Internal Auditors Negligent in Use of Technology

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


For many years, Jim Kaplan’s AuditNet has been a wonderful source of audit programs and more. In fact, Jim was presented with the Bradford Cadmus Memorial Award in 2007 for his contribution to the profession.

Recently, AuditNet published a scathing 2012 State of Technology Use by Auditors (PDF). It appropriately bemoaned the failure of internal audit departments to make good use of technology to improve the quality and efficiency of its assurance and consulting work.

The three primary findings were:

  • “While audit software tools have been available for almost 2 decades, auditors and audit departments are not making full use of the technology.
  • Auditors use audit software tools mostly on an ad hoc basis with some repetitive use, and departments do not have a strategy or plan to integrate technology in the audit process.
  • The main reason for limited use of audit technology tools is the cost of the software and training and management resistance to change.”

But the picture is, in my opinion, far worse — making the current state tantamount to negligence.

What am I talking about?

Jim’s review was based on the adoption and effective use of traditional audit tools that have, as he points out, been available for ‘almost 2 decades’. But, we have technology today that has brilliant capabilities for internal auditors that few are even considering because they remain wedded to traditional, audit-oriented tools.

Internal auditors worry about risks when it comes to management using new technology, but are blind (with a few exceptions) to the potential of these tools for internal audit! Open your eyes and just imagine the possibilities!

  1. Business intelligence and related tools. Management is using solutions from IBM Cognos, Oracle Hyperion, and SAP BusinessObjects and others to monitor the business, analyze results, and make quality decisions. There is no reason for internal audit not to use these tools as well; they are paid for (addressing the third bullet, above), supported by the organization’s IT department, used by financial and operational analysts who can be tapped for existing reports and experience with the products, and run against reliable and secured data sources. The continuing development of tools for predictive analytics has exciting potential for internal auditors seeking to understand risk levels not just now but in the next months.

  2. Mobile. Not only are more and more enterprise applications moving to mobile, but so are analytics applications. Here’s a video from Oracle that covers the topic in general and one by SAP’s Chief Marketing Officer that describes how he manages the business using his iPad.

The AuditNet report includes ten recommendations, an “Action Plan for Auditors.” I would add some at the start of the list:

  1. Develop a strategic plan for internal audit, with consideration of the more significant risks that are likely to warrant attention as well as the need for upgraded risk monitoring.

  2. For each area, identify how technology can be used effectively — whether as part of a continuous auditing program or to support traditional, project-based engagements.

  3. Recognize that just as risks are addressed by a combination of controls (which may include IT general controls), recognize that you may need a combination of tools (for example, to audit both business process controls and controls within IT processes).

  4. Understand all the technology that is available to be used, not only (traditional) tools designed for auditors but those used by management in finance, IT, and across the enterprise and those that management is planned to deploy.

  5. Understand constraints on the use of technology, including resources, and consider them in the strategic plan as well as in the plan for the current period.

Organizations of all sizes and in all sectors are deploying new technology in exciting ways. Why aren’t internal auditors doing the same?

Posted on Oct 1, 2012 by Norman Marks

Share This Article:    

  1. I do agree with Norman in some other way round, especially that 5 points added to the  points in the AuditNet Report but futher study should be conducted to prove critisism of negligence in fully automation of the Internal Audit Activities

    Adopting or non adopting of new technology for internal auditor depends in the number of factors, but commonly depends on IT environment of the Organisations in deploying new technology.Taking example a case study of the public sectors in Developing Countries. Till today some of them are still using traditional governance approach which involves manual business operations. In that scenario how can an Internal Audit be negligent is deploying modern technological tools in his/her audit work?

    I strongly and fully will agree to this survery, if the author would have have consider other factors to be constant such as IT environment of the Organisation.

  1.  As as a CIA who has embraced IT over my three decade career, I found  the most important factor in my ability to fully employ tools like relational databases, Oracle Financials and IBM Cognos was my decision to add a systems analyst to my staff.  Having a trained systems analyst as a member of the audit team who, though not an auditor or accountant, allowed our group to effectively interface with IT departments both within and outside our organization.  I had some convincing of management to do to get permission for the hire, but, once I did, the team's auditing expertise, combined with the technical know how of the analyst allowed us to implement full SAS and ACL functionality almost overnight and to then construct database supported control and risk models of our organization... the quality of the analysis we were turning out delighed management and all grumbling about the appropriateness of a systems analyst reporting to the Director of Internal Audit almost immediately ceased.... I highly recommend the practice of adding systems people to your internal audit team... a whole new world will open up and you may be able (as I was) to recover enough dollars from your enhanced analytical capacity to make the IA function more than pay for itself.  A win-win all the way around... especially at budget time....

  1. There are other considerations to keep in mind.  While I am quite proficient in a number of audit tools (and I include Access and Excel along with SAS and ACL), we should also consider whether there is a problem in the current audit process before jumping onto the automation bandwagon.  Is it necessary to review 100% of the data to report that there is a control weakness?  Do we need a continuous audit process for a quarterly control?  If an 80% confidence level in our sampling has been accepted for 20 years, do we really need to reach or a 95% or 99% confidence level?  If the scripted analysis results in 25 false positives, is that any different from pulling an initial sample of 25 for a manual review?

    I'm not against technology.  I was a programmer for many years before I moved into IT auditing, and have a healthy appreciation for the benefits of automation.  But I also know that it is not the answer, it's just a tool.  The best tool an auditor has is located just above the shoulders, and the best computer program in the world can't replace a good mind.  And as a final thought, many of us who have served in the military are familiar with this adage:  "Better is the enemy of good enough."

  1. Richard, you raise a key point: that technology should not be adopted for its own sake. It should be adopted because there is a business need, either to improve efficiency or effectiveness.

    But I think there are challenges in the new world of risk-based assurance and consulting services:

    1. We need to audit the risks that matter now, rather than what was identified as part of an annual assessment and plan. How do we stay informed of changing risk?
    2. We need to provide assurance when it is needed, and in a fast-paced world can we rely on traditional methods that take months to deliver an opinion?



  1. I worked in Internal Auditing for about 35 years after public accounting. I worked in Northern Virginia where I became friends with Jim. Even helped him get AuditNet started.  I highly respect his Internal Auditing knowledge, skills, and opinions. Before I retired I pushed hard and finally got my organization to adopt and install a quality bases paper-less Internal Auditing system, one Jim highly recommended. I also totally agree and support the standards Jim advocates.  I have tried to get these implemented, having limited success over the years. After retirement, I have been active in my small town retirement choice to get local government to implement internal auditing with emphasis on these opportunities for internal auditing. No success so far. But, as Jim has shown over the years, never give up.

    Jim, thanks for telling it like it is and recommending how it shouldT6Yct4 be! 


Leave a Reply