Internal audits are an important part of running a business, particularly if your organisation is in a highly regulated space or conforms to any ISO Management System Standards (where the requirement to perform audits is compulsory). Internal audits provide objective assurance and help senior leadership (chief executive and the board of directors) understand whether the organization’s controls are operating effectively.
Though important, internal audits can often be a source of frustration, both for the internal audit department and the auditees. The process, particularly if done manually using spreadsheets and similar tools to review internal controls, can be labour intensive and time consuming. Audit participants can find themselves devoting time looking for evidence and relevant documentation to present, while auditors will often end up having to duplicate work done on site in their final reports.
It may seem as if a time consuming audit process is not the end of the world. But there is a more significant risk that organisations must be mindful of. If the internal audit process is seen as an unpleasant one, it can lead to a negative working relationship between internal audit professionals and the departments/teams they are reviewing. This can have a knock-on effect on an internal audit function’s efficacy.
As a recent joint report from The Internal Audit Foundation and Crowe LLP noted: “maintaining effective relationships with other groups and departments within the organisation is always a critical concern for the internal audit function. It is important for internal audit to understand the universe of relationships within an organisation to better protect it…Cooperative, positive relationships with those being audited can greatly expedite the audit process and improve the quality of audit results.”
In certain fields, the importance of this working relationship makes intuitive sense. With regards to audit cyber security systems, the focus of the Internal Audit Foundation and Crane’s report, the complex nature of the controls and systems being audited means that internal audit teams need to work with their colleagues in other departments to best conduct their duties.
For example, as The Internal Audit Foundation and Crane point out; “one of the fundamental first steps internal audit must take in developing a cyber security audit plan is to thoroughly understand the cyber security framework (e.g. ISO 27001, COBIT 5, CIS Top 20) the organisation uses.”
Furthermore, “The selection of a framework is a management decision, often determined by IT and InfoSec executives. The framework sets out the standards that internal audit will audit against. As such, the framework is a pivotal factor that drives the development of the audit plan.”
In other words, if the internal audit team is not kept in the loop as to the cyber security frameworks being used (and it is possible to use a combination) they may devise internal audits plans that does not cover the entirety of the cyber security system – which may lead to non-conformities being missed.
But the same point could be made for other disciplines, particularly when ISO Management System Standards are involved. Maintaining certification against ISO 9001, ISO 14001, ISO 45001 and others requires effort on the part of all members of an organisation.
If the internal audit team is unable to work effectively with other teams – if they do not submit evidence as part of the audit or drag their feet in implementing corrective actions – in the worst case scenario the organisation could lose its certificate. And with many customers requiring ISO certification as part of their procurement process, the loss of such could have an impact on an organisation’s bottom line.
Software as a solution
The importance of audit software in a mature internal audit process has been highlighted by The Institute of Internal Auditors (IIA). In their report on Internal Audit Process Maturity the IIA note that “Optimized” internal audit processes (i.e. those of the highest maturity) leverage information technology systems to “maximize the efficiency and effectiveness of the audit process.”
Audit software has the ability to alleviate some of the most pressing administrative burdens internal audit teams (and auditees) face. By serving as a central hub for all audit activities, software can help cut the time it takes to prepare for, conduct and report on an audit. Instead of having to spend time searching for relevant documentation prior to an audit, teams can upload relevant paperwork to one (searchable) central repository.
Having all the information in one place can also help to improve the working relationship between internal audit teams and other departments in their organisation by eliminating ambiguity. All the evidence, along with the audit reports, are available to relevant teams, allowing them to understand why the auditor has made a particular decision (e.g. major non-conformance or minor non-conformance) and what corrective action is required. This means internal audit teams and other departments can work together to more effectively manage risk.
In light of the COVID-19 pandemic, the need for teams to work together effectively has become even more significant. With many organization asking staff to work remotely for an extended period of time, internal auditors face an unprecedented challenge. The additional risks brought about by homeworking, coupled with opportunistic malicious activity like phishing scams, will test security controls to their limit.
Audit software can play a vital role by enabling distributed internal audit teams to continue their assurance activities remotely. Ensuring security controls are implemented effectively can reduce some of burden faced by management and the board, allowing them to focus on the more pressing issues caused by the outbreak.
How Apomatix can help
Apomatix have developed an Active Risk Audit Management platform to help internal auditors meet the challenges they face. The platform was built by experts, auditors and enthusiasts to empower internal auditors. Our product suite has tools which will help reduce the time and cost of each audit and allow auditors to focus on delivering what matters. The platform centralizes the entire audit process, allowing auditors to plan, run and report on audits quicker than ever before.
If you are interested in learning more about how Apomatix can help, please contact Matt from our Operations Team: firstname.lastname@example.org