How to work with Your Auditors to Influence a Better Audit Experience

Key Takeaways

  • Today’s interaction model between auditors and audit clients, such as technology product owners and developers, is often ineffective and inefficient, resulting in a lack of clear value from audit work, wasted time, and fear of auditors (or a general dislike of auditors at a minimum).
  • Many organizations and technology product teams leverage evolved ways of working, such as making work visible, iterative delivery, feedback loops, and limiting work in process, but older auditing approaches don’t account for these newer operating models.
  • Auditing with agility consists of three core components: value-driven auditing, integrated auditing, and adaptable auditing. Together they produce more valuable audit outcomes, less unplanned work for you as a product owner or developer, and the ability to change course during an audit, or stop it, when continuing on the current course is no longer valuable.
  • Investing time throughout an audit to help the auditors understand what’s valuable to you is a worthwhile investment, resulting in more valuable audit outcomes and less time wasted.
  • As a technology product owner or developer, you significantly influence a more valuable audit experience. You can work with your auditors to define what holds the most value, integrate audit planning into your daily work, and remain adaptable to changes as needed.

When you think of an internal audit or being audited, your thoughts might elicit emotions like fear, anxiety, or annoyance. With the unplanned work the audit adds to your plate, the unexpected findings, and the results that don’t seem of much value to you, it’s no wonder you’re not necessarily thrilled to get a visit from your auditors.

But what if it could be different? What if instead of dreading the arrival of your auditors, you’d be as excited to see them as you would the Amazon delivery driver bringing your latest purchase?

It is possible to influence a better audit experience, transforming it from a check-the-box exercise with little perceived value to one of actual value that helps set you and your product or development team up for success with way less pain.

In my journey (as an auditor), one of my clients suggested we experiment with adding agility into our audit work while we audited them. They showed us how to incorporate some of these practices. My team and I were initially unsure, but we were willing to try it. Very soon into the experiment, we were convinced that the audit process needed agility and better ways of working. Going through that experiment and learning from our clients strengthened our partnership, and it is still one of the strongest partnerships I’ve experienced to date.

Why Are Audits So Painful?

To unlock a better audit experience, it’s important to understand why audits are so painful. For at least the past thirteen years (as long as I’ve been in the audit game), audits have been performed using a waterfall approach. That means audits leverage a staged, sequential methodology, where one stage must be completed before moving on to the next stage.

A typical audit comprises three main stages: Planning, Fieldwork, and Reporting. Auditors using the waterfall methodology must finish Planning before beginning Fieldwork and Fieldwork before starting Reporting. This approach should be familiar to those with experience in the history of technology program management or software development methodologies.

When applied to internal audits, the waterfall approach can be fairly effective in certain scenarios, primarily those in which the type of work is known and stable. This was quite common decades ago and even a few years ago in certain situations; however, that’s not the environment we operate in today. Now, most of our work is either unknown or dynamic (or both). As a result of this mismatch between how an audit is run and the environment in which organizations operate, audits have become painful.

Some parts of organizations, like IT, have adapted to the current, dynamic environment by adopting better ways of working. Still, many internal audit teams stick to older methods of working that can’t keep up with today’s pace of change. The auditors’ older ways of working often don’t provide enough visibility for you as to what work is coming your way in the next few weeks or months. The auditors schedule what seems like surprise meetings with you that you need to attend. They also send you long lists of documentation they need you to provide. What does this mean for you as developers? Unplanned work piled onto your plate and time spent on an audit that doesn’t provide enough value.

The problem is exacerbated by strained or adversarial relationships between auditors and developers (those subjected to being audited). The interaction model often looks like this -- auditors announce their arrival and ask many questions. Then, they go away for a little while. When they return, they present you with a plan. Then, the real fun begins. Over the next few weeks, you answer question after question and respond to endless requests for documentation.

At last, the end of the audit arrives, and the auditors unveil the results. Unfortunately, the audit report is full of findings that don’t matter to you. They could be gaps you were already aware of or gaps that aren’t important to your business.

This typically happens when the auditors don’t have the audit scope focused on the areas of most importance to your business or don’t quite understand how critical or non-critical the gaps are to your business. Or it could be that the findings represent critical gaps that aren’t articulated in a clear way.

Now, you’ve got to allocate time to fix these gaps -- even those that don’t matter to you. It’s no wonder you don’t love your auditor! Today’s interaction model between auditors and developers, paired with the mismatch between how an audit is performed and how the organization works, is often ineffective and inefficient.

What Does a Better Audit Experience Look Like?

One of my favorite questions to ask my clients is this: "If you had a magic wand and could use it to make a better audit, what would that better audit look like?" The responses include things like:

  • Less time wasted
  • Results that mean something to me
  • Results that are timely and not stale (not communicated months after they’re identified)
  • Auditors who understand my business
  • An audit that happens with me, not to me
  • NO SURPRISES!

But that can’t happen in real life, can it? It absolutely can, through what’s called auditing with agility. Auditing with agility is a flexible, customizable approach to auditing that borrows concepts from Agile and DevOps.

Remember before DevOps how technology development teams and operations teams used to get in each other’s way? Those two teams weren’t incentivized to work together, and the result was strained or even adversarial relationships. That sounds a lot like what’s happened with auditors and developers. With the introduction of a DevOps operating model, way of working, and culture, Dev teams and Ops teams were now able to (and incentivized to) work together toward a common goal.

Auditing with agility does for auditors and developers what DevOps does for Dev and Ops teams. When applying these better ways of working through the audit process, you can experience the following:

  • Greater efficiency (less time wasted)
  • Better alignment between audit work and organizational value
  • Greater ability to respond to change during an audit (e.g., pivoting the audit’s focus to account for a changing business environment or stop auditing when the remaining audit work will no longer provide value)
  • More timely results
  • Greater buy-in from you and your team
  • Stronger working relationships between you and your auditors.

Your experience shifts from unplanned, non-value-added work to planned work aligned with value. You work with your auditors to help them understand your business. They provide timely, valuable, and actionable results that don’t surprise you since you’ve worked so closely with them throughout the entire audit process. You are an active participant in the audit rather than an innocent bystander. The audit happens with you, not to you.

That’s what a better audit experience looks like. Now, you just need to know how to get there.

How to Influence a Better Audit Experience

You might think, "I know I need a better audit experience, but what can I do about it as a technology product owner or developer? Isn’t that all within the auditors’ control?" While the auditors control the audit process, you can certainly influence a more valuable audit that happens with you, not to you. Auditing with agility helps you do just that.

Remember, auditing with agility is a flexible, customizable audit approach that leverages concepts from agile and DevOps to create a more value-added and efficient audit. There are three core components to auditing with agility:

  • Value-driven auditing, where the scope of audit work is driven by what’s most important to the organization
  • Integrated auditing, where audit work is integrated with your daily work
  • Adaptable auditing, where audits become nimble and can adapt to change

Each core component has practices associated with it. For example, practices associated with value-driven auditing include satisfying stakeholders through value delivery. In my book, Beyond Agile Auditing, I state that stakeholders "value audit work that is focused on the highest, most relevant risks and the areas that are important to achieving the organization’s objectives." [1] As an auditor, I like to ask my clients questions like "What absolutely needs to go right for you (or your business) to be successful?" or "What can’t go wrong for you (or your business) to be successful?" I do this to help identify what matters and what is most valuable to my client’s business.

What can you, as a product owner, architect, or developer, do to ensure your efforts during the audit are in support of the most relevant risks? Help your auditors understand what value looks like to you. Help them understand what you and your team are trying to accomplish and what has to go right for that to happen. This will help the auditors make a well-informed decision about what to focus on during the audit. When the audit is focused on areas of value to you and your organization, the audit results (assurance that things are as you expect or need them to be, or awareness of critical gaps that could prevent you from achieving your objectives) are more valuable to you.

Here’s what that might look like in practice. Let’s say you heavily leverage a third-party Software as a Service (SaaS) solution for key aspects of your business, such as network security. You depend on this third party to keep the solution’s baseline configurations and patches current. You also depend on the third party to follow appropriate change management practices when changing the SaaS solution. If the third party fails to deliver as expected, you may run into some huge problems; in this instance, those problems could be vulnerabilities in your network’s security. As the auditors come in to audit your business or product, it would be very valuable if they could provide you with some assurance whether the risk of the third party failing to deliver is managed effectively. You’d want to know about it if it isn't, right?

Here’s where you can help. You’ll want to invest some time explaining your business to the auditors and helping them understand how important it is that the dependence on that third party is effectively managed. You can even specifically ask your auditors to look at this during the audit—ask them to provide insights as to whether the safeguards in place are effective in managing the risk of the third party failing to deliver. Then, the audit results delivered to you will be of utmost value because they’ll be focused on what matters most to your business.

Let’s move on to the second core component of auditing with agility: integrated auditing. Integrated auditing is where audit work is integrated into your daily work. A key practice of integrated auditing is integrated planning.

Before exploring integrated planning, let’s reflect on the last time you were audited, which probably leveraged the waterfall audit approach. I would wager that it went something like this: the auditors had a couple of meetings with you to get a high-level understanding of your product. You explained to them that one risk is errors making it into production, which could disrupt your product or the business that depends on your product. The auditors left for a few days or weeks. When they returned, they told you what they would be auditing. They also provided you with a request list asking for the names of people who have both developer access to your product and access enabling them to promote code into production. They’re looking to test traditional segregation of duties (SOD) controls. But you stopped managing the risk of errors making it into production through segregating traditional access roles a while ago. Now, you manage that through automated tests in the development pipeline. Alas, the auditors aren’t auditing what matters to your organization, and the request list doesn’t seem to make sense. That’s frustrating, and unfortunately, it’s not uncommon. Luckily, integrated planning can solve that problem by helping the auditors focus on what matters and create a mutual understanding of the documentation needed to complete the audit.

So what is integrated planning? "Integrated planning includes the entire audit team assigned to the audit, as well as the audit clients (e.g., developers), in identifying key risks, key controls, and testing procedures." Think about it -- if you’re more involved in the audit planning process, there’s a better opportunity for you to educate your auditors about what’s important to you, help them understand your business or product, and understand why the auditors have defined the scope as they have. Instead of the auditors coming in with checklists, you’ll work together to create a plan for the audit that makes sense to you and your auditors. You’ll also work together to develop the documentation needed to complete the audit. Because you’re doing this with the auditors, you’ll both understand what is requested. You’ll know exactly what you need to provide, and the auditors will know exactly what they will receive. In the example above, you’ll help your auditors understand that testing traditional SOD controls won’t work because you changed the way you manage the risk that used to be controlled via SOD controls. You’ll explain to them how today’s automated tests in the development pipeline manage that risk. Then, you’ll work together to articulate what evidence they can review to determine whether those automated tests are effective -- and it will likely not be access lists like they requested in the past. That saves a LOT of time and frustration.

There are a few key factors that drive successful integrated planning. These success factors apply across all three core components of auditing with agility (value-driven, integrated, and adaptable auditing) and their associated practices, so let’s take a quick detour to cover them now. The Three Ways of DevOps are principles that form the foundation of DevOps. They include flow/systems thinking, amplifying feedback loops, and a culture of continual experimentation and learning.

Borrowed from the Three Ways of DevOps, these better ways of working require a culture of organizational learning and safety. Auditors need to be open to new ways of auditing, to listening to their clients, and to leveraging their clients’ knowledge to help them make well-informed decisions about the audit scope. As developers, you must be open to trying a different way of working during an audit and be willing to invest time to partner with your auditors and help them understand what’s valuable to you. Instead of spending as little time as possible with your auditors, particularly during planning, investing more time in activities like integrated planning yields worthwhile results. Finally, auditors and developers also need to give each other grace as they navigate these new ways of working together.

It’s important to note that auditors must maintain appropriate independence and objectivity. Because of this, they’ll retain final decision rights on the audit’s scope and other key decisions related to the audit. Now that you’re working closely with your auditors to develop the scope, if they include something that doesn’t make sense to you ("Why would they want to audit that?"), work with them to understand why they’re including it in the audit scope. Perhaps it is a regulatory requirement that they include it. Or maybe the CEO requested it. Perhaps they see value in it and can help you understand their perspective. Or maybe they misunderstood or didn’t realize it was valuable. Staying involved and integrating yourself into the planning process not only improves the relationship between you and your auditors, but also cultivates greater buy-in on the audit’s scope (and the results).

Finally, with adaptable auditing, you and your auditors continue to work together throughout the audit and intentionally watch for the need to change. If something happens while the audit is in process (e.g., the organization’s operating environment changes or you learn something during the audit that might cause you to modify the audit’s scope), you and your auditors re-evaluate whether to continue the current course, change course, or stop auditing. This is similar to the Agile Principle (from the Agile Manifesto, which was created by the Agile Alliance to bring agility to software development) of embracing changes, even if they occur later in the development process. When auditing with agility, we embrace changes, even if they occur later in the audit process, rather than blindly sticking to the original plan when the original plan no longer adds the most value.

Now that you’re working with your auditors to help them focus their audit on what’s most valuable, integrating yourself into the audit process -- beginning with integrating into the planning activities and pivoting to adapt to change -- you’re more likely to support the audit, experience efficiencies, and get more value from your investment of time. You’ll truly experience the benefits of having an independent partner bring a fresh perspective to your product and help set you up for success. Instead of hoping the auditors leave you alone, you’ll be proactively reaching out to them, asking them for their perspective.

Conclusion

While audits may have been painful in the past, you no longer have to sit by and endure those types of experiences. With the help of auditing with agility, you can cultivate a much better working relationship -- even a partnership -- with your auditors. You can influence a better audit experience by helping your auditors understand what’s most important to your product’s success, integrating their work into your daily work, and adapting to changes as needed.

As a developer or product owner, start today by calling your auditors and inviting them to join you for coffee (in-person or virtual). Start building that partnership by discussing your product and how it helps support the organization’s success. Ask them how they’re innovating in internal audit to stay current. Tell them about these better ways of working and offer to teach them how to apply them to an audit. You’ll be pleasantly surprised with the results when you do.

Your auditors may be a little apprehensive at first. After all, they may not even realize they can work differently for better outcomes. They also might not initially see how changing their ways of working can lead to better outcomes. With time and commitment (from both parties), your auditors should see the benefits of applying these better ways of working to the audit process. It’ll strengthen your partnership and unlock value neither you nor your auditors ever imagined.

References

  1. Lucas, Clarissa. Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices. IT Revolution, 2023. p. 73.
  2. Kim, Gene. The Three Ways: The Principles Underpinning DevOps. IT Revolution.
  3. History: The Agile Manifesto.
