Raven Catlin - Agile Auditing

Ceciliana graduated with her Master of Science in Business Continuity, Security, and Risk Management (receiving the “Excellence in Graduate Studies” honor) from Boston University in May 2016, and her BSBA in Accounting from California Polytechnic State University in 1992. She also holds a Graduate Certificate in Risk Management and Business Continuity from Boston University and a Master's Certificate in Applied Project Management from Villanova University. Ceciliana is a Certified Project Management Professional (PMP), a Certified Internal Auditor (CIA), a Certified Information Systems Auditor (CISA), a Certified Government Audit Professional (CGAP), a Certification in Risk Management Assurance (CRMA), and holds a Certificate as a Scrum Team Member (endorsed by Scrum Inc. and Dr. Jeff Sutherland, co‐creator of Scrum).

Ceciliana is married to the love of her life, Pheary, and lives near Sacramento, California. She enjoys surfing, paddleboarding, reading, cooking, dancing, gardening, and landscaping. She is a salsa master and a Zumba dance aficionada. Ceciliana constantly applies her knowledge of project management, risk management, auditing, and Agile frameworks to her everyday life – take, for example, one of her largest landscaping projects, which was laying over 10,000 pounds of custom‐built concrete pavers in preparation for her terrific child, Helm, and wonderful daughter‐in‐love, Nikkole (yes, “daughter‐in‐love,” as their relationship is much more than what is required by law). This entire project was completed in just under two months using the Agile methodology. The Agile team was a crew of six family members – all part of the wedding party! They made use of a Scrum Board with the headings “Backlog,” “To Do,” “In Process,” “Verified,” and “Done.” Each Team Member signed up for different user stories in the Backlog (tasks), and proceeded to go from To‐Do to Done (Done = Ta‐Dah!). Ceciliana's greatest joys are also spending time with her family, learning new concepts and skills, experimenting with new techniques (including raising chickens and worms), and sharing her newly attained knowledge with everyone she can.

Finally, Ceciliana is the founder and CEO of Team Oriented Solutions, an innovative organization of trained professionals with one dream: Make the world a better place by providing world‐class education, training, facilitation, and coaching services to businesses around the globe.

Agile auditing is perfect for all types of audits across any industry. As Agile audit grows in popularity, different Agile audit methodologies develop. From our point of view, Agile auditing is a framework, not a methodology. The Agile audit framework presented in this book can be used to develop your Agile audit methodology (as indicated in the Preface). There are five critical differences in our Agile audit framework that are distinct from other Agile audit methodologies that we read, discussed, and studied.

1 It is a framework, not a methodology. It is intended to provide ideas and guidance for an audit team to quickly deliver value to audit clients and stakeholders. The framework allows audit teams to incorporate other practices and tools into an Agile audit methodology that they create.

2 The framework requires and provides a structure and guidance for more collaboration with audit customers/clients. Audit customers and auditees are Agile team members from day one of the Agile audit. Agile audits cannot move forward without audit customer engagement.

3 The framework focuses on adding value from the audit client's perspective by centering the Agile audit on the value proposition. The value proposition focuses on business objectives and business risks, not audit risks. More specifically, the Agile audit framework encourages adding value by helping audit clients evaluate whether they have put the right actions and controls to mitigate threats and risks to an acceptable level to help them achieve their objectives. This framework helps organizations increase resiliency; it enables auditors to more quickly deliver insights on whether business and management controls are working as intended to reduce risks and help achieve objectives. It provides flexibility to help management and audit clients articulate their objectives and articulate how each process aligns with the organization's strategy. Similarly, if management hasn't determined the risks that may affect their ability to accomplish objectives, the Agile auditing framework helps management and auditors to collaborate in risk identification.

4 The framework uses a risk universe, rather than an audit universe, to determine the upcoming priorities and an Agile audit plan. We discuss the difference between the risk universe and audit universe in Chapter 8: Implementing Agile Auditing: The Audit Planning Process.

5 Each Agile audit is completed in two weeks. Audit planning, audit execution, and final result communications are finished in just two weeks. We recognize that a defined two‐week project cycle deviates from Agile disciplines. We've discovered that this time constraint is the best way to get better at determining how much work each Agile audit team can complete. We also learned that to apply Agile auditing consistently, audit teams must think differently about traditional audit processes and deliverables. The two‐week cycle forces the necessary thinking and related practices.

This Agile audit framework is a drastic, disruptive change for many audit teams. It is a change that the audit profession needs. We recognize unique challenges in adopting the framework. In the spirit of continuous improvement, we accept and consider all challenges presented by students and audit leaders. We love it when audit practices across the globe incorporate our Agile audit framework. We love it even more when others challenge the framework, thoughts, practices, and methodologies. For example, in a 2015 class of 30 students, when we suggested that an audit team, even a team of one auditor, could complete an entire audit in a two‐week time frame one student called us “crazy.” We deliberately decided on a two‐week cycle to break the decades‐long auditing practices that created many of the problems encountered in nearly every audit. Others also felt that Agile auditing was vastly different from traditional auditing and would be “impossible” to implement. Each challenge resulted in a reevaluation of the framework and the creation of more choices in it. It's comical that the same “crazy” and “impossible” comments were made when Agile entered other disciplines. However, it has been fully adopted in many disciplines!

A few weeks after the 2015 class, it concerned us that others couldn't see the value in this approach to Agile auditing. Once again, we were back learning, thinking, and analyzing the framework, and we realized there was a problem. The problem was not necessarily with the Agile audit framework, but with audit approaches, perceptions, and assumptions, specifically:

Audits are supposed to be risk‐based; we pioneered Agile auditing, thinking that all auditors used a risk‐based approach. We were wrong.

We pioneered Agile auditing believing that all auditors already collaborated with audit clients to complete audit work. Again, we were wrong.

We assumed employees, auditors, and audit clients have a common goal: the organization's success. Unfortunately, there are many examples where the success of the organization is not a mutual goal.

We thought all auditors wanted and needed to feel liked by their coworkers. As much as we don't like to admit it, some auditors enjoy being feared and disliked by their coworkers even today.

We believed that if all employees understand the how and why of the audit process, audits can be improved.