For many years, Jim Kaplan's AuditNet has been a wonderful source of audit programs and more. In fact, Jim was presented with the Bradford Cadmus Memorial Award in 2007 for his contribution to the profession.
Recently, AuditNet published a scathing 2012 State of Technology Use by Auditors (PDF). It appropriately bemoaned the failure of internal audit departments to make good use of technology to improve the quality and efficiency of its assurance and consulting work.
The three primary findings were:
- "While audit software tools have been available for almost 2 decades, auditors and audit departments are not making full use of the technology.
- Auditors use audit software tools mostly on an ad hoc basis with some repetitive use, and departments do not have a strategy or plan to integrate technology in the audit process.
- The main reason for limited use of audit technology tools is the cost of the software and training and management resistance to change."
But the picture is, in my opinion, far worse — making the current state tantamount to negligence.
What am I talking about?
Jim's review was based on the adoption and effective use of traditional audit tools that have, as he points out, been available for 'almost 2 decades'. But, we have technology today that has brilliant capabilities for internal auditors that few are even considering because they remain wedded to traditional, audit-oriented tools.
Internal auditors worry about risks when it comes to management using new technology, but are blind (with a few exceptions) to the potential of these tools for internal audit! Open your eyes and just imagine the possibilities!
- Business intelligence and related tools. Management is using solutions from IBM Cognos, Oracle Hyperion, and SAP BusinessObjects and others to monitor the business, analyze results, and make quality decisions. There is no reason for internal audit not to use these tools as well; they are paid for (addressing the third bullet, above), supported by the organization's IT department, used by financial and operational analysts who can be tapped for existing reports and experience with the products, and run against reliable and secured data sources. The continuing development of tools for predictive analytics has exciting potential for internal auditors seeking to understand risk levels not just now but in the next months.
- Mobile. Not only are more and more enterprise applications moving to mobile, but so are analytics applications. Here's a video from Oracle that covers the topic in general and one by SAP's Chief Marketing Officer that describes how he manages the business using his iPad.
The AuditNet report includes ten recommendations, an "Action Plan for Auditors." I would add some at the start of the list:
- Develop a strategic plan for internal audit, with consideration of the more significant risks that are likely to warrant attention as well as the need for upgraded risk monitoring.
- For each area, identify how technology can be used effectively — whether as part of a continuous auditing program or to support traditional, project-based engagements.
- Recognize that just as risks are addressed by a combination of controls (which may include IT general controls), recognize that you may need a combination of tools (for example, to audit both business process controls and controls within IT processes).
- Understand all the technology that is available to be used, not only (traditional) tools designed for auditors but those used by management in finance, IT, and across the enterprise and those that management is planned to deploy.
- Understand constraints on the use of technology, including resources, and consider them in the strategic plan as well as in the plan for the current period.
Organizations of all sizes and in all sectors are deploying new technology in exciting ways. Why aren't internal auditors doing the same?