Improving Internal Audit Through Technology

Your Recent History

Select Country

Language

English

Careers | About Us | Contact Us

\|	Solutions Business Operations Improvement Finance & Accounting Excellence IT Consulting Internal Audit & Financial Controls Litigation, Restructuring & Investigative Services Risk & Compliance Transaction Services	\|	Industries Consumer Products & Services Energy Financial Services Government Healthcare & Life Sciences Industrial Products Private Equity Technology, Media & Communication	\|	Insights Browse by Content Case Studies Current Challenges Events Featured Articles Flash Reports Newsletters Podcasts Points of View Resource Guides Survey Guides Live Surveys & Benchmarks Webinars White Papers Browse by Role Board Member Chief Audit Executives / Audit Professional Chief Financial Officer / Finance Professional Chief Information Officer / Technology Professional Chief Risk Officer / Risk Professional Legal Professional Browse by Industry Consumer Products & Services Energy Financial Services Government Healthcare & Life Sciences Industrial Products Technology, Media & Communication KnowledgeLeader Blog	\|
\| GRC Software \| KnowledgeLeader \|

Home >
United States >
Insights >
Browse by Content >
Featured Articles >
Improving Internal Audit Through Technology

Insights

Improving Internal Audit Through Technology

John Verver CA, CISA, CMC
Vice President, Services and Product Strategy – ACL Services Ltd

Contact John Verver (jverver@acl.com) with questions or comments about this article.

Source: Protiviti's KnowledgeLeader

A number of studies show that internal audit functions are looking more seriously at technology as a way to improve productivity and the organization’s risk management process. Technology can help automate activities, such as ongoing monitoring of certain internal controls, and free internal audit professionals to lend their expertise to their organizations in other high-impact areas.

To better understand how internal audit departments can best leverage technology to enhance their productivity and effectiveness, it helps to look at how the use of technology in the internal audit process has changed over the past 20 years.

Software programs such as Microsoft Word, Excel and PowerPoint have become almost universal as a foundation technology for audit planning, programs, working papers, reporting and much documentation. Use of the Internet has transformed auditors’ ability to access and share information such as regulatory requirements, standards and audit best practices.

Arguably though, one of the most significant changes is the extent to which the profession has recognized the importance of data analysis and automation of audit and control testing procedures through continuous auditing and monitoring. While the use of general-purpose software to support internal audit has undoubtedly created efficiencies, it has not changed the fundamental approach to auditing. On the other hand, data analysis technology has caused fundamental changes in audit’s approach by allowing entire populations of financial and operational transactions and other data to be comprehensively tested and, where appropriate, to be analyzed close to real time on an automatic basis.

The expectations of internal audit have changed considerably in the past decade. Internal audit is now increasingly involved in areas such as risk management, fraud detection and monitoring and identifying opportunities for operational improvements that enhance financial performance. While these are important areas that make the role of the internal auditor more interesting and more challenging, the recent economic turmoil has put a lot of pressure on resources. The reality is that internal audit cannot successfully meet expectations and perform at a new level without doing things differently and technology – or, more accurately, the very efficient and effective use of technology – is essential for internal audit to succeed in its evolving mandate.

Technology’s Fruitful Harvest – Assurance and Confidence
Technology affords a number of benefits, starting with the level of assurance and confidence that an audit leader can provide the organization. By using technology to identify risks, to test controls and examine the data evidence of all that has occurred – and to do so in a comprehensive fashion – audit achieves a far higher level of assurance than is possible through more traditional audit methods.

Efficiencies created by the use of technology and by integrating data analysis and continuous auditing into the audit process also mean that the audit department is better positioned to complete its audit plan, which is a significant challenge for many audit departments.

When internal auditors use audit-specific data analysis technology, they are often able to gain insights beyond the reach of anyone else in the organization. By providing the results of such analysis to the business managers on a timely basis, management can respond, fix problems, and the entire organization can benefit.

So how does a technology-focused audit approach specifically improve an organization’s overall risk management efforts? There is increasing recognition that the primary focus in terms of enterprise risk management should be in the areas of strategic and overall business risks, rather than on financial, compliance and operational risks. This makes good sense but does not mean that financial and operational risks can be ignored.

The role that audit can play in these latter areas is to help drive some of the best practices of audit and assurance processes into the business. The areas of continuous auditing and monitoring are good examples of this. When audit departments implement automated continuous auditing, the benefits of providing timely notification of control risks and anomalies to management often become apparent. The next logical step can be for management to take on responsibility for similar processes in the form of continuous control monitoring. This can become a key component of financial and operational risk management strategy, allowing management to continually assess risks and the effectiveness of the controls for which they are responsible.

Getting Started One Audit at a Time
In general, for a company just beginning to consider how technology can benefit its audit process, the best practice is to start using technology in an area that provides high payback and then progress from there. The “big bang” approach to implementing technology in audit is seldom the most effective. However, there are some important starting points to consider. One of the most important is for audit leaders to make a clear declaration of strategy for the use of technology, as well as to avoid leaving technology initiatives and decisions solely to specialists. It is often worth developing a directional vision for how technology should be part of the audit process. The next step can be to decide on the sort of technology platform that makes sense in order to best support and integrate overall audit processes.

In the case of implementing data analysis, an approach that is often effective is the “one audit at a time” method. At the planning stage for every audit, consideration is given to how technology can best be applied. For example, can the overall risk assessment for an audit area be based on a data analysis-based review? Are there specific audit objectives that can be addressed far more efficiently through data analysis than through manual procedures? Can travel expenditures be reduced by performing remote analysis? Does it make sense to set up audit analytic procedures to run on an automated continuous basis? Then, at the end of every audit there is formal assessment of the effectiveness of the use of analytics and a recommendation on how to best extend use during subsequent audits.

‘Selling’ Technology’s Value Proposition
The audit committee is not usually in a position to decide on funding for software used by audit. This is more typically a CFO decision – although the audit committee can be an influencer. The arguments in support of software acquisition should of course be based on the benefit they provide to the business overall. This can include issues that are specific to the audit department: improving the level of assurance, greater efficiency and productivity, improved quality, security and controls around audit processes. They can also include more direct benefits to business process areas. For example, technology that provides immediate quantifiable benefits to a business process area by reducing instances of errors, fraud and abuse is likely to create a strong value proposition.

There are a number of areas in which audit and business management need to work together. At a practical level it often starts with the Information Systems (IS) department and agreement on the best way for audit to be provided with access to the data needed to perform analysis and testing in a way that ensures compliance with corporate standards. Audit also needs to consider whether their standards for managing and maintaining all audit content and documentation are sufficient.

For those audit departments that are implementing continuous auditing and monitoring, the involvement of the business can be critical to the process. Many aspects of continuous auditing can be performed relatively autonomously. When business management is provided with regular results from the audit process or takes on responsibility for continuous monitoring, then the relationship between audit and management will change. Such processes as response to exceptions, remediation of control weaknesses and escalation of issues require clearly defined and agreed responsibilities and working procedures.

When incorporating technology as part of the typical audit process, many of the best practices are the same as for implementation of any technology including, for example, setting objectives, planning, system design, technology selection, role assignment, training, quality and control processes, collaboration processes, security, measuring results, among others. While business process areas usually have cross-functional teams dedicated to the successful implementation of technology, this is often not the case for audit. The tendency can be for audit technology to be selected and implemented in far more of an unstructured and unplanned way. This brings us back to the issue of audit leadership giving a clear mandate and setting expectations for technology to become a strategic component of the audit approach.

Overcoming Challenges
A recent Protiviti survey identified that the technology areas of data analysis, continuous auditing and fraud monitoring were the sectors – among all audit domain areas – where improved knowledge and skill sets were most needed. This is a good indication that the top challenges are simply that not enough auditors know how to actually apply current technologies in an efficient, effective way. Education and training clearly have a key role to play in overcoming these challenges, as well as turning to outside expert resources for assistance.

The selection of technology itself is also a key issue for overcoming challenges. Many audit departments rely on a variety of “home-grown” systems to manage and maintain audit processes and documentation. General-purpose software is still widely used for many audit processes, from maintaining working papers to performing analysis. Audit and assurance processes are specialized activities with unique requirements, and there is a strong argument to use an integrated platform technology that has been specifically designed for that purpose.

One risk of ignoring the importance of technology to the audit process is that internal audit will not manage to keep up with professional standards and best practices. There have been numerous surveys and reports by The Institute of Internal Auditors (The IIA) and professional audit service firms that emphasize the critical importance of technology to support audit’s changing mandate. Audit departments that are slow to embrace technology risk falling behind in the quality of the assurance activities that they provide.

Another likely outcome is that, audit will under-deliver value to the organization. Recent years have produced some tremendous success stories of audit departments that have used technology to transform the role of internal audit and contribute to the performance of the organization at a new level. Those audit departments that ignore the importance of technology are the most likely to under perform.

Download the PDF:

Improving-Internal-Audit-Through-Technology.pdf

Related Resources can be found on KnowledgeLeader: Password is required. Free trials are available to non-subscribers.

Improving Productivity and Effectiveness Poll

2009 Internal Audit Capabilities and Needs Survey

Global Technology Audit Guide (GTAG) 1: Understanding IT Controls

Continuous Monitoring and Auditing: What is the difference?


Site Map \| Glossary \|Terms of Use \| Privacy Policy \| Site Feedback \| Media Center \| Events

© 2012 Protiviti Inc. All Rights Reserved.