In this episode we explain why auditors are looking for alternatives to traditional audit management software and audit analytics software.
Conor McGarrity: Today we’re going to be talking about audit software. There’s a couple of things we’re going to be looking at.
Yusuf Moolla: Audit management software that’s used for managing working papers and the like. And then audit analytics software. So that’s specialized analytics software that is aimed at auditors.
Conor: What’s the main thing that we need to be considering?
Yusuf: For both of them, the main thing is whether we need that specific software for the audits that we do. So, we’ll walk through, both for audit management software and audit analytics software, where they may not be needed and what the alternatives might be. Why is this topic important to auditors? It’s important because there’s a growing, discussion amongst audit teams about software creating headaches. So they can be quite expensive, they usually have reasonably high learning curves – you’ve got to work out exactly how the software works, there’s some limitations in the way in which they’re used – people tend to find workarounds, and then they do create some duplication. These are some of the problems. The benefits of having audit software are numerous. However, they do need to be balanced off against those negative points.
Conor: Let’s start with the first topic then. Audit management software itself. And there’s obviously a lot of commercial products available off the shelves and so forth. And they’ve been around for quite a long time, been adopted and used fairly well by some of the audit teams. But I guess we’re moving into a more progressive stage here, with internal audit and performance audit. What are some of the main considerations you think teams are thinking about these days as to whether or not they continue with the audit software they have or whether they actually need it.
Yusuf: Okay. So, the first thing is can you afford it? So audit management software is quite expensive, or reasonably expensive, and there’s already, and we’ll talk about why this is important, but there’s already significant investment in other services by various organizations that internal auditors or performance auditors would work with. So, for example, Microsoft SharePoint or OneDrive, Dropbox, or Google drives, etc. There’s a reasonable level of investment that has gone on in terms of those. So, to spend money, additionally, in terms of audit management software, sometimes does feel like a bit of a duplication and this good reason for that actually being the case. So, the benefits of audit management software are that it allows you to, in one place, create all of the working papers and reports and scope documents that you need to have. Your methodology is stored there; all work that you do will be in accordance with that methodology because they do, if they’re configured in a particular way, they do enforce the use of that methodology. And then it makes it a little bit easier to review because everything is in one place. And then you’ve got things like document sign offs and sign off stamps and things that you can’t really tamper with. So, particularly when there’s other auditors that are relying on your work, they can come in and see you that’s been done in that way. Those benefits, particularly for small and medium teams tend to be insufficient to overcome the expense and the amount of time that goes into learning the software. We’ve seen a few internal audit teams now, and I’m talking small to medium. So, to define small to medium, this is where you have an internal audit team of anywhere up to 20 people. And for those, we’ve seen a range of them over the last few years, particularly most recently, where cloud solutions are easily available and so widely used, that they’re moving away from using that software. And the reasons for them are numerous, but top reasons for moving away, that it is expensive, relatively, it’s also, difficult to use. So, what we find is that quite a few teams actually record their work in the audit management software and then keep copies of it outside of that in network folders or SharePoint sites or the like. And that means that the software is creating duplication for them. The reality is that for most small and medium teams, they might be able to get away with things like using OneDrive or SharePoint to save their work. They can still save the methodology. Still have scoping templates and working paper templates and reporting templates. If you really need to have sign offs, you can create PDFs with sign-off stamps on them.
Conor: Have you seen internal audit teams in particular, moving away from renewing their licenses or divesting themselves from software to run their audits?
Yusuf: We’ve seen both. So, we’ve seen some teams that had nothing in place and as they were growing, they thought: Oh, we should put some sort of audit management software in place. And they then went through the process of looking at what the various options were and eventually ended up saying: we’re just going to use SharePoint. It doesn’t make sense to go that way nowadays. Then there’s other teams that we’ve seen who have been using the software and have either abandoned their use or have actually divested. So, they’ve canceled their licenses and decided not to have the software installed anymore, as they migrate to newer platforms, particularly where Office365 or something like that is coming in. They can access the documents from anywhere, anytime, through a corporate portal, usually quite well restricted and well controlled. And then they decided, we don’t need to have something on top of that. Now I know that quite a few of the audit management software providers have been creating cloud environments in which data can be stored and working papers and the like can be stored. But for those teams anyway, it feels like duplication and it’s creating unnecessary strain.
Conor: Are you saying some of these audit management software tools don’t give enough flexibility to the way teams are moving?
Yusuf: I don’t know that it isn’t necessarily flexible, but software really is something that enables you to do your work better, in theory. So, you don’t really want to be learning too many different ways of using the same type of software. For example, Microsoft Suite or the Google suite is something that we all use all the time, and we learn how to use Word, we learn how to use Excel, we learn how to use PowerPoint. And then we learn how to use OneDrive and sync within OneDrive. We learn how to use SharePoint because we need to have documents in there. If we then have to learn yet another piece of software that we have to store our documents in and record our documents in and work out how to open a file, how to close a file, how to bring methodologies in, how to review within there, it then becomes additional overhead. It becomes clunky when you’re combining various software and you have to use yet another piece of software to achieve a particular purpose. So simple is better.
Conor: Some of the main considerations there. Can we afford it? Which is quite an obvious one. Is it fit for purpose for us as a team? Maybe we’re not a large team, are we still getting the value out of that system, given that there are all these other options available that may suit our purposes better.
Yusuf: Where you’re moving towards a more agile approach to conducting audits, the traditional software – and I’ll say traditional software because even the latest versions that might claim to have AI built in and agile disruption covered, etc., they’re still built in a traditional waterfall project methodology way. And so if you are conducting your audits in a slightly more agile way, then there are other options, that project teams themselves are using for their agile projects that you may be able to adopt rather than trying to squeeze an agile approach into a traditional audit management software approach. So that’s audit management software. Next up is audit analytics software, and this is a little bit different. There have been many teams over the years that have been using specific audit analytics software. We’re not going to name names as we haven’t before, but usually they’d have three letter acronyms or four-letter acronyms. Now that software was created for auditors. And even with audit management software or just like with management software, the auditors that they were created for, typically financial statement auditors. So external auditors. The same doesn’t apply or what people within internal audit or performance audits need is different because yes, they both called audits. And yes, there will be overlapping people that are recruited in from external audit to do internal audits or performance audits, but they are very different services that are being offered. And there’s very different expectations in terms of the delivery from those audits.
Conor: Can we tease that out a little bit? One of the key differences in terms of the external auditor’s needs versus the internal auditor or performance auditor is that most of the work they do year on year is repeatable. The same sort of tests, albeit maybe a new data set, whereas internal audit and performance auditors may have more tailored requirements in terms of their analytics for almost every project, but that’d be the key difference.
Yusuf: That’s one of the differences. Financial statement auditors would generally have larger teams involved in them. So, you would need to have a clear separation between review and approval. Your financial statement audits are delivering a product out into the public because your financial statement goes with an audit opinion, particularly when you’re dealing with larger listed entities. Whereas your internal audit reports are all within the organization and performance audit reports are out to the public. They’re quite different. We’re not providing an opinion on the soundness of financial control. The makeup of those teams would be different and then the actual work that is done is exactly the same, as you said, year on year. There’d be changes in methodology and there’ll be specific risks that are identified in particular years, but for the most part 80 plus percent, if you like, of the work will be the same year on year. Internal audit and performance audit. Every project is different. Every project has its own set of risks. And then you also have project audits and you have BAU audits and you have technology related audits. Some will be shorter than others. You may have a level of consistency between a few projects, but you’re not going to have this I do the same thing every year that financial audit does. What that means for audit analytics software is that you don’t want to have something that you necessarily going to create a whole bunch of routines for, and then execute it every year. That’s not the purpose of audit analytics software. And actually, that’s what audit analytics software is doing. So, it’s actually going against what it’s set up for – most audit specific analytics software. The other thing is that there’s a range of prebuilt routines. Now those prebuilt routines will work quite well for financial statement audits. So, you know where you’re looking at gaps and duplicates in invoices. That doesn’t work for internal audit because internal audits for the most part, want to follow a hypothesis-based approach. And those prebuilt routines are putting you into putting into a quarter, a square space where you have to execute it in accordance so that now you can create additional scripts and the like, but then the problem with that is you learning a scripting language that you can only ever use for audit purposes, unless somehow somebody outside audit is using the same sort of language, which doesn’t happen very often because audit analytics software isn’t that scalable? It doesn’t have the newer techniques and approaches that you need. So broadly audit analytics software is a no go for me anyway. and the reasons are, first of all, you don’t need to have prebuilt routines for internal audit performance audit. In fact, you don’t want them, secondly, , audit logs, and this is something that’s often brought up , as a benefit, you have an audit log that’s built into your analytics software, that audit log exists in order to show what was done before. So, somebody else can redo it. With newer workflow style software. You don’t need that anymore because your workflow actually captures the sequence of events. the audit software would have menu driven steps. So, you would. select, data coming in and then you would execute from a range of preexisting menus, looking for gaps and looking for duplicates and doing joins that may or may not work, et cetera. And then what happens is that the steps that you’ve taken, I actually recorded in a log. And so somebody else that’s coming in that wants to do the same thing. Again, you can look at that log and execute it. or if you want to re execute what you’ve done before with workflow style software nowadays. So KNIME, Alteryx, Lavastorm, etc., usually have far better functionality. They may not have people or teams, but far better functionality. that’s workflow style software. So, whatever you are building exists in the workflow. So, if you want to see what was done before and rerun it, you just open the workflow, tweak a few things if you need to and rerun it. So that argument is out the window as well. so broadly audit analytics software is something that I would stay away from. they haven’t kept up with the times. You don’t need prebuilt routines and you don’t need the audit logs.
Conor: So, you say they haven’t kept up with the times albeit at that the internal audit profession and the performance audit profession is a huge market. So why have these audit analytics firms been targeting more the financial statement auditors in terms of the product they’re producing?
Yusuf: They’re not targeting financial statement auditors. But they use the financial statement, audit approach to create the software that is then sold to internal auditors and performance auditors as well. The objectives for the use of analytics, the way in which analytics should be used is different. but the software doesn’t cater for that difference. And so what ends up happening is that particularly where you have teams that aren’t very fair with analytics or, are used to doing analytics in a particular way. They see that as the right thing to do. and so the software is actually creating disadvantage by, not allowing for the full range of possibilities that exist with analytics.
Conor: So, it sounds like there’s a real risk there that, some internal auditors or performance auditors may be shoehorned into certain testing regimes because it’s pre-built into the analytics software. Rather than taking that hypothesis-based approach. Is that a real risk?
Yusuf: That is a real risk. And in fact, even until not until recently, but even as recent as last month, we had a question from somebody that had used audit analytics software. And the question was, what sort of routines would you recommend for. And the answer to that was that prebuilt routines is something of the past. Like we used to do that 20 years ago. It’s still worth looking at to get some idea of some of the potential tests that you can do. But if you focusing purely on prebuilt routines, which is what a lot of the audit analytics software providers are pushing for, because that’s one of the benefits that they explain, then yes, you’re creating a risk. Because you’re looking at things based on analytics routines that exist rather than looking at things based on what it is that you need to do, what your audience needs, what the objective is, what the risk is, what sort of hypothesis you’re looking to cover.
Conor: It’d be really interesting to , get a better handle on how much of that is through lack of awareness or lack of education about the limitations of that current software versus perhaps trying to just do something, knowing that the software they’re going to be using is not fit for purpose, and they’re not using it in the right way in any event.
Yusuf: If you’re an audit team that doesn’t do analytics work all the time and we’re seeing more and more analytics work being done, but particularly medium-sized teams don’t necessarily have the same sort of budgets that the larger sized teams would have, you do look to your vendors because they’re meant to be the experts in the field. They’ve got hundreds of people working for them, bolding the software and creating different ways in which to use it. So, the expectation is that you would get some benefit by having a relationship with those vendors. When in fact it’s, like you said, creating a risk.
Conor: We need to go back and make it very clear when internal or performance auditors are starting out in their career, some of the limitations that exist.
Yusuf: Reality is that it would definitely help to have newer people coming in, understand what the differences are and what they should, and shouldn’t be using. It’s equally important for, senior managers and heads of audit to understand as well, because largely they’ll be the ones that are driving the adoption of such software within the teams. However, that bottom up approach is useful as well because often heads of internal audit will look to their teams to understand what it is they want to use. when I started doing audit work, I used one of those and I think it was the three little one that I used for some time. It really worked at the time, but this was 20 years ago. So, you’re not talking about the same sort of situation. So, if all I knew was that software, then that’s what I would be looking for. And if I had a vendor coming in and showing this to me, that’s what I would be looking for. That’s what I would know about. But if somebody in my team came and showed me something different than I would hope that I’d have the wherewithal to look at that a little bit differently. Yes, it’s important. Both for more junior people coming in, but also for senior members of the team.
Conor: Some of the key questions that need to be asked these days when any audit team is looking to buy audit management software or renew their licenses or consider if indeed it’s still fit for purpose for them? Can they afford it? Is it the right fit for their team? And probably most importantly, can you get the scene all you and functionality from some of the other products. the second thing was audit analytics software. The main take away from me there was that, it may have been designed for a different purpose and that maybe we need more of a bespoke attitude to our internal audits and performance audit when it comes to all of the analytics, instead of trying to shoehorn a particular product to actually suit our testing.