Corporate Compliance Insights

3 Ways Internal Audit Can Strike a Balance Between Productivity and Control

Maintaining Business Process Documentation in an Agile Environment

by Kevin Alvero and Wade Cassels
July 3, 2019
in Featured, Internal Audit

Internal audit must know how to respond when business process owners want to go faster and document less (such as in Agile environments). Nielsen’s Kevin Alvero and Wade Cassels discuss what IA can do to meet these seemingly contradictory goals.

In the five months between the crashes of the Boeing 737 Max 8 airplanes in Indonesia and Ethiopia that resulted in the deaths of 189 people and 157 people respectively, Boeing received multiple complaints from pilots about the Max 8’s autopilot system, according to an NBC News report.[1]

Several of those complaints mentioned insufficient documentation, with one even referring to the aircraft’s manual as “criminally insufficient.” A CBC report suggested that details about the Max 8’s MCAS computer system, which was the focus of the investigation into both crashes, were at one time included in the Max 8’s manual, but left out of the final draft.[2] Meanwhile, an investigation was also opened into the process by which the Federal Aviation Administration (FAA) had certified the Max’s flight control system.[3]

Regardless of their ultimate outcome, investigations into the circumstances surrounding the two crashes have heightened discussion about the importance of business process documentation. Documentation forms the basis for the quality, reliability, repeatability and legitimacy of all organizational activities, and in some industries – such as transportation and health care – it is a matter of life and death.

Business process documentation is critical to the internal audit process as well. It sets the foundation of the auditor’s understanding of the process and represents the expected state that the process is audited against. Yet increasingly, organizations are trying to become more agile and are challenging the quantity of documentation they are required to produce, particularly if they perceive that it is just extra work that is slowing them down and that it is primarily being produced as an exercise to satisfy auditors. To be clear, Agile methodology does not promote neglecting mandatory or critical documentation for the sake of speed. Rather, one of the tenets of the Agile Manifesto is “working software over comprehensive documentation.”

What, then, should be the response and approach of internal audit when the organization wants to go faster and document less, or differently? First, internal audit should be involved in and supportive of efforts to alleviate the burden of excessive documentation. Second, internal audit should reinforce the benefits of documentation to the business and defuse the idea that satisfying internal audit is the primary goal. Third, internal auditors must know what kind of documentation matters and how to determine if it is existent and sufficient in an Agile environment.

If internal audit functions can execute on these three main points, they stand a good chance of striking the right balance between supporting the business in its pursuit to deliver faster and better and providing assurance that appropriate controls are in place.

1. Avoid Pushback

Some organizations have embraced Agile methodology wholeheartedly. However, for other organizations and individual business units, while they may not describe themselves as going Agile, per se, they are looking to somehow lessen the burden of documentation in order to move faster and make the best use of their resources. In either case, when organizations move to adopt a more agile product development process, it is critical that internal audit take the right attitude when it comes to the matter of documentation. Rather than asking, “how is the business going to produce the documentation we need to do our audit?,” internal audit must instead ask, “how are we going to perform our audit based on the documentation that is produced by the process?”

In other words, internal audit should not ask the business to produce documentation for the sole purpose of applying it to a tried-and-true audit process, as this ultimately serves the needs of internal audit, but not of the business. If they do, they risk making themselves irrelevant and not valuable to the organization.[4] (Denning, Forbes) Instead, PwC notes, internal auditors “need to disrupt themselves.”[5]

Internal audit should seek to understand the rationale behind the move to a more agile process and how the business intends to satisfy its requirements as it relates to documentation. That last part is particularly important, because agility and recklessness are not the same. According to Deloitte, two common myths auditors have about Agile development processes are that Agile teams can do whatever they want and that Agile projects produce no documentation.[6]

But these are indeed myths, and it is important for internal audit to discern whether the Agile approach is being adopted responsibly and to support efforts to ensure that mandatory documentation is not omitted. This requires communication and involvement in the early stages of the transition, because control activities need to be changed in an Agile environment. Neither process owners nor internal audit should perceive Agile as a means of circumventing controls. Rather, controls must be adapted to account for the use of Agile techniques.

“As the use of Agile becomes pervasive,” says PwC, “all risk, compliance and assurance executives need to embrace how these highly effective methods can coexist with effective controls. With a sufficient understanding of the Agile environment and leading controls development practices, risk professionals can take the right steps to integrate controls that protect against risk and noncompliance without compromising much needed agility.”[7]

2. Reinforce the Value of Documentation

One of the best ways internal audit can ensure that the business produces enough documentation (of the right kind) is to reinforce the notion that it is in the business’s best interest to do so. This is particularly important if internal audit perceives that one of the drivers of the effort to lessen the burden of documentation is that process owners don’t fully appreciate its value. Internal audit must be able to understand and communicate the importance of business process documentation beyond the fact that internal auditors need it to be able to do their jobs. Internal auditors should approach requests for documentation as a “help me help you” proposition and be able to articulate benefits such as:

  1. Process optimization. Documentation review can reveal opportunities to enhance processes, correct inefficiencies or errors and introduce automation.
  2. New employee training. Documentation helps ensure thorough and consistent training for new employees, to the benefit of the company and the new hires.
  3. Company knowledge sharing and retention. Documentation preserves specialized knowledge, reducing the risk of relying too heavily on a few individuals. It also helps the organization defend its intellectual property.
  4. Operational consistency. Documentation forms the basis for ensuring that business processes are performed consistently to management’s specifications.[8]

Documentation imparts value in all these ways and more, but as to what exactly constitutes documentation, auditors and business process owners alike should keep an open mind.

3. Have the Skills to Assess Documentation

According to the Project Management Institute (PMI), one of the key reasons Agile initiatives fail is a lack of Agile experience on development teams.[9] Similarly, internal audit teams assigned to Agile projects must have training and experience to recognize how to alter their approach.

When auditing Agile projects, Deloitte states, “IA teams may need to think differently — whether this means recognizing a different set of controls, changing where to look for evidence that controls exist, testing an ongoing control or helping the team gain even more operational efficiencies.”[10]

In order to audit effectively in an environment that is more agile and produces less documentation, auditors need to adapt their skills and understand how to access and interpret documentation in this new environment. As always, documentation must exist, and it must be complete, accurate and timely (i.e., up to date). However, auditors must understand how to assess these attributes in forms of documentation different from traditional reports. Also, they must become accustomed to accessing and assessing these forms of documentation in real time throughout the development process with less reliance on looking at documentation after the fact.

According to PwC, auditors conditioned to reconciling formally documented and approved project charters, business requirements, design documents and user acceptance test reports can instead gain assurance through:

  • “Requirements,” typically in the form of Epics, Features and Stories, stored in a tool such as Jira, Rally or Team Foundation Server (TFS).
  • Traceability established to track each story through the tool chain to show approvals, testing results and ultimately its release into production.
  • Evidence and approvals retained in the tools to allow for auditability. For example, authorized product owners may have to sign off on user stories using a checkbox approval at the end of a sprint (requires role-based access to be defined and for appropriate business representation to be integrated into the production life cycle).[11]

Conclusion

The importance of business process documentation has not diminished in spite of the rise of Agile methods. What is changing is how internal auditors can expect to access documentation and what it might look like. If internal audit and process owners are willing to engage each other in the early stages of Agile transformation, internal audit can be a valuable partner in ensuring that the business reaches its speed and efficiency goals without putting control in jeopardy.


[1] Blackman, J., Rosenblatt, K. “U.S. pilots complained about Boeing 737 Max 8 months before Ethiopia crash.” NBCNews.com. March 13, 2019.

[2] Gollum, M., Shprintsen, A., Zalac, F. “737 Max flight manual may have left MCAS information on ‘cutting room floor.’” CBC.ca. March 26, 2019.

[3] Gates, D. “Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system.” SeattleTimes.com. March 17, 2019.

[4] Denning, S. “Can Internal Auditing Become Agile? Seven Keys To Thinking The Unthinkable.” Forbes.com. March 21, 2017.

[5] PwC. “Agile on the Rise – Integrating Effective Controls.” 2018.

[6] Deloitte. “Auditing Agile projects – Your grandfather’s audit won’t work here.” 2018.

[7] PwC. “Agile on the Rise – Integrating Effective Controls.” 2018.

[8] Churazova, A. “The Easy Guide to Business Process Documentation.” Blog.nuclino.com. January 22, 2019.

[9] Miller, G. J. (2013). Agile problems, challenges, & failures. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.

[10] Deloitte. “Auditing Agile projects – Your grandfather’s audit won’t work here.” 2018.

[11] PwC. “Agile on the Rise – Integrating Effective Controls.” 2018.


Kevin Alvero and Wade Cassels

Kevin M. Alvero, CISA, CFE, is Senior Vice President, Internal Audit, Compliance and Governance at Nielsen. Kevin leads the internal quality audit program for Nielsen Global Media, as well as its industry standards compliance initiatives, including the external accreditation process. Kevin began his career with Nielsen in 2003 and has been leading the Internal Audit department since 2010. In addition to his audit expertise, Kevin possesses more than a decade of experience with traditional audience measurement and digital ad measurement. Kevin is a Certified Fraud Examiner (CFE) and Certified Information Systems Auditor (CISA). He is also a member of the Board of Governors for the Institute of Internal Auditors (IIA) Florida West Coast chapter.
Wade Cassels, CCSA, CISA, is a Senior Operational Auditor at Nielsen.
