Christopher Wright wrote the book Agile Governance and Audit – An overview for auditors and agile teams. Auditing of an agile way of working looks like an unexplored corner. There is not that much written about this topic.
Agile Governance and Audit gives a short introduction to agile, compares agile with waterfall and looks at audit and agile cultures. The author follows a project life cycle from idea towards a usable product including governance and control.
Based on an audit objective related to the position in the life cycle, you get the main risks to consider, the audit approach including a set of questions and a conclusion. The following audit objectives are explored:
- Auditing agile versus waterfall: To ensure management has adequate controls for decisions regarding the choice of approach for projects (agile/waterfall/hybrid approach) and has established the governance and infrastructure to support these approaches
- Auditing project initiation: To ensure management has adequate procedural controls and evidence for decisions regarding inception and choice of approach, business benefits, risk/compliance implication, phasing and level of governance required. A case study is included
- Auditing requirements gathering: To ensure management has adequate controls and evidence for decisions for the consistent gathering, assessment, prioritization and approval of high-level business requirements. A case study is included
- Auditing build and testing phases: To ensure management has adequate controls and evidence for decisions regarding the testing performed, and that this testing will ensure management requirements will be met
- Auditing business handover: To ensure management has adequate controls and evidence so that functionality, processes and controls can be operated effectively and maintained by the business post go-live
- Auditing agile governance: To ensure management has established an effective and efficient framework for governance of the project, with appropriate evidence being retained.
The final chapter gives some top tips for auditors as a take-away.
Conclusion: This easy-to-read book focuses on projects with an agile delivery team using Scrum, Unified Process or XP. This means, in this book, a temporary organization using an agile way of working that is close to more traditional project management. This is where we now see PRINCE2 Agile, AgilePM, DAD or PMI Agile. I would say it’s a good starting point, and it helps to get an understanding of what kind of controls you need to put in place. On the other hand, I hoped to find some audit practices regarding organizations with permanent agile teams using SAFe or LeSS or other agile scaling frameworks. In these situations, the focus will probably be on requirements/user stories/backlog items, roles, governance, decentralized decision making, DevOps, automated testing, continuous integration, continuous deployment and transition. And these areas are not covered in this book (understandable, because the book was written in 2014).
In a next post I will review another book in this area: A guide to Assurance of Agile Delivery. Please let me know if you are aware of other books in this area.
To order (Bol.com): Agile Governance and Audit