Spring 2012, Vol. 1 - Grant Thornton LLP

CorporateGovernor
Providing vision and advice for management, boards of directors and audit committees Spring 2012 Vol. 1
Highlighting the results of the Chief Audit Executive Survey
Why GRC technology is
key for internal audit
Forward-looking internal audit
departments have seen the future, and it
revolves around a much greater reliance
on technology — specifically, automated
technology solutions that integrate the
governance, risk and compliance (GRC)
environments. As businesses continue
to accelerate their pace and expand their
scope, they are increasingly reliant on
internal audit to provide timely ongoing
information to ensure that the right risks
are being monitored and that controls
are working properly. GRC-specific
technology is key to internal audit’s
ability to carry out this mission.
Generally speaking, the technology
allows an organization to perform and
manage GRC-related strategy and
implementation such as cataloging
risks and compliance requirements
and the controls associated with them.
Organizations commonly use GRC
tools 1 for internal audit documentation,
Sarbanes-Oxley testing, internal audit
function management and administration,
and enterprise risk management.
But despite its recognized value, many
internal audit departments have been
slow to adopt a GRC tool. According to
Grant Thornton LLP’s 2012 survey of
approximately 300 chief audit executives
(CAEs) from U.S. companies, only 21
percent of respondents report that their
departments are using a GRC tool.
The majority (79%) say they are not.
Moreover, respondents seem to realize
they may be falling further behind when
it comes to GRC technology. Fully half
(50%) don’t believe their organization
leverages GRC-specific technology
effectively — and that’s up from
44 percent last year.
continued>
1 See www.GrantThornton.com/CAESurvey.

Why GRC technology is key for internal audit (continued)
Roadblocks to use
Respondents listed cost of effort and
time to deploy, cost of seat license, and
difficulty to maintain and support as
the top challenges to implementation.
While CAEs see some obstacles to
overcome — as there are with any
significant change management effort —
their willingness to adopt a GRC tool
is closely tied to their ability to enhance
audit quality and deliver greater value
to stakeholders. And with boards and
executives challenging internal audit
to find ways to add even more value,
CAEs can’t afford not to act. Indeed,
as the economy moves toward what
seems to be a period of greater growth
and stability, the timing may be ideal
for internal audit to embrace expanding
mandates and push for improvements
and investments in their departments
and organizations. These improvements
may include the implementation of
GRC-specific technology.
As CAEs explore the brave new
world of GRC technology, they’ll want
to consider how it can help them embed
best practices within their internal audit
departments and how to size up new
technology tools.
What’s in it for internal audit?
Internal auditors have an obligation
to warn management, the board and
the audit committee about potential
risks, but they also have an obligation
to optimize their internal operations.
Grant Thornton’s experience has shown
that effective use of GRC-specific
technology results in a significant
reduction in an organization’s compliance
costs and a significant increase in audit
team productivity and audit quality.
This allows internal audit to focus on
higher-value activities as opposed to
administrative tasks such as building
spreadsheets and formatting audit
reports. Additional benefits of a GRC
tool include:
• Better decision-making as a result of
greater access to information
• Heightened management and
organizational effectiveness
• Improved communication with
stakeholders
• Greater accountability within the
internal audit group and for business
process owners
• Increased confidence in the quality
and reliability of the organization’s
system of controls
Support for strategic objectives
A primary consideration in implementing
GRC-specific technology is the need
to align it with a company’s strategic
objectives. Business managers and CAEs
can use the technology to evaluate whether
strategic objectives are being supported.
For example, if a company wants
to expand its international distribution
network, the company may be working
with foreign agents and will need to
ensure that these agents are properly
trained with respect to anti-kickback
provisions. Part of the GRC process
would include having controls in place
to identify these agents and to ascertain
that appropriate training and monitoring
are taking place. Local (in-country)
management or compliance leaders
would update the GRC application.
The application would then be used by
internal audit to track training status and
success and to identify delays in training.
The GRC tool should provide real-time
training information to business leaders
along with internal audit and compliance
management. In this way, GRC-specific
technology can help internal audit
departments reduce risk by monitoring it
more effectively and less expensively.
continued>
A primary consideration in
implementing GRC-specific
technology is the need to align it with
a company’s strategic objectives.
2 CorporateGovernor – Spring 2012 Vol. 1

Why GRC technology is key for internal audit (continued)
Sometimes less is more
When it comes to choosing a GRC
tool, more is not always better. Some
organizations have not been able to
fully leverage the functionality of highly
sophisticated tools and have not realized
their expected return on investment as a
result. Departments should be realistic
about their needs and scope in order to
avoid purchasing a tool with features
that may go unused. Below are some
common features that companies may
find desirable:
What benefit(s) do you achieve from using data analytics?
Item
Total score*
More efficient internal audit process 738 1
Increased internal audit coverage 688 2
Quickly identify patterns, trends and relationships 662 3
Increased risk monitoring 645 4
Reduced time to perform internal audit 489 5
Reduced internal audit headcount 220 6
Other 143 7
*Score is a weighted calculation. Items ranked first are valued higher than the following ranks; the score is the sum of all
weighted rank counts.
Rank
• A software as a service (SaaS)
delivery model
• Web-based access
• Real-time audit planning, execution
and review features
• Security features to monitor and
control user access
• Document repository and document
management functionality
• Robust dashboard reporting
• Issue and remediation tracking
Still, not every functionality
is necessary for every company.
Organizations will need to evaluate their
technology options carefully in order
to find a tool that meets their unique
requirements.
Complementary tools: Data analytics
and continuous auditing
While companies have been slow to
embrace GRC-specific technology, other
automated auditing tools, such as those
that support data analytics and continuous
auditing, have seen broader acceptance.
According to the latest CAE survey, 64
percent of respondents say they’re using
data analytics tools to examine raw data
and draw conclusions. See the chart above
for the benefits of using data analytics.
Those respondents who were not
employing data analytics cited the
following obstacles to its use: the
expense of software, the lack of in-house
skills, the need for training, and change
management considerations.
The momentum behind continuous
auditing is also building, with 42 percent
of respondents performing it to some
degree, up from one-third in last year’s
survey. As its name suggests, continuous
auditing involves using analytical scripts
and tools to monitor data continuously
so that practitioners can identify
anomalies requiring further review.
Although internal auditors seem
to be growing more comfortable with
continuous auditing tools, the relatively
small percentage of time being dedicated
to the practice suggests that audit
departments could be doing a lot more
with the technology. More than half
(56%) spend less than 10 percent of their
audit hours on continuous auditing,
and almost 30 percent devote 11 to 20
percent of their time to the practice.
continued>
3 CorporateGovernor – Spring 2012 Vol. 1

Why GRC technology is key for internal audit (continued)
A three-legged stool
GRC-specific technology, data analytics
and continuous auditing tools all have
a place in forward-looking internal
audit departments. These tools can
work most effectively as a three-legged
stool, with each tool operating in a
different but complementary way to
provide decision-makers with real-time
information about business risks and
opportunities.
A GRC platform helps internal
audit become more efficient in planning,
executing and collaborating on audits,
while data analytics and continuous
auditing tools extend the reach of
internal audit across the organization
via more robust coverage that leads to
quicker pattern, trend and relationship
identification. For example, when paired
with continuous auditing, data analytics
can help organizations recover revenue
from instances of fraud or other sources
of lost revenue by allowing the company
to identify the root cause promptly.
Progressive internal audit
departments know that the tools are
out there to help them expand their
power and reach and serve their
stakeholders more effectively. The
challenge lies in deciding how much of
each type of tool is enough. One thing
is certain: Leading-edge internal audit
departments will need to think about
how they can modernize their practices
and optimize their ability to deliver the
ever-greater value their stakeholders
demand. As Partner and National GRC
Solution Leader Warren Stippich notes,
“Continued growth of use of the various
technologies is a positive step toward
streamlining operations and adding value
in today’s world.” •
About the newsletter
CorporateGovernor is published by
Grant Thornton LLP. The people in the
independent firms of Grant Thornton
International Ltd provide personalized
attention and the highest quality service to
public and private clients in more than 100
countries. Grant Thornton LLP is the U.S.
member firm of Grant Thornton International
Ltd, one of the six global audit, tax and
advisory organizations. Grant Thornton
International Ltd and its member firms are not
a worldwide partnership, as each member firm
is a separate and distinct legal entity.
For additional information on the issues
discussed in this newsletter, consult your
Grant Thornton client-services partner.
Contact information
For more information, contact a member
of the Governance, Risk and Compliance
Solution Group:
Warren Stippich
Partner, National and Midwest Region
Solution Leader
T 312.602.8499
E warren.stippich@us.gt.com
Priya Sarjoo
Director and Central Region Solution Leader
T 214.283.8166
E priya.sarjoo@us.gt.com
Bailey Jordan
Partner and Southeast Region Solution
Leader
T 919.881.2790
E bailey.jordan@us.gt.com
Erin Morrow
Principal and Northeast Region Solution
Leader
T 212.542.9533
E erin.morrow@us.gt.com
Leading-edge internal audit departments will need to
think about how they can modernize their practices and
optimize their ability to deliver the ever-greater value their
stakeholders demand.
Justin Hendrickson
Principal and West Region Solution Leader
T 206.398.2436
E justin.hendrickson@us.gt.com
Visit our website at www.GrantThornton.
com/CAESurvey.
Editor: Evangeline Umali Hannum,
evangeline.umalihannum@us.gt.com
Content in this publication is not intended
to answer specific questions or suggest
suitability of action in a particular case.
For additional information on the issues
discussed, consult a Grant Thornton partner.
© Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton
International Ltd
4 CorporateGovernor – Spring 2012 Vol. 1