Auditing Auditors!

Source:- ACL Blog, Author John Verver

Copy-of-Copy-of-Copy-of-Analytics-for-reputational-risk-3

We heard recently from a forward-thinking CAE who asked the internal audit team to audit themselves and come back with recommendations on ways to improve performance including, specifically, the ways that technology is applied.

Initially, this seemed to me to be a fairly unusual—but well worthwhile—concept. After a bit of reflection, it struck me that this really should be commonplace. After all, any audit department that adheres to the IIA’s professional practice standards needs to be subject to “ongoing performance monitoring” under the requirements of the Quality Assurance and Improvement Program. The IIA clearly defines the procedures involved in performing a quality assessment and describes the various aspects of an internal audit function that should be assessed. Standards of performance include both the quality and productivity of audit work.

So how often do you look closely at the way that technology supports and improves your internal audit quality and productivity? Arguably, this is something that should be done on an ongoing basis. In practice, though, I suspect it usually only happens when something happens: a new CAE is appointed, or a major version upgrade is required to the software that has been in place for a decade. Yet technology changes constantly—hopefully for the better—and new functionality appears that can make a real improvement in the way that software can be applied.

Why aren’t technology assessments part of ongoing performance monitoring?

Perhaps one issue is that the IIA is fairly vague about the requirements for the use of technology. Standard 1220.A2 states that “In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.” A requirement solely to “consider” is not exactly very demanding. But, as an increasing number of audit teams can demonstrate, the right technology can do much to transform the quality and productivity of audits.

So why not go beyond the IIA’s directives for the use of technology and really focus on the ways that audit performance can be positively impacted through improved tools and techniques?

Being “too busy to improve” wastes time and money

Of course, it does take some time and effort to go through a serious technology assessment process, and maybe the idea of doing so just gets ranked in terms of priorities as “a good idea—but now is not a great time.” But, as there is probably never going to be a great time, this really means: “I guess we have to stick with our good old spreadsheet, Word docs, and folder system—or outdated audit software—even though it is clunky and doesn’t really do anything close to all the things we want it to.”

One way out of this impasse that I have seen work effectively, is to task someone with establishing a business case for the use of improved technology. The good thing about a business case is that, if done properly, it causes people to really think about what could be achieved and to do so realistically in terms of benefits and costs. Some of the more qualitative benefits may be harder to quantify—but considering how an audit team currently performs—in terms of both quantity and quality of audits—and how it could perform, seems like a pretty good investment of time. Building a business case also provides a source for goals and measures that can be used in monitoring the success of new technology once it has been implemented.

Wednesday, March 2, 2016 In: Hot Topics Comments (None)

Contact

Pricing

Demo