“It is not the strongest or the most intelligent who will survive but those who can best manage change.”
― Leon C. Megginson, author of Small Business Management
Though these words are often misattributed to Charles Darwin, Megginson’s concept of “survival of the fittest” is most applicable in this time of increased Cyber hostility.
CMMC (Cybersecurity Maturity Model Certification) is a unified standard for cybersecurity across the defense industrial base. Maturity Levels 1 or 3 will be required for entities to continue doing business with the United States Department of Defense on some contracts as early as June 2021. Adopting Agile Audit practices will help Audit and Compliance teams effectively attain and maintain CMMC Maturity Levels.
Most Internal Audit Teams currently follow a phased process that flows from Planning and Scoping to Fieldwork, Reporting, and then Follow-Up. This phased process results in a big batch of audit results dropped on stakeholders via a draft report for comments and a corrective action plan. The stakeholders then begin extensive work as detailed in the corrective action plan.
Before CMMC became the effective standard, the “big batch approach” was acceptable; corrective action plans known as a Plan of Actions and Milestones (POA&Ms) were created to prioritize and monitor the progress of remedial efforts related to addressing security weaknesses over time. CMMC put an end to the POA&M for Department of Defense contractors because DOD audits revealed that the items documented in the POA&Ms were often never completed.
Now, when a Certified Third-Party Assessor Organization (C3PAO) performs a CMMC audit, it is pass or fail. This all-or-nothing approach puts significantly more pressure on the Internal Audit Teams with the assistance of CMMC Registered Practitioners to identify these problems promptly. Any deficiencies found must then be addressed before the formal audit is performed by the C3PAO.
For example, CMMC Maturity Level 1 has 6 Domains and 17 practices that the organization must perform consistently. All of the 17 Level 1 practices or 130 Level 3 practices that are found to have shortcomings must be addressed promptly before the C3PAO audit….or the contract award is at risk.
Operations Management Teams and Agile Teams have shown time and time again that the more work that is in progress at any given time, on average, the longer all work will take to complete ( Little’s Law). Traditional Audit teams may have assigned as many auditors as they had available to an audit team. Each team would focus on a different set of the 17 practices, with very little feedback solicited from stakeholders until very late in the effort. Audit crossover is thus also likely to occur with traditional audit approaches. This is when a team of auditors working independently on separate test controls descend on an auditee/stakeholder all at once while performing their fieldwork. The result is to overwhelm the stakeholders, causing untimely and excessive interruptions from their day jobs. Minimizing interruptions is good for everyone and will reduce frustration with the process and business impact.
Another problem with most traditional audit approaches is that due to audit crossover. Audit crossover may occur when a team of auditors working independently on separate test controls descend on an auditee/stakeholder while performing their fieldwork, which may overwhelm a stakeholder causing much frustration with the process. Typically the auditee views the audit as an interruption from their day job. Minimizing interruptions is good for everyone.
Suppose that instead, an organization encourages teams of auditors to focus their work such that they complete a test control before another is started. In that case, they will be able to provide corrective action reports for each of the practices on an ongoing basis. This focus, enabled by limiting the team’s work in progress, will allow the organization to begin remediation before the entire audit is completed. The ability to begin remediation early on becomes even more critical as an organization achieves maturity levels 3, 4, or 5.
My experience when providing Scrum training to internal auditors in banking and retail organizations was that these organizations didn’t embrace a collaborative team concept. For the most part, each auditor worked independently on fieldwork and reporting for specific controls with little collaboration with the other auditors..
If we agree that Internal Audit is a complex endeavor and Auditing Cybersecurity Compliance is even more so, would we still want to take the “big batch” approach of Scoping, Planning, Fieldwork, Closure, and Monitoring? Or would it make more sense to break the work into smaller parts to focus on one control at a time, embracing a collaborative team effort to focus on completing work on a control-by-control basis?
Does this approach to audit and compliance sound interesting to you? Applied Professional Scrum is an excellent 2-day workshop that will help your audit teams understand the benefit of using the Scrum Framework to solve complex problems. Next month, I will be offering a new Applied Professional Scrum class, adding a third day focused on building an initial Product Backlog for a CMMC Maturity Level 1 Compliance effort.
Contact me if you would like to learn more about using Professional Scrum to guide your compliance efforts!