The IA Toolchain #3 — IA, its Spreadsheets all the way down

See my first blog on the IA toolchain here

For a millennial IA professional like me, Microsoft Excel has been the one-size fits-all swiss army knife for my whole working life. Even the dying gasps of paper audit documentation that I saw in my early career often involved printed excel sheets (don’t ask!).

Where there are lists of things to be done, controls to be tested, evidence to be requested and projects to be planned excel has been there and it has done a pretty good job.

The IA Toolchain

As internal audit continues to develop into a more real-time activity performed at the “Speed of risk” the practice of generating excel sheets to be shared/emailed around team members for updates is starting fall behind as a technology solution. Real-time assurance needs a real-time technology solution that can support a more iterative audit and greater collaboration with stakeholders

Applying agile principles to audit has been tried by many different teams with varying results. At its worst, it can lead to teams parallel running with an agile veneer layered on top of a traditional approach. As well as creating excel documents and PowerPoint project plans we also put everything on post-its or an online work management tool adding additional work translating between documents and aligning status updates that takes focus away from providing useful insight to management.

It is very easy to throw a list of tasks on a KanBan board in Trello or Jira and use this to track what the team is doing. I suggest we can take this a step further and replace a large chunk of the functionality used in specialist audit tools used for documenting our work. Often at a fraction of the cost using solutions that are proven at scale for security and performance.

I have been experimenting with using online workflow tools used by software dev teams in my organisation as a full replacement for audit scoping, planning, and fieldwork documentation.

How about an audit documented in JIRA?

Traditionally an audit work program is built by defining the material risks in the scope of the audit, identifying key controls for these risks, and then defining test steps. Agile teams use all sorts of terminology to describe their work items but much like an audit, they boil down to breaking large scope items (Release, Feature, Epic, etc) into small chunks (User Stories, Issues, Tasks) for delivery.

Epic — Risk

User Story — Control

Bug — Issue!

So an agile work tool like TargetProcess or Jira is perfectly designed to break down an audit into small chunks and actually record the activity we are doing. What's more, they also have built-in workflow engines to allow us to define review requirements and status transitions to provide a clear audit trail of review approval and completion of tasks.

A kanban board showing User Stories (Controls) organised by Epic (Risk)

Where things can get interesting is that with a tool like Jira we can also define a workflow that requires review by an independent reviewer and automatically records the reviewer and when the review was completed

A Jira workflow built for the completion of an audit control test. Transitions are subject to workflow rules to mandate review of completed work papers.

Now, this is still really just a better post-it. What about if we actually use the Card in the tool to document our audit testing

A TargetProcess User Story including audit workpaper template.

So instead of just writing Test control x on a Jira card and moving it from in-progress to done now we are documenting the test plan as epics and user stories and documenting the analysis performed and evidence we have collected all within the tool.

We can also track concerns identified by logging them in the tool and defining a workflow

The great thing about these tools is that they provide various ways to slice the information so dashboards can be produced at different levels of detail to suit different audiences.

A breakdown of an audit in Targetprocess Project view

We can also define custom metadata to enable teams to collect data points about the controls they are testing that can become a powerful data source to profile the control environment and what our assurance coverage looks like

Some Benefits

• Real-time single source of truth on project progress
• Focus — The right tool can support your team in managing their WIP and making dependencies visible
• Built for collaboration — The teams you are auditing are probably using these tools why not collaborate with them.
• Frequent feature development — Especially with SaaS implementations no features are made available frequently.
• METADATA — Can be a gold mine for identifying waste in your process and identifying enterprise-wide themes and messages for your stakeholders.
• Flexible workflows to build system enforced quality controls into your process
• Major vendors provide enterprise-grade security, stability, backup, etc.
• Cheap — SaaS implementations are often a negligible outlay even for small teams (compared to specialty GRC/audit systems)
• Some tools also include document collaboration tools as well (e.g. Jira/Confluence). Scope Statements or longer documents can be stored and collaborated on from within the tool as well.

At the end of the day, it is not about the specific tool you use, there are loads of different alternatives for work management in addition to the examples I used. The key argument in favour these tools for an audit team over an audit-specific tool is that they are built with flexibility in mind and can be adapted easily to fit the workflow you need for your team. Tools that are widely used in many organisations and known by IT departments and other stakeholders have lower support costs than bespoke audit systems and they don’t charge you an arm and a leg to reinvent the basic features of collaboration and project management that we need an audit management system for.