Audit Management

IT Audit Management

Similar to BCP solutions, audit management processes have traditionally been supported by software focused specifically on the unique requirements of the audit lifecycle. GRC technology vendors saw little demand for building audit management solutions into their platforms. Some of this could be related to the heavy emphasis placed on providing a document repository management capability as part of the audit management solution. Other factors, including the independence that most audit teams feel they need in order to function, kept audit capabilities out of the GRC technology platforms. Sargon practitioners also witnessed the proliferation of multiple tools within the same organization for these independence-type (political) reasons. A final reason for the late adoption is an organization’s size: many mid-sized and smaller organizations do not have a separate security or risk/compliance function, just an internal audit team performing multiple roles.

The situation is starting to change. IRM technology is becoming more accessible to audit teams, which can use it while still maintaining their independence. We see more organizations starting to integrate their internal audit management program into the IRM technology platform because of the integration benefits these platforms can provide. We typically see the following lifecycle process as a minimum capability for IRM platforms:

  • Planning

  • Execution

  • Assessing

  • Testing

  • Evidence Lifecycle Management (Request, evaluate, map, store, archive)

  • Findings/Issues Management

  • Remediation Management

  • Reporting and Dashboards

There are many different methodologies and approaches that we can rely upon to build out a structured internal audit capability. IRM technology platform capabilities have been maturing to include the necessary tasks and integration points, so that personnel who need an automated approach can adapt the platform capabilities to suit their needs, thereby replacing the dedicated audit management software. Many of the nuances required by audit teams, such as workpaper management, audit bias tracking, staff workloads, and other audit-specific tasks, are tailored to fit a client’s needs or are managed through other integrated tools.

Important requirements that automated solutions need to support for audit management include:

  • Control, risk, regulation, and policy repositories

  • Procedure/asset repositories

  • Business hierarchy

  • Risk assessment workflow

  • Control testing workflow

  • Evidence submission and storage

  • Document management (work papers)

  • Calendaring

  • Personnel inventories, profiles, and audit histories

  • Scheduling

  • Incident management and remediation planning

  • Project metrics

  • Notifications and alerts

  • Reporting

  • Audit analytics

  • Robotic Process Automation (RPA)

  • Continuous monitoring

Leveraging IRM technology platforms to support the audit lifecycle enables tighter integration with all aspects of IT people, processes, and technology. This solution removes the need to track things manually and improves quality by eliminating the reliance upon spreadsheets. The ability to correlate audit work papers with evidence, findings, and remediation efforts in a single platform can improve productivity and reduce time spent on administrative tasks. A final benefit of leveraging an IRM platform for internal audit teams is the availability of analytics. As audit teams become more automated, we are seeing a demand for better data sources to drive more evaluation based on continuous monitoring and analytics. Analytics is another area where IRM platforms will be making heavy investments to compete effectively against the specialty software tools.

Sargon Solutions has deep experience assisting organizations with automating internal functions. Many of the Sargon practitioners have spent time working for Big 4 audit companies as well as internal audit teams and can translate that experience to assist clients with leveraging IRM solutions for Internal Audit. Common use cases we see from clients include:

  • Assessment/testing workflow process

  • Audit lifecycle process

  • Audit analytics