Signify Insights
A publishing & interactive-learning property · Philadelphia · est. 2019
VOL. II  ·  Internal Audit  ·  Agile GRC

Stop Writing Audit Plans. Start Running Value Streams.

The annual audit plan was built for a world that changed once a year. improve™ borrows from agile software delivery to keep assurance moving at the speed of the business it serves.

For most of its life, internal audit has run on an annual calendar. A plan is locked in the autumn, a fixed list of audits is marched through over twelve months, and judgment arrives at the very end, in a report nobody reads until something has already gone wrong. It is a cadence built for a slower world — one where the business changed about as fast as the plan could be revised.

That world is gone. Regulation, technology and risk now move in weeks, and an audit function that can only re-scope once a year is structurally behind. improve™ is a response to that problem: an agile operating model for Internal Audit and Compliance, built by borrowing the parts of Scrum and SAFe that actually translate to assurance work.

From a rigid plan to a running list of value

The first move improve™ makes is to retire the static annual plan and replace it with something living: a Value Proposition Listing — a continuously updated list of the areas worth auditing or inspecting, each chosen because it delivers a specific, nameable value to a stakeholder. Every item on that list is an Audit Value Stream.

Audit was never about completing the plan. It was about creating value the business can feel. The plan was just the packaging.

This reframing matters more than it first appears. A plan is a promise made in the past about a future you couldn't see. A value stream is a bet you place now, on the risk that matters now — and that you can re-prioritise the moment the facts move.

Three principles the function is judged on

improve™ holds an agile function to three standards. They are deliberately high-level, because they are meant to describe a posture, not a checklist:

  • Tech-driven. The function reaches for data and tooling first, not last — using technology to surface risk rather than to document that it looked.
  • Value-centric. Every stream has to justify itself by the value it creates, not by the hours it consumes or the boxes it ticks.
  • Growth mindset. The team treats failures as information, stays curious about where it can add value, and keeps learning rather than defending last year's approach.

Beneath the principles, the model is structured in segments — major sequences of related events the function moves fluidly between — and tasks, the core activities, tools and deliverables maintained inside each segment.

Planning the sprint is the heavy lifting

Once a value stream is judged worthy of execution, the real work begins: planning the sprint. This is where audit leaders earn their seat, and where most of the cross-functional collaboration happens — defining the stream's boundaries, people, deliverables and milestones. Four things get finalised, and skipping any of them is how value streams quietly fail:

What a sprint plan locks down
  1. Team and stakeholder assignments. A focused group drawn from both the business and the assurance function, with individual names and roles attached: a person, not a department.
  2. Ready State. The green-light date. The moment every prerequisite is met and the team is 100% ready and focused to execute. Set by the stakeholder, not assumed.
  3. Sprint iterations and KPI/KRI measures. A clear reporting structure agreed up front, with an update schedule that prevents ad-hoc status meetings from eating the value the sprint is meant to create.
  4. Completed State. The definition of done — usually acceptance of the assess-and-recommend report with management's corrective actions. It restates, one final time, the value the stream exists to deliver.

The KPI output feeds straight into continuous monitoring, which is the point: the sprint isn't a one-off event, it's a loop. The function is always either running a stream, monitoring the last one, or re-prioritising the list.

Status reporting is not value. Agree the update cadence once, then spend the saved hours on the risk itself.

The discipline most functions skip

Why it works

An agile function creates a collaborative process with the business instead of an adversarial one. It produces insight fast, develops repeatable and increasingly autonomous compliance solutions, and gives risk professionals genuinely challenging work — which is, not incidentally, how you keep good people. None of that survives contact with a rigid annual plan.

Success still depends on the unglamorous things: leaders, business stakeholders, audit and compliance committees, and senior sponsors who actually back the shift. The framework doesn't remove the need for judgment. It just stops the calendar from getting in judgment's way.
