-in, stronger partnerships between auditors and clients, and greater efficiency during the audit.

00:16:38

And these are things you can really do something with. So key practices here with integrated auditing are intentional collaboration between yourself and your auditors, working together daily, working as one team toward a collective goal, integrated planning and feedback loops. I wanna take a quick detour to talk about, uh, an example of integrated planning. Uh, and Gene mentioned this before, that one question I have gotten from this audience every year. I've been coming here since 2019. Um, that question centers around segregation of duties, DevOps, and internal audit. Anybody had that question before? Okay, thank you. I was like, woo, maybe I, maybe I missed the mark. So yes, I've gotten a lot of questions on that over the years. You've all wanted to know how you can pass an audit when you no longer rely on traditional segregation of duties controls to manage the risk of bad things making it into production.

00:17:27

Totally oversimplifying, but bear with me here. So I'm going to guess that that question is prompted by a situation that goes something like this. Your auditors show up with an agenda or a checklist or something that, a, a list of things that they think they should be auditing. In their mind, they need to see that, um, duties are segregated between the software, within the software development or change process, because back in the day, that's how you managed the risk of bad things making it into production. But let's say today you've all evolved and you're using automated tests in the deployment pipeline or some other type of control to manage that risk. So when your auditors ask you for evidence that a segregation of duties control is in place and you can't provide that evidence because that's not how you're managing the risk anymore, they're gonna hand you an audit report with a finding that says you don't have that segregation of duties control in place, which you already knew that, right?

00:18:17

Um, and they're expecting you to put in that control in place. So now they want you to put in a manual duplicative control when you've already got that risk covered. That is an absolute disaster. Had we all just used what's called integrated planning, we would not be in this mess. So integrated planning is where you and your auditors are going to work very closely together to plan the audit. You'll help your auditors understand your objectives. So what you're trying to accomplish, your key risks, what can get in the way of you achieving those objectives, your key controls, what are you doing to manage that risk? So you're set up for success to achieve those objectives. Now, instead of spending time asking about and expecting to review evidence for a control that isn't in place, so in this case, the traditional segregation of duties control is intentionally not in place.

00:19:05

We're not gonna ask about that. We're going to focus on the control you do have in place and provide assurance over that. I think it's probably more helpful to you to get a report that says this control that you need to go right, that cannot go wrong, it's either working or it's not working. Way more valuable to you than a report that tells you you don't have a control in place that you already knew you didn't have in place because you purposely didn't have that in place, right? Fair. So with your next audit, suggest integrated planning and you will all thank me later. Our third core component is adaptable auditing. Here's where we're going to add flexibility into that audit process and improve our ability to respond to a changing environment. Key outcomes here are greater efficiency and greater buy-in and engagement as well as the ability to respond to change.

00:19:52

Practices associated with this outcome are intentionally pausing to determine whether to stop auditing and pivot the audit's focus to accommodate for those changes, pursuing simplicity, leveraging self-organizing teams and limiting the amount of work in process. So I know we've talked about a lot of these benefits sporadically throughout, but I wanted to put them all together in a visual for you. Auditing with agility has a number of benefits that I think you would all be interested in. Increased efficiency, ability to respond to change, stronger relationships between you and your auditors, greater engagement and buy-in, better alignment of your investment of time during that audit on what's valuable to you and your organization, as well as timely communication. So you're not getting stale, outdated results that you really can't do anything with.

00:20:38

Auditing with agility is about breaking free from those old ways of working and constricting frameworks, so auditors can partner with you to really add value and reduce those audit induced headaches. It's also about moving past that tired auditor versus client mentality where you see your auditors as roadblocks to progress. We wanna be champions of progress. We wanna be, uh, facilitators of progress. We don't wanna be roadblocks to that. I don't ever want any of you to ever have to think, Ugh, we can't do this because the auditors won't let us. Like, we have got to get past that. Beyond Agile Auditing shows you how to work more effectively with your auditors, uh, leveraging each other's strengths to help each other succeed. Solving that age old problem of us versus them, auditors versus clients.

00:21:24

So I mentioned this is a journey and we're now transitioning this from my journey to your journey, and I wanna leave you with some resources that can help you on that journey. Uh, you can connect with me on LinkedIn or my website. I'll also be at the book signing this afternoon. So I hope to see all of you there. Uh, you can also subscribe to my newsletter. It's not just for auditors, it's for audit clients as well. I share content to help in this journey because I know it's not a flip the switch and now we're best friends with our auditors. That would be awesome. But, uh, so I wanna make sure you have what you need to be successful on this journey. And I also have an ask of all of you. I need, I need some help. I wanna understand examples of where you have experienced these ways of working applied to the audit process or other ways that I haven't thought of and haven't seen yet.

00:22:08

I also wanna hear your story about the challenges you faced with your auditors and how you overcame them. And then finally, I'm gonna borrow something from Jerry Maguire. Um, help me help you, help me help you. I wanna understand what challenges you're currently facing with your auditors so I can help you come up with solutions for those. As always, it has been truly a pleasure to be out with here with all of you here today on the stage. Um, I'm no longer the lone auditor in the room, which is awesome. It is an honor to be part of this community that has taught me so much over the years, and I truly appreciate that. Thank you to IT Revolution and everyone who made this possible. And for all of you, I wanna wish you best of luck on your journey. Happy auditing.