Automation, automation, automation. Everything today is about doing things faster and more efficiently to free up time to do more “value-added” work. Whether you’re looking for data analytics capabilities, faster rolling planning processes, a single, secure repository for all the data collected by internal auditors on standardised templates, a way to manage internal audit workflow more efficiently or automated reporting, there will be a system – probably several – that offers you all of this and more.
But, like other innovations, progress comes at a cost, which may be high. A new software system may be essential to enable you to meet stakeholder requirements in the future, but you need to get the choice right. This will involve doing some robust due diligence and ensuring that you identify your needs and ask potential suppliers the right questions. It may also involve far more.
Much depends on where you are starting from and what you want to achieve. However, there are some common themes and work on these starts long before you email a vendor. Getting the most from a new system may involve a fundamental rethink about where your internal audit function is today, where you want it to be tomorrow and how you plan to get there. These are far larger questions than which software will provide the best support, but they need to be addressed if you are to gain the benefit of increased functionality and harness the power of today’s internal audit software to make the most of your investment.
“If you don’t have a good understanding of your objectives, the possibilities and the outcomes you require, then the whole project may be built on quicksand,” warns Andy Broughton, director of presales consulting at TeamMate. “However, you can use the project as an opportunity to reflect on what you’re doing now and identify improvements.”
Some improvements will also incur risks: increased communications can be helpful or oppressive; greater transparency and the ability to gather and drill through data is excellent as long as security is robust; having all your internal audit documents, templates, plans and reports in a single place is wonderful, until the wifi goes down. Primary issues are often the basic ones – who will have access to the system, what are your contingency plans and who is responsible for back-up?
For a start, systems are only as good as the data you put into them. Do you intend to migrate data from previous systems and multiple sources? How accurate, complete and reliable is this data or do you need to spend time cleaning it? Do you need the new system to connect to multiple software packages across the business to gather new data from the second line?
Be realistic about the time and effort that you will need to put into the decision and implementation. New functionality won’t make you more efficient unless you can dedicate time to examining your existing processes and identifying where you can simplify, automate and improve these. You also need to build in adequate time to configure the system to your requirements and train up the people who use it. Many organisations appoint champions who undergo more intensive training and who can then support the others when they start to use it for real audits.
The upfront cost of the new system is just one element. Long-term efficiency gains may require investment in time and resources early on. The best system will be undermined if the people who are supposed to use it lack support and confidence and start to circumvent it.
Similarly, you may need to provide training or support for managers and auditees so they understand what they can gain from it, especially if they need to access it for information or to submit documents. You will only gain from providing fast, regular reports if management understands the dashboards and the need for their input and responds positively to automated requests for documents or alerts about impending deadlines. People can be scared of technology and some may need more support than you expect.
Conversely, it’s worth remembering that increasing expectations may create new demand. If managers love the new reports they receive, they may start to ask for more and on different issues. This is great for internal audit and its reputation in the business – as long as you can meet this demand and are realistic about what you have the resources to provide. Increasing efficiency is always good, but it can lead to scope-creep if you find that time gained is then spent on areas that are not a priority for the internal audit team.
As in any major decision, much depends on the human factors – training and communication, how user-friendly the system feels and whether internal auditors, management and auditees understand the need, benefits and advantages the new system can offer.
It’s also essential to feel comfortable with the supplier. They may have the best system, but do you want to work with them? Do they understand your organisation’s values and what you want to achieve? Do you like them? “It’s a long-term relationship, like a marriage,” says Neil Macdonald, director at Technology4Business. “Things change and the vendor and the customer need to work together over time to ensure the longer term goals are achieved and the system remains used and relevant.”
As with all major investments – of time, money and trust – it’s worth getting the basics right because such opportunities come along so rarely. Technology cannot make a good internal auditor, but good internal auditors deserve the technological tools that help them to move their team’s performance to the
1 Ask what you really need of a new system and identify your “must haves” as well as a second tier of “would be nice to haves”. What issues are deal-breakers? Big issues include whether the system will work across multiple jurisdictions or regions, whether it will be hosted by your IT servers or on the cloud, will internal auditors need to work offline as well as online (for example, if they are somewhere with a poor connection or regular outages) and what kind of support and back-up does the supplier offer – in all the regions where you will use it?
2 Talk to other heads of audit about their systems and how they use them. Use the Chartered IIA’s forums to meet others in your situation and ask potential suppliers to put you in touch with clients who are in the same sector or who have similar needs.
3 Work out what you will need in future as well as what you want now – a new system is a long-term investment and you need to know that it will support your team’s development as it evolves. On the other hand, it’s also possible to get too excited about things that may not ever realistically be necessary or appropriate for your team or your organisation.
It’s sometimes better to have a solid industrial dishwasher that does the job properly, rather than the whizzy kitchen gadget that plans the dinner parties you never hold, sends out invitations to guests you don’t know, cooks exotic dishes you don’t eat, but can’t keep your plates clean.
4 Draw up some standard questions for all the suppliers on your shortlist. Use all of your auditing skills to listen to their answers and what they tell you, beyond the obvious. This should be the start of a long relationship, so look for what they’re not saying or what their answers imply about their attitudes and their views of internal audit work and your organisation.
Do you feel that they understand your needs, listen to you and that they and their software are a good “fit” for your organisational culture and your team? This may turn out to be more important than the functionality of the software.
5 Don’t get sidetracked by the details too early. It’s more important to find the right fit with the people and the system as a whole, than to worry about whether it does one particular fairly minor function or can be configured to meet a specialist need. Use the process of selection as an opportunity to question what you do and how you do it. It’s easy to be overly prescriptive about what you want a system to do and how you want it to look and function, but there are many ways of doing things.
This is an excellent opportunity to challenge your preconceptions and your requirements. If a new system doesn’t offer functions that you believe you need, ask why not. It’s possible that what you think you need, or the way you do something, is no longer necessary, or can be done better. Processes evolve and just because you’ve always done something in a certain way doesn’t mean that you can’t do it better in the future.
In association with TeamMate and Technology4Business
Internal auditors rarely get the opportunity to buy a new software solution and, as a cost centre in the business, they need a robust business case for this kind of investment, so what lies beneath a successful project?
1 Define your objectives. No one buys technology for fun. You need to establish what problems you want the technology to help you to address. This will help you
to define your desired outcomes and then you can start to assess what technology is available.
At the same time, it’s useful to find out what technology other organisations and internal audit departments use. Speak to vendors, but also talk to your peers via forums or Chartered IIA groups. There may be things you can do that you haven’t considered.
2 Understand the needs of internal stakeholders. The needs of the internal audit department are just one part of the jigsaw puzzle. Other parts could include the requirements of your IT department – what is your organisation’s IT strategy and, for example, are you able to consider a cloud-based solution? What are your organisation’s compliance requirements and who validates and approves decisions affecting these?
You may also need to talk to procurement and legal teams about contractual terms, pitching requirements and approval processes. Who needs to be involved in any decision and how long will the process take internally?
Identifying who needs to be involved and their availability will help you to set a realistic timeframe for the implementation. Ask when you need the solution to be in place and work back from the final date to see whether this will
3 Conduct market research. Rank the features and capabilities you need in your software and work out what’s critical and what’s optional. At the highest level, you need to know whether your requirements are so unique that you need a bespoke solution, or whether you’d be better using an off-the-shelf package. Each has its benefits.
The world won’t stay still, so you need to consider your ongoing budget and resources. This may be more of an issue with a bespoke solution, but ask vendors of off-the-shelf solutions how they will deal with upgrades and future developments.
Ask also whether the system will support the entire internal audit cycle and how many people in your department and across the business will be working on which elements (you may want to prioritise areas that involve most people or take up more time). How much expertise will auditees and assurance providers need to use the software and will you want to collaborate with multiple internal IT systems? Do you need to fit into other initiatives in the organisation, such as Agile processes?
Some questions go beyond technical features – for example, is the vendor stable? Do they have a track record of investing in and developing their software? In your organisation, how will you deal with security updates and IT patches and how will your new system be kept up to date and compatible? If you require your IT department to implement upgrades, will you be at the back of the queue? Such non-functional requirements are important.
4 Speak to vendors. If you send a list of requirements to the relevant vendors, you should be able to whittle the list down to a shortlist of three or four. It’s worth giving those on the shortlist more information about your key requirements and some examples of, say, your methodology, audit universe and main reporting needs. Organisations can be shy about sharing sensitive information, but the data doesn’t usually need to be valuable and you could use a non-disclosure agreement. If you’re transparent with vendors you are more likely to find out how a solution will work for you in practice.
No vendor will have a system exactly configured for your needs, so consider whether you like the look and the feel of the software. Spend a few days “playing” with it to get a picture of the user experience. This will give you a good idea about how comfortable you will feel using it in practice.
TeamMate is one of the world’s leading providers of audit and assurance expert solutions with over 25 years of experience providing technology and services to corporate, commercial and public sector auditors.
What are you looking to achieve with data analytics?
This may sound obvious, but to complete the journey, you need to know where you are going. Will the whole audit team, whether large or small, be actively involved in analysing data? What existing experience and skills do you have in the team? Will you start with impactful quick-win projects? Where do you want to progress to?
Aim to create an analytics roadmap with short- and long- term milestones. Considering these issues at the start will help you to separate the “must haves” from the “nice to haves” in system technical requirements.
One regular issue highlighted in our training programmes is that internal auditors struggle to visualise what to do with data analytics because they don’t understand what is possible. It’s a chicken and egg situation.
Improving your understanding of data analytics will help you to identify the functionality needed for audits to have the maximum impact. Attend training courses, ask peers what they are achieving, what they would change and what does analytics maturity look like for them? Talk to software vendors and obtain use-cases and examples of how similar teams are using analytics, it’s never too early to start talking to them!
Does the software meet your technical needs?
Ten great questions to ask when choosing software:
1. Will it work with our data sources and data sizes?
2. Our data is sensitive. Who hosts it?
3. How easy is the tool to use? Can it cater for a range of skills and experience?
4. Will it support our analytics journey – from code-free “big button” analytics to direct data connection and automation?
5. Does it provide a robust audit trail?
6. Does it enable efficiencies through repeatability?
7. What did colleagues and peers think of it? Are they still using it, if not, why?
8. Are outputs in a format that allows internal auditors to investigate further?
9. Can results be easily reviewed and added to audit reports?
10. Does the software make collaboration easier – between internal audit team members, audit management, other assurance providers and process owners? Remember, software works best when internal auditors understand how to design testing plans with data analytics in mind (this is a key outcome from our Data Analytics for Auditors training course).
Is the vendor fully aligned with what you want to achieve?
It’s not just about software, vendors are like a spouse – it’s a partnership and you could be with them for many years! Do they understand your situation, your challenges and goals? Do they have a genuine interest in you achieving these and, very importantly, do they return your calls?
Have they demonstrated technical competence – not just in the software, but also in internal audit within your sector – so that they can respond effectively to your needs? Our most common question is: “How do I know I’m getting the most from data analytics?”
A good vendor should be able to enrich your vision and understanding of what you want to achieve through actively sharing knowledge and contributing ideas. They will also challenge you to use the software and your training to the full.
Neil Macdonald and Paul Thompson are directors at Technology4Business, which provides audit software, training and data analytics co-sourcing.
This article was first published in September 2021.