Many internal audit shops are adopting Agile project management principles in an attempt to create a more flexible, adaptive, and customer-oriented audit function. And while the results have been promising, expect a few bumps along the way.

To be sure, Agile is not a revolution for internal audit, but a step to the next stage of evolution. Nevertheless, this journey is vital if internal audit is to remain relevant. In my view, Agile is easy to learn, but hard to implement, particularly because it requires a shift in mindset for the entire internal audit team. Audit departments that create an environment in which Agile flourishes find that teams remain flexible and can churn out innovative solutions faster.

Through the introduction of new techniques such as MoSCoW and Kanban, Agile also increases team productivity and employee satisfaction. It minimizes the waste inherent in redundant meetings and repetitive planning. These tools also equip our internal auditors with new techniques. I particularly find the following tools for Agile audit execution invaluable for continually improving the ability to deliver audit services, while improving communication and collaboration. We have also embraced them for our own Agile journey here at BNY Mellon.


We use the MoSCoW technique to prioritize and plan internal audit activities. The MoSCoW method is an acronym, which stands for: “Must Have, Should Have, Could Have, and Will not Have.” (The “o’s” have been added only to spell out the familiar city to make the term easier to remember.) This method allows internal audit to reach a common understanding with stakeholders on the importance they place on the delivery of audit activities that could generate the most value.

MoSCoW also reminds auditors to develop a laser focus on what’s most important from an audit coverage standpoint in a constrained environment. This is especially important given that more and more auditors are being asked to do more with less. Using MoSCoW can enable internal audit teams to more efficiently manage scope, focus on key issues, and drive better allocation of resources. It is, however, difficult to embrace prioritization methods such as MoSCoW when auditors are used to the habit of covering everything on a specific audit. Embedding MoSCoW and deriving value from it requires time, experience, and open minds.


Sprints are at the center of Agile auditing and involve time-boxed intervals during which tasks must be completed. Here at BNY Mellon, we established a sprint maximum of two weeks. This enables the internal audit team to remain focused and committed to completing the required tasks within the allotted time. I personally have noticed a shift in auditor mindset, where during a sprint the entire internal audit team demonstrates urgency and determination to resolve any roadblocks and drive towards the finish line.

We run four events in any given sprint. The work to be performed during the sprint is planned at the Sprint Planning Meeting. Collaborative work of the entire internal audit team leads into a working plan. The goal is for everyone to leave the meeting with a complete understanding of what the next two weeks look like and to commit to the work. Next, the Daily Stand-Up is a 15-minute time-boxed event for the internal audit team to synchronize activities and create a plan for the next 24 hours. Team members explain what they did yesterday that helped the audit team meet the sprint goal, what they are planning to do today, and finally discuss any impediments.

At the end of a sprint, a Sprint Review is held with key stakeholders to highlight what was done during the sprint and to obtain feedback from stakeholders. During this meeting, any internal audit viewpoints and audit observations can be discussed with stakeholders. Following this meeting, a potential audit finding form is usually populated and distributed to stakeholders within 24 hours for review and action planning. In this meeting, stakeholders are also informed of tasks planned for any following sprints.

Finally, a Sprint Retrospective provides an opportunity for the internal audit team to inspect and create a plan for improvement to be carried out during the next sprints. The Sprint Retrospective occurs after the Sprint Review and prior to the next Sprint Planning Meeting. The key outcome of this meeting is to inspect how the last Sprint went with regard to people, relationships, processes, and tools.

To recap, a sprint typically has four components to manage the workflow of the given project:

  • Sprint Planning Meeting: A focused meeting to cover all the expectations of the sprint, who is responsible for what, and how it will be accomplished.
  • Daily Stand-Ups: Daily timed briefings on what was accomplished the prior day, the goals for the next 24 hours, and any hurdles that may be in the way of meeting those goals.
  • Sprint Review: A meeting between internal audit and stakeholders to review the work, obtain feedback, and discuss the results of the sprint.
  • Sprint Retrospective: A meeting to discuss how the sprint went and how the process can be improved for the next sprint.


Kanban is a simple yet visually effective tool to monitor progress on internal audit activities and can help propel an Agile internal audit initiative. It contains specific activities that need to be performed, activities in progress, and, finally, activities that have already been completed. Whilst application of Kanban boards varies from organization to organization and can be digital or physical, I generally find the old-fashioned use of Post-Its on a flip chart the most collaborative and effective means to brainstorm problems and unblock issues preventing completion of the activities by internal audit.

Whatever the platform, Kanban boards enable an end-to-end, real-time view of a project’s status, helping teams focus, prioritize activities, and highlight delays. It is a great project management tool to facilitate candid dialogue with stakeholders during the Sprint Review event and foster collaboration across the cross-functional internal audit team during events such as Sprint Planning and the Daily Stand-Up.


Sample Kanban Board: Image by Andy Carmichael, used under license [CC BY-SA 4.0]

Shu Ha Ri

While sprints are an important part of Agile, successfully implementing Agile internal auditing is actually more like a marathon. Embracing the Japanese philosophy of Shu Ha Ri is invaluable in navigating through this journey. Introducing an Agile approach to auditing inevitably means transformative change and requires a shift in the mindset of internal auditors. The Shu Ha Ri philosophy can provide structure and aid in change-management processes.

Shu Ha Ri is a concept to describe different levels of training or learning, and while it was developed in a martial arts setting, it can be applied to Agile to help us along our journey to implementation. Shu Ha Ri involves three types of learning or training styles. In the first, “Shu,” the student follows the form and disciplines of the master closely, repeating the basics and structures without deviation, with the goal of mastering the techniques. Once mastered, the student can begin to depart from the forms, moving into the “Ha” stage, experimenting with new ways and applications of what was already mastered and innovating on them. In the “Ha” stage the student learns more about the underlying principles and theory behind the techniques. In the final stage, “Ri,” the student learns from his or her own practice, arriving at a new place, and adapting what he or she has learned to new circumstances.

The idea is not to try to change the world overnight. By initially focusing on the “Shu” principle, internal auditors are encouraged to learn the fundamentals and get comfortable with the basics. In a highly regulated industry, such as financial services, Shu also facilitates the transition with minimal to no change in auditing methodology.

As internal auditors gain experience in delivering internal audit projects using the Agile approach and gain confidence, it is imperative that internal audit organizations continue to evolve and find ways to make the auditing process more Agile friendly. This continuous improvement process is essentially the “Ha” stage, a stage where internal audit is not afraid to explore the limitations on the way things are done and push the boundaries of such limitations.

Finally, the “Ri” stage is about mastering Agile internal auditing to the point that this becomes the norm.

The journey of an Agile transformation is not easy and requires multiyear planning, sponsorship from senior management, learning the ceremonies of Agile techniques, the patience to master those techniques, the education of stakeholders, and the continued drive to build an ecosystem that continuously promotes an Agile mindset.

Those who move down this Agile internal audit path will arrive at a place where internal audit is not only providing a better service for its clients but where it works happier and smarter too.

Photo by Headway on Unsplash