Internal audits are an important part of running a business, particularly if your organisation is in a highly regulated space or conforms to any ISO Management System Standards (where internal audits are compulsory).
Though important, internal audits can often be a source of frustration, both for auditors and the auditees. The process, particularly if done manually using spreadsheets and similar tools, can be labour-intensive and time-consuming. Audit participants can find themselves devoting time to looking for evidence and relevant documentation to present, while auditors will often end up having to duplicate work done on site in their final reports.
It may seem as if a time-consuming audit process isn’t the end of the world. But there is a more significant risk that organisations must be mindful of. If the internal audit process is seen as an unpleasant one, it can lead to a negative working relationship between internal audit teams and the departments/teams they are reviewing. This can have a knock-on effect on an internal audit function’s efficacy. As a recent joint report from The Internal Audit Foundation and Crowe LLP noted: “maintaining effective relationships with other groups and departments within the organisation is always a critical concern for the internal audit function. It is important for internal audit to understand the universe of relationships within an organisation to better protect it…Cooperative, positive relationships with those being audited can greatly expedite the audit process and improve the quality of audit results.”
In certain fields, the importance of this working relationship makes intuitive sense. With regard to auditing cybersecurity systems, the focus of the Internal Audit Foundation and Crowe’s report, the complex nature of the controls and systems being audited means that internal audit teams need to work with their colleagues in other departments to best conduct their duties.
For example, as The Internal Audit Foundation and Crowe point out: “one of the fundamental first steps internal audit must take in developing a cybersecurity audit plan is to thoroughly understand the cybersecurity framework (e.g. ISO 27001, COBIT 5, CIS Top 20) the organisation uses. The selection of a framework is a management decision, often determined by IT and InfoSec executives. The framework sets out the standards that internal audit will audit against. As such, the framework is a pivotal factor that drives the development of the audit plan.” In other words, if the internal audit team is not kept in the loop as to the cybersecurity frameworks being used (and it is possible to use a combination), they may devise an audit plan that does not cover the entirety of the cybersecurity system – which may lead to nonconformities being missed.
But the same point could be made for other disciplines, particularly when ISO Management System Standards are involved. Maintaining certification against ISO 9001, ISO 14001, ISO 45001 and others requires effort on the part of all members of an organisation. If the internal audit team is unable to work effectively with other teams – if those teams do not submit evidence as part of the audit or drag their feet in implementing corrective actions – in the worst-case scenario the organisation could lose its certificate. And with many customers requiring ISO certification as part of their procurement process, losing it could have an impact on an organisation’s bottom line.
Software as a solution
Audit software has the ability to alleviate some of the most pressing administrative burdens internal audit teams (and auditees) face. By serving as a central hub for all audit activities, software can help cut the time it takes to prepare for, conduct and report on an audit. Instead of having to spend time searching for relevant documentation prior to an audit, teams can upload relevant paperwork to one (searchable) central repository. In turn this makes it easier for the auditor to link documentation and policies to controls, and assess their effectiveness in the round. Furthermore, instead of having to record their findings across multiple media (often notepads!) before pulling everything into a final report, auditors can record their findings as they go on the audit platform, avoiding the unnecessary duplication of work.
Having all the information in one place can also help to improve the working relationship between internal audit teams and other departments in their organisation by eliminating ambiguity. All the evidence, along with the auditor’s report, is available to relevant teams, allowing them to understand why the auditor has made a particular decision (e.g. major non-conformance or minor non-conformance) and what corrective action is required. This means internal audit teams and other departments can work together to improve an organisation’s control environment.
Indeed, the importance of audit software in a mature internal audit process has been highlighted by The Institute of Internal Auditors (IIA). In their report on Internal Audit Process Maturity the IIA note that “Optimized” internal audit processes (i.e. those of the highest maturity) leverage information technology systems to “maximize the efficiency and effectiveness of the audit process.” This is done, in part, by utilizing software to “document and track status of identified issues” and to conduct “real time reviews of internal audit work papers and maintain an electronic sign-off of all reviews performed.”
How Apomatix can help
Apomatix have developed an Active Risk Audit Management platform to help internal auditors meet the challenges they face. The platform was built by experts, auditors and enthusiasts to empower internal auditors. Our product suite has tools which will help reduce the time and cost of each audit and allow auditors to focus on delivering what matters. The platform centralizes the entire audit process, allowing auditors to plan, run and report on audits quicker than ever before.
If you are interested in learning more about how Apomatix can help, please contact Matt from our Operations Team: email@example.com