Why Companies Are Not Implementing Audit, Antifraud and Assurance Software…and How to Fix It

Enfea - Isaca

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

2 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Copyright © 2006 ISACA. All rights reserved. www.isaca.org.Why Companies Are Not Implementing Audit, Antifraud and Assurance Software…and How to Fix ItBy Dean Brooks and Rich Lanza, CPA-CITP, CFE, PMPhy doesn’t everyone have a comprehensive suite of Too Many New Productsaudit software tools? While researching the book, it was discovered that roughlyW This is an interesting question. In business, certain half of the products available to auditors today had beentools are taken for granted as being needed by essentially launched since 2002, after the US Sarbanes-Oxley legislationeveryone. Everyone who uses a personal computer has e-mail was passed. Although many were Sarbanes-Oxley-related riskand a web browser, a spreadsheet and a word processor. A new management or control self-assessment packages, there werehire sitting down at his/her PC for the first time would be new products (as well as a dramatic rise in the pace of productastonished—maybe even insulted—if these basic tools were not releases) in most categories.available. In the Sarbanes-Oxley market in particular, the authors expectAuditors have these tools like anyone else. But if we try to to see a shakeout among vendors, as the relatively small auditdefine even one software tool specific to the audit profession software market cannot support 20 or even 30 different products allthat is required on top of these basics, we fail. It does not chasing the same pool of buyers. Mergers and acquisitions ...

Informations

Publié par	Enfea
Nombre de lectures	14
Langue	English

Extrait

Why Companies Are Not Implementing Audit, Antifraud and Assurance Software…and How to Fix It

By Dean Brooks and Rich Lanza, CPA-CITP, CFE, PMP

hy doesn’t everyone have a comprehensive suite of audit software tools? toolsWare taken for granted as being needed by essentially This is an interesting question. In business, certain everyone. Everyone who uses a personal computer has e-mail and a web browser, a spreadsheet and a word processor. A new hire sitting down at his/her PC for the first time would be astonished—maybe even insulted—if these basic tools were not available. Auditors have these tools like anyone else. But if we try to define even one software tool specific to the audit profession that is required on top of these basics, we fail. It does not matter if one breaks down the profession into categories and looks just at internal or external auditors, fraud examiners, IT auditors, audit managers, etc. No category has an indispensable tool that every person needs. The strange thing about this is that software excels at processing huge amounts of information in rigorous, repeatable ways—and auditing is nothing if it is not rigorous and repeatable. Why are so many proven, powerful productivity tools begging for users? In researching the2005 Buyer’s Guide for Audit, Anti-Fraud, and Assurance Software, the authors studied more than 100 software products and spent more than 500 hours analyzing them. About half of these were designed specifically for auditors and accountants, often by other auditors and accountants. In nearly every product area, a similar story was found: auditors are slow to adopt professional software created for their needs. It did not appear to matter very much whether the task was risk management, project management, control self-assessment, fraud investigation, data analysis or even routine tasks such as generating confirmation letters. The largest single share of work in any category was typically being done using Word, Excel and e-mails, which is memorialized in survey after survey of the audit profession. There is a real gap between the impression created by trade shows, advertising and enthusiastic sales people, and what actually gets implemented. It was very rare to find a vendor that held more than 50 percent of its potential market. Vendors often spoke candidly of their main problem not being competition from other products, but their inability to get auditors to buy and use any product at all. This article will focus on three key reasons why this situation prevails: 1. There are too many new products out there, particularly related to Sarbanes-Oxley. 2. Getting data and doing analysis are very difficult. 3. There are insufficient resources—time, people and money— especially for enterprise-level solutions.

JO U R N A LON L I N E

Too Many New Products While researching the book, it was discovered that roughly half of the products available to auditors today had been launched since 2002, after the US Sarbanes-Oxley legislation was passed. Although many were Sarbanes-Oxley-related risk management or control self-assessment packages, there were new products (as well as a dramatic rise in the pace of product releases) in most categories. In the Sarbanes-Oxley market in particular, the authors expect to see a shakeout among vendors, as the relatively small audit software market cannot support 20 or even 30 different products all chasing the same pool of buyers. Mergers and acquisitions are up dramatically already. This is a pattern familiar to everyone from the “dot-bomb” era of web-based businesses. What is more troubling for vendors today is that no one has proved, as yet, that Sarbanes-Oxley software is necessary to maintain an affordable level of compliance to the new laws. There are bright spots in the way of case studies, but for every one, there is a company that uses Microsoft Excel instead of an audit-specific solution. Sarbanes-Oxley tools remain a “nice to have” for the estimated 80 percent or more of public companies that completed year one without buying new software. There is understandable hesitation to buy from any vendor when the requirement is uncertain and no one knows which vendors will emerge as dominant in coming years. In more established audit software categories, such as workpapers, data analysis or forensics, there is some pressure on vendors from new arrivals and changes in technology. This may be a reason for some not to buy, but the basic problem remains that many audit shops (particularly small departments, small accounting firms or sole practitioners) have not gotten around to implementing even the tools that have been available for a decade or more. In these categories, one must look for other explanations—see the next two sections. Finally, in many niche categories, such as telecommunications analysis software, presentation software, wireless communications, flowcharting, spreadsheet checking and web demonstration software, the main problem seems to be that auditors are often unaware that the category even exists, or they are too busy to investigate. Groups of auditors have been asked about cheap, easy-to-implement and highly useful products, such as an electronic bank and accounts receivable confirmation system or a spreadsheet audit tool. Most respondents either have not heard of the products or have never seen one in use. These products typically do not require a license for every member of the department or long training times, and they cost no more than Excel or Word. They rarely involve an all-or-nothing commitment in which every job must be done using the tool, or none. They make an ideal case for casual, gradual implementation. But, auditors are generally unaware of their many options here.

Getting Data Is Too Difficult This is a multipart problem. First, audit departments do not always have a strong, cooperative relationship with IT. Audit needs are low priority and only become a high priority when there is a “hot” fraud case or senior management request. Second, even when electronic data files are available, a certain level of experience and knowledge is needed to deal with all the technical issues relating to file formats, inconsistent spelling and entry errors, multiple sources, etc. Larger departments tend to delegate all such tasks to one person, who becomes their internal IT resource. But this option is not available to smaller organizations, and even where it is available, succession planning is rarely done, so the organization’s resource is lost every few years, and much of the practical knowledge gained goes elsewhere. Third, even when data have been properly reformatted to allow complex tasks such as continuous monitoring, data analysis or fraud investigation, the skills involved in visualizing data manipulation or writing scripts are not widely found among auditors. The authors estimate that half of the work done in the data analysis area is performed by no more than five percent of auditors, most working in large organizations. The rest of the audit world either does the analysis the hard way, by printing hard copy reports, or transferring the data to a spreadsheet, or simply does not do this type of analysis. This is unfortunate, in the authors’ opinion, because an organization’s ability to do intensive data analysis is closely related to success in implementing enterprise-level software projects. Generally, if there is no one in the organization who is already running automated testing using some desktop tool and who is familiar with all the data sources and data issues, it will be much harder to get any benefit from enterprise-level continuous monitoring or risk management. A single skilled individual can sometimes accomplish more in a week with a company-issued copy of Microsoft Access on a laptop than a department of 50 unprepared people can with US $250,000 in business process management software (BPM) and months of struggling. This is not a complaint about BPM software; it is a fact about human skills and motivation. Data analysis must be made much easier to do, so a higher percentage of auditors can do it routinely. However, more user-friendly tools are only part of the solution. The audit culture must also change. Auditors must see technical skills in data analysis as a professional requirement.

Not Enough Time, People or Money Despite the new post-Enron glamour of audit and accounting as a career and the higher priority given to audit by management, audit departments still do not have the resources to do everything at once. By the time they catch their breath from

all of last year’s work, they are off to the races again for the upcoming year’s compliance. The concern here is that there are simple steps that can be taken to increase productivity without huge investments in new software or training, and these should generally be taken first, before implementing companywide Sarbanes-Oxley-related risk management databases or other complex projects. Often, an organization finds itself in a panic to reach goals in one year that would have been easy had they started a year or two sooner. The authors’ advice is to take a step-by-step approach: • Find more than one “champion” in the organization for the positive benefits of automating risk management, control self-assessment and data analysis. • Support the champions with a modest but steady budget for new software, freedom to attend training and conferences and to do peer networking, and focus the attention and interest of higher management. • Focus on achieving a real, measurable return at each stage, such as reducing or eliminating a particular kind of error, cutting labor costs for quarterly or annual audit tasks, or obtaining substantial monetary recoveries from analyzing inefficient payables operations. • Ensure that the annual audit plan contains efforts to automate, whether through audit process enhancement or improved data analysis.

Conclusion The old cliché about the glass being half full or half empty applies to the present half-commitment of audit to using productivity software. There is much that has not yet been done, but ought to be. When it is, auditors will not only make a larger contribution to the success of the organization, but they will enjoy better working conditions, more job satisfaction and higher confidence in their organization’s success.

Dean Brooks is president and owner of Ekaros Analytical Inc., a publishing and consulting company that focuses on audit and analysis. He has edited and published numerous audit-related books. He is a coauthor on the newly released2005 Buyer’s Guide to Audit, Anti-Fraud, and Assurance Software.

Rich Lanza, CPACITP, CFE, PMP has more than 13 years of experience using audit, antifraud and assurance software. This knowledge and experience was codified into his recent publication, the2005 Buyer’s Guide to Audit, Anti-Fraud, and Assurance Software. Lanza also founded AuditSoftware.Net, a free web site devoted to using technology for generating bottom-line results.

Information Systems Control Journalis published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one toreceive an annual subscription to theInformation Systems Control Journal. Opinions expressed in theInformation Systems Control Journalrepresent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of thisJournal. Information Systems Control Journaldoes not attest to the originality of authors' content. © Copyright 2006 by ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprintor republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

JO U R N A LON L I N E