- Corporate Security Teams
- Risk & Compliance Teams
- Information Security Teams
Governance, Risk and Compliance
By Resolver Modified September 13, 2021
I recently read the vendor section of the IIA quarterly magazine and saw all the usual software companies (including BPS ) lined up one next to the other with their respective ad copy. It seems every one of us are “the world’s best”, “the new standard”, or “most comprehensive” tool available. I’m going to go out on a limb here and say that all of these companies are good at what they do and you should not feel afraid to engage any of them in a discussion about your audit software needs. As a person who has been in this market for a long time, I can also tell you that the products are generally not the same. The confusing part for most buyers is that if you line each product up next to your standard set of requirements, each product will have a reasonable answer for everything. Most vendors, for instance, offer assessment management and planning, issues management and reporting with ad hoc facilities. Think of these products as cars. They all have wheels, an engine, seats and provide a nice way to start and stop. So what is the difference? What is the best choice?
Ok there is no simple answer other then the obvious. The best software is the one that is right for you and for what you are trying to do. I know this doesn’t sound helpful, but it’s true. Think of the car analogy. Next time you are on the highway (carefully) take note of the vehicles around you and think about their designs. Each is clearly doing the basics well, that is, driving on the highway. But each is also purpose built. Trucks are different than compact cars, which are different than motorcycles. If you have lots of stuff you need to haul, but still want to commute every day, maybe you have a pickup. If your life compels you to drive with speed and style, then a sports car may be the obvious choice. Just going from A to B for as little money as possible? Get a small car. For those in between people, you have one of those small sporty SUV’s that are so popular and kind of do everything OK.
The simplest audit tools basically give you a file tree structure and some standard templates that you can fill out to record your work, attach documents and the like. You rename and reuse these concepts if you want to create an issue or a review note, or if you want to get specific about listing risks, controls, objectives and so forth. When you finish filling out the forms and completing the tree structure, you are done and can save your audit for future reference. Most vendors will create some good looking reports including a final audit report which takes your information and re-organizes it into a friendly output. Some of the same tools are applicable to SOX testing and certain regulatory compliance checklists that your company may need to run. Justifying the expense seems easy and there appears to be little in the way of start-up costs. Let call this system Type A
By contrast, the more sophisticated tools give you the options to set up complete living-breathing pictures of your audit universe through some form of multi-hierarchical system. You can separate your legal, organizational and auditable entities and create elaborate relationships between processes, risk, controls, etc. You can run risk assessments across hierarchies (say, processes), have the results roll up using rules you define, then conduct formal targeted audits using other structures (say, your traditional auditable units). You can even compare year-over-year results. Systems like these expect that auditors may work in teams with junior and senior positions so scheduling and workflow (approvals, notifications etc) and secure roles are well developed concepts in the software. Some have centralized controls libraries with the ability to reference policy, risk, KRIs, losses and other data create a rich central control point from which audits are spawned by the system. These features also lend themselves well to integrated controls initiatives, secure and specific sharing of information between risk management and compliance groups and even some advanced analytical reporting. Let’s call this system Type B.
If your needs are strait forward and will always be that way. I think the choice is obvious. Type A. Even if you’re somewhere in the middle you will be able to stretch the A type of system pretty far. It will (with a little help from the vendor) do quite a bit for you. Say it’s a small car, you can get a roof rack for it and haul home a living room set from IKEA on the highway and it will work. Do this every weekend, however, and your going to be longing for a pick up truck.
The second type of system, delivers the more sophisticated and heavier duty functionality because it is designed from the frame up to do so. This system, however, will take a bit more effort to get up and running and for administrators of the system will require more focus and training. It has more moving parts, and is most likely be more expensive. On the other hand, you will most likely never find yourself constrained; it will be easy to modify to meet diverse needs of a larger group and will integrate well into your IT infrastructure. For some companies, buying for the long term, means choosing a system like this one.
Both systems will work for you but they are built on different frames. You can’t turn one into the other any more that you can turn a small car into a pick-up. The car analogy is a bit silly, I grant you that but I use it because it’s easy to tell a compact car from a pickup truck. It is less easy to distinguish audit software tools during an RFP. If the difference is critical to you and your organization, then I would like to offer you some points to consider when looking at audit software:
1 – Do you need a centralized facility to model your audit universe? For many companies this is a lot more than creating a couple of hierarchies and attaching testing plans to them. You may also need to classify and rate risks, controls, processes and other artifacts in multiple ways (principle risk, organizational unit, key business process, key control, etc.). If you are a global organization you may conduct risk assessments at a different granularity than you conduct audits. Add in geography, departmental risk scoring, results from previous audits and assessments, SOX testing, confidentiality requirements and the whole thing can no longer be managed reliably without a more sophisticated tool. A tool that has built all of these elements properly will ensure that you can make the necessary cross references and connection between these elements and that these connections will drive the behaviour and automation you would expect. Less sophisticated audit tools can, in fact, still work for you. The danger is that they are stretching their concepts to achieve the functionality – meaning you may have unexpected compromises in your future. These compromises usually lead to abandoning part of your system in favor of spreadsheets or some other flexible tool.
2 – What are your expectations with respect to work papers automation? Remember that the goal here should be to make it easier for auditors to conduct their work in a complete fashion and support the final report with credibility. If you only need a system of record, then a less sophisticated tool will do. As long as there are plenty of places to type and an easy way to categorize and link things, you will have little problem ensuring that your work is stored electronically and is easy to access and report on.
Work paper automation, however, can also get quite deep. In fact, I recently sat in on a study of audit tools and found that only a handful of vendors (by their own admission) had actually invested to create specific work paper management functionality. These vendors have created dedicated concepts for things like audit approach, key control matrix, risks, controls, tests, assertions, scoping, issues and evidence. Each of these concepts has their own workflows, collaborative facilities and configurable automation that presents to the auditor as needed. The features are designed to streamline the work, minimize the typing and allows for re-use of standard components and knowledge in the company. By far one of the biggest differentiators in the audit tool space is the amount of support for work papers management or automation. It is basically the difference between a general assessment tool and an audit tool and is always present when comparing Type A tools (basic audit functionality) to Type B tools (sophisticated audit functionality).
3 – Audit planning. Many of the tools available to auditors and compliance folks have some concept that allows for planning. From the audit perspective, we are trying to ensure that the effort of auditing is concentrated in the areas of the business that need it most. For many shops, this means a tool that helps them conduct mini-audits or self-assessments so that they can rank each auditable unit in terms of risk. Ultimately this information is used to design an audit plan for the year. Once again, bigger is not always better here. There are Type A products out there that do a fine job of helping auditors with this task. In fact, many of the products that completely fall down in terms of work paper automation actually have great risk assessment and planning features. Given this fact, please ensure that you understand what your real requirements might be. For instance, are the “assessable units” in your company (the smallest unit that you will risk assess) the same as your auditable units (the organization you will plan and execute an audit on)? Larger or more sophisticated shops often do not bring these two concepts into alignment. Ensure that your candidate system can separately handle the ideas of auditable unit, assessments and organizational unit. Ensure that the scoring rules, and how they roll-up, are not dependant on any single hierarchical relationship. This is all sounding quite technical, but it can be an important subtlety for some companies. All I am saying is that one should take extra care to ensure that you don’t buy a system and then find yourself longing for the flexibility of spreadsheets once again. A few other points on audit planning: Do you desire multi-year planning? And do you consider your staffing and resource availability in the planning process? Finally, is the audit plan a living thing that you are constantly updating based on changing conditions? Or is it a static plan that you re-build every year? The final considerations tend to lead prospective buyers to more elaborate audit Type B tools.
4 – ERM and Compliance. Recently I had a conversation with some thinkers at OCEG and they confirmed for me that auditors are being asked to deal with more compliance testing and enterprise risk management information gathering. The discussion of how tools manage this, or should manage this, is so long that it should be broken up over the course of several blogs (this being already too long as it is). I will say that if the first three items that I have discussed in this piece are built with care and appropriate sophistication, then you will most likely be set up well to help manage ERM and compliance problems for your company. Remember that risk definitions vary depending on the regulation or ERM framework you may be adopting. Control definitions are not any exception either. We have seen risks be defined as root causes (supplier ships bad parts), events (company product fails when customer tires to use it) or consequences (lawsuit and bad press). Similarly controls can be preventative (catch bad parts before they get into our product), or mitigating (ensure we have enough insurance). A unified set of definitions and frameworks on which to hang your company policies will always leave gaps, so ensure your audit product has a way to deal with multiple interpretations of the concept of risk and control. Without this ability, your ERM initiative will be divorced from your audit universe.
In conclusion, please forgive the car analogy (it was the best one I had going for now) and I hope you find some of the points here helpful.Four