Bold steps come in threes. For Julius Caesar, it was veni, vidi, vici. For audit departments considering automated work paper tools, the choices can be summed up in three questions:
- Do we do nothing?
- Do we build?
- Do we buy?
Often, the most appealing solution for companies is buying, says Michael Mask, a Chicago-based director in Protiviti’s Risk Technologies Solutions Group. “It makes the most sense for the most people.”
That is not to say the first two options are bad choices. Determining which option is best is a bold move in the right direction and, like any decisive business move, requires careful planning.
For many organizations, the need for an automated Internal Audit (IA) work paper tool is an emerging process, says Mask. An organization may be starting a new department, for example, or spurred by specific events, issues or key risks. In other cases, a merger that brings two sets of auditors together ― drives to the surface the need for a work tool.
“From a needs-based perspective, we see a few key things,” says Mask.” In some cases, firms without audit technology realize they have become inefficient. In other cases, firms with technology in place may find that it is no longer effective – for example, using an outdated legacy system.”
“Finally, some firms may have excellent technology that now lacks the ability to bring users to the next level, such as a lack of integration with other Governance Risk Compliance (GRC) efforts,” Mask adds.
However, companies should not merely wait for events to overtake them. “It makes sense to assess your needs for a work paper tool as part of your annual planning,” Mask says. “Always ask, ‘Are we effective with our use of tools?’” Event-driven assessment is also important, including a change in leadership, significant staff turnover or a technology event, such as a changeover in company platforms.
Interestingly, says Michael Gowell, managing director at PricewaterhouseCoopers, which offers the TeamMate audit management system, a firm’s size appears to have little to do with selection decisions. “We have seen an incredible ramp-up in the last three or four years. We have been growing at about 30 percent annually,” says Gowell, who is based in Los Angeles. It is not so much that the work paper tools are linked directly to Sarbanes-Oxley (SOX); rather, SOX has raised the profile of the corporate audit department in general.”
“If you look around, most audit departments seem to be understaffed, so they are looking for tools to use as a capacity multiplier,” Gowell says. “They need to do more with less. That means the pressure to automate falls on small, as well as large, shops.”
Mike Awad, president of IAD Solutions, which produces Audit Leverage, agrees that size does not drive selection decisions. “Our client list includes departments of one or two auditors, up to those with dozens.”
Firms should be moving toward automated work papers because it is the best practice, Gowell adds. His reasoning is clear and simple: “It allows you to spend more time auditing and less time documenting.”
What next?
There are several types of tools worth assessing. The first are low-tech tools, including existing technologies such as Microsoft Word and Excel.
Next are internally developed tools, often databases and advanced Excel utilities.
From there come two types of commercial products. One is an audit-specific solution, which basically does only internal auditing. The second option is Governance Risk Compliance (GRC) solutions, which aim to do internal auditing and/or other governance risk control-type work, such as SOX.
Is there a best choice? The only way to find out is to define your needs, in a written mission- or charter-type statement, Mask says. “Your needs are a mixture; they are cost-based, location-based, functionally-based, and technically-based. It helps everyone involved if you can say, ‘I have 10 auditors, a mixture of technologies, our budget looks like X, and this, on a conceptual level, is what we need the tool to do.’ If you have that point-of-view, then you can use this as a ‘compass’ during the selection process.”
“Otherwise, it is like car shopping,” he continues. “Depending on which dealer’s lot you are on, all of a sudden you need different things.”
Before contacting outside vendors, Mask urges firms to hold in-depth internal discussions. Internal stakeholders should include audit leadership – a combination of the internal audit director and audit staff – technologists, and perhaps legal representatives who might be involved in the contract and procurement process.
Staff buy-in is also critical, says Awad. “No matter how good the tool is, if the audit director tries to force it from on high, it is doomed for failure.”
The group should develop its list of criteria, though Mask cautions against going overboard. “Oftentimes, we will see people with a list of 300 things they would like. If vendors can just check a box and say ‘We have it,’ then you are not in a much different position than you were when you started,” he says. Depending on the shop, some items, such as a multi-lingual system for an international company, will be the most important function.
Avoiding pitfalls
Often, potential buyers will sit through numerous tool demonstrations and try to reconcile what they see with what they want, Mask says. Or, they will simply click around on a demo CD. “Neither strategy is the best use of your time.”
Instead, he recommends identifying the top three to five vendors, based on software surveys and/or analysts’ reports, and then send out requests for proposals or information. Following a first round of demonstrations, potential buyers can make a first cut and then follow-up with the remaining vendors. One recommended approach is to run a simple case-study through a standard demonstration so you can observe a relevant situation.
It is wise to create a dedicated internal team to handle the project from beginning to end. “If this is a hobby, or it is not an acknowledged business exercise, you could run into problems,” Mask says. A representative from the audit team should take the lead; Mask notes that many audit shops see this as a best practice exercise. “I would not delegate this to the technologists, or whoever happens to be available that week. Nor would I have the internal audit director do it all.”
Also, be careful not to overlook the total cost of ownership. It may be wise to map two-, three- and five-year costs to the budget cycle, for example. True costs can include software licensing; ongoing maintenance fees; installation/implementation services; and need-based auxiliary services, such as uploading old audits or additional training. Additionally, budget costs for purchasing a server, software and training. Create a timeline budget, which gives target dates for starting the project as well as installing the tool. Knowing these costs upfront can help firms reduce their choices earlier in the selection process.
Gowell weighs in with several other considerations.
“You want a tool that is flexible, something that will change as your methodology changes. You also want a tool that is easy to use, because there is a large amount of turnover in audit departments,” he says. He also recommends a tool that is easy to configure without vendor customization. “If you can do that on the user end, it will make it easier to handle upgrades.”
There are three potential groups that should be included in the selection process to avoid potential pitfalls. Technologists are the first group. “You say you want to buy a product, and they tell you, ‘We cannot support it.’ You want to involve them early and often,” says Mask.
Second are attorneys. “It is certainly worth saying to them, ‘We are about to purchase one package, with three in the running. Do you see any red flags?’ Those red flags can pop up in the 11th hour, after you have made your choice,” Mask adds. To avoid this scenario, obtain copies of the contractual arrangements as you move close to making a decision.
Finally, coordinate efforts with internal peer groups, such as SOX control groups or other risk management teams. The goal is to avoid purchasing an incompatible tool. “You do not want to go through a big selection process when it makes more sense to simply turn on an additional module that another department already owns,” says Mask.
Take a look at vendors – and yourself
Do the vendors you are considering have a history and a future? That is
very important to know, Mask says.
Adequate due diligence can provide adequate answers. When was the company founded? How many customers does it have? Can it provide peer references? Does it have a future? Is it publicly or privately funded? How many employees does it have? Does it have a product road map aligned with your own development? What is the next version of the product? Can it help you progress down the path you have defined?
Interestingly, companies that choose to build their own work tools have similar considerations as those that are purchasing a tool, particularly when putting together cost and time budgets. In addition, it is imperative to know what is at your disposal. Are you contracting with third-party vendors? Working with internal developers?
Certainly there are advantages to building a tool in-house. “You can get exactly what you want, and you may get it at an accessible price if you have internal technology expertise,” Mask says. On the other hand, building a tool is no small project, and it is likely the momentum will end once the project is completed. In other words, the tool will not evolve through upgrades, as it would via vendors. “We have seen departments be effective with Excel spreadsheets and their own Intranet, but it does require coordination and awareness of limitations,” Mask says.
Regardless of the choice, it may make sense for companies to consider adding an automated audit work paper tool to their audit department. “If you find that your existing internal audit process is becoming a distraction from real audit work, that is a real red flag,” Awad says.
( 4 pages, 90 KB)
Automated IA Work Paper Tool Poll