The term “agile” has been used for about two decades, first in software development, and then in general process management (Manifesto for Agile Software Development, Kent Beck et al., 2001, http://agilemanifesto.org/). In the abstract, it means that a process has a high-frequency flow, with multiple feedback and decision points and an outcome that is not pre-determined, albeit there is always a stated objective.
Two other words to know in this context are “waterfall,” which is the opposite of the agile process, and “scrum,” which is part of the agile process. “Waterfall” resembles a traditional audit process: it begins as smooth sailing down a river, starting with planning, assessing risk, gathering information, arriving at conclusions, and then, in a single step, going down a waterfall into the expression of the auditor’s opinion, which is the final deliverable. In traditional auditing, most audit plans go forward without re-visiting the risk assessment. The strategy of traditional audits is within the waterfall paradigm, and mostly non-iterative. The one notable exception occurs if fraud is found, at which point the auditing standards require the auditor to re-evaluate the risk associated with the particular area in which fraud has been identified (SAS 99, Consideration of Fraud in a Financial Statement Audit). Otherwise, for the most part, audits under U.S. GAAS and the PCAOB’s Auditing Standards both fit into a “waterfall” paradigm. In the waterfall paradigm, most of the audit procedures are pre-determined by the audit plan and are not revisited, except for a change in the assessed risk due to fraud. Of course, auditors may change audit programs at any time; however, in practice the strategy of GAAS auditors is to plan and then execute without any high-frequency changes to the audit plan.
Agile auditing tries to stay away from this rigidity, and this is where the second relevant term is important: the “scrum.” Like in rugby or football, the scrum is a meeting of many players, and everyone has a role to play. These are the feedback and re-planning meetings that happen frequently, where changes to the original plan are made based on the current status of the process.
Internal auditing is governed by audit standards for internal auditors, promulgated by the Institute of Internal Auditors (IIA; https://www.theiia.org/en/standards/). There is no direct prohibition in the IIA’s Core Principles or Code of Ethics against applying an agile internal audit process. So internal auditors—ever creative—have started to change their process from “waterfall” to “agile”: instead of plan and then execute (Exhibit 1), there is a trend toward: plan => scrum => execute (short term) => feedback => back to plan (Exhibit 2).
The Effect on Public Companies’ Audits
Under the PCAOB’s AS 2605 Consideration of the Internal Audit Function, the external auditor is required, among other things, to obtain an understanding of the internal audit function, and then assess the competence and objectivity of the internal auditor. Although these requirements include multiple variables and factors to consider, the audit plan and the nature, timing, and extent of the internal audit work are key to the external auditor’s understanding of the internal audit function. Next, when assessing the competence and objectivity of the internal auditors, the external auditor should also consider the internal auditor’s policies, programs, and procedures. The specific factors emphasized here could have a significant effect on the external auditor’s risk assessment, especially if a new agile approach is being implemented, in full or in part, by the internal auditors. Ironically, external auditors themselves remain strategically bound, for the most part, to the traditional waterfall paradigm.
Internal and external auditors should educate themselves about the risks and opportunities that come with an agile process. One opportunity is for internal auditors to be more efficient, as their procedures may change during the feedback phase of a particular procedure. (It is relevant to remember that internal auditors also focus on internal efficiencies, which are not a direct focus for external audit purposes.) A risk to the internal audit function may exist when the original goals are not fully met, or if there is not a complete feedback phase during the entire process; in short, when internal audit fails to see the “big picture.” As with any process—agile or not—the outcome is what external auditors focus on. As far as the PCAOB is concerned, the outcome for testing is definitive: the questions “Are internal controls effective?” and “Are financial reports fairly stated?” must be answered.