Abstract. The Institute of Internal Auditors recently published a number of papers under their Practitioner Survey Series. The series reflects output from the Global Internal Audit Common Body of Knowledge surveys of the internal audit profession. This article is a companion piece that focuses in part on the paper “Staying a Step Ahead—Internal Audit’s Use of Technology,” by Michael Cangemi published in 2015. The paper is based on data from the 2015 global practitioner’s survey, as well as prior survey data, primarily from 2006. To get the most out of this article you should download and read the paper “Step Ahead—Internal Audit’s Use of Technology.” The key findings in the globally focused paper are that the use of technology in the audit process continues to grow, but there is room for improvement. In addition, there has been a major expansion of the use of automated monitoring and the use of data analytics. This article suggests IAs should use these technologies to improve the effectiveness of internal audit (IA) and their contribution to their companies, leading to an enhanced view of IA by the C-suite.
"Without data you're just another person with an opinion."
– W. Edwards Deming, Data Scientist
The use of automation by internal audit (IA) continues to expand, along with the extensive growth of copmuter systems in businesses and society globally. Has the use of technology by IA expanded in pace or lagged behind?
The recent Institute of Internal Auditors Research Foundation (HARF) survey to update the Common Body of Knowledge (CBOK) has shined a new light on the use of technology by IA. Whether the progress has been enough to keep pace with the expansion of technology, or if IA fallen behind, is in the eye of the reader.
Consider this a companion article to the Insitute of Internal Auditors (IIA)'s Practitioner Survey Series report: "Staying a Step Ahead – Internal Audit's Use of Technology," published in July 2015. The report is available as a free download from IIA.1
BELDEN MENKUS, CISA
The key findings in the report "Staying a Step Ahead" are as follows:
The speed of adoption of computers systems continues at an incredibly fast pace. However, there were many small steps: at first, mainframe computers processed one program at a time; next, computer software enabled partitioning a computer’s memory to enable running one program in each partition. However, soon newer, larger, and faster mainframes, which were able to run multiple programs at the same time, were deployed providing heretofore-unimaginable productivity improvements.
New businesses were invented based on the availability of the computer’s speed and capacities. In fact, 50 years ago this year, in 1965, an article was published in Electronics magazine by Gordon Moore. It was about cramming more components onto electronic circuits or “chips” and forecasted “a proliferation of electronics . . . leading to such wonders as home-computers . . . automatic controls for automobiles, and personal portable communications equipment.” 2
The first networks connected computers with wires enabling files to be shared by more than one location. The birth of the mini-computer expanded the reach of the computer to smaller business entities. At this stage, computer terminals allowed many users to connect to computer systems over internal networks.
This era was quickly superseded by the advent of the personal computer, which once more revolutionized the very young computer industry. Then a computer terminal gave way to smart terminals using microcomputers. Now everyone at work would have a personal computer, and in what seemed like an instant, everyone had a home computer too.
Perhaps one of the most significant developments was in the area of office and home productivity. New programs for word processing and spreadsheets (for numerical data processing) changed the paradigm, allowing substantial increases in productivity and improved documentation for every company function; this was especially valuable to IA. This productivity enhancement continues today with tablets and smart phone devices. As the IIA reports points out, this development appears to impact the CBOK survey and may be affecting IA use of tech in a significantly positive way.
Another very significant tech development was in connectivity and internal networks. This was followed by the invention of the Internet that opened up connectivity to the masses and allowed for more IA productivity advances. This development also appears to influence IA’s use of tech in a very significant way.
Clearly, the CBOK survey is pointing to a great impact of programs for word processing and spreadsheets, as well as the use of the Internet by IA. What is interesting to this writer is that these developments, with their positive impact on IA use of tech, are more in the category of a rising tide lifting all boats than due to IA seeking productivity or expanded coverage gains for their work.
As computerization expanded IA responded by training auditors and building IT Auditing functions within the IA departments. Auditors learned how to review data center controls and how to audit software applications. They build tests of data and deployed new tools for looking at data using generalized audit software.
A major hurdle for internal auditors was a need for programming skills. Computer programs have disparate data files with unique record and data fields layouts. For auditors to look at data on a computer file they need to understand how each software system’s data was organized. Each data file has data fields (such as name, invoice amount, etc.) that are in unique sequences, in different programs, therefore requiring any program written to handle the data to set up the file definition. Most IAs study auditing and accounting, and the CBOK report confirms that this is still the case.
Making this step easier for internal auditors was a major objective of early generalized audit software programs, which helped with the file definition programming and then provided per-programmed audit routines. These disparate data files are still a problem today; however, there are many new software applications that make the process easier.
Much of the audit use of the computer to audit data and test applications was, and is still, performed by the IT Audit Departments within IA. Early in the development of IT auditing some audit leaders believed all auditors would be IT auditors, since the computer was so pervasive. Instead, other audit priorities continued to keep IT auditing as an ever expanding department within IA. This survey demonstrates that IA is still in this stage of relying on experts with more technology training in their department or via outsourcing. The exception is the invention of programs for word processing and spreadsheets as well as, the use of the Internet by IA, which added more technology use, and recently new data analytics programs are providing another push forward. “The effects of emerging technologies have been paradoxical. On one hand, emerging technologies have created a more difficult system to audit effectively. On the other hand, auditors have managed to use emerging technologies as audit tools and thus become more effective and efficient.7
Survey data for 2015 reveals that IA use of technology in the audit process at extensive and moderate use level combined is generally below 50% in the surveyed IA departments. However, when compared to similar data in 2006 the data shows use of technology continues to grow. That said there is room for improvement. Fewer than 40% of CAEs worldwide feel their departments’ use of technology is appropriate or better and there are large differences between regions (see Figure 1).
As noted in the introduction, whether the progress has been enough to keep pace with the expansion of technology is in the eye of the reader. Is the use of IT in IA sufficient or should IA be making expanded use of technology more of a priority? As the report notes; “Responses clearly show that extensive use of technology is the exception, not the rule. For about half of all respondents globally, usage of most technology tools is ‘none’ or ‘minimal.’” On the other hand, if we look at the trends and progress since the 2006 survey there is clearly good growth.
One IA thought leader sees it like this:
The internal audit profession should be pleased to see that the reported use of technology by internal audit appears to be growing nicely since prior surveys. While the numbers remain lower than many would like to see, over the years more internal audit departments are making productive use of analytics, including forms of continuous auditing and risk monitoring, to enhance the value and efficiency of their work. (Norman Marks, retired CAE and author of World-Class Internal Audit and World-Class Risk Management).1
One observation that stands out and speaks to good progress is the use of electronic workpapers, where 72% claim moderate or extensive usage. We, the author and the IIA review team, believe this is most likely referring to word-processing and spreadsheets and to a lesser degree audit software. We also note this is a major trend in business in general (see Figure 2).
Not surprisingly, when looking at specific IT tools the use of automated data mining and analytics is rising significantly since the 2006 survey. While the IIA report stays away from discussing specific software packages used by IA, I believe the advancements in software offerings have had a major impact on the expansion of automated auditing.
As we know, IA is an independent verification function. Auditors can and do use automated, independently implemented computerized applications as part of their audit coverages. On occasion, these audit routines are integrated into operations, while still being independently controlled by audit.
Software systems, for example, from companies like CaseWare Analytics, ACL, and Oversight Systems are among the leaders in providing software to internal audit. A good example is from CaseWare, which took over development of the IDEA data extraction software from the Canadian Institute to Chartered Accountants in the 1980s. They continue to make improvements for new and better technologies. Today the latest version (10), is easy to use and includes features like dashboards and visualizations.
In addition, in the last decade they added a new product CaseWare Monitor, which takes feeds of data from IDEA, ACL, or applications such as SAP and provides continuous controls monitoring; independently monitoring controls and transactions across multiple businesses and systems and detecting breakdowns in internal controls.
Similarly, ACL has also continued to advance their offerings. Oversight Systems recently converted their offerings to cloud versions and most vendors are offering their software in a software as a service (SaaS) model, eliminating the upfront capital investment. I give a lot of credit for the expansion of automated auditing by IA to the advances in the software offerings from these companies.
The IIA report provides a closer look at monitoring the effectiveness of IC. Monitoring is a key component of the COSO framework for IC.3 It is an integral element of management’s system of IC. Automated Continuous Monitoring (CM) is the use of technology to monitor something, for most audits, the initial focus may be to monitor an internal control. However, for management CM is an evolving use of technology to improve, not only controls, but also operations integrity, transaction accuracy, and customer satisfaction.
As more fully discussed in one of my prior EDPACS articles: “Internal Audit’s Role in Continuous Monitoring”4: CM is predominantly a business operations issue. It can also add to the internal control system and therefore most times affects audit coverage, through audit scope reductions. However, this is the tail—not the dog! First, you have to have a business function and then you need internal control.
My EDPACS article and the IIA report strongly recommend the expanded use of continuous monitoring and analytics by operations, as well as, IA. In all cases audit should and will adjust their audit scope to value CM systems built into operations. However, the most important role auditors can serve, with regard to CM, is to recommend its expanded use, thereby leveraging systems efficiency and effectiveness, as well as the overall control environment.
The IIA report discusses how the Three Lines of Defense model5 helps demonstrate the connection of the use of these tools by management, the first line, compliance functions (second line), and IA third line of defense. IA is perfectly positioned to identify opportunities for efficiency and control improvement opportunities. In many cases, these opportunities involved the use of automation, analytics and CM.
According to other IIA survey data, 8 out of 10 CAEs worldwide believe assurance of internal controls is one of the top ways to add value. However, many surveys of company management say they want more from IA. Yet in the survey of CAEs only 5 out of 10 also say business improvement demonstrates IA is adding value.6
I believe business process improvement should be much more integrated into IA’s mission and work. While I agree IC is important, there needs to be a wider focus.
When I transitioned from public accounting to the CAE role, at Phelps Dodge Corporation, I took a very broad view of our IA mission. We decided to set our mission to improve the company’s controls and business efficiency—rather than just auditing controls. We set a broad scope, first to focus on financial audits but more importantly to go well beyond financial into operational audits, contract audits, and acquisition audits. We wanted to go further than audit findings and to recommend efficiency, as well as systemic integrated control features. We wanted to help improve the business operations and the internal control system.
The key to our success was the positive contributions we made to the business in IC findings and preventive IC recommendations. Since IA is not part of the product development or sales process, it is especially important for IAs to be passionate and proficient in making solid contributions to the business, including audits of IC, but beyond, to improvements recommendations.
This approach resulted in our management seeing tremendous value in IA. In addition, our board, not just the audit committee, began recommending our approach at other companies. As a result, I co-authored a book called Managing the Audit Function, now in a third edition and Chinese translation, to share our methodology.7
To expand further, I see internal control as different at every company and therefore measuring IC effectiveness is difficult. There is always some value since it is assessed against general frameworks (COSO)—but every case is different. Therefore C-suite has a hard time determining the effectiveness of this IA work, on occasions leading to some of the issues of management being dissatisfied with return on investment (ROI) on IA.
Business process improvement, on the other hand, can bring tangible, recurring efficiencies to a company. This is measurable and should be encouraged in the IA charter and work flow.
In conclusion, the use of tech by IA is improving. As technology innovations like the mainframe, networks, PCs, mobile devices, and advanced use of analytics continue, so too does IA advance. This current expansion of continuous monitoring and analytics provides a great opportunity for IA to expand their use of technology for continuous auditing, monitoring, and analytics. However, by far the greatest opportunity they have is to contribute to their company’s mission by recommending the expanded use of these technologies in all aspects of their companies’ operations.
Michael P. Cangemi, is author of Managing the Audit Function (John Wiley, 3rd Edition US, Chinese and Serbian translations) and a business advisor. A former CPA, CISA, he was President, CEO, and Director of Etienne Aigner, a leading designer of women’s accessories and President and CEO of Financial Executives International (FEI). He currently serves as President of Cangemi Company LLC, through which he serves as senior advisor and or investor to various companies and manages his other business interests. Michael has had a successful career with a long-term significant focus on finance and technology. His career progressed from accountant/auditor to CAE, to CFO, CEO, and Board member and Audit Committee Chair. He served on the International Accounting Standards Board AB in London and in numerous ISACA and IIA professional capacities, including International President of ISACA, Trustee of IIA Research Foundation and editor in chief of the ISACA Journal (1987–2007). Mr. Cangemi has a significant focus on Continuous Monitoring and Analytics for GRC and Business Process Improvement. He served on the COSO Board, is a Senior Fellow of the Rutgers University Continuous Audit Lab, a member of FEI’s Committee on Finance & Technology and the EDPACS Editorial Advisory Board. He is a Senior Advisor to Oversight Systems, CaseWare RSM, and Instride Footwear Company.