Improving Internal Audit Through Technology

By John Verver CA, CISA, CMC

Vice President, Services and Product Strategy ACL Services Ltd
A number of studies show that internal audit functions are looking more seriously at technology as a way
to improve productivity and the organizations risk management process. Technology can help automate
activities, such as ongoing monitoring of certain internal controls, and free internal audit professionals to
lend their expertise to their organizations in other high-impact areas.
To better understand how internal audit departments can best leverage technology to enhance their
productivity and effectiveness, it helps to look at how the use of technology in the internal audit process
has changed over the past 20 years.
Software programs such as Microsoft Word, Excel and PowerPoint have become almost universal as a
foundation technology for audit planning, programs, working papers, reporting and much documentation.
Use of the Internet has transformed auditors ability to access and share information such as regulatory
requirements, standards and audit best practices.
Arguably though, one of the most significant changes is the extent to which the profession has recognized
the importance of data analysis and automation of audit and control testing procedures through
continuous auditing and monitoring. While the use of general-purpose software to support internal audit
has undoubtedly created efficiencies, it has not changed the fundamental approach to auditing. On the
other hand, data analysis technology has caused fundamental changes in audits approach by allowing
entire populations of financial and operational transactions and other data to be comprehensively tested
and, where appropriate, to be analyzed close to real time on an automatic basis.
The expectations of internal audit have changed considerably in the past decade. Internal audit is now
increasingly involved in areas such as risk management, fraud detection and monitoring and identifying
opportunities for operational improvements that enhance financial performance. While these are
important areas that make the role of the internal auditor more interesting and more challenging, the
recent economic turmoil has put a lot of pressure on resources. The reality is that internal audit cannot
successfully meet expectations and perform at a new level without doing things differently and technology
or, more accurately, the very efficient and effective use of technology is essential for internal audit to
succeed in its evolving mandate.

Technologys Fruitful Harvest Assurance and Confidence

Technology affords a number of benefits, starting with the level of assurance and confidence that an audit
leader can provide the organization. By using technology to identify risks, to test controls and examine the
data evidence of all that has occurred and to do so in a comprehensive fashion audit achieves a far
higher level of assurance than is possible through more traditional audit methods.
Efficiencies created by the use of technology and by integrating data analysis and continuous auditing
into the audit process also mean that the audit department is better positioned to complete its audit plan,
which is a significant challenge for many audit departments.
When internal auditors use audit-specific data analysis technology, they are often able to gain insights
beyond the reach of anyone else in the organization. By providing the results of such analysis to the
business managers on a timely basis, management can respond, fix problems, and the entire
organization can benefit.

2009 Protiviti Inc. All rights reserved. An Equal Opportunity Employer.

Page 1

So how does a technology-focused audit approach specifically improve an organizations overall risk
management efforts? There is increasing recognition that the primary focus in terms of enterprise risk
management should be in the areas of strategic and overall business risks, rather than on financial,
compliance and operational risks. This makes good sense but does not mean that financial and
operational risks can be ignored.
The role that audit can play in these latter areas is to help drive some of the best practices of audit and
assurance processes into the business. The areas of continuous auditing and monitoring are good
examples of this. When audit departments implement automated continuous auditing, the benefits of
providing timely notification of control risks and anomalies to management often become apparent. The
next logical step can be for management to take on responsibility for similar processes in the form of
continuous control monitoring. This can become a key component of financial and operational risk
management strategy, allowing management to continually assess risks and the effectiveness of the
controls for which they are responsible.

Getting Started One Audit at a Time

In general, for a company just beginning to consider how technology can benefit its audit process, the
best practice is to start using technology in an area that provides high payback and then progress from
there. The big bang approach to implementing technology in audit is seldom the most effective.
However, there are some important starting points to consider. One of the most important is for audit
leaders to make a clear declaration of strategy for the use of technology, as well as to avoid leaving
technology initiatives and decisions solely to specialists. It is often worth developing a directional vision
for how technology should be part of the audit process. The next step can be to decide on the sort of
technology platform that makes sense in order to best support and integrate overall audit processes.
In the case of implementing data analysis, an approach that is often effective is the one audit at a time
method. At the planning stage for every audit, consideration is given to how technology can best be
applied. For example, can the overall risk assessment for an audit area be based on a data analysisbased review? Are there specific audit objectives that can be addressed far more efficiently through data
analysis than through manual procedures? Can travel expenditures be reduced by performing remote
analysis? Does it make sense to set up audit analytic procedures to run on an automated continuous
basis? Then, at the end of every audit there is formal assessment of the effectiveness of the use of
analytics and a recommendation on how to best extend use during subsequent audits.

Selling Technologys Value Proposition

The audit committee is not usually in a position to decide on funding for software used by audit. This is
more typically a CFO decision although the audit committee can be an influencer. The arguments in
support of software acquisition should of course be based on the benefit they provide to the business
overall. This can include issues that are specific to the audit department: improving the level of
assurance, greater efficiency and productivity, improved quality, security and controls around audit
processes. They can also include more direct benefits to business process areas. For example,
technology that provides immediate quantifiable benefits to a business process area by reducing
instances of errors, fraud and abuse is likely to create a strong value proposition.
There are a number of areas in which audit and business management need to work together. At a
practical level it often starts with the Information Systems (IS) department and agreement on the best way
for audit to be provided with access to the data needed to perform analysis and testing in a way that
ensures compliance with corporate standards. Audit also needs to consider whether their standards for
managing and maintaining all audit content and documentation are sufficient.

2009 Protiviti Inc. All rights reserved. An Equal Opportunity Employer.

Page 2

For those audit departments that are implementing continuous auditing and monitoring, the involvement
of the business can be critical to the process. Many aspects of continuous auditing can be performed
relatively autonomously. When business management is provided with regular results from the audit
process or takes on responsibility for continuous monitoring, then the relationship between audit and
management will change. Such processes as response to exceptions, remediation of control weaknesses
and escalation of issues require clearly defined and agreed responsibilities and working procedures.
When incorporating technology as part of the typical audit process, many of the best practices are the
same as for implementation of any technology including, for example, setting objectives, planning, system
design, technology selection, role assignment, training, quality and control processes, collaboration
processes, security, measuring results, among others. While business process areas usually have crossfunctional teams dedicated to the successful implementation of technology, this is often not the case for
audit. The tendency can be for audit technology to be selected and implemented in far more of an
unstructured and unplanned way. This brings us back to the issue of audit leadership giving a clear
mandate and setting expectations for technology to become a strategic component of the audit approach.

Overcoming Challenges
A recent Protiviti survey identified that the technology areas of data analysis, continuous auditing and
fraud monitoring were the sectors among all audit domain areas where improved knowledge and skill
sets were most needed. This is a good indication that the top challenges are simply that not enough
auditors know how to actually apply current technologies in an efficient, effective way. Education and
training clearly have a key role to play in overcoming these challenges, as well as turning to outside
expert resources for assistance.
The selection of technology itself is also a key issue for overcoming challenges. Many audit departments
rely on a variety of home-grown systems to manage and maintain audit processes and documentation.
General-purpose software is still widely used for many audit processes, from maintaining working papers
to performing analysis. Audit and assurance processes are specialized activities with unique
requirements, and there is a strong argument to use an integrated platform technology that has been
specifically designed for that purpose.
One risk of ignoring the importance of technology to the audit process is that internal audit will not
manage to keep up with professional standards and best practices. There have been numerous surveys
and reports by The Institute of Internal Auditors (The IIA) and professional audit service firms that
emphasize the critical importance of technology to support audits changing mandate. Audit departments
that are slow to embrace technology risk falling behind in the quality of the assurance activities that they
provide.
Another likely outcome is that, audit will under-deliver value to the organization. Recent years have
produced some tremendous success stories of audit departments that have used technology to transform
the role of internal audit and contribute to the performance of the organization at a new level. Those audit
departments that ignore the importance of technology are the most likely to under perform.

About the Author

Contact John Verver (jverver@acl.com) with questions or comments about this article.

2009 Protiviti Inc. All rights reserved. An Equal Opportunity Employer.

Page 3

Article from Protiviti KnowledgeLeader www.knowledgeleader.com.

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools,
resources and best practices to help internal auditors and risk management professionals save time,
manage risk and add value. Free 30-day trials available.

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of
experts specializing in risk, advisory and transaction services. The firm helps solve problems in
finance and transactions, operations, technology, litigation, governance, risk and compliance.
Protivitis highly trained, results-oriented professionals provide a unique perspective on a wide
range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle
East.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half
International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member
of the S&P 500 index.

2009 Protiviti Inc. All rights reserved. An Equal Opportunity Employer.

Page 4