Agile Internal Audit Engagements: Are There Any Conflicting Roles Carried Out By Scrum Masters And Product Owners?

By Mikhail Ben Rabah, CIA, CFE, CRMA
Government Audit Manager, Presidency of the Government, Tunisia


The Covid-19 pandemic has accelerated the implementation of Agile internal auditing processes worldwide. The need of timely recommendations and quick response to emerging risks has demonstrated the limits of traditional waterfall auditing approaches, inherently prone to waste.

Hence, adopting Agile approaches and methodology was found far harder and challenging than initially assumed. One of the most common challenges/issues is human based.

It should be noted that an Agile Internal Audit Function (IAF) has a flat organizational structure in contrast to a traditional hierarchical structure with the Head of Internal Audit, audit managers and (senior) auditors. Furthermore, and like all Agile projects, performing an Agile audit requires the creation of independent, multidisciplinary teams, in which all expertise needed (e.g., IT, financial risk management, compliance) is available.

And since internal auditors are not assumed to be inherently trained in Agile methodology and techniques, especially at the start of the organization’s Agile audit project, the question then arises as to whom to assign the responsibility of leading the agile audit process in a single engagement.


Note that two key players are essential in carrying the Agile audit engagement forward: the Scrum Master and the Product Owner.

The Scrum Master

First, it needs to be remembered that an Agile Audit Engagement Process encompasses the following components:

The development of the initial audit project plan: the audit team defines the project after consulting with key stakeholders.

Sprints : (can range from one to four weeks):   time-boxed activities starting with a “sprint planning “ceremony where goals for the current cycle are identified, risks are prioritized, and testing procedures are defined. The work plan is also referred to as a “sprint backlog”. The last day of the sprint, a review meeting (i.e., “sprint review” ceremony) is conducted where observations are discussed with audit team members and other relevant stakeholders.

The sprint review ceremony represents an incremental reporting exercise and may produce an actionable report item for which the audit client will begin developing responses or action plans. The “sprint retrospective” ceremony is the last activity performed in each sprint during which the audit team evaluates its own performance in each sprint and make changes or other adjustments to improve work in subsequent sprints.

At the first beginning of an organization’s experience with Agile internal audit, audit teams have to be coached by competent trained Agile coaches who may be hired from outside the Internal Audit Department or even from outside the organization. We call these coaches Scrum Masters.


A Scrum Masteris the facilitator of a successful Agile process and his ultimate responsibility is maximizing the audit value added by the implementation of Scrum.

Some of his key roles are:

–          Ensuring that audit team members are applying the Agile principles during the whole process,

–          Ensuring that the team remains focused, makes progress and meets the deadlines in an Agile way,

–          Organizing the team work by circulating the tasks around the team members.

Consequently, and from a theoretical perspective, the Scum Master does not have to be a part of the audit team or the audit department. He is not responsible for the execution and the audit result. He does not participate in the core activities of the audit engagement (e.g., selecting audit procedures, audit testing, confirming findings, audit reporting).  

This responsibility lies with the Product Owner. In general, the Product Owner is the auditor-in-charge or the head of the internal audit department.

However, in real life, audit departments may face some challenging issues in initial stages of implementing Agile audit processes with regard to conflicting roles carried out by Scrum Masters and Product Owners. Misunderstanding, misassigning or mishandling the roles of Scrum Master and Product Owner could lead to such issues.


Potential Conflicting Roles

In a traditional waterfall auditing approach, the auditor in-charge and supervising managers are solely responsible of the engagement planning and execution phases including time budgeting, task assignment and so on. No external parties interfere with the audit process. In Agile internal auditing, the audit team members may find the new rules and time constraints introduced by the Scrum Master stressful and impeding the engagement goals. Conflicts may rise in trying to conform with  Agile rules.

According to recent surveys and studies conducted by the IIA and some leading audit companies, many internal audit departments have reported such issues at the initial stages of implementing the Agile audit approach.

Furthermore, Scrum Masters when coming from outside the IAF should be closely scrutinized for potential conflict of interest although they are not a part of core audit activities. In addition, Scrum Masters have to abide by the same principles of conduct in the audit field, especially the confidentiality principle.


A way out?

Not really. The Agile audit project  is obviously implemented and managed  through a long learning process. The only way out is that the organization gains maturity as exploiting ongoing experience acquired through different agile engagements.

As the Agile audit project moves forward, experienced auditors may be identified from Internal Audit to champion the adoption of Agile Auditing and trained in the Scrum approach. Hence, the IAF becomes self-sufficient and no further need of external Agile coaches is required.