Auditing in an environment of constant change

I have wanted to write on this topic for some time now and am finally getting around to doing it. In a sense, this is a follow-up to a previous post.

How do you evaluate controls in an environment where the only constant is change?

Agile Methodology for Software Development

In a current project, the audit stakeholder is using the agile methodology for software development. A good introduction to the methodology can be found here. Here is a short excerpt from that source:

“Most software development is a chaotic activity, often characterized by the phrase “code and fix”. The software is written without much of an underlying plan, and the design of the system is cobbled together from many short term decisions. This actually works pretty well as the system is small, but as the system grows it becomes increasingly difficult to add new features to the system…

The original movement to try to change this introduced the notion of methodology. These methodologies impose a disciplined process upon software development with the aim of making software development more predictable and more efficient. They do this by developing a detailed process with a strong emphasis on planning inspired by other engineering disciplines – which is why I like to refer to them as engineering methodologies… The most frequent criticism of these methodologies is that they are bureaucratic. There’s so much stuff to do to follow the methodology that the whole pace of development slows down.

Agile methodologies developed as a reaction to these methodologies. For many people the appeal of these agile methodologies is their reaction to the bureaucracy of the engineering methodologies. These new methods attempt a useful compromise between no process and too much process, providing just enough process to gain a reasonable payoff.

The most immediate difference is that they are less document-oriented, usually emphasizing a smaller amount of documentation for a given task”

Some of the basic tenets of this methodology are the following: 

– Principle based vs. rule based; 

– People centric vs. process centric; 

– Communication verbally vs. via documentation, and

– Software development is a creative process and therefore not easily planned.

Based on the description and origin of the agile methodology, it does not appear that this methodology and the formal aspect of ‘controls’ marry well. The excerpt below makes this point with regard to monitoring and quantitative analysis of results:

“Unfortunately there are commonalities among some agile methodologies that may be less than positive. One is that unlike more classical iterative methods, explicit quantitative quality measurements and process modeling and metrics are often subdued and sometimes completely avoided.” (agile method introduction)


What is an auditor to ‘audit’ in this kind of environment? 

*Governance is key*

The aspect of governance is critical and is a good starting point for understanding the control environment.

It seems like the theme of ‘governance’ has come up front and center in some of my most current projects and I will expand upon this theme in a future blog post. See Norman Marks’ blog for a good introduction on ‘governance’.

For now, here are some of the key questions specific to governance in a context and environment of constant change. 

1. Is there a clear governance structure to monitor and evaluate activity?

2. Are objectives clear? 

3. Is there transparency and accountability about progress towards achieving objectives? 


“Letting go of predictability doesn’t mean you have to revert to uncontrollable chaos. Instead you need a process that can give you control over an unpredictability. That’s what adaptivity is all about. So how do we control ourselves in an unpredictable world? The most important, and still difficult part is to know accurately where we are. We need an honest feedback mechanism which can accurately tell us what the situation is at frequent intervals.” (Martin Fowler blog)


“All aspects of project governance can be understood in terms of requirements. Progress reporting and cost estimation all depend on how successful the team has been in delivering appropriate functionality in each of its iterations. Therefore it is possible to express delivered functionality in terms of requirements” (Information Age article)


“The implication of the agile methodology is that formalization of the software process hinders the human and practical component of software development, and thus reduces the chance for success. While this is true when formalization is misused and misunderstood, one has to be very careful not to overemphasize and under-measure (individuals, working software, customer collaboration and responding to change) since this can lead to the same problem, poor quality software” (agile method introduction)

4. How do you measure success? 

“For agilists the question is business value – did the customer get software that’s more valuable to them than the cost put into it. A good predictive project will go according to plan, a good agile project will build something different and better than the original plan foresaw.” (Martin Fowler blog)

5. Have the right questions been asked?

6. What are the critical risks?

7. Has management acknowledged the risk and responded by deciding how to treat it (e.g. accept, mitigate, transfer/share)?

8. Is there a clear understanding of the types and levels of activity?

I have found that through this project, having these questions as a starting point has led to good insight about the governance structure. It has also given me the opportunity to provide recommendations that help mitigate critical risks and achieve objectives. 


Some good references about agile technology and identifying controls in an agile environment: 

– Martin Fowler blog

– agile method introduction paper

– Information Age article



July 2012