Copyright © 2006 ISACA. All rights reserved. www.isaca.org.
Why Companies Are Not Implementing Audit, Antifraud and Assurance Software…and How to Fix It
By Dean Brooks and Rich Lanza, CPA-CITP, CFE, PMP
hy doesn’t everyone have a comprehensive suite of audit software tools? This is an interesting question. In business, certain tools are taken for granted as being needed by essentiallyeveryone. Everyone who uses a personal computer has e-mail and a web browser, a spreadsheet and a word processor. A new hire sitting down at his/her PC for the first time would be astonished—maybe even insulted—if these basic tools were not available. Auditors have these tools like anyone else. But if we try to define even one software tool specific to the audit profession that is required on top ofthese basics, we fail. It does not matter if one breaks down the profession into categories and looks just at internal or external auditors, fraud examiners, IT auditors, audit managers, etc. No category has an indispensable tool that every person needs. The strange thing about this is that software excels at processing huge amounts of information in rigorous, repeatable ways—and auditing is nothingif it is not rigorous and repeatable. Why are so many proven, powerful productivity tools begging for users? In researching the 2005 Buyer’s Guide for Audit, Anti-Fraud, and Assurance Software, the authors studied more than 100 software products and spent more than 500 hours analyzing them. About half of these were designed specifically for auditors and accountants, often by other auditors andaccountants. In nearly every product area, a similar story was found: auditors are slow to adopt professional software created for their needs. It did not appear to matter very much whether the task was risk management, project management, control self-assessment, fraud investigation, data analysis or even routine tasks such as generating confirmation letters. The largest single share of work in anycategory was typically being done using Word, Excel and e-mails, which is memorialized in survey after survey of the audit profession. There is a real gap between the impression created by trade shows, advertising and enthusiastic sales people, and what actually gets implemented. It was very rare to find a vendor that held more than 50 percent of its potential market. Vendors often spoke candidlyof their main problem not being competition from other products, but their inability to get auditors to buy and use any product at all. This article will focus on three key reasons why this situation prevails: 1. There are too many new products out there, particularly related to Sarbanes-Oxley. 2. Getting data and doing analysis are very difficult. 3. There are insufficient resources—time, peopleand money— especially for enterprise-level solutions.
W
Too Many New Products
While researching the book, it was discovered that roughly half of the products available to auditors today had been launched since 2002, after the US Sarbanes-Oxley legislation was passed. Although many were Sarbanes-Oxley-related risk management or control self-assessment packages, there were new products (aswell as a dramatic rise in the pace of product releases) in most categories. In the Sarbanes-Oxley market in particular, the authors expect to see a shakeout among vendors, as the relatively small audit software market cannot support 20 or even 30 different products all chasing the same pool of buyers. Mergers and acquisitions are up dramatically already. This is a pattern familiar to everyone fromthe “dot-bomb” era of web-based businesses. What is more troubling for vendors today is that no one has proved, as yet, that SarbanesOxley software is necessary to maintain an affordable level of compliance to the new laws. There are bright spots in the way of case studies, but for every one, there is a company that uses Microsoft Excel instead of an audit-specific solution. SarbanesOxley tools…