The Four Biggest Challenges of Traditional Audit Techniques
Navigating an audit in today’s rapidly changing regulatory environment is no easy task. With a sharp focus on attaining higher levels of audit comfort demanding less sample-based testing and more full population analysis, there is a natural gravitation to increased complexity.
This manifests as an expensive, continual, and often exhausting process for both audit teams and IT support. Teams are typically faced with ploughing through and interpreting reams of data held within key ERP systems to stringent timeframes, in order to meet an ever-evolving set of regulations and auditor needs.
With many companies still relying upon labour-intensive manual techniques to prepare for and complete an audit, it’s no surprise that teams are overwhelmed by data and suffering from audit fatigue.
What’s more, auditing costs are predicted to rise again this year. Indeed, a survey by Gartner shows that 62% of organisations expect their external audit fees to increase in 2021.
Here are four reasons why preparing for, and conducting, an audit manually has become a hindrance:
1. Manual auditing is prone to human error, leaving organisations vulnerable to fraud
For many companies, it’s simply not humanly possible to actively monitor all controls and configurations manually. Gone are the days of reviewing listings and spreadsheet outputs. Even in the most advanced and sophisticated ERPs, audit logs can be large and cumbersome, meaning that standard formats like Excel don’t scratch the surface, with organisations struggling with petabytes of data stored in data warehouses.
In addition, audit logs are often only available for a fixed period, commonly 30 days. Trawling a daily log generated by just one environment is challenging enough, but potentially having to analyse many days’ worth of data at a time is an even more daunting task. With so much to review, it is easy to overlook anomalies in behaviour and gaps in controls.
2. Producing audit evidence is time-consuming and requires specialist skills
It takes an enormous amount of skill to know exactly what to look for, and where, in amongst extensive audit logs. Internal auditors need technical expertise in the specific systems with which they are working, so they can distinguish between reasonable and improper behaviour. They must also be able to understand and infer implications from working patterns, which requires deep insight into the system and typical behaviours.
For example, if a HR administrator had legitimate access to highly sensitive information, an auditor would need to recognise potential abuse of this privilege, such as looking up colleagues’ salary records out of hours or on a weekend.
3. Even if the internal audit team detects an issue, they can’t always be sure if someone hasn’t exploited it
Identifying a problem is an auditor’s first step. But can they tell how long the issue has existed, or if anyone has abused it? Due to the volume of data produced, many audit logs are purged frequently, so the audit team only know what has happened for as long as the logs go back. Perhaps an employee has access to data they shouldn’t have, but nobody knows for how long or if they have already committed fraud or an infraction. If internal audit teams can’t prove either way, the business may well be vulnerable to penalties, or reputational damage related to data breaches.
4. Audit teams must check all environments, not just the live production instance
With compliance budgets stretched, companies often focus time and effort on auditing production environments or those services that are deemed most important. However, it’s vital that teams audit all application environments, including testing environments and sandboxes. Testing teams often make exact duplications of production environments when making large-scale changes. Because the testing platform is identical to production, it still carries all the same risks as the “live” environment when it comes to privacy. An extra concern is that sandboxes often automatically clear after every week, putting extra pressure on audit teams to detect inappropriate behaviour before evidence disappears.
Clearly, manual auditing isn’t a sustainable solution as both the volume and complexity of datasets that organisations generate and handle continues to grow. In addition, to keep up and respond to every regulatory requirement ensuring full compliance at minimal cost requires businesses to supplement their auditing capability with automation. The same Gartner study referenced above indicates companies that automate at least 25% of their internal controls pay 27% lower audit fees on average.
That’s why we’ve launched Smart Audit – a continuous automated auditing tool for Workday. It simplifies internal controls, cuts risk of non-compliance, and reduces auditing costs. With Smart Audit, you don’t need to be a Workday expert to identify and extract the information you need to create your audit reports.
Automating controls eliminates the need to manually analyse logs across a series of tenants, enabling auditors and auditees to compile months’ worth of data preparation in seconds, and produce thorough reports with just a few simple clicks.
Smart Audit filters out the “business as usual” actions and surfaces those that auditors need to investigate. In short, Smart Audit makes life much easier for both auditing teams, the auditee and supporting IT functions. This ultimately frees up valuable time for higher value; and more motivating activities. You can read more in the following whitepaper.