Spring 2012, Vol. 1 - Grant Thornton LLP
Spring 2012, Vol. 1 - Grant Thornton LLP
Spring 2012, Vol. 1 - Grant Thornton LLP
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
CorporateGovernor<br />
Providing vision and advice for management, boards of directors and audit committees <strong>Spring</strong> <strong>2012</strong> <strong>Vol</strong>. 1<br />
Highlighting the results of the Chief Audit Executive Survey<br />
Why GRC technology is<br />
key for internal audit<br />
Forward-looking internal audit<br />
departments have seen the future, and it<br />
revolves around a much greater reliance<br />
on technology — specifically, automated<br />
technology solutions that integrate the<br />
governance, risk and compliance (GRC)<br />
environments. As businesses continue<br />
to accelerate their pace and expand their<br />
scope, they are increasingly reliant on<br />
internal audit to provide timely ongoing<br />
information to ensure that the right risks<br />
are being monitored and that controls<br />
are working properly. GRC-specific<br />
technology is key to internal audit’s<br />
ability to carry out this mission.<br />
Generally speaking, the technology<br />
allows an organization to perform and<br />
manage GRC-related strategy and<br />
implementation such as cataloging<br />
risks and compliance requirements<br />
and the controls associated with them.<br />
Organizations commonly use GRC<br />
tools 1 for internal audit documentation,<br />
Sarbanes-Oxley testing, internal audit<br />
function management and administration,<br />
and enterprise risk management.<br />
But despite its recognized value, many<br />
internal audit departments have been<br />
slow to adopt a GRC tool. According to<br />
<strong>Grant</strong> <strong>Thornton</strong> <strong>LLP</strong>’s <strong>2012</strong> survey of<br />
approximately 300 chief audit executives<br />
(CAEs) from U.S. companies, only 21<br />
percent of respondents report that their<br />
departments are using a GRC tool.<br />
The majority (79%) say they are not.<br />
Moreover, respondents seem to realize<br />
they may be falling further behind when<br />
it comes to GRC technology. Fully half<br />
(50%) don’t believe their organization<br />
leverages GRC-specific technology<br />
effectively — and that’s up from<br />
44 percent last year.<br />
continued><br />
1 See www.<strong>Grant</strong><strong>Thornton</strong>.com/CAESurvey.
Why GRC technology is key for internal audit (continued)<br />
Roadblocks to use<br />
Respondents listed cost of effort and<br />
time to deploy, cost of seat license, and<br />
difficulty to maintain and support as<br />
the top challenges to implementation.<br />
While CAEs see some obstacles to<br />
overcome — as there are with any<br />
significant change management effort —<br />
their willingness to adopt a GRC tool<br />
is closely tied to their ability to enhance<br />
audit quality and deliver greater value<br />
to stakeholders. And with boards and<br />
executives challenging internal audit<br />
to find ways to add even more value,<br />
CAEs can’t afford not to act. Indeed,<br />
as the economy moves toward what<br />
seems to be a period of greater growth<br />
and stability, the timing may be ideal<br />
for internal audit to embrace expanding<br />
mandates and push for improvements<br />
and investments in their departments<br />
and organizations. These improvements<br />
may include the implementation of<br />
GRC-specific technology.<br />
As CAEs explore the brave new<br />
world of GRC technology, they’ll want<br />
to consider how it can help them embed<br />
best practices within their internal audit<br />
departments and how to size up new<br />
technology tools.<br />
What’s in it for internal audit?<br />
Internal auditors have an obligation<br />
to warn management, the board and<br />
the audit committee about potential<br />
risks, but they also have an obligation<br />
to optimize their internal operations.<br />
<strong>Grant</strong> <strong>Thornton</strong>’s experience has shown<br />
that effective use of GRC-specific<br />
technology results in a significant<br />
reduction in an organization’s compliance<br />
costs and a significant increase in audit<br />
team productivity and audit quality.<br />
This allows internal audit to focus on<br />
higher-value activities as opposed to<br />
administrative tasks such as building<br />
spreadsheets and formatting audit<br />
reports. Additional benefits of a GRC<br />
tool include:<br />
• Better decision-making as a result of<br />
greater access to information<br />
• Heightened management and<br />
organizational effectiveness<br />
• Improved communication with<br />
stakeholders<br />
• Greater accountability within the<br />
internal audit group and for business<br />
process owners<br />
• Increased confidence in the quality<br />
and reliability of the organization’s<br />
system of controls<br />
Support for strategic objectives<br />
A primary consideration in implementing<br />
GRC-specific technology is the need<br />
to align it with a company’s strategic<br />
objectives. Business managers and CAEs<br />
can use the technology to evaluate whether<br />
strategic objectives are being supported.<br />
For example, if a company wants<br />
to expand its international distribution<br />
network, the company may be working<br />
with foreign agents and will need to<br />
ensure that these agents are properly<br />
trained with respect to anti-kickback<br />
provisions. Part of the GRC process<br />
would include having controls in place<br />
to identify these agents and to ascertain<br />
that appropriate training and monitoring<br />
are taking place. Local (in-country)<br />
management or compliance leaders<br />
would update the GRC application.<br />
The application would then be used by<br />
internal audit to track training status and<br />
success and to identify delays in training.<br />
The GRC tool should provide real-time<br />
training information to business leaders<br />
along with internal audit and compliance<br />
management. In this way, GRC-specific<br />
technology can help internal audit<br />
departments reduce risk by monitoring it<br />
more effectively and less expensively.<br />
continued><br />
A primary consideration in<br />
implementing GRC-specific<br />
technology is the need to align it with<br />
a company’s strategic objectives.<br />
2 CorporateGovernor – <strong>Spring</strong> <strong>2012</strong> <strong>Vol</strong>. 1
Why GRC technology is key for internal audit (continued)<br />
Sometimes less is more<br />
When it comes to choosing a GRC<br />
tool, more is not always better. Some<br />
organizations have not been able to<br />
fully leverage the functionality of highly<br />
sophisticated tools and have not realized<br />
their expected return on investment as a<br />
result. Departments should be realistic<br />
about their needs and scope in order to<br />
avoid purchasing a tool with features<br />
that may go unused. Below are some<br />
common features that companies may<br />
find desirable:<br />
What benefit(s) do you achieve from using data analytics?<br />
Item<br />
Total score*<br />
More efficient internal audit process 738 1<br />
Increased internal audit coverage 688 2<br />
Quickly identify patterns, trends and relationships 662 3<br />
Increased risk monitoring 645 4<br />
Reduced time to perform internal audit 489 5<br />
Reduced internal audit headcount 220 6<br />
Other 143 7<br />
*Score is a weighted calculation. Items ranked first are valued higher than the following ranks; the score is the sum of all<br />
weighted rank counts.<br />
Rank<br />
• A software as a service (SaaS)<br />
delivery model<br />
• Web-based access<br />
• Real-time audit planning, execution<br />
and review features<br />
• Security features to monitor and<br />
control user access<br />
• Document repository and document<br />
management functionality<br />
• Robust dashboard reporting<br />
• Issue and remediation tracking<br />
Still, not every functionality<br />
is necessary for every company.<br />
Organizations will need to evaluate their<br />
technology options carefully in order<br />
to find a tool that meets their unique<br />
requirements.<br />
Complementary tools: Data analytics<br />
and continuous auditing<br />
While companies have been slow to<br />
embrace GRC-specific technology, other<br />
automated auditing tools, such as those<br />
that support data analytics and continuous<br />
auditing, have seen broader acceptance.<br />
According to the latest CAE survey, 64<br />
percent of respondents say they’re using<br />
data analytics tools to examine raw data<br />
and draw conclusions. See the chart above<br />
for the benefits of using data analytics.<br />
Those respondents who were not<br />
employing data analytics cited the<br />
following obstacles to its use: the<br />
expense of software, the lack of in-house<br />
skills, the need for training, and change<br />
management considerations.<br />
The momentum behind continuous<br />
auditing is also building, with 42 percent<br />
of respondents performing it to some<br />
degree, up from one-third in last year’s<br />
survey. As its name suggests, continuous<br />
auditing involves using analytical scripts<br />
and tools to monitor data continuously<br />
so that practitioners can identify<br />
anomalies requiring further review.<br />
Although internal auditors seem<br />
to be growing more comfortable with<br />
continuous auditing tools, the relatively<br />
small percentage of time being dedicated<br />
to the practice suggests that audit<br />
departments could be doing a lot more<br />
with the technology. More than half<br />
(56%) spend less than 10 percent of their<br />
audit hours on continuous auditing,<br />
and almost 30 percent devote 11 to 20<br />
percent of their time to the practice.<br />
continued><br />
3 CorporateGovernor – <strong>Spring</strong> <strong>2012</strong> <strong>Vol</strong>. 1
Why GRC technology is key for internal audit (continued)<br />
A three-legged stool<br />
GRC-specific technology, data analytics<br />
and continuous auditing tools all have<br />
a place in forward-looking internal<br />
audit departments. These tools can<br />
work most effectively as a three-legged<br />
stool, with each tool operating in a<br />
different but complementary way to<br />
provide decision-makers with real-time<br />
information about business risks and<br />
opportunities.<br />
A GRC platform helps internal<br />
audit become more efficient in planning,<br />
executing and collaborating on audits,<br />
while data analytics and continuous<br />
auditing tools extend the reach of<br />
internal audit across the organization<br />
via more robust coverage that leads to<br />
quicker pattern, trend and relationship<br />
identification. For example, when paired<br />
with continuous auditing, data analytics<br />
can help organizations recover revenue<br />
from instances of fraud or other sources<br />
of lost revenue by allowing the company<br />
to identify the root cause promptly.<br />
Progressive internal audit<br />
departments know that the tools are<br />
out there to help them expand their<br />
power and reach and serve their<br />
stakeholders more effectively. The<br />
challenge lies in deciding how much of<br />
each type of tool is enough. One thing<br />
is certain: Leading-edge internal audit<br />
departments will need to think about<br />
how they can modernize their practices<br />
and optimize their ability to deliver the<br />
ever-greater value their stakeholders<br />
demand. As Partner and National GRC<br />
Solution Leader Warren Stippich notes,<br />
“Continued growth of use of the various<br />
technologies is a positive step toward<br />
streamlining operations and adding value<br />
in today’s world.” •<br />
About the newsletter<br />
CorporateGovernor is published by<br />
<strong>Grant</strong> <strong>Thornton</strong> <strong>LLP</strong>. The people in the<br />
independent firms of <strong>Grant</strong> <strong>Thornton</strong><br />
International Ltd provide personalized<br />
attention and the highest quality service to<br />
public and private clients in more than 100<br />
countries. <strong>Grant</strong> <strong>Thornton</strong> <strong>LLP</strong> is the U.S.<br />
member firm of <strong>Grant</strong> <strong>Thornton</strong> International<br />
Ltd, one of the six global audit, tax and<br />
advisory organizations. <strong>Grant</strong> <strong>Thornton</strong><br />
International Ltd and its member firms are not<br />
a worldwide partnership, as each member firm<br />
is a separate and distinct legal entity.<br />
For additional information on the issues<br />
discussed in this newsletter, consult your<br />
<strong>Grant</strong> <strong>Thornton</strong> client-services partner.<br />
Contact information<br />
For more information, contact a member<br />
of the Governance, Risk and Compliance<br />
Solution Group:<br />
Warren Stippich<br />
Partner, National and Midwest Region<br />
Solution Leader<br />
T 312.602.8499<br />
E warren.stippich@us.gt.com<br />
Priya Sarjoo<br />
Director and Central Region Solution Leader<br />
T 214.283.8166<br />
E priya.sarjoo@us.gt.com<br />
Bailey Jordan<br />
Partner and Southeast Region Solution<br />
Leader<br />
T 919.881.2790<br />
E bailey.jordan@us.gt.com<br />
Erin Morrow<br />
Principal and Northeast Region Solution<br />
Leader<br />
T 212.542.9533<br />
E erin.morrow@us.gt.com<br />
Leading-edge internal audit departments will need to<br />
think about how they can modernize their practices and<br />
optimize their ability to deliver the ever-greater value their<br />
stakeholders demand.<br />
Justin Hendrickson<br />
Principal and West Region Solution Leader<br />
T 206.398.2436<br />
E justin.hendrickson@us.gt.com<br />
Visit our website at www.<strong>Grant</strong><strong>Thornton</strong>.<br />
com/CAESurvey.<br />
Editor: Evangeline Umali Hannum,<br />
evangeline.umalihannum@us.gt.com<br />
Content in this publication is not intended<br />
to answer specific questions or suggest<br />
suitability of action in a particular case.<br />
For additional information on the issues<br />
discussed, consult a <strong>Grant</strong> <strong>Thornton</strong> partner.<br />
© <strong>Grant</strong> <strong>Thornton</strong> <strong>LLP</strong><br />
All rights reserved<br />
U.S. member firm of <strong>Grant</strong> <strong>Thornton</strong><br />
International Ltd<br />
4 CorporateGovernor – <strong>Spring</strong> <strong>2012</strong> <strong>Vol</strong>. 1