Eliminate guesswork in your internal audit program

Gain structure, integrity and insights for internal audit, risk and compliance

Throughout my time as an internal auditor, one of the most important roles the internal audit team played was identifying issues and risks within the organization, monitoring those items to completion, and reporting on their status. As we approached the end of each quarter, this responsibility became more pronounced and urgent, as this was our time to shine, our time to justify our existence and demonstrate that we were adding value to the organization. But when reporting time would come, we always seemed to find ourselves in scramble mode.

This was particularly frustrating because we all knew we were doing quality work, that we were identifying key items that truly required management’s attention. Unfortunately, we lacked a reliable system for documenting and tracking these issues. Sure, we had the shared spreadsheet where everyone could input their issues, but having multiple people access the same spreadsheet on a shared drive was inefficient and cumbersome. To make matters worse, the best part about using spreadsheets (their unending flexibility) led to a variety of data integrity and reporting issues. It was too easy for us to input bad data, and this inevitably led to challenges and inefficiencies in the reporting process.

We also struggled to check in with management on the status of their issues. Because our collection and monitoring process was so disjointed and hard to work with, we usually didn’t perform any meaningful follow up until we were a week or two out from the audit committee presentation. Three months would have passed since we last checked in with an issue owner, and often the due date for their remediation plan would have come and gone. When we’d finally get around to following up with them, all too often they would say, “yeah, I know I said I’d be done by the end of October, but now I need until February at the earliest.” As you can imagine, it was not a fun experience to tell the audit committee that an issue they were expecting to be resolved was now being extended indefinitely.

Eliminate the Guessing Game: The Role of Technology

There is little to be gained by playing this guessing game, outside of additional stress and scrutiny which are already plentiful enough in our lives. But there is good news. Sometimes the byproduct of pain and inefficiency and drudgery is the realization that there must be a better way to do this. And the good news is that there is most certainly a better way. Advancement and improvement, whether monumental or incremental, is always within our reach. As long as we are willing to accept that something is broken, it becomes infinitely easier to fix.

Onspring’s no-code Governance, Risk & Compliance Suite helps you take control of the information that you rely upon to deliver value to your organization. By centralizing your data, assigning clear ownership for each critical component, enforcing security and data integrity, and leveraging clear and dynamic reporting, Onspring can help you take the necessary steps to eliminate the guesswork in your professional life. Staying with this example of managing audit findings, our clients have been able to gain the following insights about this critical process.

  • They know at any time how many open findings they have, which audit projects they relate to, and their overall severity gave the level of risk they represent to the organization. They can also track and report on repeat findings, allowing them to identify patterns of behavior that could adversely impact their organization.
  • They have a clear understanding of who is responsible for each mitigation action. They have the ability to efficiently follow up with mitigation owners, alert them of agreed actions that are either coming due or have gone past due. And they can clearly demonstrate the impact on the organization when these mitigation plans are not completed on time.
  • They have given their business owners the ability to provide periodic updates on their mitigation plans and formally request due date extensions when required. This gives them confidence that the owners of the plans understand what they are responsible for and are working to resolve their issues. They also can track the frequency and extent of due date extensions, allowing internal audit to identify situations where commitments are not being met.
  • They can place all findings in the broader context of their organization: what locations, risks, controls, applications, etc. are impacted by this finding? Understanding these relationships allows our clients to prioritize their efforts and ensure that they are paying proper attention to the most critical issues their organizations are facing.

This is one simple example of how Onspring can gather seemingly simplistic bits of data and transform them into meaningful and actionable information. And it’s not just limited to internal audit findings or even internal audit in general. Our solutions can help bring this level of understanding and control to your Compliance, Risk Management, Vendor Management and/or Business Continuity programs, as well as any other area of your organization that can benefit from structure, integrity, and insight.

About the author


Jason Rohlf
Vice President at Onspring
20 years internal audit & GRC experience