Helping Auditors Understand Agile: An Interview with Steve Nunziata


In this interview Steve Nunziata talks about strengthening the relationship between agile and auditors, shifts in mindset required to adapt agile, pros and cons of an agile perspective, his time in various roles of the agile process, and how his classic rock band incorporates agile practices.

Cameron Philipp-Edmonds: Can you start us off by telling us a little about yourself?

Steve Nunziata: Sure. I was born and raised in New Jersey, and even had the Camaro to prove it! I also spent about ten years in Portland, Oregon as a programmer and project manager, and the past several years in San Antonio, leading a project management office and working agile adoption at scale. It’s interesting—I attained my PMP certification around the same time I started working with agile methodologies, so I have always had that ‘toolbox’ of project execution practices available.

Cameron: Very interesting. So what led you to the idea of your session?

Steve: One company that I worked with was looking to aggressively expand their agile portfolio by a factor of ten. About the same time, federal auditors were coming in to review their project execution processes. Since agile was still technically in ‘pilot’ mode, no formal, documented, auditable execution processes existed! Fortunately, we were able to close that gap within sixty days, but it took a rather significant shift in mindset. My session speaks to that evolution.

Cameron: Why do auditors and regulators reject agile practices as non-compliant?

Steve: I believe it’s more a lack of understanding. Agile software development tends to be very team focused, and can appear to be a foreign country to groups on the outer margins – for example, auditors, legal, member experience, and compliance departments. These groups tend to rely on formality and more linear systems thinking, with clear bias for artifacts as evidence of process adherence. Rejecting agile ceremonies as non-compliant is evidence of artifact bias—which is necessary to break if we are to avoid layering agile practice on top of traditional waterfall ones.

Cameron: The reality is that sometimes organizations need to compromise a little on their agile practices in order to fall under the rigid guidelines that some industries operate under. What is one aspect of agile that should never be compromised? Is there one that has a little more wiggle room than the others?

Steve: I’d certainly suggest that ‘working software every iteration’ is fundamental, and should not be compromised in any way. This practice alone significantly mitigates the risk of building the wrong thing, and provides great opportunity for feedback in the product evolution. Agile is inherently a system of feedback loops, so compromising any core ceremonies and practices can have a dramatic impact. Choose wisely, Dr. Jones…

Cameron: How is describing the merits of agile to auditors different from describing it to someone completely removed from agile and the industry?

Steve: Let’s use a restaurant metaphor. We can say the auditor is like the board of health. Their objective is to grade the kitchen on sustainable practices, mitigating risks to a customer’s health. The person sitting in the restaurant is there for a good, quality meal, at a reasonable price. The diner is interested in the outcome. Ensuring the process is efficient and sustainable is the role of the auditor. Auditors don’t need to be sold on the benefits of agile—any software development methodology faces the same set of risks. The difference is in the processes to mitigate them.

Cameron: What takeaways would you like the attendees to leave with after your presentation?

Steve: We discuss the initial steps in creating an agile risk and control framework to appease audit groups and foster consistency—but I would love to have folks realize that agile is a philosophy that provides opportunity for teams to evolve and create tools and practices that support not only their goals, but those of their organization as well—auditors being just one of those satisfied constituents.

Cameron: You have more than twenty-five years in IT project management. This has given you experience with agile and waterfall influenced methodologies. Are there aspects of waterfall that you think could still hold merit in today's agile world?

Steve: Sure. For example, I don’t believe any agile methodology has a truly effective risk management process—so, for me, it became necessary to create one to augment adopted agile processes. Agile’s inherent team focus leaves external team pressures out of the conversation; the line of sight is primarily the iteration (sprint), and impediments to delivery of iteration objectives. These types of deficiencies must be remedied with traditional practices, or newly evolved lean ones, that can be more effective in mitigating project execution risks than they were in waterfall.

Cameron: Currently you're an independent consultant, which has allowed you to hold various roles such as ScrumMaster, agile coach, project manager, and a few others. How valuable has it been to hold all of these roles and how has it influenced your agile mindset?

Steve: I think I end up second guessing myself more often! Playing multiple roles has helped me to approach issues from multiple perspectives to ensure proposed solutions won’t end up negatively impacting other key roles. I have definitely gained insight into how project roles, such as Scrum Master and project manager, should collaborate to produce the best possible outcome.

Cameron: You're well established in the San Antonio agile community, facilitating monthly meet-ups and education events, but in your spare time you also play in a rock band. Does your rock band occasionally borrow influences from your agile background?

Steve: Good question! I’d have to say yes. Agility is certainly not limited to the software development space. What I see with cover bands similar to ours is that many bands use a song as a vision of the end state—they want to sound as close to the original recording as possible. This is like knowing all the requirements up front. For us, we look to get the idea of the song – what makes it work? We’ll deconstruct it, and then work to iterate and evolve it into something that sounds like Crossfire (that’s our band). Some of that is out of necessity—we only have three pieces in our band (guitar, bass, drums), and we cover songs by bands with four, five, or more instruments – but we make it work through trying different approaches, and working together. In the end, we do familiar songs in ways that no one else would have thought to do them—and I am extremely proud of that. I guess we prove a small scrum team can outperform a larger, waterfall-ish one!

Cameron: Is there anything you'd like to say to the delegates of the Agile Development Conference before they attend the conference and, of course, before they attend your presentation?

Steve: Agile supports ‘Kaizen’ —the Japanese term for continuous improvement. Come prepared to hear ideas to move your organization to the next level! I hope to see you there!

Steve Nunziata (CSM, PMP, ACP, SAFe SPC) has more than twenty-five years in IT project management, using waterfall and agile methodologies—and numerous hybrids in between. Steve’s industry experience ranges from health care, sporting goods, transportation, and insurance. For the past ten years, he has focused on agile practices and teams, fulfilling roles such as ScrumMaster, Product Owner, agile coach, project manager, and quality assurance advisor―sometimes in the same day! Steve is very active in the San Antonio agile community, facilitating monthly meet-ups and education events. In his spare time, he enjoys playing in his classic rock band and being with his wonderful family.
