The conceptual shift coming to audit technology
Please welcome Matt Kelly, Editor and CEO of Radical Compliance, to the Workiva blog.
Not long ago, AuditNet published a survey of more than 400 internal audit executives that explored how well audit technology meets their needs. The statistic that jumped out the most: 76 percent said their current technology at best meets only some of their needs.
I know what you’re thinking. “Whoa, 24 percent actually have audit technology that does meet their needs?”
The rest of us would do well to consider what else this survey tells us about what audit technology will need to do in the future; and by implication, how audit executives must use technology to meet the risk and compliance challenges hurtling toward organization. Let’s take a look.
First, a plurality of respondents (just shy of 50 percent) said they use basic applications such as word processors, email, and spreadsheets to manage audit needs. No other type of technology came close, although use of specialized monitoring software placed second at 22 percent. Only 15 percent said they use a fully integrated solution with analytics ability.
Now let’s consider how internal auditors use technology. As the survey puts it, “For which parts of the audit process do you leverage technology the most?” Fieldwork and documentation topped the list at 60 percent, followed by planning at 55 percent, and risk assessment at 52 percent. Scheduling, reporting, and communicating issues all placed further back.
So far, all those numbers cohere. Most often, internal auditors use desktop applications. And most often, they use technology for tasks such as fieldwork, documentation, scheduling, and planning. That’s fine; you can do all those tasks with desktop apps.
You can also then assign yourself to the 76 percent who say audit technology meets some of your needs.
That’s one big theme of this survey: Most audit executives use respectable but not cutting-edge technology to do respectable but not cutting-edge audit work. So your audits and audit technology are not “bad” by any means. They just won’t give the insights and assurances that audit functions will need to deliver in the future.
The AuditNet survey did ask about those audit technology needs for the future. The answers suggest a conceptual shift, to a focus more on audit capabilities, specifically around analytics and integrating your conclusions into risk management programs. That shift has more implications than you’d think.
First, consider what some of those future needs are. Above all, survey respondents said they will need better “big data” and data analytics. Close behind was better integration with enterprise risk management, dashboard reporting tools, and predictive analytics.
Again, all those answers cohere. Business processes rely on data more than ever before, they operate faster than ever before, and they are more inter-connected than ever before. In fact, while we always talk about “data analytics,” that’s a bit of a misnomer-audit functions really want synthesis: the ability to find connections among multiple streams of data to illuminate your risks. The useful data is out there; it’s just awash in an ocean of irrelevant data.
So, internal audit in the future will be more about studying and observing business processes, then determining when and why those processes fluctuate outside your comfort zone. All of that activity will (ideally) also be connected to your internal control or risk management system.
What specific audit technologies will meet those needs? To a certain extent, audit executives of the future might cut the Gordian knot and move to cloud-based solutions. Desktop tools will always be there, but you will likely see yourself leasing technology from other providers to deliver heavy-duty analytic power, risk libraries, control matrices, and so forth.
That conceptual shift will help to drive the internal auditor up the value chain, to be an adviser on risks and business process improvement (assuming you can balance the need for auditor independence). It will let you focus on how to build effective business processes, rather than the scut work of auditing internal controls. It will let you focus on what’s coming next, not what must be done now.
And that, really, is what an audit leader wants most of all.
About the author
Matt Kelly is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. He maintains a blog, RadicalCompliance.com, where he shares his thoughts on business issues and speaks on compliance, governance, and risk topics frequently. Kelly was named as "Rising Star of Corporate Governance" by the Millstein Center for Corporate Governance in the inaugural class of 2008 and named to Ethisphere’s "Most Influential in Business Ethics" list in 2011 (no. 91) and 2013 (no. 77). Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Mass., and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.