Audit and risk management software: Why are some teams lagging behind board and management expectations?

Three leading organizations in the internal audit and risk management world recently released reports on current hot topics.  The Institute of Internal auditors, PricewaterhouseCoopers and Protiviti each performed surveys of Chief Audit Executives, senior business management and board members and provided their findings. For what must be the 4th or 5th year in a row for this sort of report, improved use of technology by internal auditors stands out as a critical area to be addressed. In their report, PwC noted that:

“Only 40% of CAE’s and 35% of senior management consider that IA is “leveraging technology effectively in the execution of audit services.”

There are many possible reasons why internal auditors have not moved forward more quickly in utilizing software technology more effectively. One thing that I strongly suspect is that there is a direct correlation between the value that an internal audit department contributes to an organization and the extent to which they use technology in support of delivering that value. Or, to look at it another way, the internal audit departments that don’t use technology effectively may well be able to do so because they do not play a particularly critical role in the organization.  If you look at almost any important operational area, in any organization, in any industry, you will find that there has been a huge investment and effort over the past decade to transform effectiveness and competitiveness through the use of technology.

It strikes me as a bit of an unfortunate reflection on those internal audit departments that can get by with an approach that has not really changed in decades. I guess in some cases it can be a classic “chicken and egg” situation. Internal audit leadership may well want to drive up the value-add of their department, but they are not given sufficient resources to really transform effectiveness, because they are not seen as having demonstrated particularly value. The challenge—which is rarely really insurmountable—is how to get out of this cycle.

“CAATs and data analysis remain on center stage …internal auditors plan to strengthen their knowledge of computer-assisted tools and continuous auditing and monitoring techniques. Additionally, internal audit functions intend to leverage more advanced forms of data analysis to support risk management and overall business objectives.”

I think this last point can be key. If internal audit departments are going to support risk management and business objectives in a meaningful way then they are going to need to perform and contribute at the same level as any critical functional area. In which case, technology, in areas such as advanced analytics, mobile access to audit and risk management systems and continuous risk assessment dashboards, has to just be a given.

The IIA’s “Three Lines of Defense Model” is an important document that helps to point out the importance of internal audit, in the context of risk and controls management, as well as the business overall, to senior management and the board. The good news here is that the IIA reports that the “Three Lines of Defense Model” is now recognized by the majority of North American organizations.

The PwC report refers to a model for transforming the role of internal audit from “assurance provider,” through “problem solver” and “insight provider” to “trusted advisor.” I like this model (PwC’s graphic is below) as it sets a clear goal and a credible path for really taking internal auditors beyond their traditional role into one that is value-adding and highly relevant—a role in which technology is as pivotal as it is in any other critical function.
(Source: ACL Blog)

Tuesday, April 1, 2014 In: Hot Topics Comments (None)