#141 - Auditing with Agility: Stop Fearing Your Auditors - Clarissa Lucas


“You should never do something just because the auditors want you to do it. They should be able to explain the risk and controls in accordance with your risk appetite and tolerance.”

Clarissa Lucas is an audit and risk management leader and the author of “Beyond Agile Auditing”. In this episode, Clarissa shared a novel approach to internal auditing called auditing with agility. She shared this concept at the DevOps Enterprise Summit 2022, which drew some parallels to the revolutionary birth of the DevOps movement. Clarissa explained the three core components of auditing with agility, which are value-driven auditing, integrated auditing 2.0, and adaptable auditing.  

Listen out for:

  • Career Journey - [00:04:27]
  • Purpose of Internal Audit - [00:08:38]
  • Challenges with Traditional Auditing - [00:11:01]
  • How Auditing with Agility Started - [00:16:48]
  • Parallels with the Birth of DevOps - [00:22:02]
  • Segregation of Duty - [00:25:04]
  • Auditing with Agility & Value-Driven Auditing - [00:30:21]
  • Integrated Auditing 2.0 - [00:33:52]
  • Adaptable Auditing - [00:41:33]
  • Extending to External Auditing - [00:45:32]
  • 3 Tech Lead Wisdom - [00:47:26]

_____

Clarissa Lucas’s Bio
Clarissa Lucas is an experienced audit and risk management leader with over 15 years of experience. As a thought leader on Auditing with Agility, she has written articles on the topic published by both the Institute of Internal Auditors (IIA) and IT Revolution press, as well as her first book, Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices. Clarissa has spoken at a number of IIA, ISACA, and IT Revolution conferences, as well as local IIA chapter events and various podcasts, on this topic. Clarissa is a Certified Internal Auditor, Certified Information Systems Auditor and a Certified Investments and Derivatives Auditor.


Quotes

Career Journey

  • While I was there and presenting, a lot of the questions that were coming through from the audience really opened my eyes to a number of misconceptions about auditors that led to that fear and not looking forward to the auditors coming, and seeing auditors as roadblocks and seeing them as getting in the way of technology organizations progressing in better ways of working and things like DevOps.

  • So it really started my journey to tear down these silos and help bring some truth to these misconceptions and help these two groups get along better. Because there was a huge opportunity to have them leverage each other instead of getting in each other’s ways.

Purpose of Internal Audit

  • A lot of people might think the purpose of auditing is to shine a light on things that are going wrong and make you look bad. I can assure you that is not what we’re here to do.

  • The really cool thing about internal auditors is we work for the same organization that the people we’re auditing do. So we are different from an external auditor. We are on the same team.

  • The purpose of internal audit is to be independent and objective. We try not to be as biased. If you’re in the weeds every day doing this, of course, you’re doing it great. But there’s value that an objective, fresh perspective can bring to those things. So our goal is to add value to our organizations. If I had to summarize it, it’s to add value.

  • And we really want to do that through partnering with our clients and bringing that fresh perspective and providing our clients with value through assurance. So letting them know, the things that they rely on to go right, are they gonna go right? Is there a good chance that they’re gonna go right?

  • Or is something not working the way you think it’s gonna work and you’re probably gonna run into problems down the road? Or do you have the mechanisms in place to make sure that when it doesn’t go right, you’re gonna identify that in a timely manner and be able to fix it right away so that you can achieve your objectives?

  • That’s really why we’re here. None of that is to make it look bad or to ruin your day or anything like that, which is probably what some people may have experienced, unfortunately.

Challenges with Traditional Auditing

  • When things go wrong, people are always looking at where were the auditors here. That sometimes would put the auditors on the defensive, that they have to look at everything so that they don’t get those fingers pointed at them.

  • It’s also gotten potentially worse in the past few decades, because we used to show up with checklists and here’s what we’re gonna audit. And things didn’t change very often, so a checklist that you dust off every year and do the same testing was effective for those purposes.

  • But that is absolutely not the world we’re living in today. Things change so quickly. So when auditors show up with that checklist and do the same thing that they did last time they were there, clients are like, this is not helpful. That checklist is so outdated and they’re not digging into what’s really important to me. The auditors might have their heads down and are just focused on executing that checklist.

  • And when I mentioned moving from that individual contributor to this role, like focusing on executing versus understanding people and understanding their processes and what’s important to them, we needed to make that shift. With the rest of the organization, keeping up with the pace of change and modernizing their ways of working, modernizing their technology and their processes as well. And the audit kinda got left in the dust for a little bit.

  • Some of these are just gonna show up and throw some unplanned work on your plate that’s not gonna add any value. I don’t blame you for not being thrilled that they’re there. I mean, if somebody walked in here today and is like, do all this work, that’s not gonna help you at all, and you still have to get your other stuff done.

  • When you mentioned they send the checklist to you, we send sometimes–and you’ll get this with external auditors as well–our request list. So we’re figuring out what we wanna audit. We talk to you a little bit, figure out what it is you do. We sit over at our desks and we create our scope for our audit. We fill out a request list and we toss that over to our clients.

  • And it’s usually written in audit terms. So you mentioned we are the experts in risks and controls. We speak in risks and controls. Most people outside of audit or risk functions do not speak in risks and controls. So it’s typically in a different type of wording than our clients are used to. And they’re stuck trying to figure out what the heck are these auditors actually looking for? Or even if it is clear what we’re looking for, it might not actually be the documentation or the evidence that we need to test what we’re looking at. So those silos really get in the way of a common understanding and really an opportunity to add value more efficiently.

  • What I talk about in the book is called auditing with agility. And it’s a flexible approach where we break down those silos and we really focus on value. So there are three core components. The first one is value-driven auditing, and that is helping with delivering audit reports that actually provide value, because the scope of the audit is focused on what’s gonna add value to the organization and the clients.

How Auditing with Agility Started

  • The traditional way of auditing is a waterfall approach. So that stage gated approach that is similar to waterfall software development. You do one stage before you’d go to the next stage, before you go to the next stage, and you’re very heads down in each of those stages.

  • The auditing profession realized that things were changing. This waterfall approach, a strict framework that we have to do this very sequential thing in every situation, wasn’t keeping up with the environment that all of our organizations were working in.

  • We also saw that in the technology world and business world, people were applying agile concepts and seeing success. There was a big movement for what’s called agile auditing. Agile auditing is pretty much applying a Scrum framework to the audit process.

  • And some organizations found a lot of success with that. My own personal experience, I found a lot of success with that in certain parts of the organization. So, for auditing technology, some of my clients leveraged Scrum frameworks to manage their own work, so we were able to fit right in there and deliver our audits in sprints in those situations. And it was amazing! But there were also situations where that didn’t work out quite as well.

  • We started thinking, do we wanna do agile auditing or not? And it was very binary, like you have to pick waterfall or you have to pick agile auditing. And we were doing agile. And it kind of dawned on me that the whole point of–as I was attending more conferences related to IT and working DevOps ways of working and agile ways of working, reading about business agility–I was realizing that we were falling into a trap of doing agile instead of being agile. We were looking for a framework. Cause we’re auditors. We like frameworks. We started out with checklists, like it’s comfortable. But again, that’s not working today.

  • It’s got so many opportunities to be so much better. I don’t want you to run from me as an auditor. I want you to call me up and say like, hey, I’ve got a question. I need an audit perspective. Can you help me?

  • Falling in the trap of doing agile versus being agile, so I started experimenting with what I call auditing with agility. And it sounds very similar to agile auditing. But instead of agile auditing, when people hear that, they think it’s a thing to do. When you hear about auditing with agility, I think it’s more clear that you’re auditing. But you’re doing it with agility.

  • It’s a very minor tweak in words, but it’s very intentional. It’s not this framework that you’re gonna cookie cutter apply in every situation. We’re still auditing. We’re still providing that assurance that things are working right or that you’re gonna identify things when they don’t work right. We’re just doing that in a more flexible approach that anchors back to those agile principles instead of specific frameworks.

  • It was in 2021. I started talking about applying some of these DevOps concepts to internal auditing. It was kind of the birth of auditing with agility. And Gene Kim, when I submitted my presentation, he was really impressed by it. And he said, this is very similar to the 2009 presentation that John Allspaw and Paul Hammond did about Flickr and that was kinda the birth of DevOps.

  • It was operations team and the developers. They’re not getting along and they’re not incentivized to do the same thing. They’re incentivized kind of to get in each other’s way. Very similar to audits and clients. Clients are trying to do their thing and here comes the auditors getting in their way and we’re just trying to get an audit report out, but management’s doing these things and not sending us the right things that we’re requesting.

  • And then how DevOps got the two of those groups who historically didn’t work so well together to work together. That’s what I’m trying to do with auditing with agility, is trying to get auditors and clients to get out of each other’s way and work together and help each other.

Parallels with the Birth of DevOps

  • In my presentation there, I was representing the auditor. And I was co-presenting. So historically, up to that point, I had co-presented with other auditors. And this was the first time that I was co-presenting with one of my clients. And similar to the 2009 presentation, it was somebody from development and somebody from operations sharing the stage.

  • With the 2009 presentation, the two presenters, one from development, one from operations, talked about how at their organization they were able to break down those silos, break down those barriers, have a common objective and work together. Very similar to what my client and I were explaining in our presentation, too. So auditor and audit client, typically butting heads, not getting along super well or just tolerating each other to get through an audit. And we talked about how we worked as one team. So it wasn’t the auditor team and the client team.

  • We did have our separate reporting structures, as is needed for us as auditors to maintain our independence. But that doesn’t mean we cannot work together closely as one team. We worked so closely together to make sure that we were aligned on what our common objective was. And it was to provide and get insights about the most important things in that particular area. Those two primary differentiators were the huge parallels between the two.

Segregation of Duty

  • The question that I would get from my clients is, how do I pass an audit when we’re using DevOps and we’re not doing segregation of duties through the access controls how we historically would? This was kinda my first view into the misconceptions. Like there’s no passing an audit. I don’t have a pass/fail. I don’t have like a big green check mark to provide at the end of an audit.

  • Why do we segregate duties? And the first answer was, cause the auditors told us we had to. And I’m like, oh, try again. Don’t do things just because auditors tell you. If you don’t understand why we’re telling you to do something, challenge us because you should never do something just because the auditors want you to do it. The auditors should be able to explain they want you to do this because here’s the risk. And you need to control that risk in accordance with your risk appetite and tolerance.

  • When we really started peeling back the layers of why do we segregate duties, we started thinking about things like, we wanna make sure that somebody doesn’t introduce something into production that’s going to do bad things. Historically, we have managed that risk by not letting the same person push their stuff through without having somebody else give the “okay”. We’ve segregated duties. So then I challenged the group and was asking, okay, what else could we do? To manage that risk without having two separate access lists.

  • And that’s when we really started understanding, maybe we could have automated checks and I can push my stuff through and it’ll go through only when this automated test says it passes all these things. The same thing that a human would do when they’re looking at the code, the change, or whatever it is. If this automated test passes, then it goes through. And essentially, you’ve segregated the duties, not between two people, but between the person wanting to promote the code, the developer, and an automated test.

  • It was really about thinking through getting rid of that checklist of we need to look for a segregation of duties, working with our clients, understand what are you trying to accomplish? We’re trying to make sure things get into production, so that we can help serve our business. What could go wrong? What are the risks? We could get something in there that does bad things, either intentionally or unintentionally. People make mistakes. What can we do or what ways can you manage that risk? And what ways do you manage that risk?

  • So instead of walking in and saying, I need to see segregation of duties, give me your access lists, and you give me your access lists, that’s a waste of time. Instead, we’re understanding what you’re trying to accomplish. What can go wrong? How you’re controlling that risk, how you’re managing that risk, and then we test that.

  • Instead of looking at the access list, we’re gonna look at how this automated test is set up. How’s it designed? Is it designed the same way to look for the same things that a peer reviewer would? Or in a world where those duties are segregated? And then is it operating the way that you think it is? So it’s supposed to identify these things and not let it go through to production if it doesn’t meet these criteria. Is it letting things through when it’s supposed to? So if it passes all these tests, it’s supposed to go to production. We would test that.

  • And that’s gonna provide a lot more value than to your earlier point, us handing you a report that says you don’t have segregation of duties in place. What are you supposed to do with that?

  • Maybe you are doing it in a different way. So maybe the finding is you don’t have duties segregated, but you do have these automated tests in place. So instead of having a finding or an audit report that says you have to segregate duties, you can educate your auditors on: this is how we’re managing that risk. Let me walk you through this. How you’re managing that risk and bringing your auditors along so that they understand it.

Auditing with Agility & Value-Driven Auditing

  • What are those three core components?

    • Value-driven auditing.

      • It gets back to that problem of you getting an audit report that’s not valuable to you. So value-driven auditing is really going to make sure that the audit scope, so what the auditors are gonna look at and what they’re gonna do is gonna add value to the organization. So it’s gonna be anchored back to what’s most important to the organization and its key stakeholders, which include the audit clients.

      • We’re gonna look at where are the biggest risks or where are the greatest opportunities too? So there’s risk in not doing things and there’s risk in doing things. So value-driven auditing is really just anchoring back to what is gonna add the most value to the organization and focusing the work there.

    • Integrated auditing 2.0.

      • Audits used to be performed, you’d have a compliance audit, you’d have an operational audit, and you’d have an IT audit. And then those would all be delivered separately, or they’d stitch them together at the end in one report, but all the work would be performed separately.

      • So the auditing profession started doing what’s called integrated auditing, and you would have all of those auditors on the same audit. So each audit would have a compliance, operation, and IT lens, which really helped breaking down those silos within the audit function and provide a more holistic view, a better view of the environment than the separate audits being stitched together. That should be a given right now. We should all be there.

      • What I mean by integrated auditing 2.0 is kind of taking that to the next level. And what we do here is we’re integrating audit work with our audit client’s work. And we still maintain that independence.

      • That’s a question I get a lot from auditors is like, how can we do this and still be independent? There are plenty of ways that we can do that and still be independent. Even the Institute of Internal Auditors, who is our governing body, they set the standards for internal auditing. They tell us that independence doesn’t mean isolation. So you don’t have to have working silos. We still have that different reporting structure. We still maintain those decision rights. But what we focus on with this 2.0 version of integrated auditing is integrating audit work with client’s work.

    • Adaptable auditing.

      • This is where we build in the ability to respond to change. So we’re gonna have a flexible process to audit. Instead of this strict framework, we’re gonna be able to pivot. We’re gonna be able to understand when we should stop auditing.

      • With our old audit waterfall approach, we would have our plan and we would go heads down and execute it and not come up for air until the end. And we really miss opportunities to determine, do we still need to go down this path or do we know enough to deliver now and get out of our client’s hair and move on to something else? So adaptable auditing is where we have that flexibility, the ability to respond to change, which is super important in today’s crazy fast changing environment.

Integrated Auditing 2.0

  • A lot of people think “Beyond Agile Auditing” is primarily for auditors to read. It’s got two primary audiences, both auditors and clients. Because just like DevOps, the developers couldn’t do DevOps by themselves. Neither could operations. They both needed to go and implement those concepts. And integrated auditing is a great place for clients to start and start influencing that experience.

  • You mentioned in the question, do you have a dedicated auditor? You could. But you also don’t know that the type of work, when it’s gonna be there and when it’s not. So there are some things that we can do, like my clients know that they can call me anytime with questions. So it’s not a full-blown audit. Being able to just call somebody up and get that realtime feedback from them is super helpful.

  • And that’s part of the integrated auditing feedback loops. So regular feedback loops, realtime feedback loops, those are probably the most straightforward thing that I can think of for clients to start implementing. You don’t have to wait for the auditors to reach out to you. You can implement, you can start a feedback loop. So you have a question for your auditor, call them up. And it might be intimidating, especially at first, if you don’t have that working relationship with them yet and you’re afraid this is gonna trigger a huge audit and it’s gonna be a bunch of extra time spent.

  • You could start by figuring out what do you need from an audit? What do you need from your auditors? And set up coffee with them.

  • Feedback loops are super, super helpful. Another thing about feedback loops is if you don’t provide feedback to your auditors about what a better audit experience looks like, they’re not gonna know to make a change. Or they might know that they should make a change, but they might try a bunch of things that aren’t what you wanna see.

  • Another one that I wanna highlight in this integrated auditing space is integrated planning. We talk about getting an audit report that doesn’t help you. It’s focused on the wrong things. It doesn’t really add value. A great way to overcome that challenge is through integrated planning.

  • That’s where we’re gonna work super closely together. We’re actually gonna build out the audit scope together. So I’m gonna be still independent, because I get the final decision rights. And so let’s work together to identify what’s most important to you.

  • Cause I have my own ideas about it. Generally, they’re aligned, but it’s so much more helpful when I get that confirmation from you, or maybe you help me think about it in a different way. So you can help me understand what those risks are and how they actually might manifest in your world.

  • And then integrated planning, instead of me saying, okay, I’m looking for a segregation of duties control, which doesn’t exist because that’s not the way you’re doing things. You’re gonna tell me how you manage that risk. Now we’ve just saved ourselves a ton of time, because now I understand what’s really important to you. I understand those risks and what can go wrong. I understand how you control it. And then you can help me show how those automated tests are set up.

  • I really think that integrated planning and those feedback loops are something that audit clients can start doing today and really, really have a much better experience with their auditors.

  • We’re both aligned on the same goal. So I don’t wanna hand you an audit report that means nothing to you. You don’t wanna receive an audit report that means nothing to you. So it’s not just helping you, it’s helping the auditors too. And that’s why it’s super important for us to work together to make sure that we are both at the end producing this report that’s gonna add value to the organization.

Adaptable Auditing

  • Part of that starts with the value-driven. So focusing on what’s most important. But then, when it comes to the adaptability, how do you build in the ability to change and pivot? Really prioritizing your work, so breaking the audit scope up into manageable pieces and limiting how much you’re focused on at a time, is something that really helps drive adaptability and it’s something that clients can influence as well. So instead of going in and saying, we’ve got these 12 controls that we’re gonna look at, or these 12 compliance requirements we’re gonna look at, and we start looking at all of them at once, we’re gonna figure out what is most important.

  • When it comes to compliance, certain things are gonna have larger fines and larger impacts than others. If there’s something that’s gonna cause millions of dollars in fines on a frequent basis, and there’s a decent chance of that, you wanna focus on that. So prioritizing that instead of starting everything at once.

  • And that is gonna give you results sooner too. And then with those results, we can pivot and say, have we done enough? Have we audited enough? Have we learned enough? So focusing on those areas that are most important, knocking those out first. Limiting what we’re doing at a time, picking it up, doing it, delivering it, starting another thing.

  • And that helps with our clients too, because then you’re not doing all that context switching. I’m not asking you about compliance with this piece of something and then over here and then taking you back to that and where were we with that? So that’s really something that can help us deliver those results sooner.

  • If we look at all these other things that we initially thought we were gonna look at, which is hard to do when everything’s in process at the same time. So while we’re limiting that, that gives us that opportunity to pause and think about, should we spend our time collectively–everybody, not just the auditors. Should we spend all of our time finishing this or is there something else out there either in your space or a different space that is more important that we should pivot to?

Extending to External Auditing

  • The book is focused on internal audit practices, because that’s where my background primarily is. And there are different standards that external auditors are held to. I would love to have a conversation about what are those requirements and how can external auditors also leverage these concepts so that they’re also not feared. And so that they’re better positioned.

  • By leveraging these concepts—driving by value, integrating into the client’s work, and being adaptable—those are gonna set the auditors external and or internal up for better success. We’re gonna be focusing on the right things. We’re gonna be not wasting our time or your time. Those are all things that the external auditors can benefit from as well.

3 Tech Lead Wisdom

  1. Auditors are not your adversaries. They should not be out to get you. They actually should be a valuable resource for you to leverage. Absolutely the first thing I want people to walk away with is that I want you to run to your auditors, not from them.

  2. This is a journey. So it’s not like laying a Scrum framework on to an audit process.

    • The way you really get started on this journey is by figuring out what’s most important to you. You’re not gonna apply everything in the book all at once. You got to start small, so figure out what is the most important to you. Is it getting more value out of that audit? Is it being able to respond to change?

    • I’d love to ask people, if you had a magic wand, how would you use it to improve the audit process and what would that look like?

  3. I would have each of you reach out to your auditors today.

    • Connect with them. If you’re in the middle of an audit, pause to go start building and strengthening that relationship.

    • And then provide them feedback. Activate a feedback loop. So let them know now that you know if you had that magic wand or what it would look like. What’s most important to you? Tell your auditors. Open that feedback loop. Ask how you can help.

    • Many of you have a lot of experience with these better ways of working, and auditors typically don’t. This is something new for auditors, for a lot of us. So coach your auditors. You are the experts in these better ways of working. Teach them. That’s also gonna help build those relationships and keep those feedback loops going.

Transcript

[00:00:55] Episode Introduction

Henry Suryawirawan: Hello again, everyone. You’re listening to the Tech Lead Journal podcast, the podcast where you can learn about technical leadership and excellence from my conversations with great thought leaders in the tech industry. If you haven’t, please follow the show on your podcast app and social media on LinkedIn, Twitter, and Instagram, and also video contents on YouTube and TikTok. To support my work in producing this podcast and its various contents, you can buy me a coffee at techleadjournal.dev/tip or subscribe as a patron at techleadjournal.dev/patron.

My guest for today’s episode is Clarissa Lucas. Clarissa is an audit and risk management leader and the author of “Beyond Agile Auditing”. In this episode, Clarissa shared a novel approach to internal auditing called auditing with agility. She shared this concept at the DevOps Enterprise Summit 2022, which drew some parallels to the revolutionary birth of the DevOps movement. Clarissa explained the three core components of auditing with agility, which are value-driven auditing, integrated auditing 2.0, and adaptable auditing.

I hope you enjoy listening to this episode and learning a new approach to internal auditing that doesn’t cause you to dread working with your auditors! From my experience, I sincerely believe we need to revolutionize the way auditing is done in order to bring a better value for the organization and make the experience better and more productive.

If you like this episode, it would be really great if you can help me share this with your colleagues, your friends, and communities, and leave a five-star rating and review on Apple Podcasts and Spotify. It will help me a lot in getting more people discover and listen to this podcast. Let’s go to my conversation with Clarissa after quick words from our sponsor.

[00:03:10] Introduction

Henry Suryawirawan: Hey, everyone. Welcome back to another new episode of the Tech Lead Journal podcast. Today, I have with me, Clarissa Lucas. She’s the author of a book titled “Beyond Agile Auditing: The Three Core Components to Revolutionize Your Internal Audit Practices”. As you can tell from the title, we are going to talk about auditing. I myself have to be honest, I’m not the person who likes to be audited. Nor do I know a lot about auditing. So this episode, I think, is gonna be insightful for me at least, and I hope it’ll also give you some learning experience about how we can do audit better. So Clarissa, thank you so much for this time. I’m really looking forward to learning from you about auditing.

Clarissa Lucas: Henry, thanks for having me. And you are not alone in not really being excited about getting audited. That was a big reason why I wrote the book.

So I’ll introduce myself, but I do want to dive into that a little bit, this part about me. So one of my personality traits is I love when people get along and I struggle when they don’t get along. So, when people don’t like the auditors to be there, they see me as the bad guy, and I get it. But those are things that I want to fix. So, you’re not alone in that. I am trying one organization, one person at a time to turn that adversarial relationship, turn that fear of the auditors into something that’s super valuable. So I am so happy that you have me on the show today.

[00:04:27] Career Journey

Clarissa Lucas: I have spent most of my career in internal audit or risk management, second line function. So maybe not always as an internal auditor, but usually in that type of role where somebody’s coming and they feel like they’re being audited. I also do speaking engagements on this topic. This is something that is super near and dear to my heart. And as you mentioned, I’m a published author. My book “Beyond Agile Auditing” just came out a couple of weeks ago. So this has been a whole new learning experience.

A few major highlights in my career are presenting at my first DevOps Enterprise Summit, taking on my current leadership role, where I pivoted my focus from individual accomplishments to people, and then publishing my book. If you don’t mind, I’m gonna take a couple minutes and talk through each of those because I think that’ll help paint the picture for the rest of the episode today.

So first one, DevOps Enterprise Summit. In 2020, I wasn’t too far into my current role, and I had the opportunity to speak at the DevOps Enterprise Summit. So I was new to technology auditing. Most of my career in auditing had been on the operational side and not necessarily on the technology side. But this was a new adventure for me. I love learning things, and technology is really important. So I was intrigued by taking on that role.

It was virtual that year. This was 2020, the start of the pandemic. Public speaking has always been a source of anxiety for me, even though that’s a lot of what I do now. Learning and growth are important. And so public speaking. And I am the only, or one of the only, auditors at this conference that is focused on technology leaders, really smart technology people. And I didn’t have that background either. To say that it was overwhelming and terrifying for me is probably an understatement. So that virtual environment, since the pandemic was there, made that a really great stepping stone for me. It made it super enjoyable. It helped me build that confidence, which has been a stepping stone for a lot of these other types of opportunities.

Another reason that was such a pivotal moment for me was, while I was there and presenting, a lot of the questions that were coming through from the audience really opened my eyes to a number of misconceptions about auditors that led to that fear and not looking forward to the auditors coming, and seeing auditors as roadblocks and seeing them as getting in the way of technology organizations progressing in better ways of working and things like DevOps. So it really started my journey to, I need to tear down these silos and help bring some truth to these misconceptions and help these two groups get along better. Because there was a huge opportunity to have them leverage each other instead of getting in each other’s ways. Words are hard today. So that was the first turning point.

Another one was when I took on this role, so we’re backing up. The first one was 2020. This is in 2018, 2019. I took on this role as a technology audit leader. And I had leadership positions before, but I still hadn’t really mastered that transition from individual contributor and focusing on getting the things done to being a leader and focusing on the people. And that shift was super pivotal for me as well, and just really helped me become a better leader, both to my direct reports and in the audit role where I’m leading conversations and leading activities where there are multiple people in the room and you really have to focus on people more so than the mechanics of getting things done.

So those two led to my third, which was publishing my first book. Had I not experienced both of those earlier turning points and experiences, I definitely would not be here today. The experience of publishing a book and taking on more and more speaking engagements and connecting with people that I normally wouldn’t have had the opportunity to, has been an absolutely incredible experience. Absolutely one of a kind. I love helping people. And this book has been a great accelerator to enable me to connect with people and start helping people. And like I said, tearing down those silos and shining a light on those misconceptions.

Henry Suryawirawan: Wow! Thank you for sharing your story. I think that’s really great! So I myself, I’m pretty amazed that you got quite a good reception in the DevOps Enterprise Summit, talking about audit, so there must be something. Maybe we’ll talk about that later as well.

[00:08:38] Purpose of Internal Audit

Henry Suryawirawan: But for people who are new to getting to know in depth about auditing, maybe we can start from there first, right? What is actually the real purpose of auditing? What is auditing and internal auditing specifically if you’ve mentioned the title right? Uh, is there anything that you can enlighten us about auditing here?

Clarissa Lucas: Yep. So a lot of people might think, okay, the purpose of auditing is to shine a light on things that are going wrong and make you look bad. I can assure you that is not what we’re here to do. And the really cool thing about internal auditors is we work for the same organization that the people we’re auditing do. So we are different from an external auditor. We are different from other internal assurance functions, because we do have a bit of that step back, that independence. But we are still part of the same organization. So we are on the same team. And I know that sounds like, oh yeah, yeah. We’re all on the same team. I promise you we are.

So the purpose of internal audit is to be independent and objective. We try not to be as biased by, you know, if you’re in the weeds every day doing this, of course, you’re doing it great. Like it’s wonderful and I’m sure it is. But there’s a value that that objective perspective, that fresh perspective can bring to those things. So our goal is to add value to our organizations. If I had to summarize it, it’s to add value.

And we really want to do that through partnering with our clients and bringing that fresh perspective and providing our clients with value through assurance. So letting them know, the things that you rely on to go right, are they gonna go right? Is there a good chance that they’re gonna go right? Or is something not working the way you think it’s gonna work and you’re probably gonna run into problems down the road? Or do you have the mechanisms in place to make sure that when it doesn’t go right, you’re gonna identify that in a timely manner and be able to fix it right away so that you can achieve your objectives?

That’s really why we’re here. None of that is to make it look bad or to ruin your day or anything like that, which is probably what some people may have experienced, unfortunately.

Henry Suryawirawan: Right. I like when you say that you bring value as well to the organization. Of course, we are talking about internal auditors here. Yeah, external might be different. But as an internal auditor, you also work together, right, to bring value. And I like specifically in the book you mentioned that internal auditors are much better, or maybe you call them experts in risk and control, right? So things, when you said, when things go wrong, what mechanism you should have in place. Or how to make sure that things do actually go right. So I think that’s also important.

[00:11:01] Challenges with Traditional Auditing

Henry Suryawirawan: When we said that many people dread being audited, there must be reasons definitely, right. I myself maybe can share some of my frustration, but maybe from your point of view first, what are some of the common challenges? Why there’s a bad perception or maybe misconception about auditors?

Clarissa Lucas: Yeah, I think when things go wrong, people are always looking at where were the auditors here. So, you know, that sometimes would put the auditors on the defensive of we have to look at everything so that we don’t get those fingers pointed at us. I also think it’s gotten potentially worse in the past few decades, because we used to show up with checklists and here’s what we’re gonna audit. And things didn’t change very often, so a checklist that you dust off every year and do the same testing was effective for those purposes.

But that is absolutely not the world we’re living in today. Things change so quickly. So when auditors show up with that checklist and do the same thing that they did last time they were there, clients are like this is not helpful. Like that checklist is so outdated and they’re not digging into what’s really important to me. Or maybe they are, maybe the checklist is still focused on those areas, but the auditors might have their heads down and are just focused on executing that checklist. And like when I mentioned moving from that individual contributor to this role, like focusing on executing versus understanding people and understanding their processes and what’s important to them, we needed to make that shift. So, I think, you know, with the rest of the organization, keeping up with the pace of change and modernizing their ways of working, modernizing their technology and their processes as well. And audit kinda got left in the dust for a little bit. And that, I think also created some of those challenges and barriers. And then, yeah, some of these just gonna show up and throw some unplanned work on your plate that’s not gonna add any value. I don’t blame you for not being thrilled that they’re there. I mean, if somebody walked in here today and is like, do all this work, that’s not gonna help you at all, and you still have to get your other stuff done, I wouldn’t be thrilled either. I’d be fearing or, you know, dreading, like, I think you said some of that person showing up. So I think those are some of the things that have led to that strange relationship, I’ll say.

Henry Suryawirawan: Right. So when I read, I think, the first few chapters in your book, you mentioned also common challenges that you frequently find from either your previous organizations or from your customers, clients. So I think when I read that, some of them actually ring true to me. So for example, the things about us versus them, the silos. I think that’s the first impression that I got as well. Especially if the auditors do not come from the same team, right? They’re just separate, maybe reporting to a different boss. And they will just throw you a checklist, okay, we are gonna do an audit for your system or whatever. And yeah, you have to just come prepared whenever there’s any findings. So that is always not good, because the first interaction itself is kind of like, maybe, many tensions, right? It’s like you’re policing us and we are like criminals.

Clarissa Lucas: Yep. Yep. And that’s not our intent, although I get that the way things have been working in the past, it feels like that. Especially when, you know, you mentioned they send the checklist to you. We send sometimes, and you’ll get this with external auditors as well, here’s our request list. So we’re figuring out what we wanna audit. We talk to you a little bit, figure out what it is you do. We sit over at our desks and we create our scope for our audit. We fill out a request list and we toss that over to our clients.

And it’s usually written in audit terms. So you mentioned we’re the experts in risks and controls. We speak in risks and controls. Most people outside of audit or risk functions do not speak in risks and controls. So it’s typically in a different type of wording than our clients are used to, and they’re stuck trying to figure out what the heck are these auditors actually looking for? Or even if it is clear what we’re looking for, it might not actually be the documentation or the evidence that we need to test what we’re looking at. So those silos really get in the way of a common understanding and really an opportunity to add value more efficiently. So I know you were going in a different direction, but I did wanna point that out.

Henry Suryawirawan: Yeah, no problem. I would also love to share some of my point of view, right? The frustrations that I have so that we can discuss and maybe other people can relate as well. The other frustration point that I have is about, for example, right, they give us some findings, but they don’t seem to relate so much with the context that we are working in. Or maybe that comes from an outdated version of some documents, like you mentioned. Because some of these come from compliance, which are probably created some years ago and they may not relate, but they create that as a finding. And you just have to build some kind of rationale why this is not applicable for us before they can say, okay, check. And sometimes it goes through a few rounds of, you know, back and forth before they can accept that.

Clarissa Lucas: Yeah. So, some of the, I think that’s inherent in those silos that you mentioned and not working as collaboratively together and not getting that base understanding of what is very important. You mentioned from a compliance perspective, what are the current requirements? What are the most important compliance requirements today? Because there are so many different requirements, but what are the ones that are really impactful to you and your organization, both from a regulatory perspective, from an internal policies perspective? Because you’re right, we could spend all this time over in this space to the left, but if that’s not what’s most important, if that’s not working and we hand you a report that says these things are broken or you’re not complying with these areas, you don’t care. That was a waste of your time and my time.

So, what I talk about in the book, generally, is called auditing with agility. And it’s a flexible approach where we break down those silos and we really focus on value. So there’s three core components. The first one is value-driven auditing, and that is one of the things that I think would help with, I don’t think I know I’ve experienced it, helping with delivering audit reports that actually provide value, because the scope of the audit is focused on what’s gonna add value to the organization and the clients.

[00:16:48] How Auditing with Agility Started

Henry Suryawirawan: I think that’s the perfect segue to go into your concept, right? So explain to us a little bit more about this auditing with agility. Is this just some application of agile methodology to some other parts of non-technology? So tell us more about it.

Clarissa Lucas: Yeah, so you’re on the right path there. The traditional way of auditing is a waterfall approach. So that stage gated approach that is similar to software development, waterfall in software development. You do one stage before you’d go to the next stage, before you go to the next stage, and you’re very heads down in each of those stages. So we were finding a lot of those challenges that we talked about. We, the auditing profession, not just Clarissa in her daily struggles, but the auditing profession realized that things were changing. This waterfall approach, strict framework, that we have to do this very sequential thing in every situation, wasn’t keeping up with the environment that all of our organizations were working in.

So we also saw that in the technology world and business world, people were applying agile concepts and seeing success. So we moved to, there was a big movement for what’s called agile auditing. Agile auditing is pretty much applying a Scrum framework to the audit process. So you’ve got sprints typically about two weeks. You’ve got Scrum Masters, daily standups. All of the things that you’ll see in a Scrum framework applied to internal auditing. And just like with waterfall, it was do the same thing all the time. So do sprints all the time, do your daily standups all the time in every situation.

And some organizations found a lot of success with that. My own personal experience, I found a lot of success with that in certain parts of the organization. So auditing technology, some of my clients leveraged Scrum frameworks to manage their own work, so we were able to fit right in there and deliver our audits and sprints in those situations. And it was amazing! But there were also situations where that didn’t work out quite as well.

So I started thinking, you know, we started thinking, okay, do we wanna do agile auditing or not? And it was very binary, like you have to pick waterfall or you have to pick agile auditing. And we were doing agile. And it kind of dawned on me that the whole point of, as I was attending more conferences related to IT and working DevOps ways of working and agile ways of working, reading about business agility. I was really realizing that we were falling into a trap of doing agile instead of being agile. We were looking for a framework. Cause we’re auditors. We like frameworks. We started out with checklists, like it’s comfortable. But again, that’s not working today. I mean, it’s working. It’s got so many opportunities to be so much better. Like I don’t wanna be the bad guy anymore. I don’t want you to run from me as an auditor. I want you to call me up and say like, hey, I’ve got a question. I need audit perspective. Can you help me?

So, falling in the trap of doing agile versus being agile, so started experimenting with what I call auditing with agility. And it sounds very similar to agile auditing. But instead of agile auditing, when people hear that, they think it’s a thing to do. When you hear auditing with agility, I think it’s more clear that you’re auditing. That’s what you do. You’re not changing what you do. But you’re doing it with agility. It’s a very minor tweak in words, but it’s very intentional. It’s trying to get the point out that it’s not something you do, it’s not this framework that you’re gonna cookie cutter apply in every situation. We’re still auditing. We’re still providing that assurance that things are working right or that you’re gonna identify things when they don’t work right. We’re just doing that in a more flexible approach that anchors back to those agile principles instead of specific frameworks.

And then it also incorporates, because I was heavily influenced by these DevOps Enterprise summits and the talented speakers there explaining super highly technical things that most of the time were way over my head, but I was picking up a lot of their ways of working and the success they were seeing through applying that DevOps mindset.

Also what resonated with me and kind of why auditing with agility, I think is, you know, really where organizations need to go is, after I did one of my presentations, it wasn’t in 2020, I think it was in 2021. I started talking about applying some of these DevOps concepts to internal auditing. It was kind of the birth of auditing with agility. And Gene Kim, when I submitted my presentation for that, he said he was really impressed by it. And he said, this is very similar to the 2009 presentation that John Allspaw and Paul Hammond did about Flickr and that was kinda the birth of DevOps. So this is kind of awesome, because it was the birth of auditing with agility. And I had not seen the 2009 presentation at that point.

So I went and I watched it, and it was so cool to see. It was operations team and the developers. They’re not getting along and they’re not incentivized to do the same thing. They’re incentivized kind of to get in each other’s way. Very similar to audits and clients. You know, clients are trying to do their thing and here comes the auditors getting in their way and we’re just trying to get an audit report out, but management’s doing these things and not sending us the right things that we’re requesting. So it was really, really cool to see that. Those parallels. And then how DevOps got the two of those groups who historically didn’t work so well together to work together. That’s what I’m trying to do with auditing with agility, is trying to get auditors and clients to get out of each other’s way and work together and help each other. That was a long, long explanation.

[00:22:02] Parallels with the Birth of DevOps

Henry Suryawirawan: I think that’s really exciting, especially again, like coming back to, you mentioned about DevOps Enterprise Summit, right. I think that also piqued my interest when I read your book. The parallels between your presentation and the 2009 John Allspaw presentation. The first moment where we all get introduced into DevOps, you know, so many deploys per days and things like that. So I really love the parallels that you bring here.

Which brings us to the concept of why DevOps is needed. So the first, traditionally, in the first place, right, people try to create a silo between development and operations, and the functions actually kind of like different. If you look from the traditional perspective, one is to introduce more change, the other is actually to control change. I believe this is the same thing that happens in the audit. And the clients, let’s call it client as well. So client always wants to do their own business, you know, introduce change, create new products, create new systems, whatever that is, while auditors try to manage the risk, the control and things like that. So when you took these parallels, right, what would be some of the interesting things that Gene saw in your presentation, that probably will become a birth of something new in the future.

Clarissa Lucas: Yeah. A lot of it was. So in my presentation there, I was representing audit. And I was co-presenting. So historically, up to that point, I had co-presented with other auditors. And this was the first time that I was co-presenting with one of my clients. And similar to the 2009 presentation, it was somebody from development and somebody from operations sharing the stage. And my client and I had a lot of fun too. I mean, I think work should be fun. I love having fun when I work. So us having the presentation and you could tell we had a great relationship. We had a lot of fun doing the presentation that really paralleled with that.

And then with the 2009 presentation, the two presenters, one from development, one from operations, talked about how at their organization they were able to break down those silos, break down those barriers, have a common objective and work together. Very similar to what my client and I were explaining in our presentation, too. So auditor, audit client, typically butting heads, not getting along super well or just tolerating each other to get through an audit. And we talked about how we worked as one team. So it wasn’t the auditor team and the client team. It was one team. The team. And we were very specific when we would say, very intentional when we would say, like the team, all of us, not, you know, you over there and us here, we were one team.

We did have our separate reporting structures, as is needed for us as auditors to maintain our independence. But that doesn’t mean we cannot work together closely as one team. We worked so closely together to make sure that we were aligned on what our common objective was. And it was to provide and get insights about the most important things in that particular area. So really, those two primary differentiators were the huge parallels between the two.

[00:25:04] Segregation of Duty

Henry Suryawirawan: You mentioned something about different reporting line, right? So I think in the world, we always have this thing called segregation of duty. Maker and checker. I think that is also what happened before the DevOps world where someone needs to have like a different, maybe a like access control or approval before some change can go into production. I think similar thing in audit as well. So how do you see this segregation of duty now with your auditing with agility concept?

Clarissa Lucas: Yeah, this is a common question, and this was one that really sparked me getting into these DevOps Enterprise Summits and presentations. So the question that we would get, that I would get from my clients is, how do I pass an audit when we’re using DevOps and we’re not doing segregation of duties through the access controls or how we historically would? And I mean, this was kinda my first view into the misconceptions. Like there’s no passing an audit. I don’t have a pass/fail. I don’t have like a big green check mark to provide at the end of an audit.

But then also thinking through segregation of duties and being new to the role, I, and I still, ask very elementary questions, which turned out to be a strength of mine and something that has added value. But here I am a couple days into my new role leading technology audit and I was like, why do we segregate duties?

And the first answer was, cause the auditors told us we had to. And I’m like, oh, try again. Don’t do things just because auditors tell you. If you don’t understand why we’re telling you to do something, challenge us because you should never do something just because the auditors want you to do it. The auditors should be able to explain, we want you to do this because here’s the risk. And you need to control that risk in accordance with your risk appetite and tolerance.

So when we really started peeling back the layers of why do we segregate duties, we started thinking about things like, we wanna make sure that somebody doesn’t introduce something into production that’s going to do bad things. Making it like super not technical, so bear with me there. So I’m like, okay. So historically, we have managed that risk by not letting the same person push their stuff through without having somebody else give the okay. We’ve segregated duties. So then I challenged the group and was asking, okay, what else could we do? To manage that risk without having two separate access lists.

And that’s when we really started understanding, okay, well maybe we could have automated checks and I can push my stuff through and it’ll go through only when this automated test says it passes all these things. The same thing that a human would do when they’re looking at the code, the change or whatever it is. If this automated test, it passes that test, then it goes through. And essentially, you’ve segregated the duties, not between two people, but between the person wanting to promote the code, the developer, and an automated test. So that was one example.

There’s other examples, but it was really about thinking through getting rid of that checklist of we need to look for a segregation of duties, working with our clients, understand what are you trying to accomplish? We’re trying to make sure things get into production, so that we can help serve our business. What could go wrong? What are the risks? We could get something in there that does bad things, either intentionally or unintentionally. People make mistakes. Okay, what can we do or what ways can you manage that risk? And what ways do you manage that risk?

So instead of walking in and saying, I need to see segregation of duties, give me your access lists, and you give me your access lists, and I tell you, well, these people have access to do both. You’re like, why no, it’s set up that way. Like, that’s a waste of time. Instead, we’re understanding what you’re trying to accomplish, what can go wrong? How you’re controlling that risk, how you’re managing that risk, and then we test that.

So then instead of looking at the access list, we’re gonna look at how is this test set up, this automated test set up? How’s it designed? Is it designed the same way to look for the same things that a peer reviewer would? Or, you know, in a world where those duties are segregated. And then is it operating the way that you think it is? So it’s supposed to identify these things and not let it go through to production if it doesn’t meet these criteria, is it doing that? Is it letting things through when it’s supposed to? So if it passes all of these tests, it’s supposed to go to production. We would test that.

And that’s gonna provide a lot more value than to your earlier point, us handing you a report that says you don’t have segregation of duties in place. What are you supposed to do with that? Not something you’re hanging on your fridge.

Henry Suryawirawan: Right. I really love when you said in the beginning that we just follow whatever auditor said. Sometimes that was what happened. I think in most of the client situations, we just follow whatever auditors say because maybe they come from a compliance point of view or they come from a standardized practices and things like that. But always ask or maybe challenge, right? Why need to do certain things. Because sometimes the context is different. And like you said, probably we could do a better way instead of just following word by word what the auditor said.

Clarissa Lucas: Or maybe you are doing it in a different way. So maybe the finding is you don’t have duty segregated, but you do have these automated tests in place. So instead of having a finding or an audit report that says you have to segregate duties and just now segregating duties, you can educate your auditors on: this is how we’re managing that risk. Let me walk you through this. So yeah, I just wanted to point that out too.

Henry Suryawirawan: Yeah, I think it all comes back to the controls that you want in place, right? So not necessarily the technique or the tactics, right? Whatever that is.

Clarissa Lucas: How you’re managing that risk and bringing your auditors along so that they understand it.

[00:30:21] Auditing with Agility & Value-Driven Auditing

Henry Suryawirawan: Right. So let’s go to your, in depth about your concept Auditing with Agility. You mentioned there are three values. So the first one is value-driven auditing. Second one is integrated auditing 2.0. It’s interesting, there’s a 2.0 there. And adaptable auditing. So maybe if we can just go through, skim some of them one by one. Value-driven auditing. What do you mean by this?

Clarissa Lucas: Yep. So this is, it gets back to that point and solves that problem of you getting a report that’s an audit report that’s not valuable to you. So value-driven auditing is really going to make sure that the audit scope, so what the auditors are gonna look at and what they’re gonna do is gonna add value to the organization. So it’s gonna be anchored back to what’s most important to the organization and its key stakeholders, which include the audit clients. So we’re gonna look at where are the biggest risks or where are the greatest opportunities too? So there’s risk in not doing things and there’s risk in doing things. So value-driven auditing is really just anchoring back to what is gonna add the most value to the organization and focusing the work there.

And we do talk through a number of practices that you can implement to achieve that value-driven auditing. But I first just wanna focus on like, what are those three core components? Let’s define those and then we can dive into some that I think the audience today are really going to benefit from. So, yep. Value-driven auditing first. I know you mentioned integrated auditing 2.0 and we’re interested in the 2.0 piece of that.

So, in the auditing world, it’s probably been more than a few years ago, but audits used to be performed, you’d have a compliance audit, you’d have an operational audit, and you’d have an IT audit. And then those would all be delivered separately or they’d stitch them together at the end in one report, but all the work would be performed separately. So the auditing profession started doing what’s called integrated auditing, and you would have all of those auditors on the same audit. So each audit would have a compliance, operation, and IT lens, which really helped, again, breaking down those silos within the audit function and provide a more holistic view, a better view of the environment than the separate audits being stitched together. That’s not what I go into in the book. That should be a given right now. We should all be there.

So what I mean by integrated auditing 2.0 is it’s kind of taking that to the next level. And what we do here is we’re integrating audit work with our audit client’s work. And we still maintain that independence. I know that’s a question I get a lot from auditors is like, how can we do this and still be independent? There’s plenty of ways that we can do that and still be independent. Even the Institute of Internal Auditors who is our governing body, they set the standards for internal auditing, they tell us that independence doesn’t mean isolation. So you don’t have to have working silos. We still have that different reporting structure. We still maintain those decision rights. But what we focus on with this 2.0 version of integrated auditing is integrating audit work with client’s work.

The third component is adaptable auditing. And this is where we build in the ability to respond to change. So we’re gonna have a flexible process to audit. Instead of this strict framework, we’re gonna be able to pivot. We’re gonna be able to understand when we should stop auditing. So with our old audit waterfall approach, we would have our plan and we would go heads down and execute it and not come up for air until the end. And we really miss opportunities to determine, do we still need to go down this path or do we know enough to deliver now and get out of our client’s hair and move on to something else. So adaptable auditing is where we have that flexibility, the ability to respond to change, which is super important in today’s crazy fast changing environment.

[00:33:52] Integrated Auditing 2.0

Henry Suryawirawan: Thanks for a quick overview of the three values of the auditing with agility. So, like you said, right, the first that piqued my interest is actually the integrated auditing. Regardless, 2.0 or not, right, because I don’t know the history of auditing. So specifically you mentioned that integrating audit work with the client’s work, so does it mean that auditors now have a place in the team? Like you have a dedicated auditor as part of the team that instead of thinking about business stories, right? We call stories in the tech world, business stories or business requirements. But you also have a, like an audit, kind of a stories, audit requirements as part of the work. Maybe tell us a little bit more on that.

Clarissa Lucas: Yeah, there’s a bunch of practices that you can implement and here is where I think the audit clients have a huge opportunity to influence a better audit experience. So a lot of people think, okay, beyond agile auditing, this is primarily for auditors to read. It’s got two primary audiences, both auditors and clients, because just like DevOps, the developers couldn’t do DevOps by themselves. Neither could operations. They both needed to go and implement those concepts. It’s the same as here. And integrated auditing I think is a great place for clients to start and start influencing that experience.

So, you mentioned in the question, do you have a dedicated auditor? You could. But you also don’t know, you know, that the type of work, you don’t know when it’s gonna be there and when it’s not. So there’s some things that we can do is, like my clients know that they can call me anytime with questions, and they do. I’ll get a random ping on a Tuesday afternoon, “Hey, do you have a minute for a quick call?” And they’ll call me up, “Hey, I’m going through this. I wanted to get your thoughts on should I think about it this way or that way?” Or, you know, they’re looking for advice, and I can give that advice. And then they go on their way and I go on my way. So it’s not a full-blown audit. Being able to just call somebody up and get that realtime feedback from them is super helpful.

And that’s part of the integrated auditing feedback loops. So regular feedback loops, realtime feedback loops, those are probably the most straightforward thing that I can think of for clients to start implementing. That is, you know, you don’t have to wait for the auditors to reach out to you. You can implement, you can start a feedback loop. So you have a question for your auditor, call them up. And it might be intimidating, especially at first, if you don’t have that working relationship with them yet and you’re afraid this is gonna trigger a huge audit and it’s gonna be a bunch of extra time spent.

You could start by figuring out what do you need from an audit? What do you need from your auditors? And set up coffee with them. Virtual coffee. Real coffee. I love coffee. So, you know, it’s one of my favorite things. But just start that feedback loop of, hey, we had this audit, or I know we’ve got this audit coming up. I’d love to see us do this in it. I’d love to see a focus on this particular area, or you know, what’s really keeping me up at night? This. Can we spend some time talking about that? Or even if you don’t have an audit coming up, just here are some things that I’ve got questions on or I’d love to see from my auditors.

Feedback can even be, I’ve had clients reach out to me and say, I’d love you to attend our ops review meetings so that you can help us stay on top of the open findings we have. Because we sometimes lose sight of those. Sure. Absolutely. Not only am I connecting with them and providing them information on open audit findings, but I’m also learning more about what’s important to them. So I have this idea of what I wanna audit in that space, but they’re spending all this time and all this money on this one thing. Hey, could you use some objective advice as you’re building that out? And yeah, that’d be great.

So feedback loops are super, super helpful. Another thing about feedback loops is if you don’t provide feedback to your auditors on what a better audit experience looks like, they’re not gonna know to make a change. Or they might know that they should make a change, but they might try a bunch of things that aren’t what you wanna see. So feedback loops are super important.

Another one that I wanna highlight in this integrated auditing space that is, I get so excited about this, it’s integrated planning. So you also mentioned, and I keep anchoring back to this because the concepts that you’re bringing up, the challenges that you’ve brought up, you are so not alone. I bet if you asked your audience today, how many of them experienced some of these same challenges that you’ve experienced, most of them who have interacted with auditors have probably experienced it too. So, we talk about getting an audit report that doesn’t help you. It’s focused on the wrong things, it doesn’t really add value.

A great way to overcome that challenge is through integrated planning. And that’s where we’re gonna work super closely together. So Henry, and I’m gonna come audit you. We’re gonna work closely together. And we’re actually gonna build out the audit scope together. So I’m gonna be still independent, because I get the final decision rights. If I say I wanna look in this closet, and you say, no, no, no, you don’t need to look in that closet, but I still think I need to look in the closet. I’m going to look in the closet. But if you’re also saying, hey, you know what? This is great, but what I’m really worried about or what I really need to go right is this area over here. Let’s spend some time there. And let’s identify, so let’s work together to identify what’s most important to you.

What can go wrong with that? Cause I have my own ideas about it. Generally they’re aligned, but it’s so much more helpful when I get that confirmation from you or maybe you help me think about it in a different way, like, hmm, yeah, that’s really not when we go back to segregation of duties, you know? I may come in without integrated planning and say like, gimme those access lists. And you’re like, I mean, I could do that, but you help me understand. You know, I’m always thinking, well, we’re looking for bad actors and that’s the risk. And you’re like, well, yeah, but actually mistakes happen more often than intentional bad code. So you can help me understand what those risks are and how they actually might manifest in your world.

And then integrated planning, instead of me saying, okay, I’m looking for a segregation of duties control, which doesn’t exist because that’s not the way you’re doing things. You’re gonna tell me how you manage that risk. And how you manage that risk, let’s say it is through those automated testing. Great! So now we’ve just saved ourselves a ton of time, because now I understand what’s really important to you. I understand those risks and what can go wrong. I understand how you control it.

And then you can help me. You’re saying, okay, you know what, here’s what I can provide you that will show you how those automated tests are set up. And then if you wanna sit with me tomorrow, I can run through and I can send something through that’s supposed to fail and send something through that’s supposed to pass and we can get this test knocked out in a day. Great! Way better than going back and forth, getting confused, getting frustrated and handing you a report that tells you you don’t have duty segregated. You know that. That was intentional.

So I know I went on about that. This is something I’m super passionate about, but I really think that integrated planning and those feedback loops are something that audit clients can start doing today and really, really have a much better experience with their auditors.

Henry Suryawirawan: Thanks for sharing explicitly what happened in these kind of situations. I think it’s always great to hear from the auditor’s point of view, it’s not just from the client’s point of view. And I like the quote that you mentioned earlier, right? Independence doesn’t mean isolation, right? So let’s integrate together. Talk about the plan, the audit scope together. Like sometimes what happens is when we get audited, we just follow whatever scope they have. We wait a couple of times, they go and ask us questions, we answer, go back and forth, and they’ll come up with reports, right? So instead of doing that, I think we could do much better by doing this integrated auditing 2.0.

Clarissa Lucas: I would say real quick with that too is we’re both aligned on the same goal. So I don’t wanna hand you an audit report that means nothing to you. You don’t wanna receive an audit report that means nothing to you. So it’s not just helping you, it’s helping the auditors too. And that’s why it’s super important for us to work together to make sure that we are both at the end producing this report that’s gonna add value to the organization.

Henry Suryawirawan: Right. And it would be best if both the clients and the auditors at the end, actually, like the reports that they produced. They rave about it together, just like what you did in the presentation.

[00:41:33] Adaptable Auditing

Henry Suryawirawan: The other value that I think I’m very interested in is you mentioned about adaptable auditing. In many of the audit process that we do, actually, is following some compliance framework, certifications. And they do have a lot of checklists, a lot of areas, a lot of scope, we mentioned. So how can we be more adaptable? Like be flexible, know what to audit, when not to audit. So I think this is very interesting as well for people who normally go through audit by following compliance.

Clarissa Lucas: Yeah. And part of that starts with the value-driven. So focusing on what’s most important. But then when it comes to the adaptability, so you have that stuff, how do you build in the ability to change and pivot? Really prioritizing your work, so breaking the audit scope up into manageable pieces and limiting how much you’re focused on at a time is something that really helps drive adaptability and it’s something that clients can influence as well. So instead of going in and saying, we’ve got these 12 controls that we’re gonna look at, or these 12 compliance requirements we’re gonna look at, and we start looking at all of them at once, we’re gonna figure out what is most important.

So when it comes to compliance, certain things are gonna have larger fines and larger impacts than others. If it’s gonna be a fine of a dollar every year, yeah, we wanna comply with it, but, do you need audit to tell you? Like this, that’s not a good use of anybody’s time. And I know I’m over exaggerating here, but bear with me. So if there’s something that’s gonna cause millions of dollars in fines on a frequent basis, and there’s a decent chance of that, you wanna focus on that. So prioritizing that instead of starting everything at once.

So we’re looking at something that’s gonna be a dollar and a fine and something that’s gonna be a million dollars, and getting pieces of that and keeping those all going in process throughout the entire audit, you’re gonna limit what you’re doing at a time. And that is gonna give you results sooner too. And then with those results, we can pivot and say like, have we done enough? Have we audited enough? Have we learned enough? So focusing on those areas that are most important, knocking those out first.

And this is a concept, I mean, a lot of these concepts should seem familiar. They should be things that you and your audience do already in your own daily work. So you’re really well positioned to help your auditors. Pick these up and you can teach them. So limiting what we’re doing at a time, picking it up, doing it, delivering it, starting another thing.

And that helps with our clients too, because then you’re not doing all that context switching. I’m not asking you about compliance with this piece of something and then over here and then taking you back to that and where were we with that. So that’s really something that can help us deliver those results sooner. And then we think through, okay, now we’ve done these four things. Do we need to keep going? What value will we get by completing the rest of this audit? If the answer is not that much and it’s not worth it, then we stop. Because there could be something else.

Like, if we look at all these other things that we initially thought we were gonna look at, which is have to do when everything’s in process at the same time. So while we’re limiting that, that gives us that opportunity to pause and think about, should we spend our time collectively, everybody, not just the auditors. Should we spend all of our time finishing this or is there something else out there either in your space or a different space that is more important that we should pivot to?

So I think that’s a really good way to drive that response to change. And that’s something that as a client, you can help with that, help them help your auditors with, you know what, I think you’ve provided us enough assurance. I think this is good. The value we’re gonna get out of this is minimal. Like, let’s pivot to something else.

Henry Suryawirawan: Perfectly makes sense, right? Because, I mean, in the tech world, we are so familiar with the agile concept, lean concept, right? These things definitely make sense. And I think one more key from my point of view is also don’t do this auditing when the certain time comes, right. So for example, if you have a yearly requirement to do audit, then you only do that close to the time. So I think you can’t do this definitely, right? Because you have to complete all the checklists in one go. So I think maybe doing it also throughout the time, in small iterations, deliver value and pivot along the way. I think that may be also a great way to have this flexibility in terms of auditing.

[00:45:32] Extending to External Auditing

Henry Suryawirawan: So we discuss a lot about internal auditing. So how do you see the external auditing part? Because these are different type of people. They may not come from the same organization. Maybe the values may not be aligned. So is there anything, any message that you wanna give for external auditors as well, or for clients who are dealing with external auditors?

Clarissa Lucas: Yeah, I would absolutely love to see external auditors leverage these practices too. So the book is focused on internal audit practices, because that’s where my background primarily is. And there are different standards that external auditors are held to, and I’m not quite as familiar with those, but I would love to have a conversation about what are those requirements and how can external auditors also leverage these concepts so that they’re also not feared. And so that they’re better positioned.

So by leveraging all of these concepts, driving by value, integrating into the client’s work, and being adaptable, those are gonna set the auditors external and or internal up for better success. Like I mentioned, we’re gonna be focusing on the right things. We’re gonna be not wasting our time or your time. Those are all things that the external auditors can benefit from as well.

So I absolutely, I’d love to learn more about what those standards are that they’re being held to, and work with them to figure out how they can leverage these practices to not be feared; to have better working relationships while maintaining they have even more of an independence requirement than we do. And, you know, find efficiencies, add more value. I just think it would be great for them as well.

Henry Suryawirawan: Right. And it will be great if all conversation with auditors is like this, very friendly, and we are collaborative, so I do hope that happens. Yeah. In all the auditing experience that everyone is having. So thank you so much Clarissa, for explaining this concept, auditing with agility. I learned a lot, and I probably have some perspectives changed after you, you know, give some insights about better practices for auditing.

[00:47:26] 3 Tech Lead Wisdom

Henry Suryawirawan: So, as we go to the end of our conversation, I have one last thing that I would like to ask you, which I call three technical leadership wisdom. Think of it just like advice that you wanna give to the listeners so that they can learn from your expertise or your experience. So would you be able to share the version of your three technical leadership wisdom?

Clarissa Lucas: I would love to. So first, auditors are not your adversaries. They should not be out to get you. They actually should be a valuable resource for you to be able to leverage. So, absolutely first thing I want people to walk away with is that I want you to run to your auditors, not from them. And I know that’s gonna take some work. But keep that in mind, we’re not out to get you. We wanna help you.

Second is, this is a journey. So it’s not like laying a Scrum framework onto an audit process. It’s not a, you know, these five steps and boom, you are agile. It’s a journey and you and your audience probably know this from your own experiences in these better ways of working. So that’s not an unfamiliar piece of wisdom to all of you. But the way that you really get started on this journey is by figuring out what’s most important to you. You know, you’re not gonna apply everything in the book all at once. You got to start small, so figure out what is the most important to you. Is it getting more value out of that audit? Is it being able to respond to change? I’d love to ask people, if you had a magic wand, how would you use it to improve the audit process and what would that look like? So that’s what you’re gonna start with.

And third, I would have each of you reach out to your auditors today. Connect with them. So, if you’re in the middle of an audit, pause to go, again, coffee is kind of my go-to. It’s like my peace offering. Get coffee, just set up a virtual chat. Start building and strengthening that relationship. And then provide them feedback. So we talked about feedback loops. Activate a feedback loop. So let them know now that you know if you had that magic wand or what it would look like, what’s most important to you? Tell your auditors. Open that feedback loop. Ask how you can help.

And I know I’m expanding like kind of into three A, three B, but I mentioned this earlier, that many of you have a lot of experience with these better ways of working, and auditors typically don’t. This is something new for auditors, for a lot of us. So coach your auditors. Tell them, hey, you know what? I really think it’d be helpful if you created a task board. I can show you how to do that because we use Jira and this is how it, it’s been working for us. Or maybe you love standups. Hey, why don’t you join some of our daily standups and you can provide your audit status there instead of having a separate meeting? Or why don’t you join into this meeting? So coach your auditors. You are the experts in these better ways of working. Teach them. That’s also gonna help build those relationships and keep those feedback loops going.

So those are my three and a half pieces of wisdom.

Henry Suryawirawan: Okay. The third one, maybe I would also call it auditors are human too. So maybe connect with them, right? Don’t treat them as like robots that just follow checklists. So they are humans as well, and they help us to get the same value, the same goal for the organization.

So thank you so much, Clarissa, for this chat. So if people want to connect with you or they wanna ask you questions, is there a place where they can find you online?

Clarissa Lucas: Yep. So I would ask everyone to check out my website, clarissalucas.com. I have a newsletter where I send out content that’s helpful for both auditors and audit clients, trying to help everyone have a better audit experience. And then I’m also on LinkedIn as well.

And Henry, I really wanna thank you for having me here today. Love getting in front of your type of audience so that people don’t have to fear their auditors, you know. I want auditors and clients to get along and really, really appreciate you having me on here and giving me the opportunity to share.

Henry Suryawirawan: No worries. So I am probably the first person who will not get scared to be audited.

Clarissa Lucas: Yeah, I love it.

Henry Suryawirawan: So thank you for the insights that you give in this episode. Clarissa, thank you so much for the time again. So I hope people get enthusiastic about their next audit experience. And also for auditors, maybe you get a few lessons from here that can change your practices, so thank you again for that.

Clarissa Lucas: My pleasure.

– End –