Don't do things just because auditors tell you. If you don't understand why we're telling you to do something, challenge us, because you should never do something just because the auditors want you to do it. The auditors should be able to explain: we want you to do this because here's the risk, and you need to control that risk in accordance with your risk appetite and tolerance.

Hey everyone, my name is Henry Suryawirawan, and you're listening to the Tech Lead Journal Podcast, the show where I'll be bringing you the greatest technical leaders, practitioners and thought leaders in the industry to discuss their journey, ideas and practices that we all can learn and apply to build a high-performing technical team and to make an impact in your personal work. So let's dive into our journal.

Hello again everyone. You're listening to the Tech Lead Journal Podcast, the podcast where you can learn about technical leadership and excellence from my conversations with great thought leaders in the tech industry. If you haven't, please follow the show on your podcast app and social media on LinkedIn, Twitter and Instagram, and also video content on YouTube and TikTok. To support my work in producing this podcast and its various content, you can buy me a coffee at techleadjournal.dev/tip or subscribe as a patron at techleadjournal.dev/patron.

My guest for today's episode is Clarissa Lucas. Clarissa is an audit and risk management leader and the author of Beyond Agile Auditing. In this episode, Clarissa shared a novel approach to internal auditing called Auditing with Agility. She shared this concept at the DevOps Enterprise Summit 2022, which drew some parallels to the revolutionary birth of the DevOps movement. Clarissa explained the three core components of auditing with agility, which are Value Driven Auditing, Integrated Auditing 2.0, and Adaptable Auditing. I hope you enjoy listening to this episode and learning a new approach to internal auditing that doesn't cause you to dread working with your auditors. From my experience, I sincerely believe we need to revolutionize the way auditing is done in order to bring better value for the organization and make the experience better and more productive. If you like this episode, it will be really great if you can help me share this with your colleagues, your friends and communities and leave a 5-star rating and review on Apple Podcasts and Spotify. It will help me a lot in getting more people to discover and listen to this podcast. Let's go to my conversation with Clarissa after quick words from our sponsor.

Are you looking for new cool swag? Tech Lead Journal now offers you some swag that you can purchase online. This swag is printed on demand based on your preference and will be delivered safely to you all over the world, where shipping is available. Check out all the cool swag available by visiting techleadjournal.dev/shop. And don't forget to break yourself once you receive any of those swags.
Everyone, welcome back to another new episode of the Tech Lead Journal Podcast. Today I have with me Clarissa Lucas. She's the author of a book titled Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices. As you can tell from the title, we are going to talk about auditing. I myself have to be honest, I'm not the person who likes to be audited, nor do I know a lot about auditing. So this episode, I think, is going to be insightful for me at least. And I hope it will also give you some learning experience about how we can do audit better. So, Clarissa, thank you so much for this time. I'm really looking forward to learning from you about auditing.

Henry, thanks for having me. And you are not alone in not really being excited about getting audited. That was a big reason why I wrote the book. So I'll introduce myself, but I do want to dive into that a little bit, this part about me. One of my personality traits is I love when people get along and I struggle when they don't get along. So when people don't like the auditors to be there, they see me as the bad guy, and I get it. But those are things that I want to fix. So you're not alone in that. I am trying, one organization, one person at a time, to turn that adversarial relationship, turn that fear of the auditors, into something that's super valuable. So I am so happy that you have me on the show today. I have spent most of my career in internal audit or a second-line risk management function, so maybe not always as an internal auditor, but usually in that type of role where somebody's coming and they feel like they're being audited. I also do speaking engagements on this topic. This is something that is super near and dear to my heart, and as you mentioned, I'm a published author. My book Beyond Agile Auditing just came out a couple of weeks ago. So this has been a whole new learning experience.

A few major highlights in my career were presenting at my first DevOps Enterprise Summit, taking on my current leadership role where I pivoted my focus from individual accomplishments to people, and then publishing my book. If you don't mind, I'm going to take a couple minutes and talk through each of those because I think that'll help paint the picture for the rest of the episode today. So the first one: DevOps Enterprise Summit in 2020. I wasn't too far into my current role and I had the opportunity to speak at the DevOps Enterprise Summit, so I was new to technology auditing. Most of my career in auditing had been on the operational side, not necessarily on the technology side, but this was a new adventure for me. I love learning things and technology is really important, so I was intrigued by taking on that role. It was virtual that year, this was 2020, the start of the pandemic. Public speaking has always been a source of anxiety for me, even though that's a lot of what I do now. Learning and growth is important, and so public speaking, and I'm the only or one of the only auditors at this conference that is focused on technology leaders, really smart technology people, and I didn't have that background either. To say that it was overwhelming and terrifying for me was probably an understatement. So that virtual environment, since the pandemic was there, made that a really great stepping stone for me. It made it super enjoyable. It helped me build that confidence, which has been a stepping stone for a lot of these other types of opportunities. Another reason that that was such a pivotal moment for me was, while I was there and presenting, a lot of the questions that were coming through from the audience really opened my eyes to a number of misconceptions about auditors that led to that fear, and not looking forward to the auditors coming, and seeing auditors as roadblocks and seeing them as getting in the way of technology organizations progressing in better ways of working in things like DevOps. So it really started my journey to: I need to tear down these silos and help bring some truth to these misconceptions and help these two groups get along better. Because there was a huge opportunity to have them leverage each other instead of getting in each other's ways. Words are hard today. So that was the first turning point.

Another one was when I took on this role, so we're backing up. The first one was 2020; this is in 2018-2019. I took on this role as a technology audit leader. And I'd had leadership positions before, but I still hadn't really mastered that transition from individual contributor and focusing on getting the things done to being a leader and focusing on the people. And that shift was super pivotal for me as well and just really helped me become a better leader, both to my direct reports and in the audit role where I'm leading conversations and leading activities where there are multiple people in the room and you really have to focus on people more so than the mechanics of getting things done. So those two led to my third, which was publishing my first book. Had I not experienced both of those earlier turning points and experiences, I definitely would not be here today. The experience of publishing a book and taking on more and more speaking engagements and connecting with people that I normally wouldn't have had the opportunity to has been an absolutely incredible experience, absolutely one-of-a-kind. I love helping people, and this book has been a great accelerator to enable me to connect with people and start helping people and, like I said, tearing down those silos and shining a light on those misconceptions.

Wow, thank you for sharing your story. I think that's really great. So I myself, I'm pretty amazed that you got quite a good reception in the DevOps Enterprise Summit talking about audit. So there must be something. Maybe we'll talk about that later as well, but for people who are new to getting to know in depth about auditing, maybe we can start from there first, right? What is actually the real purpose of auditing? What is auditing, and internal auditing specifically, as you mentioned in the title, right? Is there anything that you can enlighten us about auditing here?
Yep. So a lot of people might think, OK, the purpose of auditing is to shine a light on things that are going wrong and make you look bad. I can assure you that is not what we're here to do. And the really cool thing about internal auditors is we work for the same organization that the people we're auditing do. So we are different from an external auditor, we are different from other internal assurance functions, because we do have a bit of that step back, that independence. But we are still part of the same organization. So we are on the same team. And I know that sounds like, oh yeah, yeah, you're all on the same team; I promise you we are. So the purpose of internal audit is to be independent and objective. We try not to be as biased by, you know, if you're in the weeds every day doing this, of course you're doing it great, like it's wonderful, and I'm sure it is. But there's a value that that objective perspective, that fresh perspective, can bring to those things. So our goal is to add value to our organizations. If I had to summarize it, it's to add value. And we really want to do that through partnering with our clients and bringing that fresh perspective and providing our clients with value through assurance. So letting them know the things that you rely on to go right: are they going to go right? Is there a good chance that they're going to go right? Or is something not working the way you think it's going to work and you're probably going to run into problems down the road? Or do you have the mechanisms in place to make sure that when it doesn't go right, you're going to identify that in a timely manner and be able to fix it right away so that you can achieve your objectives? That's really why we're here. None of that is to make it look bad or to ruin your day or anything like that, which is probably what some people may have experienced, unfortunately.

Right. I like when you say that you bring value as well to the organization. Of course, we are talking about internal auditors here. Yeah, external might be different, but as an internal auditor, you also work together, right, to bring value. And I like specifically in the book you mentioned that internal auditors are much better, or maybe you call them experts, in risk and control, right. So, things like when you said when things go wrong, what mechanism we should have in place, or how to make sure that things do actually go right. So I think that's also important. When we said that many people dread being audited, there must be reasons, definitely, right? I myself maybe can share some of my frustration, but maybe from your point of view first, what are some of the common challenges? Why is there a bad perception or maybe misconception about auditors?

Yeah, I think when things go wrong, people are always looking at, where were the auditors here? So you know that sometimes would put the auditors on the defensive of, we have to look at everything so that we don't get those fingers pointed at us. I also think
it's gotten potentially worse in the past few decades because we used to show up with checklists: here's what we're going to audit. And things didn't change very often. So a checklist that you dust off every year and do the same testing was effective for those purposes. But that is absolutely not the world we're living in today. Things change so quickly, so when auditors show up with that checklist and do the same thing that they did last time they were there, clients are like, this is not helpful, like that checklist is so outdated and they're not digging into what's really important to me. Or maybe they are, maybe the checklist is still focused on those areas, but the auditors might have their heads down and are just focused on executing that checklist. And like when I mentioned moving from that individual contributor to this role, like focusing on executing versus understanding people and understanding their processes and what's important to them, we needed to make that shift. So I think, you know, with the rest of the organization keeping up with the pace of change and modernizing their ways of working, modernizing their technology and their processes as well, audit kind of got left in the dust for a little bit. And that I think also created some of those challenges and barriers. And then, yeah, somebody's just going to show up and throw some unplanned work on your plate. That's not going to add any value. I don't blame you for not being thrilled that they're there. I mean, if somebody walked in here today and is like, do all this work that's not going to help you at all, and you still have to get your other stuff done, I wouldn't be thrilled either. I'd be fearing or, you know, dreading, like I think you said, some of that person showing up. So I think those are some of the things that have led to that strained relationship, I'll say.

Right. So when I read the, I think, the first few chapters in your book, you mentioned also common challenges that you frequently find from either your previous organizations or from your customers or clients. So I think when I read that, some of them actually ring true to me. So for example, the things about us versus them, the silos, I think that's the first impression that I got as well, especially if the auditors do not come from the same team, right. They are just separate, maybe reporting to a different boss, and they will just throw you a checklist: OK, we're gonna do an audit for your system or whatever. And yeah, you have to just come prepared whenever there's any findings. So that is always not good, because the first interaction itself is kind of like, maybe, many tensions, right? It's like, yes, you're policing us and we are like criminals.

Yep. Yep. And that's not our intent, although I get that, the way things have been working in the past, it feels like that, especially when, you know, you mentioned they send the checklist to you. We send sometimes, and you'll get this with external auditors as well, here's our request list. So we're figuring out what we want to audit. We talk to you a little bit, figure out what it is you do. We sit over at our desks and we create our scope for our audit. We fill out a request list and we toss that over to our clients, and it's usually written in audit terms. So you mentioned we're the experts in risks and controls. We speak in risks and controls. Most people outside of audit or risk functions do not speak in risks and controls. So it's typically in a different type of wording than our clients are used to, and they're stuck trying to figure out what the heck are these auditors actually looking for. Or even if it is clear what we're looking for, it might not actually be the documentation of the evidence that we need to test what we're looking at. So those silos really get in the way of a common understanding and really an opportunity to add value more efficiently. So I know you were going in a different direction, but I did want to point that out.

Yeah, no problem. I would also love to share some of my point of view, right, the frustrations that I have, so that we can discuss and maybe other people can relate as well.
The other frustration point that I have is about, for example, right, they give us some findings, but they don't seem to relate so much with the context that we are working in, or maybe that comes from an outdated version of some documents, like you mentioned, because some of these come from compliance requirements which were probably created some years ago and they may not relate, but they create that as a finding and you just have to build some kind of rationale why this is not applicable for us before they can say, OK, check. And sometimes it goes through a few rounds of, you know, back and forth before they can accept that.

Yeah. So some of that, I think, is inherent in those silos that you mentioned and not working as collaboratively together and not getting that base understanding of what is very important, what you mentioned from a compliance perspective: what are the current requirements? What are the most important compliance requirements today? Because there are so many different requirements, but what are the ones that are really impactful to you and your organization, both from a regulatory perspective and from an internal policies perspective? Because you're right, we could spend all this time over in this space to the left, but if that's not what's most important, if that's not working and we hand you a report that says these things are broken or you're not complying with these areas, you don't care. That was a waste of your time and my time. So what I talk about in the book generally is called auditing with agility, and it's a flexible approach where we break down those silos and we really focus on value. So there's three core components. The first one is value driven auditing, and that is one of the things that I think would help with, I don't think, I know, I've experienced that helping with delivering audit reports that actually provide value, because the scope of the audit is focused on what's going to add value to the organization and the clients.

I think that's the perfect segue to go into your concept, right? So explain to us a little bit more about this auditing with agility. Is this just some application of agile methodology to some other parts of non-technology? So tell us more about it.

Yeah.
So you're on the right path there. The traditional way of auditing is a waterfall approach. So that stage-gated approach that is similar to software development, waterfall in software development. You do one stage before you go to the next stage, before you go to the next stage, and you're very heads down in each of those stages. So we were finding a lot of those challenges that we talked about. We, the auditing profession, not just Clarissa and her daily struggles, but the auditing profession, realized that things were changing. This waterfall approach, strict framework that we have to do this very sequential thing in every situation, wasn't keeping up with the environment that all of our organizations were working in. So we also saw that in the technology world and business world, people were applying agile concepts and seeing success. So there was a big movement for what's called Agile auditing. Agile auditing is pretty much applying a Scrum framework to the audit process. So you've got sprints, typically about two weeks, you've got Scrum masters, daily standups, all of the things that you'll see in a Scrum framework applied to internal auditing. And just like with waterfall, it was do the same thing all the time. So do sprints all the time, do your daily standups all the time, in every situation. And some organizations found a lot of success with that. My own personal experience, I found a lot of success with that in certain parts of the organization. So auditing technology, some of my clients leveraged Scrum frameworks to manage their own work. So we were able to fit right in there and deliver our audits in sprints in those situations, and it was amazing. But there were also situations where that didn't work out quite as well. So I started thinking, you know, we started thinking, OK, do we want to do agile auditing or not? And it was very binary, like you have to pick waterfall or you have to pick agile auditing. And we were doing agile.

And it kind of dawned on me, as I was attending more conferences related to IT and DevOps ways of working and agile ways of working, reading about business agility, I was really realizing that we were falling into a trap of doing agile instead of being agile. We were looking for a framework because we're auditors. We like frameworks. We started out with checklists; it's comfortable. But again, that's not working today. I mean, it's working. It's got so many opportunities to be so much better. Like, I don't want to be the bad guy anymore. I don't want you to run from me as an auditor. I want you to call me up and say, like, hey, I've got a question. I need audit perspective. Can you help me? So, falling into the trap of doing agile versus being agile, I started experimenting with what I call auditing with agility, and it sounds very similar to agile auditing. But with agile auditing, when people hear that, they think it's a thing to do. When you hear auditing with agility, I think it's more clear that you're auditing. That's what you do. You're not changing what you do, but you're doing it with agility. It's a very minor tweak in words, but it's very intentional. It's trying to get the point out that it's not something you do. It's not this framework that you're going to cookie-cutter apply in every situation. We're still auditing. We're still providing that assurance that things are working right or that you're going to identify things when they don't work right. We're just doing that in a more flexible approach that anchors back to those agile principles instead of specific frameworks. And then it also incorporates, because I was heavily influenced by these DevOps Enterprise Summits and the talented speakers there explaining super highly technical things that most of the time were way over my head, but I was picking up a lot of their ways of working and the success they were seeing through applying that DevOps mindset.

Also, what resonated with me, and kind of why auditing with agility, I think, is, you know, really where organizations need to go, is after I did one of my presentations. It wasn't in 2020, I think it was in 2021. I started talking about applying some of these DevOps concepts to internal auditing. It was kind of the birth of auditing with agility. And Gene Kim, when I submitted my presentation for that, said he was really impressed by it, and he said this is very similar to the 2009 presentation that John Allspaw and Paul Hammond did about Flickr, and that was kind of the birth of DevOps. So this is kind of awesome, because it was the birth of auditing with agility. And we had not seen the 2009 presentation at that point. So I went and I watched it and it was so cool to see. It was the operations team and the developers; they're not getting along and they're not incentivized to do the same thing. They're incentivized kind of to get in each other's way, very similar to audits and clients. You know, clients are trying to do their thing, and here come the auditors getting in their way, and we're just trying to get an audit report out, but management's doing these things and not sending us the right things that we're requesting. So it was really, really cool to see those parallels, and then how DevOps got the two of those groups who historically didn't work so well together to work together. That's what I'm trying to do with auditing with agility: trying to get auditors and clients to get out of each other's way and work together and help each other. That was a long, long explanation.

Right. I think that's really exciting, especially, again, coming back to you mentioned about DevOps Enterprise Summit, right. I think that also piqued my interest when I read your book, the parallels between your presentation and the 2009 John Allspaw presentation, the first moment where we all got introduced to DevOps, you know, so many deploys per day and things like that. So I really love the parallels that you bring here, which brings us to the concept of why DevOps is needed. So traditionally, in the first place, right, people try to create a silo between development and operations, and the functions actually are kind of different if you look from the traditional perspective. One is to introduce more change; the other is to actually control change. I believe this is the same thing that happens in the audit and the clients, let's call it client as well. So the client always wants to do their own business, you know, introduce change, create new products, create new systems, whatever that is, while audit tries to manage the risk, the control and things like that. So when you took these parallels, right, what would be some of the interesting things that Gene saw in your presentation that probably will become a birth of something new in the future?
Yeah, a lot of it was, so in my presentation there, I was representing audit and I was co-presenting. So historically, up to that point, I had co-presented with other auditors, and this was the first time that I was co-presenting with one of my clients. And similar to the 2009 presentation, it was somebody from development and somebody from operations sharing the stage. And my client and I had a lot of fun too. I mean, I think work should be fun. I love having fun when I work. So us having the presentation, and you could tell we had a great relationship, we had a lot of fun doing the presentation, that really paralleled with that. And then with the 2009 presentation, the two presenters, one from development, one from operations, talked about how at their organization they were able to break down those silos, break down those barriers, have a common objective and work together. Very similar to what my client and I were explaining in our presentation too: so auditor, audit client, typically butting heads, not getting along super well, or just tolerating each other to get through an audit. And we talked about how we worked as one team. So it wasn't the auditor team and the client team; it was one team, the team. And we were very specific, we would say very intentional, when we say "the team": all of us, not, you know, you over there and us here; we were one team. We did have our separate reporting structures, as is needed for us as auditors to maintain our independence, but that doesn't mean we cannot work together closely as one team. We worked so closely together to make sure that we were aligned on what our common objective was, and it was provide and get insights about the most important things in that particular area. So really those two primary differentiators were the huge parallels between the two.

You mentioned something about a different reporting line, right. So I think in the world we always have this thing called segregation of duties, maker and checker. I think that is also what happened before the DevOps world, and someone needs to have like a different, maybe, like access control or approval, yeah, before some change can go into production. I think a similar thing in audit as well. So how do you see this segregation of duties now with your auditing with agility concept?

Yeah, this is a common question, and this was one that really sparked me getting into these DevOps Enterprise Summits and presentations. So the question that we would get, that I would get from my clients, is how do I pass an audit when we're using DevOps and we're not doing segregation of duties through the access controls or how we historically would. And I mean, this was kind of my first view into the misconceptions, like there's no passing an audit. I don't have a pass/fail. I don't have like a big green check mark to provide at the end of an audit. But then also thinking through segregation of duties and being new to the role, I, and I still, ask very elementary questions, which has turned out to be a strength of mine and something that has added value. But here I am, a couple days into my new role leading technology audit, and I was like, why do we segregate duties? And the first answer was, because the auditors told us we had to. I'm like, ooh, try again. Don't do things just because auditors tell you. If you don't understand why we're telling you to do something, challenge us, because you should never do something just because the auditors want you to do it. The auditors should be able to explain: we want you to do this because here's the risk, and you need to control that risk in accordance with your risk appetite and tolerance. So when we really started peeling back the layers of why do we segregate duties?
We started thinking about things like we want to make sure that somebody doesn't introduce something into production that's going to do bad things. Megan is like super not technical. So bear with me there. So I'm like, OK, so historically we have managed that risk by not letting the same person push their stuff through without having somebody else give the OK, we've segregated duties. So then I challenged the group and was asking, OK, what else could we do? Manage that risk without having
two separate access lists. And that's when we really started understanding. OK, well, maybe we could have automated checks and I can push my stuff through and it'll go through only when this automated test says it passes all these things the same thing that a human would do when they're
looking at the code. Or the change or whatever it is, if this automated test, it passes that test, then it goes through and essentially you've segregated the duties not between two people, but between the person wanting to promote the code, the developer, and an automated test.
So that was one example. There's other examples, but it was really about thinking through, getting rid of that checklist of we need to look for segregation of duties, working with our clients to understand what are you trying to accomplish. We're trying to make sure things get into production so that we can help serve our business. What could go wrong? What are the risks? We could get something in there that does bad things, either intentionally or unintentionally.
People make mistakes, Okay. What can we do? Or what ways can you manage that risk? And what ways do you manage that risk? So instead of walking in and saying, I need to see segregation of duties, give me your access lists and you give me your access lists. And I tell you, well, these people have access to do both. You're like, why? No, it's set up that way. Like, that's a waste of time.
Instead, we're understanding what you're trying to accomplish, what can go wrong, how you're controlling that risk, how you're managing that risk. And then we test that. So then instead of looking at the access list, we're going to look at how is this test set up, this automated test set up, How's it designed? Is it designed the same way to look for the same things that a peer reviewer would? Or, you know, in a world where those duties are segregated? And then is it operating the way
that you think it is? So it's supposed to identify these things and not let it go through to production if it doesn't? Meet these criteria. Is it doing that? Is it letting things through when it's supposed to? So if it passes all of these tests, it's supposed to go to production. We would test that. And that's going to provide a lot more value than to your earlier point, us handing you a report that says you don't have segregation of duties in place.
What are you supposed to do with that? That's something you're hanging on your fridge. Right. I really like what you said in the beginning, that we just follow whatever the auditors say. Sometimes that was what happened. I think in most of the client situations, we just follow whatever the auditors say, because maybe they come from a compliance point of view or they come from standardized practices and things like that. But always ask, or maybe challenge, right, why we need to
do certain things. Because sometimes the context is different and, like you said, probably we could do it a better way instead of just following word by word what the auditor said. Or maybe you are doing it in a different way. So maybe the finding is you don't have duties segregated, but you do have these automated
tests in place. So instead of having a finding or an audit report that says you have to segregate duties, and just then segregating duties, you can educate your auditors on this is how we're managing that risk. Let me walk you through this. So yeah, I just wanted to point that out too. Yeah, I think it all comes back to the controls that you want in place, right?
So not necessarily the technique or the tactics, right, whatever that is. It's how you're managing that risk and bringing your auditors along so that they understand it. Right, so let's go in depth into your concept, auditing with agility. You mentioned there are three values. The first one is value driven auditing. The second one is Integrated Auditing 2.0. It's interesting there's a 2.0 there.
And adaptable auditing. So maybe we can just go through some of them one by one. Value driven auditing, what do you mean by this? Yep. So this gets back to that point and solves that problem of you getting an audit report that's not valuable to you. So value driven auditing is really going to make sure that the audit scope, so what the auditors are going to look at and what they're going to do, is going to add
value to the organization. So it's going to be anchored back to what's most important to the organization and its key stakeholders, which include the audit clients. So we're going to look at where the biggest risks are, or where the greatest opportunities are, too. So there's risk in not doing things and there's risk in doing things. So value driven auditing is really just anchoring back to what is going to add the most value to the organization and focusing the work there.
And we do talk through a number of practices that you can implement to achieve that value driven auditing. But I first just want to focus on, like, what are those three core components? Let's define those, and then we can dive into some that I think the audience today are really going to benefit from. So, yep, value driven auditing first. I know you mentioned integrated auditing 2.0, and we're interested in the 2.0 piece of that.
So in the auditing world, it's probably been more than a few years ago, but audits used to be performed like this: you'd have a compliance audit, you'd have an operational audit, and you'd have an IT audit, and then those would all be delivered separately, or they'd stitch them together at the end in one report, but all the work would be performed separately. So the auditing profession started doing what's called integrated auditing, and you would have all of those auditors
on the same audit. So each audit would have a compliance, operational, and IT lens, which really helped in breaking down those silos within the audit function and provided a more holistic view and a better view of the environment than the separate audits being stitched together. That's not what I go into in the book. That should be a given right now. We should all be there. So what I mean by integrated auditing 2.0 is it's kind of taking that to the next level.
And what we do here is we're integrating audit work with our audit clients' work, and we still maintain that independence. I know that's a question I get a lot from auditors: how can we do this and still be independent? There are plenty of ways that we can do that and still be independent. Even the Institute of Internal Auditors, who is our governing body, they set the standards for
internal auditing. They tell us that independence doesn't mean isolation, so you don't have to have working silos. We still have that different reporting structure, we still maintain those decision rights. But what we focus on with this 2.0 version of integrated auditing is integrating audit work with clients' work. The third component is adaptable auditing, and this is where we build in the ability to respond to change.
So we're going to have a flexible process to audit instead of this strict framework. We're going to be able to pivot. We're going to be able to understand when we should stop auditing. So with our old audit waterfall approach, we would have our plan and we would go heads down and execute it and not come up for air until the end. And we really missed opportunities to determine, do we still need to go down this path, or do we know enough to deliver now and get out of our clients' hair and move
on to something else? So adaptable auditing is where we have that flexibility, the ability to respond to change, which is super important in today's crazy fast changing environment. Thanks for the quick overview of the three values of auditing with agility. So like you said, right, the first that piqued my interest is actually the integrated auditing, regardless of 2.0 or not, right? Because I don't,
I don't know the history of auditing. So specifically, you mentioned integrating audit work with the client's work. So does it mean that auditors now have a place in the team, like you have dedicated auditors as part of the team, so that instead of thinking only about business stories, right, in the tech world we call stories business stories or business requirements, you also have, like, audit kind of stories, audit requirements, as
part of the work? Maybe tell us a little bit more on that. There's a bunch of practices that you can implement, and here is where I think the audit clients have a huge opportunity to influence a better audit experience. So a lot of people think, OK, Beyond Agile Auditing, this is primarily for auditors to read. It's got two primary audiences, both auditors and clients, because just like DevOps, the developers couldn't do DevOps by themselves. Neither could operations.
They both needed to go and implement those concepts. It's the same here, and integrated auditing, I think, is a great place for clients to start and to start influencing that experience. So you mentioned in the question, do you have a dedicated auditor? You could, but you also don't know, you know, the type of work, you don't know when it's going to be there and when it's not.
So there are some things that we can do. Like, my clients know that they can call me anytime with questions, and they do. I'll get a random message on a Tuesday afternoon: hey, do you have a minute for a quick call? And they'll call me up: hey, I'm going through this, I wanted to get your thoughts on whether I should think about it this way or that way. Or, you know, they're looking for advice, and I can give that advice, and then they go on their way and I
go on my way. So it's not a full blown audit. Being able to just call somebody up and get that real time feedback from them is super helpful. And that's part of integrated auditing: feedback loops. So regular feedback loops, real time feedback loops. Those are probably the most straightforward thing that I can think of for clients to start implementing. That is, you know, you don't have to wait for the auditors to reach out to you.
You can start a feedback loop yourself. So you have a question for your auditor? Call them up. And it may be intimidating, especially at first, if you don't have that working relationship with them yet and you're afraid this is going to trigger a huge audit and it's going to be a bunch of extra time spent. You could start by figuring out what you need from an audit, what you need from your auditors, and set up coffee with them. Virtual coffee, real coffee.
I love coffee, so, you know, it's one of my favorite things. But just start that feedback loop of, hey, we had this audit, or I know we've got this audit coming up. I'd love to see us do this in it. I'd love to see a focus on this particular area. Or, you know, what's really keeping me up at night is this. Can we spend some time talking about that? Or even if you don't have an audit coming up, just, here are some things that I've got questions on or I'd love to see
from my auditors. Feedback can even be that clients reach out to me and say, I'd love you to attend our ops review meeting so that you can help us stay on top of the open findings we have, because we sometimes lose sight of those. Sure, absolutely. Not only am I connecting with them and providing them information on open audit findings, but I'm also learning more about what's important to
them. So I have this idea of what I want to audit in that space, but they're spending all this time and all this money on this one thing. Hey, could you use some objective advice as you're building that out? Yeah, that would be great. So feedback loops are super, super helpful. Another thing about feedback loops is, if you don't provide feedback to your auditors on what a better audit experience looks like, they're not going to know to make a change.
Or they might know that they should make a change, but they might try a bunch of things that aren't what you want to see. So feedback loops are super important. Another one that I want to highlight in this integrated auditing space, and I get so excited about this, is integrated planning. So you also mentioned, and I keep anchoring back to this because the concepts that you're bringing up, the challenges that you've brought up, you are so
not alone. I bet if you asked your audience today how many of them have experienced some of these same challenges that you've experienced, most of them who have interacted with auditors have probably experienced that too. So we talked about getting an audit report that doesn't help you. It's focused on the wrong things. It doesn't really add value. A great way to overcome that challenge is through integrated planning, and that's where we're going to work super closely together.
So, Henry, I'm going to come audit you. We're going to work closely together, and we're actually going to build out the audit scope together. So I'm still going to be independent, because I get the final decision rights. If I say I want to look in this closet and you say, no, no, no, you don't need to look in that closet, but I still think I need to look in the closet, I'm going to look in the closet. But if you're also saying, hey,
you know what, this is great, but what I'm really worried about, or what I really need to go right, is this area over here, let's spend some time there. So let's work together to identify what's most important to you. What can go wrong with that? Because I have my own ideas about it. Generally, they're aligned, but it's so much more helpful when I get that confirmation from you. Or maybe you help me think about
it in a different way. Like, yeah, that's really not it. When we go back to segregation of duties, you know, I may come in without integrated planning and say, like, give me those access lists, and you're like, I mean, I could do that. But you help me understand. You know, I'm always thinking, well, we're looking for bad actors, and that's the risk. And you're like, yeah, but actually mistakes happen more often than intentional bad code.
So you can help me understand what those risks are and how they actually might manifest in your world. And then, with integrated planning, instead of me saying, okay, I'm looking for a segregation of duties control, which doesn't exist because that's not the way you're doing things, you're going to tell me how you manage that risk. Let's say it is through that automated testing. Great. So now we've just saved ourselves a ton of time.
Because now I understand what's really important to you. I understand those risks and what can go wrong. I understand how you control it. And then you can help me. You're saying, okay, you know what?
Here's what I can provide you that will show you how those automated tests are set up. And then, if you want to sit with me tomorrow, I can run through it, and I can send something through that's supposed to fail and send something through that's supposed to pass, and we can get this test knocked out in a day. Great. Way better than going back and forth, getting confused, getting frustrated, and handing you a report that tells you you don't have duties segregated.
You know that that was intentional. So I know I went on about that. This is something I'm super passionate about, but I really think that integrated planning and those feedback loops are something that audit clients can start doing today and really, really have a much better experience with their auditors. Thanks for sharing explicitly what happens in these kinds of situations. I think it's always great to hear from the auditor's point of view. It's not just from the client's
point of view. And I like the quote that you mentioned earlier, right? Independence doesn't mean isolation, right. So that's integrating together, talking about the plan, the audit scope, together. Like, sometimes what happens is when we get audited, we just follow whatever scope they have, we wait for a couple of times, they go and ask us questions, we answer, go back and forth, and they'll come up with reports, right?
So instead of doing that, I think we could do much better by doing this integrated auditing 2.0. I'd say real quick with that too, we're both aligned on the same goal. So I don't want to hand you an audit report that means nothing to you. You don't want to receive an audit report that means nothing to you. So it's not just helping you, it's helping the auditors too.
And that's why it's super important for us to work together to make sure that we're both, at the end, producing this report that's going to add value to the organization. Right. And it will be best if both the clients and the auditors at the end actually like the reports that they produce. Yeah, they rave about it together, just like what you did in the presentation.
The other value that I think I'm very interested in is, you mentioned adaptable auditing. Many of the audit processes that we do actually follow some compliance framework certifications, and they do have a lot of checklists, a lot of areas, a lot of scope, as we mentioned. So how can we be more adaptable, like be flexible, know what to audit, when not to audit? So I think this is very interesting as well for people who normally go through an audit by
following compliance. Yeah. And part of that starts with the value driven piece, so focusing on what's most important. But then when it comes to the adaptability, so you have that stuff, how do you build in the ability to change and pivot? Really prioritizing your work. So breaking the audit scope up into manageable pieces and limiting how much you're focused on at a time is something that really helps drive adaptability, and it's something that clients can influence as well.
So instead of going in and saying we've got these 12 controls that we're going to look at, or these 12 compliance requirements we're going to look at, and we start looking at all of them at once, we're going to figure out what is most important. So when it comes to compliance, certain things are going to have larger fines and larger impacts than others. If it's going to be a fine of a dollar every year, yeah, we want to comply with it, but do you need audit to tell you that?
That's not a good use of anybody's time. And I know I'm over exaggerating here, but bear with me. So if there's something that's going to cause millions of dollars in fines on a frequent basis and there's a decent chance of that, you want to focus on that. So prioritizing that instead of starting everything at once.
So instead of looking at something that's going to be a dollar in fines and something that's going to be $1,000,000, and getting pieces of each and keeping those all going in process throughout the entire audit, you're going to limit what you're doing at a time, and that is going to give you results sooner too. And then with those results, we can pivot and say, like, have we done enough, have we audited enough, have we learned enough?
So focusing on those areas that are most important, knocking those out first. And this is a concept, I mean, a lot of these concepts should seem familiar. They should be things that you and your audience do already in your own daily work. So you're really well positioned to help your auditors pick these up, and you can teach them. So limiting what we're doing at a time, picking it up, doing it, delivering it, starting another
thing. And that helps with our clients too, because then you're not doing all that context switching. I'm not asking you about compliance with this piece of something, and then over here, and then taking you back to that, and where were we with that? So that's really something that can help us deliver those results sooner. And then we think through, okay, now we've done these four things, do we need to keep going? What value will we get by completing the rest of this
audit? If the answer is not that much and it's not worth it, then we stop, because there could be something else. Like, if we look at all these other things that we initially thought we were going to look at, we just have to do them when everything's in process at the
same time. So while we're limiting that, that gives us that opportunity to pause and think about, should we spend our time, collectively, everybody, not just the auditors, should we spend all of our time finishing this, or is there something else out there, either in your space or a different space, that is more important that we should pivot to? So I think that's a really good way to drive that response to change.
And that's something that, as a client, you can help with. Help your auditors with: you know what, I think you've provided us enough assurance. I think this is good. The value we're going to get out of this is minimal, like, let's pivot to something else. Perfectly makes sense, right? Because, I mean, in the tech world, we are so familiar with the Agile concept, the Lean concept, right? So these things definitely make
sense. And I think one more key point from my point of view is also, don't do this auditing only when a certain time comes, right? So for example, if you have a yearly requirement to do an audit, then you only do that close to the time. So I think you can't do this, definitely, right, because you have to complete all the checklist in one go. So I think maybe doing it also throughout the time in small iterations that deliver value
and pivot along the way, I think that may also be a great way to have this flexibility in terms of auditing. So we discussed a lot about internal auditing. So how do you see the external auditing part? Because these are different types of people, they may not come from the same organization, maybe the values may not be aligned. So is there any message that you want to give for external auditors as well, or for clients who are dealing with external auditors?
Yeah. I would absolutely love to see external auditors leverage these practices too. So the book is focused on internal audit practices because that's where my background primarily is, and there are different standards that external auditors are held to. And I'm not quite as familiar with those, but I would love to have a conversation about what those requirements are and how external auditors can also leverage these concepts so that they're also not feared, and so that they're better
positioned. So by leveraging all of these concepts, driving by value, integrating into the client's work, and being adaptable, those are going to set the auditors, external or internal, up for better success. Like I mentioned, we're going to be focusing on the right things. We're going to not be wasting our time or your time. Those are all things that the external auditors can benefit
from as well. So absolutely, I'd love to learn more about what those standards are that they're being held to and work with them to figure out how they can leverage these practices to not be feared, to have better working relationships while maintaining, they have even more of an independence requirement than we do, and, you know, find efficiencies, add more value. I just think it would be great for them as well. Right.
And it will be great if all conversations with auditors are like this, very friendly and collaborative. So I do hope we see those things also happen, yeah, in all the auditing experiences that everyone is having. So thank you so much, Clarissa, for explaining this concept, auditing with agility. I learned a lot, and I probably have some perspective change after you, you know, gave some insights about better practices for auditing.
So as we go to the end of our conversation, I have one last thing that I would like to ask you, which I call the three technical leadership wisdoms. Think of it just like advice that you want to give to the listeners so that they can learn from your expertise or your experience. So would you be able to share your version of your three technical leadership wisdoms? I would love to. So first, auditors are not your adversaries. They should not be out to get you.
They actually should be a valuable resource for you to be able to leverage. So absolutely, the first thing I want people to walk away with is that I want you to run to your auditors, not from them. And I know that's going to take some work, but keep that in mind. We're not out to get you. We want to help you. Second is, this is a journey. So it's not like laying a Scrum framework onto an audit process. It's not, you know, these five steps and boom, you are agile. It's a journey.
And you and your audience probably know this from your own experiences in these better ways of working, so that's not an unfamiliar piece of wisdom to all of you. But the way that you really get started on this journey is by figuring out what's most important to you. You know you're not going to apply everything in the book all at once. You've got to start small, so figure out what is the most important to you. Is it getting more value out of that audit?
Is it being able to respond to change? I'd love to ask people, if you had a magic wand, how would you use it to improve the audit process, and what would that look like? So that's what you're going to start with. And third, I would have each of you reach out to your auditors today. Connect with them. So if you're in the middle of an audit, pause and go get coffee. Coffee is kind of my go-to. It's like my peace offering.
Get coffee. Just set up a virtual chat, start building and strengthening that relationship, and then provide them feedback. So we talked about feedback loops. Activate a feedback loop. So let them know, now that you know, if you had that magic wand, what it would look like, what's most important to you. Tell your auditors. Open that feedback loop. Ask how you can help. And, you know, I'm expanding, like, kind of into three, a 3B.
But I mentioned this earlier, that many of you have a lot of experience with these better ways of working, and auditors typically don't. This is something new for a lot of us auditors. So coach your auditors. Tell them, hey, you know what, I really think it'd be helpful if you created a task board. I can show you how to do that, because we use Jira and this is how it's been working for us. Or
maybe you love standups. Hey, why don't you join some of our daily standups, and you can provide your audit status there instead of having a separate meeting. Or why don't you join in on this meeting? So coach your auditors. You're the experts in these better ways of working. Teach them. That's also going to help build those relationships and keep those feedback loops going. So those are my three and a half pieces of wisdom. Okay, the third one, maybe
I would also call it, auditors are human too, so maybe connect with them, right? Don't treat them like robots that just follow checklists. So they are humans as well, and they help us to get the same value, the same goal, for the organization. So thank you so much, Clarissa, for this chat. So if people want to connect with you or they want to ask you questions, is there a place where they can find you online? Yep, so I would ask everyone to check out my website, clarissalucas.com.
I have a newsletter where I send out content that's helpful for both auditors and audit clients, trying to help everyone have a better audit experience. And then I'm also on LinkedIn as well. And Henry, I really want to thank you for having me here today. I love getting in front of your type of audience so that people don't have to fear their auditors. You know, I want auditors and clients to get along, and I really, really appreciate you having me on here and giving me the opportunity to
share. No worries. So I am probably the first person who will not get scared to be audited anymore, so I love it. So thank you for the insights that you gave in this episode. Clarissa, thank you so much for the time again. So I hope people get enthusiastic about their next audit experience. And also for auditors, maybe you get a few lessons from here that can change your practices. So thank you again for that.
My pleasure. Thank you for listening to this episode and for staying right until the end. If you highly enjoyed it, I would appreciate it if you share it with your friends and colleagues who you think would also benefit from listening to this episode. And if you're new to the podcast, make sure to subscribe and leave me your valuable review and feedback. It helps me a lot in order to grow this podcast better.
You can also find the full show notes of this conversation on the episode page at the Tech Lead Journal website, techleadjournal.dev, including the full transcript, interesting quotes, and links to the resources mentioned in the conversation. And lastly, make sure to subscribe to the show's mailing list on techleadjournal.dev to get notified of any future episodes. Stay tuned for the next Tech Lead Journal episode, and until then, goodbye.
