In a recent blog posting, The Audit Department's Unseen Risks, we discussed the problem of overreliance on Microsoft Office, specifically Word and Excel, for performing audit and compliance work. With these applications, we find that the tools are not complex enough for our needs.
EVERY AUDIT AND COMPLIANCE DEPARTMENT’S NEEDS ARE COMPLEX, AND YOU NEED COMPLEX TOOLS DESIGNED FOR THE JOB. As an audit or compliance professional, what type of software do you really need? At what point does your software solution go from being complex to simply confusing? A major topic in the past five years has been Governance, Risk and Control, or GRC Software. Many companies explore GRC Software solutions for their audit and compliance needs, but how do you know if a GRC Solution or an Audit Management Solution is right for you?
What is a GRC Software Solution? To answer this question, we will look to the professionals. In a September 2014 article, The GRC Reset, by Paul Proctor, VP Distinguished Analyst at Gartner, he explained that, “GRC is one of the most flexible terms in the vendor lexicon, because most of them use it to describe whatever they are selling. Also, many of these products are shells that can be programmed to do whatever you need them to do”.
Most consumer organizations see GRC solutions as a magic bullet, a singular piece of software that addresses the needs of many departments. Many times, however, GRC tools are actually a series of smaller applications that can be connected to interface with each other, and the level of interconnectedness varies greatly. When purchasing these tools, you will likely purchase separate applications for risk management, policy management, resource planning, controls management, audit execution, reporting, issue tracking, and content management. You may also need to purchase a subscription for updated content. Also, you will generally need to license the software for your staff as well as for any management or other stakeholders involved in the process.
GRC consultants will then use these applications as a starting point to custom build the software to meet your needs. The cost for building the software can be very high, and based on your needs, the time to develop can take from a few months to a year.
Highly customized software can be a wonderful solution, as it may be able to meet all of your needs in your specific environment. Unfortunately, the pace of technological advancement is fast, and getting faster every year. IT departments often have to push the organization to make changes to business applications in order to keep up with technology changes such as security updates or new releases from Microsoft (e.g. Office, Windows, or Internet Explorer). Since the software has been customized, upgrading or updating it can be very involved, typically requiring the vendor to take the software out of production, which leads to a period of lower productivity for your staff.
The recent focus on Governance, Risk, and Control processes is a wonderful improvement for the audit and compliance industry. By taking a high-level, organizational view of risks and controls, we can integrate the audit plan deeper into the enterprise objectives. As a best practice, we should approach organizational governance, risk, and compliance by strategizing at the macro-level and executing at the micro-level. To accomplish this approach, you should take into account all of the work being done throughout the organization that relates to enterprise goal setting and related risk assessment. The outcome of these enterprise risk assessments should be used as a starting point for your own risk assessment and planning phases. Your needs may be met best by using software and tools built specifically for audit and compliance departments, without the unnecessary extras included in a GRC solution. With rightsized audit management tools built to meet your specific needs, you can obtain the optimal amount of complexity to get the job done, while not overwhelming your staff with confusing software or redundant tools.
Typically, an audit management system will provide a better experience for the end-user auditor than a GRC solution. While a GRC tool is built to capture risk data, it may only include broad, often generic, audit coverage. An audit management solution is designed specifically for the auditor’s needs. An audit management tool should incorporate all aspects of the audit process, from the risk-based audit planning stages through audit execution and reporting, both at the audit level and for the audit committee. By using a single software application that incorporates all of these functions into one package with a consistently presented, common interface, your staff will gain efficiencies by leveraging the automated features of their tools. On the other hand, an Audit Management system will probably be an off-the-shelf product that is configured, not customized. Where a GRC vendor might commit to customization to meet every requirement your department can list, an Audit Management vendor will likely tell you the feature does not exist in the current version of the software.
Inevitably there will be some tradeoffs in the GRC vs. Audit Management decision. A GRC solution is exactly what some departments need, but for many audit and compliance departments, the scope of a GRC solution is too large. Single tools designed to address everything at the same time can end up doing a disservice to the individual components, as departments are forced to adjust their processes to fit a solution designed for another business function. Auditors often talk about the “tools in our audit toolbox”, and your software solution is another one of those tools. One of my colleagues recently compared auditors to mechanics. A mechanic evaluates a complex engine system and makes recommendations for preventative measures or corrections. The mechanic uses tools, like wrenches, in this process, but he generally has an entire set of wrenches. For a complex system, there is rarely a one-size-fits-all solution. In a recent article by Michael Rasmussen, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, he said that “Organizations are best served through a federated architecture that allows for best of breed GRC solutions where they make sense and does not force the organization into the lowest common denominator through one platform that tries to be all things to all needs.”
Our advice on this is simple: do your homework. If you are planning to introduce software into your department, take it seriously. The software you choose will shape many of your audit processes for years to come. Ask for and check references. During product demonstrations, have the vendor show you the features you need most, not just tell you how they work. If you are evaluating different products, ask open-ended questions like “how does something work” rather than “do you have a feature”. Finally, ask for specific implementation timelines and costs. You should have a clear understanding of the process with the vendor you select. Finding the right tool for your department can be an extensive process, but once in place, the technology should be one that meets your complex needs.
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has assisted numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.