I’ve worked in the compliance and risk field for almost 15 years. Every company I’ve worked for and with has had policies; all of them also had and made exceptions to their procedures and guidelines. The way the policies were written, stored and communicated tends to be similar across organizations. However, the way exceptions are managed is less consistent. Depending on the company’s size and maturity, exceptions might be granted during simple a hallway conversation; or in a more formal method, as a multi-level risk analysis and approval workflow using a technology.
As someone who has worked with auditors for over a decade implementing software to help streamline their audits, I can undoubtedly say that the auditor stereotypes are mostly untrue. First off, I’ve met several auditors that I would consider “glass half-full” people; the kind that would be more likely to say, “What would we do if Karen won the lottery and quit?!” rather than “What would we do if Karen got hit by a bus?!”
Let’s consider everything auditors do. Their best work might be getting organizations to simply follow the rules—when they get groups to comply with rules and regulations, I think that’s a super feat in and of itself. But there is far more to being an auditor than just following the rules, and that’s where the superhero thing comes into play.
I am what you might call a late bloomer. It took a while, but I finally feel like I’m coming into my own with this whole “being a professional” thing. I share this because in my early days as an internal auditor I didn’t really grasp the concept of why we were doing what we did, let alone how we were helping drive a risk-focused culture in our organization.
To some, the constant barrage of “why” questions from their kids is irritating, but to me it was my very favorite thing about having those youngsters in my house. The concept of “why” is rooted in learning. When you ask this question, you are seeking to gain knowledge, perspective, understanding—you simply want to figure it out.
Onspring recently conducted a survey, reaching out to audit professionals to find out about future trends in the internal audit field. Putting together tangible questions that deliver concrete results on current practices in internal audit and risks that may impact the field in the future was our target, and that was accomplished.
A lot of times when we start showing a client our out-of-the-box audit solution, we’ll be told, “Oh, that’s pretty close to what we already do.” We’ll have to tweak a couple of fields, but what Onspring starts with initially is usually all that a lot of clients will need. We take a lot of pride in the fact that we’ve added and shaped our audit solution to meet most of the needs presented to us by customers.
Much like my fishing trip, you should begin defining your requirements and planning early on, maybe even wade around in research materials for a few months before beginning the purchasing process itself. It is of paramount importance to ask yourself the tough questions that will help shape and define your scope—questions around your budget, specific needs, timeline and workflow requirements tend to work best.
I recently had lunch with an audit executive who told me her team needed a new audit software solution. However, she kept putting it off because she felt overwhelmed by the myriad of options and the process of finding one. Wading through solution websites, stretching out mentally to determine which functionalities are marketing fodder and which are real, knowing she’d have to sit through numerous demos; she said she felt exhausted before she’d even begun!
The Onspring Admin Audit History report—this report logs every configuration change made in the system. When finishing a project or you need to count up the hours spent administering a site, pull up this report, set the filters based on the user account and date range (if any). Once the filters are set, you can export the data to Excel.
Selecting an IA software platform is not always an easy choice. To begin with, there are many stakeholders involved: audit staff, management, process and control owners, the audit committee and the board. Then tack on a wide variety of auditable entities: business units, processes, organizational functions, applications, facilities, etc. Finding a single management platform that can bring all of these elements together in a way that fits the size, scope and methods of your IA department is no easy task.
A quick Google search for “internal audit software” reveals a long list of available solutions. Many of these providers (Onspring included) exhibited at the recent Governance, Risk and Controls (GRC) Conference in Phoenix, co-sponsored by the IIA and ISACA. In terms of sheer quantity of choices, internal auditors have no shortage of software at their disposal. But how many of these solutions enable internal auditors to (as the IIA Research Foundation report describes) “creatively innovate to stay a step ahead of the real-time pace of technology advancement”?