Power tools: 2002 audit software usage survey; three avid users talk about how they use top-rated software products to automate their most important tasks. Plus, the results from the IIA's annual poll of members' application preferences are revealed

Internal Auditor, August, 2002 by Christy Chapman

ASK ANY INTERNAL AUDITOR TO NAME HIS OR HER favorite audit software, and you're likely to get a lengthy response. Auditors who favor a particular tool often feel quite strongly about it and are eager to testify to its wondrous capabilities.

That's why a few of the results from this year's software survey are somewhat surprising. In most of the audit automation categories included on the survey, more than half of the participants indicated they do not use any type of software to facilitate their work. In some categories, such as network security and e-commerce control (see pages 32-33), this negative response is attributable to the audit teams' lack of involvement in the respective activity. But in other instances where the task is an essential element of the audit process -- such as workpapers (see page 33) -- or is an increasingly important risk management activity -- such as continuous monitoring (see page 35) -- one has to wonder why more auditors aren't taking advantage of the power these tools offer, especially given the ardent enthusiasm of their devoted users.

To demonstrate the indispensable value software holds for some practitioners, we tracked down three auditors who are passionate about their favorite power tools. Their chosen software applications - ACL for continuous monitoring, TeamMate for automated workpapers, and Microsoft Excel for data analysis -- also happen to rank among the top products in our survey.

GENE SCHECKEL, IT AUDITOR

PHILLIPS PETROLEUM CO.

USES ACL FOR CONTINUOUS MONITORING

WE'VE BEEN USING ACL SINCE 1996, and during that time we've developed several continuous monitoring applications. For our internal audit department, continuous monitoring is an outgrowth from normal audit activity -- we use it to keep tabs on items that require attention beyond our scheduled audit plan. The frequency of our monitoring activities varies based on the specific requirements of the area under review and can range from semi-annual monitoring to daily check-ups.

MAINTAINING CONTROLS

One of our most recent continuous monitoring efforts is a monthly relative-size-factor analysis performed for accounts payable. Each month after dosing, we pull from SAP all the payments made during the previous month. We then use ACL to compare those payments to all payments from the previous 12 months and divide the highest payment in the list by the second highest to obtain the relative-size-factor ratio. After these calculations have been made, we review any payment that is significantly greater than other payments made to the same vendor. We don't find many errors, but when we do, the amounts tend to be significant.

We are also performing a daily monitoring exercise for accounts payable. Last year we acquired Tosco Corp., a large crude oil refiner and marketer of petroleum products. On May I, they turned off their legacy financial system and converted to SAP. We were concerned that some invoices that had already been paid in the old system might accidentally get reentered and paid again in SAP. Duplicate payment controls exist in SAP and were also a part of the legacy system, but no such control existed between the two systems.

We wrote an ACL application to compare the payments between the two systems and report all duplicates. The application enables us to capture duplicate payments daily, before the money actually leaves the organization, and it has led to significant savings. Now we can research the front-end controls and try to find out why some items are slipping through the cracks.

We're going to continue this monitoring activity for approximately six months. By that time, the old legacy system will have been inactive for so long that it's highly unlikely we'll re-pay an invoice. However, we're getting ready to bring another large acquisition online with SAP and plan to use the same application to check for duplicate payments between their legacy financial system and SAP.

UNAUTHORIZED PURCHASES

Some of the continuous monitoring exercises we perform on a quarterly and semi-annual basis include reviews of procurement card activity and travel and entertainment expenses. For procurement cards, we check for several types of exceptions. One of the most common checks is for split transactions; we use ACL to identify payments showing the same vendor, date, and procurement card, totaling more than the card's transaction limit.

We also use the software to look for procurement card policy infractions. We use AOL's ability to search for a string of characters and scan vendor names for key words pertaining to pawnshops; liquor, jewelry, toy, music, and video stores; charities; and political campaigns. Whenever the program identifies one of these words, we check the invoices and find out what was purchased. The exercise serves as an effective deterrent to procurement card abuse because word of our reviews has traveled throughout the company, and employees know that we are, in essence, looking at every procurement card transaction.

CLIENTS KNOW BEST