Agile Auditing Techniques and Strategies
Today’s rapidly evolving business, regulatory and technological landscape presents growing challenges for internal audit leaders and practitioners. With many business leaders committed to ongoing transformation, audit teams must support transformation efforts while providing value.
To lean into transformation, internal audit leaders are increasingly adopting agile auditing methods. These include accelerating audit cycles to deliver timely insights (e.g., by not being confined to a plan), reducing effort and paperwork while maintaining all auditing standards, and maintaining continuous communication with all stakeholders.
How can your organization enable an agile auditing mindset? Well, it depends. While some organizations choose to leverage the software development agile practices of scrums and time-boxed sprints, others choose to deliver their audit work iteratively, throughout the audit, instead of all at once at the end.
Consider the following agile auditing practices to enable your mindset.
Agile Auditing Procedures
Agile is a term used to describe a set of principles that were designed for use in software development. Initially published in 2001, it includes four values:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
Many internal audit functions have created their own manifesto that adopts this wording while delineating auditing priorities.
Agile auditing typically starts with a risk assessment to identify the areas of highest risk or priority. From there, auditors, working with other team members, can choose a framework that best suits the rhythm of the working group, leveraging kanban or scrum as a starting point.
Working with the highest risks/priorities, identify the key processes and controls, translating components of the audit work into “stories” or tasks that are ranked. Each story is placed into a sprint, or a period of 2-4 weeks to be completed. Stories are completed only if they are usable and actionable by stakeholders, with documentation being “just enough” to support any conclusions. After each sprint, have the team complete a brief retrospective before planning for the next sprint.
Manage each sprint via a daily meeting. Stand-up meetings, usually held first thing in the morning, are typically no more than 15-30 minutes, in which all story owners “stand up”, speaking to everyone in the meeting about their progress. As each story owner is providing their update, the meeting moderator is noting the progress made, as well as any items that are blocking progress for each story, providing transparency.
Although audit reports must be written and delivered at the end of the audit, making stakeholders and senior leaders aware of significant issues proactively will enable response and recovery to happen much sooner, adding business value.
Agile Auditing Standards
Although there is no separate set of formal agile auditing standards or agile auditing regulations, the agile methods that are used for each audit should comply with existing professional audit standards, such as the IIA’s Global Internal Audit Standards. Consisting of 15 principles across five domains, these standards will ensure proper ethics and professionalism in any agile audit.
Although all IIA principles should be followed as a part of agile audit practices, below are several key principles to review:
Principle 4 Exercise Due Professional Care
Principle 4 states that internal auditors must apply due professional care in planning and performing internal audit services. Utilizing agile methods should never be an excuse for care that is less adequate and effective.
According to the IIA, professional care requires:
- Conforming with Global Internal Audit Standards
- Considering the nature, circumstances and requirements of the work to be performed
- Applying professional skepticism to critically assess and evaluate information
In an agile environment, professional care means proactively reviewing changing circumstances, consulting those in the stand-up meeting who can provide guidance, and adjusting approaches in real-time to ensure results are supported and reliable.
Principle 9 Plan Strategically
Principle 9 requires that the chief audit executive develop and implement an internal audit function that can achieve long-term success. This means aligning the internal audit function with organizational goals, risk management processes and controls. Additionally, the chief audit executive develops the organizational internal audit plan.
In agile audits, the team adopts the internal audit plan approved by the chief audit executive and creates milestones and deliverables that align with 2-3 week sprints. This allows the team to adjust as new priorities are brought to the daily stand-up meetings.
Agile planning reduces the time it takes to prepare, as teams are preparing for each sprint, as opposed to an entire audit. This enables more updates and stakeholder touchpoints to ensure that priorities are being addressed during each sprint.
Principle 12 Enhance Quality
Principle 12 is the engine that drives the quality of the internal audit function. Assessment of the internal audit function is managed by a structured quality assurance and improvement program, led by the chief audit executive. According to Principle 12, this program should include continuous monitoring as well as periodic internal and external assessments to ensure conformance with the standards and to drive continuous improvement.
In an agile audit environment, the quality assurance program should address agile practices:
- Defining standard agile practices (e.g., daily stand-up meetings, sprint retrospectives, backlog management, etc.) as a part of the internal audit methodology, to assess conformance
- Embedding supervisory reviews into stand-up meetings, so quality is continuously checked
- Using agile metrics (throughput, story points, customer satisfaction, etc.) alongside traditional QA metrics when measuring performance and improvement
Agile Auditing Tools
Agile auditing tools are specifically designed for the internal audit function, and they incorporate agile principles like iterative planning, continuous feedback and transparency. The following are several commonly used tools:
Visual Management Boards
Visual management boards, such as kanban or scrum boards, provide transparency by visualizing tasks and progress in real time. Sprint teams use these boards to track sprint work tasks, from those in the backlog to those that are completed, color-coding tasks to quickly show status. Additionally, any bottlenecks and/or changes in priorities are highlighted.
Audit Trails and Documentation
These tools maintain compliance and transparency through automated, real-time logging of changes, decisions, and evidence during sprints. Audit trails capture every workflow step, such as task movements or comments made, creating documentation. Documentation evolves incrementally, auto-generated from visual board data and version-controlled. These features support standards like SOX and HIPAA by providing verifiable, timestamped histories.
Integration Capabilities
Integration capabilities in agile auditing tools connect systems like ERPs, CRMs and GRC platforms, enabling data flow for risk monitoring and evidence collection. Integrations can automate task tracking across project management and communication applications, reducing manual follow-up. Additionally, integrations enable auditors to quickly review if fields have been completed in workflows or if artifacts and steps have obtained proper approval.
Agile Auditing Templates
Agile auditing leverages templates from agile project management practices such as Scrum or Kanban. These templates are typically used in project management software, in tools such as Excel, or even on whiteboards.
Audit Backlog Template
An audit backlog template is a living list of audit work items and tasks that replaces an annual or quarterly plan. The backlog contains all scoped items the team may review, including audits, risks and controls, allowing for items to be added, re-prioritized or removed as needed. Fields in the audit backlog contain:
- An item ID number – a unique identifier
- An audit user story (description), e.g., “As a member of finance, I want the accounts payable process audited so that we can ensure accurate and timely payments.”
- Priority level (e.g., high, medium or low)
- Estimated effort/story points, including a measure of work needed to complete the story or task
- Status level (e.g., in progress, completed, etc.)
Sprint Planning Template
The sprint planning template is used at the beginning of each sprint to define the work that will be completed during the time-boxed period, typically 2-4 weeks. In agile auditing, teams use this template to select audit tasks from a backlog, estimate effort using story points, determine the acceptance criteria or the definition of “done”, and commit to completion.
With this information, teams can then assign owners, note the velocity from past sprints, and indicate any new regulatory risks that must be taken into account.
Storyboard/Kanban Template
A storyboard, or kanban, is a visual representation of the audit workflows and is essential for tracking the daily progress of tasks and stories. It can be represented by a digital board in a software tool, or even sticky notes on a wall or whiteboard.
Tasks that are written on these digital or physical notes are categorized as one of the following:
- To-do – tasks planned for the current sprint
- In progress – tasks that are being worked on
- Review – work that is under review
- Done – tasks that are completed as per the acceptance criteria
In the daily stand-up meetings, owners of the tasks that are either in progress or under review update the team on the status of each task for transparency and reporting purposes.