Choosing the right tools: today's auditors face a dizzying array of software choices. advice from the experts, along with the results of Internal Auditory ninth annual software survey may help narrow the field and facilitate decision-making - Cover Story

Internal Auditor, August, 2003 by Tim McCollum, David Salierno

CORPORATE GOVERNANCE AND REGULATORY concerns are among a number of forces putting pressure on organizations to establish stronger internal controls over financial records and systems. Consequent y, internal audit departments are turning to audit software tools to help them meet the tighter deadlines and stricter requirements imposed on their companies by laws like the u.s. Sarbanes-Oxley Act of 2002. * Sarbanes-Oxley, enterprise risk management (ERM), increased reliance on enterprise software systems, and other factors are making chief audit executives (CAE) and internal audit managers more interested in using computer audit tools, according to the 2003 Internal Auditor software survey. Compared to last year, more survey respondents reported that their audit departments were using software for data analysis, fraud detection, control self-assessment (CSA), continuous monitoring, and workpaper automation. (See The IIA's Web site, www.theiia.org, for last year's survey results.)

Now that audit software tools are becoming more necessary, audit professionals must determine what types of software best fit their requirements, while avoiding the common pitfall of buying products that may not fit their audit environment. This can be a daunting task given the ever-growing assortment of commercially available audit packages, which must be weighed against using general-purpose software such as database or spreadsheet programs and developing in-house, tailor-made solutions from scratch.

To ease the decision-making process, we've gathered advice from several experts and surveyed practitioners on their product choices and selection criteria. The survey results and expert advice may help auditors make better-informed software decisions and increase the odds of finding the right tools for their department.

NEEDS SHOULD DRIVE SELECTION

Experienced information technology (IT) auditors say an organization's specific needs should guide audit software selection, just as they would for any other software tool. However, it's tempting for audit managers to think buying software will solve their problems. According to the experts, internal auditors often fail to use audit software correctly because they choose the wrong tools for the job.

"A lot of software companies are saying that you need their software to ensure Sarbanes-Oxley compliance," says John Tongren, managing partner of audit consulting firm Tongren & Associates in Norton Shores, Mich. "The assumption is that the software is doing things correctly. Does the internal auditor know enough about the organization's requirements to make sure that the software is doing what it really should be doing?"

The most difficult task for some audit shops is defining their specific requirements, according to Dave Coderre, audit principal with the Royal Canadian Mounted Police (RCMP) in Ottawa, Ontario. "Auditors may not know what is possible," he says. "And they may only be looking at automating what they currently do manually, and that's a limited view."

ERM is a leading reason that organizations are using audit software, particularly CSA and risk management/ analysis tools, according to the Internal Auditor survey. For many internal audit organizations, audit tools are a low-cost and automated way to meet their increased governance and risk management responsibilities.

In the past three years, auditors at Denver-based business software maker J.D. Edwards have been acquiring new tools to help the company with a variety of audits. J.D. Edwards has only a nine-person audit shop to serve a company with offices in more than 20 countries, but like many technology companies, it relies on software to enhance the capabilities of auditors and do more with minimal personnel, says Senior IT Audit Manager Mark Bigler.

"Instead of adding bodies, we've tried to get smarter and taken more of a risk-based audit approach using automated tools," Bigler says. "We're using tools that help us identify potential problems on the front end, as opposed to detecting them on the back end." Bigler says the company is currently shopping for risk management and internal controls-related software, along with forensics software, and is developing its own tools to perform software license audits at client sites.

According to audit consultant Tongren, before audit departments can determine their audit software needs, they must first define:

* THE AUDIT MISSION, OBJECTIVES, AND PRIORITIES. Corporate governance and risk management issues have given internal auditors new responsibilities and requirements. Auditors must work with senior management and the corporate board to determine how audit software will help them meet these responsibilities and which responsibilities are most important. Auditors also need to know how much freedom management will give them to conduct different types of audits that software tools may facilitate.

HBOS PLC, the result of a merger between Bank of Scotland and Halifax PLC, chose to upgrade its audit management software last year to align with the bank's new group internal audit minimum standards methodology. The new methodology reinforces a risk-based approach to audits and is used in conjunction with a risk assessment model that identifies risk at the group, divisional, and enterprise-wide levels, according to Bob Holroyd, HBOS senior audit manager for quality assurance and continuous improvement.