ACL EBOOK

Connecting the Dots:

Building Internal Audit Value
Using Technology to Optimize Internal Audit Processes
and Increase Audits Relevance to the Business and C-Suite
By John Verver, CA, CMC, CISA, strategic advisor to acl

CONTENTS
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Then . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
And Now. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
But Wait A Moment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The Case For Change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Overcoming The Technology Performance Gap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
How Can Technology Really Change Internal Audit?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
So What Is Wrong With Internal Audits Current Approach To Technology Usage?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Top 8 Considerations For Successfully Leveraging Technology In Internal Audit Management:. . . . . . . 17
Start With Leadership & Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Set Goals, Allocate Resources, Measure Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Align Technology Shift with Internal Audits Strategic Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Build A Seamless End-To-End Internal Audit Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Abolish Silos. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Integrate Data Analysis and Automated Testing Closely into Audit Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Spread the Vision of Technology-Driven Internal Audit and GRC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Spread the Benefits of Data-Driven Internal Audit and GRC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Connecting the Dots: Building Internal Audit Value

Connecting the Dots:

Building Internal Audit Value
Using Technology to Optimize Internal Audit Processes
and Increase Audits Relevance to the Business and C-Suite
By John Verver, CA, CMC, CISA, strategic advisor to ACL

EXECUTIVE SUMMARY
The role of internal audit has evolved considerably in recent years. There are
increasingly demanding expectations around the value that internal auditors
should deliver to their organization. Many audit leaders are up for the
challenge and want to earn a seat at the executive table. As with any critical
function in an organization, technology can play a vital role in enabling
success. However, many internal audit departments are simply not using
technology at the level needed to deliver what is expected.

At ACL, we believe strongly in the power of technology to help internal

auditors realize their full potential as highly valuable professionals that are
sought after throughout the organization.

There is a serious technology performance gap. Many audit teams are relying
on outdated technology and processes which limit their ability to function at
an optimal level and deliver far greater insights and value.

Connecting the dots across separate audit, risk management, and

compliance processes taking place across the organization.

There are a number of factors that must be addressed in order for internal
audit to transform its effectiveness through technology. These include:

leadership declaring technology as a strategic imperative

managing technology implementation in the same way as any critical project
designing an end-to-end audit process that makes best use of
current technologies

In this eBook, well look at how internal audit can build value,
executive alignment, and relevance by connecting the dots:

Connecting the dots among the audit team and business unit contributors
and stakeholders through collaboration in a single system.
Connecting the dots directly from factual data to big picture risks
and objectives.
And, Connecting the dots within the auditors workflow, by pulling
together pieces of the audit process previously scattered across shared
drives, spreadsheets, email, and various other technology.

understanding the practicalities of integrating analysis and automation

into the audit process
moving beyond a silo approach and aligning audits use of technology
with that of risk management and compliance
Connecting the Dots: Building Internal Audit Value

Then

In most organizations the role of internal audit has changed

tremendously in the past decade. Look back to the early 2000s and the
world was pretty different. The typical focus was on completing the
traditional cyclical audit of specific financial and operational areas. The
approach was predictable with little change in procedures from one audit
cycle to another. Auditors dutifully followed a well-established audit
program, with heavy reliance on internal control process walk-throughs
and sampling. It was OK to get hold of the prior audit working-paper file
and just do what was always done.
Internal auditors were typically seen by senior
management as something of a necessary evil:
diligent, detail-oriented and responsible professionals,
with an obsession about matters that really were not
expected to contribute much to the overall business
objectives of the organization.

Connecting the Dots: Building Internal Audit Value

And now

Roll forward to today and the internal audit function of

many organizations has either evolved considerably or
undergone a complete transformation.
In addition to its assurance functions, expectations are now
that internal audit be heavily involved in the assessment of
the risk management function and as value-adding
advisors in many aspects of an organizations operations.
The opportunity for internal audit today is more
exciting than ever before. The internal auditor is in a
unique organizational position, with a mandate that
provides access to an incredibly broad and varied
range of people, processes, systems and data. What
other role is better poised to deliver unique insights
and contributions to an organizations success?
We hear frequently that progressive internal audit
departments want a seat at the table, to be taken
seriously by the C-Suite and highly regarded for
the value they can contribute.

Connecting the Dots: Building Internal Audit Value

But wait
a moment

100

THE CASE FOR CHANGE

The gap between expectations and performance for how

effectively internal audit leverages technology

80

60

40
PERFORMANCE

20

CAEs

SENIOR
MANAGEMENT

BOARD
MEMBERS

Expectation: % who expect this from internal audit; base = total survey responses
Performance: % who believe internal audit performs this well;
base = only those respondents that expect internal audit to do this

All of this seems fine. Why shouldnt internal audit be a critical

component of the governance, risk management and compliance
structurea component that makes a real difference?
No reason at all. Except that, in practice, very few internal audit
departments are really enabled to function as a critical contributor.

So now lets look at how technology has impacted internal audit

in the past five years.

Take a look at any critical functional area and it is a good bet that in the
past five years there has been tremendous investment in resources and
systems. How many businesses have been transformed, in terms of
competitiveness and efficiency, through the use of technology? Think
of almost any industry today and it is almost always assured that
technology now plays a fundamental roleone that is resourced,
funded and managed in a way that maximizes the chance of success.

And yet, unfortunately, there is a sizeable disconnect between how

CAEs expect technology to be used in internal audit and how
technology is actually used. A recent PwC report shows that only 40%
of CAEs considered that internal audit was leveraging technology well.
Senior managements view was even less favorableonly 35% rated
internal audit as using technology effectively.1

Higher performance by designA blueprint for change - 2014 State of the Internal Audit Profession Study April 2014 webinar presentation by PwC

(1)

Well, we have certainly heard in just about every survey and report from the
IIA and Big Four firms that technology is expected to play a tremendous role.
It is always considered to be one of the top priorities for CAEs.

Connecting the Dots: Building Internal Audit Value

11

OVERCOMING THE TECHNOLOGY PERFORMANCE GAP

So, despite the tremendous opportunity facing internal audit today it seems that there is a real problem with how
internal audit is actually using technology. The rest of this eBook focuses on some of the key issues that should be
addressed in order to arrive at a point where your internal audit department can be rated as fully meeting
expectations for leveraging technology. None of these issues are particularly complex or hard to addressbut they
do require a shift in thinking and approach. They also present a very real opportunity for CAEs and other audit
leaders to raise their profile within the organization and to become strong advocates for the role of technology in
transforming internal audit processes, as well as taking a more integrated approach to risk management and
compliance throughout the organization.

HOW CAN TECHNOLOGY

REALLY CHANGE INTERNAL AUDIT?
How can technology be used to really transform the
value that internal audit delivers to their organization,
while also making sure that internal audit is not building
a technology silo that in practice duplicates that of
other functional areas.
In this eBook we call it connecting the dots.
The objective is to use technology to tie together a
range of different internal audit processes into one
seamless, interconnected system.

Connecting the Dots: Building Internal Audit Value

13

SO WHAT IS WRONG WITH INTERNAL AUDITS

CURRENT APPROACH TO TECHNOLOGY USAGE?
Well, of course, the answer is that it depends. It depends on
the history and approach of your own internal audit
department. Chances are, though, that your use of audit
technology is still built around the traditional processes of
audit management and working paper documentation. You
may be using dedicated audit management softwaremany
such systems have been available for decades. Or, if you are
like approximately 57% of internal audit departments1you
rely on electronic work papers and documentation using a
combination of Microsoft Excel and Word, email and
operating system folders for managing file storage, sharing
and security.

The challenge of traditional audit management software is that

most systems require a high degree of configuration and set up.
This may seem to make sense so that technology can support
the processes that have been in place for years.

But what if the time has come for a complete re-think

of approach in order to reflect the way that internal
audit should really work in order to not only
maximize the value they deliver, but also to optimize
the way they deliver it?
Surveys indicate that many auditors using traditional audit
management software find challenges in terms of functionality
and ease-of-use.
Of course, one of the most compelling reasons to move to a
more modern approach is that current technology can do far
more to reduce the risks of financial and reputational damage
from regulatory non-compliance or critical control failures.
OCEG Technology Survey Report 2013

(1)

How does your current dedicated

audit management system handle
process change?

How about being able to update and

share information from anywhere at
any time?

If your audit technology is still based

on Microsoft Office, how much time
is spent trying to update, organize,
manage and share spreadsheets and
Word documents?

Does your CAE have the ability to

simply look at an Apple or Android
handheld device, from anywhere in
the world, and get an immediate view
of the progress of every audit project
and status of findings and follow up?
Is your CAE confident about sharing a
dashboard of current quantified
findings and risk trends with senior
management?

Do users find software truly intuitive

and easy-to-use?
How much time and money is spent
on software training, only to find that
users forget what they learned within
weeks?

Does your use of technology

demonstrate to the Audit Committee
and C-Suite that you must have a
seat at the table?

How about review and sign-off

proceduresare these really
efficient and secure?
Do you have a well-managed centralized
repository of findings and reports?
Do you know how much time is really
wasted on tedious low-value tasks and
high-risk gaps created with spreadsheets?

Assuming that data analysis is an

important part of your audit
approach (as every survey indicates
is desirable), how is the data
accessed and managed?

Internal audit clearly has a unique

role and perspective within the
organization. Yet how powerfully is
this demonstrated within the
governance structure and to key
decision makers?
Use of slide decks and manually
generated reports is unlikely to
impress business leaders that
technology is being effectively
leveraged.

Do you know whether the data being

analyzed is really complete and validated?
Can you rely on the integrity of
analytic tests?
Is the underlying data as secure and
well-controlled as any data within core
business processes?

Connecting the Dots: Building Internal Audit Value

15

8
considerations
Top

...for

Successfully
Leveraging

Technology in Internal
Audit Management

Connecting the Dots: Building Internal Audit Value

17

start with Leadership

& strategy

If technology is truly expected to be a critical component of internal audit, then it

needs to be treated as such. This means starting at the top, with internal audit
leadership making a clear declaration of the role of technology as a strategic
enabler for internal audit.
Unfortunately, in many internal audit departments, technology usage and decisionmaking issues are delegated to someone who demonstrates some technical interest and
aptitudebut often lacks the strategic vision and authority to lead a technology
transformation.
Ideally, the strategic declaration from the CAE or audit leader should be aligned with a
similar directive from those responsible for the related processes of risk management,
internal control, compliance and fraud detection. There is plenty of evidence that this is a
critical distinguishing feature of those internal audit departments that are rated highly in
the effectiveness of technology use.

Connecting the Dots: Building Internal Audit Value

19

set goals,
allocate resources,
measure
progress

TREAT INTERNAL
AUDIT TECHNOLOGY
STRATEGY AND
IMPLEMENTATION
WITH THE RESPECT
IT DESERVES
Look at how critical technological projects are managed in core business areas.
Chances are that they are properly funded, resourced and well managed. Objectives, plans and schedules are
established. People are held accountable for progress and the achievement of measurable goals. The same
principles apply to the successful use of technology in internal audit. Again this starts with internal audit leadership,
where expectations are set. Most successful internal audit technology initiatives are also led by a champion who is
appointed by the CAE and has the authority, knowledge and strategic understanding to drive a real transformation.
Audit leadership also plays a critical role in communicating the technology strategy and objectives to key
stakeholders in the C-Suite and audit committee.

Connecting the Dots: Building Internal Audit Value

21

Align technology shift

with Internal Audits

strategic
objectives

The technology selection process should be driven from the declared goals of technology enablement
for internal audit.
While word-of-mouth and peer recommendation are valid data points, selection of specific software should
also be based on a forward-thinking approach. After many years of relative stagnation, technology for audit
and risk is already beginning to undergo rapid change. Consider what is important for the internal audit team
and the way the team will be expected to operate in a one to three-year timeframe.
Technology shifts in areas such as mobile computing, cloud-based software, software-as-a-service and Big Data
are having a transformative effect on how organizations operate. Internal audit, perhaps more than any other
functional area, has a huge opportunity to benefit from these shifts.

KEY SOFTWARE
TECHNOLOGY
TRENDS THAT WILL
DRIVE INTERNAL
AUDIT SUCCESS

Mobile computing

Multiple devices

Cloud

Big Data

Visual analysis and reporting

Seamless workflow

Intuitive consistent interface

Just-in-time training and

support

Knowledge management

Digital media

23

Build a seamless
4

end-to-end

internal audit process

Annual
Audit Plan

Risk

Assessment

Schedule
Audit Projects
and Resources

Plan

Audit Project

Risk & Controls

Database

Perform

Audit Procedures
and Control Testing

Response

Document

& Resolution

Audit

Procedures
& Findings

Report

Start by looking at all the key components of the internal audit process and how they should ideally fit together.
It soon becomes clear that there is a logical cyclical flow of interrelated activities. This concept is ideal for technology enablement and
for achieving breakthroughs in efficiency and effectiveness. Software technology should support this in a seamless, consistent and
intuitive way. Expect software to be lean yet comprehensive, but not complex or expensive to implement. It is just not realistic to
expect a breakthrough in internal audit performance by continuing to rely on a variety of different generic software tools, however
convenient it may initially appear to be.

Connecting the Dots: Building Internal Audit Value

25

Abolish

Silos

Internal audit needs, of course, to be an objective and

independent function.
But this does not mean that it should operate in a technology silo.
Internal audit processes clearly interrelate with multiple functional
processes, particularly risk and control management and compliance.
Consider how both audit and other functions need to be involved in
the following:

Identify and assess risks

Test controls and adherence to regulations
Monitor transactions
Note and investigate exceptions
Share and respond to findings and reports
Review, monitor and use dashboards for detailed drilldown

Not only is it disempowering for internal audit to use multiple systems for
their role in the above activities, it is also costly and silo-creating for other
functional areas to select and use separate systems.
Internal audit can play a strong leadership role by being an advocate for the
benefits of integrated technology systems that span multiple areas,
reducing costs and bringing a common and aligned perspective to
governance, risk management and compliance (GRC) processes
throughout the organization.

Connecting the Dots: Building Internal Audit Value

27

Integrate
6

data analysis and

automated testing
closely into audit
processes

Annual
Audit Plan

Schedule

Audit Projects
and Resources

Plan Audit Project

Risk Assessment

Determine audit program steps

performed via data analysis

Assess risks based on

trend analysis and
control monitoring

Response and
Resolution

Data Analysis
and Transaction
Monitoring

Perform Audit Procedures

and Control Testing
Test 100% transactions, balances
and control effectiveness

Determine if remediation
efforts were effective

Audit Report

Document Procedures
and Findings

Embed quantified analysis into audit report findings

It is widely recognized that data analysis should play a vital role in internal auditbut it is seldom utilized
anywhere close to its full potential.
One of the primary reasons for this is that, just as with audit technology in general, data analysis is often not actually treated as if
it were critical to the successful achievement of audits mission and objectives. Too often it is treated as something of an add-on
to the audit processused sporadically and inconsistentlyinstead of as a fully integrated core strategic component.
Leading modern audit management software enables data analysis to be integrated fully into the internal audit process: from
initial risk assessment and audit planning, through detailed control testing and continuous auditing to exception management
and quantified findings and reports.

Connecting the Dots: Building Internal Audit Value

29

Spread
the vision

of technology-driven
internal audit and GRC

It seems clear that there is a great opportunity for internal audit to get its own house in order and
become a leader in the use of technology to transform the value it delivers.
Internal audit has a unique perspective and role. There is also a clear overlap between its own technology
requirements and those of risk management and compliance. In combination, there is also a real opportunity for
internal audit to drive a vision and be a core part of a strategy for technology-driven GRC within the organization
as a whole.
Realizing a new internal audit vision.

Sharing the vision on high.

New technologies now play an essential role in

enabling transformation, competitiveness and
success in virtually every critical business area. Yet too
many internal audit departments, while wanting to
transform the value they contribute to their
organization, fail to really embrace current
technology and take advantage of its benefits. In
order to make substantial change in internal audit
contributions and effectiveness, audit management
should give serious thought to how todays
technology can transform the audit process.

One of the practical challenges for internal audit to

truly leverage technology in transforming audit
management and working paper processes is a lack
of funding. There is often a big disconnect between
expectations around audits use of technology and
actual budget and resource allocation. The answer to
this problem is often to deliver a business case for
how technology can transform both audit processes
and contribute to risk and compliance processes.

Connecting the Dots: Building Internal Audit Value

31

Spread
the benefits

of data-driven
internal audit and GRC

One of the great advantages of data analysis in audit is its ability to

provide precisely quantified findings and insights.
A common positive side effect of internal audit presenting its findings to
management is a response like:
How did you get that information? We have always wanted to get
an analysis like that.
Not only can data analysis be applied very impactfully as part of a
transformed audit process, but it can also play a highly effective role in
quantified risk assessment and continuous monitoring.
And, not only can a data-driven approach change the material
impact that audit provides, but it can also present a strong argument
for increased funding to continually expand technology usage.

Connecting the Dots: Building Internal Audit Value

33

CONCLUSION
There are many issues to consider in order to transform internal audit processes by leveraging technology.
Internal audit is facing a tremendous opportunity to enhance its value proposition to the organization. Through the concepts
described in this eBook, we have identified ways in which the power of current technology can be harnessed to truly help
build value, executive alignment, and relevance for internal audit.
Connecting the dots is really very simple and is all about
using the latest technology in a way that enables:

Intermeshing the disparate audit, risk management, and

compliance processes taking place across the
organization.
Collaboration among the audit team and business unit
contributors and stakeholders.
Directly linking transactional data analysis to big picture
risks and objectives, for fact-based insight, risk
assessment, and performance measurement.
Integrating the day-to-day workflow of each individual
auditor as well as across the audit team, by pulling
together pieces of the audit process often scattered
over shared drives, spreadsheets, email, and other
unconnected technologies.

Hopefully, this eBook has given you some useful ideas on

the key issues to address and some new perspectives.
You may also find it useful to read ACLs whitepaper on
Integrating Working Papers with Audit Management,
which details how to shift from typical common practices
to best practices.
At ACL, we are strong believers in the power of technology
to help internal auditors realize their full potential. We
envision an era when internal auditors are recognized as
highly valuable professionals and become sought after
throughout the organization.

ACL has drawn upon its two decades of experience working with thousands of customers worldwide
and developed detailed methodologies and best practices to boost the impact and value of audit, risk
management, and compliance processes.
For a free assessment of how your organization can best integrate technology to transform your teams
value proposition, call 1-888-669-4225 or visit: www.acl.com

Connecting the Dots: Building Internal Audit Value

35

ABOUT THE AUTHOR

IC ADVISOR TO A
ATEG
CL
STR

John Verver, CPA, CISA, CMC is an acknowledged thought leader, writer and speaker on the application of technology in audit, fraud
detection, risk management and compliance. He is recognized internationally as a leading innovator in risk and control data analytics,
continuous controls monitoring, and continuous auditing, as well as a contributor to professional publications. He is currently a strategic
advisor to ACL, where he has also held vice president responsibilities for product strategy, as well as ACLs professional services
organization. Previously, John was a principal with Deloitte in Canada.

JOHN

ABOUT ACL
ACL delivers technology solutions that are transforming audit, compliance, and risk management. Through a combination of software and expert content,
ACL enables powerful internal controls that identify and mitigate risk, protect profits, and accelerate performance.

Contact

Driven by a desire to expand the horizons of audit and risk management so they can deliver greater strategic business value, we develop and advocate
technology that strengthens results, simplifies adoption, and improves usability. ACLs integrated family of productsincluding our cloud-based governance,
risk management, and compliance (GRC) solution and flagship data analytics productscombine all vital components of audit and risk, and are used
seamlessly at all levels of the organization, from the C-suite to front line audit and risk professionals and the business managers they interface with. Enhanced
reporting and dashboards provide transparency and business context that allows organizations to focus on what matters.

Call ACL at 1-866-669-4225

or email [email protected]

And, thanks to 25 years of experience and our consultative approach, we ensure fast, effective implementation, so customers realize concrete business results
fast at low risk. Our actively engaged community of more than 14,000 customers around the globeincluding 89% of the Fortune 500tells our story best.
Here are just a few. Visit us online at www.acl.com

2014 ACL Services Ltd.

ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.