
Leveraging data analysis software; Today's data analysis technologies go far beyond yesterday's audit tools to help internal aud


Doing more with less is easy to say, but not to do. Chief audit executives (CAEs) are being pressed to extend their audit plan from a traditional focus on controls to include assessments of risk management and governance processes and practices; do more on fraud, strategic, and operational risk; update their risk assessments and audit plans more frequently, as risks are changing faster and faster; and do it all with the same or a smaller budget.

Technology can be part of the solution. The recent IIA Global Audit Information Network report, A World in Economic Crisis: Key Themes for Refocusing Internal Audit Strategy, discusses the results of a roundtable with Fortune 250 CAEs held in March during the General Audit Management Conference near Washington, D.C. "On the whole, participants agreed that technology is underutilized in internal auditing but represents an opportunity for significant cost savings," the report notes. "While new technology may require new investments, the discussion pointed to several ways in which these CAEs are using automation and analytics [another name for data analysis software] to reduce manual testing times and increase audit coverage."

But which technology is most likely to enhance both the efficiency and effectiveness of the audit process? The IIA's 2009 IT Audit Benchmarking Study lists categories of software used by internal audit functions:

* Extraction.

* Data analysis.

* Fraud detection/investigation.

* Automated workpapers.

* Control self-assessments.

* Compliance.

* Continuous auditing.

* Risk assessments for the annual audit plan.

Respondents identified the same products (ACL, IDEA, SAP (including Crystal Reports), Microsoft Office, and Oracle (including PeopleSoft)) for five of the eight functions: extraction, data analysis, fraud detection, continuous auditing, and risk assessments. This finding and the accelerating change in technology justify a closer look at whether these are the right categories to discuss (see "The Changing Face of Audit Software" on page 37).

For the purposes of this discussion, I suggest there are three categories of internal audit software:

* Audit administration includes audit planning and resource management applications, collaboration tools, stand-alone automated workpapers, deficiency tracking, risk and control self-assessments, flowcharting and process document management, and similar functionalities.

* Data analysis, also called audit intelligence--an adaptation of the term business intelligence (BI)--encompasses data extraction and analysis, continuous auditing, risk assessment functionality, and fraud detection.

* Specialized tools include products used for specific IT audit tasks such as vulnerability assessments, log analysis, and network monitoring for computer and network security, including data leakage.

Ernst & Young's (E&Y's) Global Internal Audit Survey 2008 notes that "Leading internal audit functions use data analytics for numerous activities, including risk assessment, planning, execution, and reporting." The survey also reports use of data analytics for fraud detection and continuous auditing. Data analysis software is quite broad in its application for each major stage in the audit process.

RISK ASSESSMENTS

Only 17 percent of E&Y survey respondents rated their risk assessment performance as "very competent." This may be linked to the low numbers who use data analysis software during the risk assessment and audit planning process. According to the survey, only 24 percent of internal audit functions use data analytics during risk assessment, and 35 percent use it for audit planning. "As internal audit's focus on risk continues to evolve, so does the need for effective and intuitive technologies to support these efforts," E&Y comments. "Respondents believe technology falls short in providing the necessary intuitive functionality needed to enable risk assessments, risk prioritization, and risk-based internal audit planning."

Surveys report what is happening, not what is possible. They indicate what people believe, not necessarily what is true. These results, especially the comment regarding risk assessment and audit planning, may be the result of internal audit departments not understanding available technology.

When I became CAE of a BI software company, I was surprised how little the internal audit department was using our own software--especially for risk assessment. Our customer, Cisco Systems, was well ahead of us and using it routinely in every phase of the audit process. But Cisco is one of the few organizations that do this well, perhaps because its internal auditors are well aware of the potential of BI solutions. As I network with other CAEs, I am struck by how few know that their organization already owns a BI product or how it can be used. They don't realize that the software used by their financial and operational analysts can also be used by internal auditors to monitor the business and understand risks. Instead of asking the financial analysts for financial statements or product profit and loss statements, and operational analysts for inventory balances and trends, auditors could be using data analysis software themselves to obtain the information in the form they need, when they need it.

Historically, internal audit departments have relied on IT audit specialists to develop and run computer-assisted audit tools (CAATs). But the latest BI technology does not require the involvement of IT auditors for day-to-day data analytics. The solutions are designed for financial analysts and similar staff to use as part of their daily work. If financial analysts can use the software, developing and running their own queries and reports, all internal auditors should be similarly competent in its use.

Another part of the problem may be that CAEs and their teams are looking to internal audit software vendors for data analysis software. Although some excellent stand-alone products are available, and include fraud detection and other specialized data monitoring routines, justifying an acquisition for a product that will be used only by internal auditing can be tough for some audit shops--especially in this economic environment. CAEs are more likely to succeed by examining what is already available within their organization. If those applications are not sufficient for internal auditing for routine query and analysis, they probably are not sufficient for the financial analysts either; the CAE may be able to persuade the finance department and other potential data analytics users to collaborate with internal auditing on a solution.

An emerging trend is for CAEs to update their risk assessments and audit plans more frequently. The E&Y survey found that 52 percent of CAEs now update their assessments and plans more often than annually--20 percent review them quarterly and 13 percent review them more frequently than that. In February, IIA President Richard Chambers blogged on InternalAuditorOnline.org on the "signs that potential trouble could be brewing for the CAE." No. 1 on the list was "You are executing an annual audit plan developed from a risk assessment conducted six months ago, and no new audits have been added in the past two months."

Data analytics, especially when the data can be at your fingertips, is essential if the CAE is to monitor business risks, update the plan, and perform audits that address today's risks rather than those of the past. Auditors might want to monitor:

* Revenue by location, business division, or product.

* Revenue backlogs, both value and age.

* Personnel losses in key positions, such as controller or legal.

* Volume of credit notes and manual journal entries.

* Inventory and accounts receivable, both balances and aging by location or division.

Auditors should also review other risk indicators specific to the business.

PLANNING INDIVIDUAL AUDITS

In the same way that data analytics can be useful in understanding and monitoring risks across the enterprise, the tools can be used to understand risks and define the scope of individual internal audit projects. In its 2009 State of the Internal Audit Profession Study, PricewaterhouseCoopers recommends: "Make it a requirement of your internal audit methodology to include upfront data analytics and review of automated reporting as part of audit planning. At a minimum, data analytics should include performing limited fraud detection procedures; financial trend analysis; and ratio analysis for relevant investment, productivity, liquidity, activity, leverage, profitability, and coverage ratios. The data needed to perform these types of analyses is often readily available--and can be performed well in advance of fieldwork. This allows for more focused time spent in the field looking at items already flagged for some anomaly or potential concern."

At Cisco, auditors use data analysis software to understand business trends and identify unusual data transactions or activities. The audit team at BusinessObjects used data analytics to plan an audit of sales contract management efficiency. They identified where the greatest volume was occurring, where the backlogs were, and where related costs appeared to be highest. They used this information to determine which locations to include in the audit scope.

PERFORMING AUDITS

The use of CAATs is part of traditional auditing, especially in financial services, retail, and similar businesses. According to E&Y, 78 percent of audit departments use data analysis software to execute audit projects, 45 percent for fraud detection, and 37 percent for continuous auditing.

The opportunity for the future lies in three primary areas. Improvements in technology have made data analysis software easier to use. Auditors can use it for one-off queries and analyses, including sampling, in addition to the more sophisticated reports produced by programming experts using ACL, IDEA, or other products.

COPYRIGHT 2009 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.

Copyright 2009 Gale, Cengage Learning. All rights reserved. Gale Group is a Thomson Corporation Company.

NOTE: All illustrations and photos have been removed from this article.

