Internal Audit Departments around the world have an obligation to inform management about the risks inherent to their organizations, but what about the risks inherent to the audit department itself. The Institute of Internal Auditors (IIA) points out several high level issues commonly identified during the Quality Assurance and Improvement Program (QAIP):
- No formalized risk assessment procedures
- Inappropriate CAE reporting relationships
- Out-of-date charters
- Perceived inadequate staff knowledge
Beyond risks identified during the QAIP, there are several frequently overlooked risks deeply integrated in the way the audit department handles audit documentation. While audit management solutions have been on the market for many years, a very large percentage of audit departments still rely solely on Microsoft® Office, especially Word and Excel, for their audit documentation. The documentation is usually stored on the auditors’ laptops, on network drives, or on SharePoint. Word and Excel are excellent tools for which every auditor should have advanced working knowledge, but these applications are not equipped to cover all of an auditor's requirements.
Some of the risks that result from over reliance on Word and Excel are listed below, and these will each be explained in more detail:
- Failing to adhere to information security policies
- Using outdated versions of documents and spreadsheets
- Evidencing audit management review
- Issuing audit reports that do not tie to audit documentation
- Challenges to capturing complete data for audit committees
Failing to adhere to information security policies
Organizations are faced with ever increasing pressure to ensure security over confidential data, and audit departments are in a unique position as a good audit charter will grant access to basically all information within an organization. The data is then included in testing and documentation by the auditors. If the test work is performed in Word and Excel, stored on laptops, emailed to reviewers, and included in share drives, there are numerous opportunities for data security to be compromised and the organization's information security policies to be violated.
Using outdated versions of documents and spreadsheets
The Word documents with the audit programs and the Excel files with the test work all go through multiple iterations during the course an audit. Keeping up with the most current version can be a nightmare for the both the auditor and for the manager who could end up reviewing outdated versions.
Evidencing audit management review
The review process itself can be daunting when working in Word and Excel. Comments added to Word and Excel can be deleted by anyone. Track changes can be turned on or off by anyone. How do you know if the review notes were ever even completed? In the end, the comments are all cleared and the changes are all accepted, so any evidence of review is lost.
Issuing audit reports that do not tie to audit documentation
A consistent issue in using Word and Excel is the inability to compile data. When audit programs are spread across multiple Word documents and test work is in a variety of spreadsheets, compiling all of the information into a single audit report is problematic. The simple act of tying the audit work to the report for completeness then tying the report back to the work for accuracy can take weeks. Once the department's management gets there hands on the report for wordsmithing, the entire process may either be started over, or simply abandoned. The issue gets even more complicated when the auditee provides documentation during the closing meeting; the documentation you've been asking for since the audit began. Now you really have to start over, and tying the report back to the work essentially becomes a full time job.
Challenges to capturing complete data for audit committees
As if compiling data for the audit report was not complicated enough, the risks associated with capturing, analyzing and presenting data to the audit committee can be infinitely more complex. Pouring back through audit reports to categorize the types of audits, the types of issues, group the information, and look for trends can take weeks. The same data is then put into tables to create charts and graphs that will be included in reports and slide decks for audit committee presentations. The main problem is simple: manual input error. The data, the charts, the graphs, and ultimately the report and presentation all depend on the quality of the manually compiled data that is all subject to the risks already described.
Many departments have been reluctant to transition to an automated audit management solution, but now may be the time. A recent study published by The IIA titled Developing and Effective Internal Audit Technology Strategy concluded that “embracing the use of technology to enhance and extend the reach of internal audit efforts is an important, strategic undertaking.” While Word and Excel will continue to be primary tools that every auditor needs, the risk of over reliance on these applications should not be ignored.