For years, compliance audits have basically been conducted the same way: create an audit plan, complete the audit plan, review the audit results. But in recent years, this traditional method of auditing has proven to be too rigid and time-consuming with little room for open communication between stakeholders. Considering the ever-shifting nature of compliance and security requirements and the fact that executives and customers need greater assurance that their key assets are protected in today’s dangerous cyber risk landscape, the traditional approach to auditing has become inadequate. Modern compliance and security teams need to have a real-time understanding of risks and control performance. Enter Agile auditing, a new approach to auditing that yields a higher level of assurance about the control processes under examination.
In this article we dig into Agile auditing — what it is, how it compares to traditional auditing, the benefits, simple steps for how you can begin to implement Agile auditing in your organization, and how to measure success.
The Agile Methodology
Before looking at it through a compliance lens, it’s important to understand where the term “Agile” originated. The Agile methodology is not new in itself. In the early 2000s, the technology space was changing at a breakneck speed and many developers knew that the traditional “waterfall” approach to building and updating software wasn’t working. The pace of software updates was infrequent — so opportunities for customer feedback were sparse. Without sufficient user data, it was difficult for developers to know if their product was meeting customer needs.
In response to this, the Agile Manifesto was created. Though many of the principles were decades old, what is now known as the Agile method was formalized and rose to popularity shortly after Y2K. Here are the four core values of Agile software development:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
The methodology focuses on customer needs and relies on shorter work cycles — “sprints” — that allow for iterative, more adaptable software development. It also leans into open and frequent communication and collaboration between software developers.
What is Agile Auditing?
With the understanding of Agile’s roots, it’s not surprising that the methodology has been co-opted by compliance and audit professionals to support their workflows.
So, what is Agile auditing? Agile auditing is focused on conducting shorter audits with an emphasis on evaluating the business processes most prone to failure and the controls meant to address the most critical/likely risks in a given moment. Instead of working through an inflexible list of steps, the Agile auditing process encourages internal audit and compliance teams to work iteratively on top priorities and attempts to call control owners to action as soon as issues arise. As with Agile software development, Agile auditing encourages communication and collaboration early and often.
Agile vs. Traditional Auditing
While the Agile approach to auditing isn’t fully reinventing the auditing “wheel”, there are some key differences between Agile and traditional auditing methods:
|A rigid, long term plan is created and followed with little to no room for flexibility
|While long-term goals are considered, plans are created in 2-3 week sprints and are flexible in how they are carried out
|Steps are completed and then followed through to the end without reevaluating any prior steps
|Because this model is focused on highest risk controls and/or business processes in a given moment, steps are often revisited and reevaluated
|Limited communication and collaboration between the auditor and the control/process owner
|Stakeholders are encouraged to communicate and collaborate openly
|Results are reviewed at the end of the entire auditing process
|Results on control performance are shared as soon as tests have been completed
Practical Resources From Security Professionals
The Benefits of Agile Auditing
Making the shift to Agile auditing from a more traditional process can be a tough transition for some compliance professionals. However, there are notable benefits of Agile auditing to keep in mind, including:
- Faster response time: If an issue within a business process is detected or if a control needs to be adjusted, the Agile approach to auditing allows teams to respond quickly.
- Better understanding of organizational risks and controls: Because Agile auditing focuses on the highest risk business processes and controls in an organization, it forces the entire company to fully analyze their risks and prioritize them. This leads to greater organization-wide understanding of what requires the most attention and how accompanying controls are performing in real time (or close to it).
- Increased confidence heading into external audits: With controls being closely monitored and updated regularly, internal teams have a clear view of the state of their organization’s compliance posture before they need to meet with an external auditor.
- Easily presentable findings for leadership: The Agile auditing process documents which organizational risks need to be addressed and what exactly is being done to mitigate them. With these comprehensive results readily available, compliance teams can easily deliver current key findings and status reports to their leadership teams.
- Open communication and collaboration: As mentioned previously, a major piece of the Agile methodology is the belief that the audit/compliance team and business process/control owners should be constantly communicating and collaborating. A successful Agile auditing process will help to bolster healthy company-wide communication and collaboration that facilitates a culture of compliance.
Five Steps to Begin Agile Auditing
If you’re interested in moving towards an agile audit model, here’s what to do:
- Complete a thorough risk assessment: With an agile audit, you’re looking to be selective with the process(es) you audit. In order to feel confident about where to focus and how to structure your Agile auditing plan, you need to have a clear understanding of what risks your organization faces and the consequences of those risks. To do so, you should evaluate all current and potential risks and the controls (or lack thereof) tied to those risks.
- Interview control stakeholders: Take time to speak to all control owners in order to understand how key risk areas are being addressed with controls. Further, ensure that the audit team and the control operators both know what evidence would clearly showcase that control processes are operating effectively. Having these conversations will also help you to identify where compliance efforts overlap with other teams’ initiatives and how working on compliance-focused tasks impacts those teams.
- Automate the gathering of evidence of controls: A way to speed up the process before the audit starts is to automate the gathering of evidence of controls whenever possible through technology. For instance, you can implement a compliance software tool that integrates with the operational systems you’re already using so that compliance-relevant reports generated in these systems can be automatically gathered into one place for easier audits. When the evidence collection process is automated, it eliminates unnecessary waiting periods and enables the audit team to run tests on controls sooner.
- Adopt a project management framework and stick to it: Those who use the Agile methodology often utilize specific project management frameworks to track and organize their projects. Two popular Agile frameworks are Scrum and Kanban. Both frameworks are designed to help teams efficiently work cross-functionally and collaboratively.
- Create an audit plan: Once you’ve conducted a risk assessment, interviewed control stakeholders, and automated controls where appropriate, you can develop a plan for how to complete your Agile audit. Your plan should outline each audit step in extreme detail and list out the tasks that need to be completed consistently by control owners. Upon reading this plan, control owners should fully understand their responsibilities and how to properly manage their controls and verify that control activities have been performed.
How to Measure the Success of an Agile Audit
After you have created an Agile auditing plan, you’ll need to define how to measure success. These are some areas to focus on:
- Reduction of total time spent on audits: Agile workflows should create efficiencies throughout the audit process. As a result, Agile audits should take less time than traditional audits to complete. Streamlining the audit process will cut back on tedious, administrative tasks, giving stakeholders more time to work on other meaningful projects.
- Speed of responsiveness: Working in shorter cycles (sprints) provides teams with up-to-date data on a consistent basis. Organizations can use this data to make quick decisions in regards to risk management. Monitoring the speed of responsiveness (e.g., making more frequent changes to controls within key domains) is a good gauge for whether an Agile auditing process is working.
- More open communication and collaboration: Conducting an Agile audit will encourage stakeholders to communicate and collaborate openly, allowing for a smoother, less siloed workflow. Open communication also means that stakeholders will spend less time waiting around for responses from other teams and can instead immediately take action on controls or processes that need to be fixed or adjusted.
How Hyperproof can Support Agile Auditing
Our compliance operations platform supports Agile auditing by giving compliance teams and business process owners a central source of truth for controls and risks. With Hyperproof, you can quickly hone in on critical controls and do the testing and accompanying remediation work all in one place. Hyperproof is built with Agile principles in mind, allowing organizations to:
- Monitor risk with a comprehensive dashboard right out of the box. Once risk and/or control owners complete mitigation activities, the risk health status is updated automatically in Hyperproof, giving real-time alerts on environment changes.
- Create audit plans, assign tasks to stakeholders, and track project completion. With clear project visibility and insights, you can easily track audit progress and stakeholders can see where they are in the process.
- Easily select a set of controls you want to audit and automatically gather evidence of control activities. Hyperproof integrates with a variety of cloud storage providers (Google Drive, Dropbox, Box, etc.) and operational systems (developer tools, application monitoring tools, CRMs, device management tools, etc.). It comes with native data connectors that automatically extract compliance info from source systems and pull it into Hyperproof.
- Define cadences for control monitoring. In Hyperproof you can define cadences and deadlines for reviewing controls with Tasks (which can be one-off or repeating) and rely on the system to auto-remind control owners to get their work done on time.
- Communicate and collaborate openly. We built our compliance operations platform to meet people where they already work. Hyperproof integrates with dozens of services across cloud storage, project management, communications, cloud infrastructure, DevOps, security, and business applications so that compliance work can fit seamlessly into your existing business processes and workflows.
Ready to begin Agile auditing with Hyperproof? Book a demo now.