An inconvenient truth: Companies are struggling with technology in audit
How well companies implement technology in audit depends upon how well they’ve dealt with the basics. And more often than not, there’s still a lot of work to be done. What should you consider before moving forward with technology in audit?
Organizations have made significant steps towards implementing technology in audit over the last few years. However, although many companies are discussing and investing in emerging technologies such as blockchain and robotics, most still struggle with concepts like data analytics, control automation and digitalization of business processes.
In fact, we regularly see clients struggling with issues that emerged nearly a decade ago. According to the Harvey Nash/KPMG CIO Survey 2018, businesses still list their top three operational priorities as improving business processes, delivering a stable IT environment and increasing operational efficiencies.
Why are businesses unable to move beyond these issues?
Audit fatigue, control mindset and security awareness
There’s no doubt that technology maturity in audit has improved and that organizations are making relevant investments in that area. According to the CIO Survey, 69 percent of organizations that responded implemented intelligent automation within IT or expect to do so; but the stakes are much higher than they were just a few years ago. Today, companies face increasing competition, intensifying regulatory pressure and rising expectations from customers, investors and shareholders.
Audit fatigue sets in as businesses are bombarded by endless requirements such as data privacy, financial statement reporting, cybersecurity, contractual obligations, vendor management, etc. As a result, companies don’t have the time and resources to address simple audit issues that would significantly reduce their risk exposure.
Most successful cyber-attacks, system interruptions or fraud cases aren’t due to sophisticated state-sponsored hacks targeting critical systems. The greatest threat comes from a lack of basic IT controls such as default passwords not being changed, users sharing generic accounts, developers accessing production environments or no enforcement of segregation of duties (SoD).
Another issue is an employee’s lack of a “controls mindset” as they complete daily tasks and activities without considering their actions’ impact on the organization. From clicking on the attachment in a suspicious email to granting someone access without validating the business need, these actions often result in system disruptions, data leakage or audit findings.
The last concern organizations face is key stakeholders’ (executives or board members) high-risk appetite when it comes to technology in audit – a mindset often blinded by a lack of understanding and awareness of the critical role IT plays in supporting business operations.
What can be done to address these issues?
A balancing act
Organizations first need to define the right balance between stability and innovation: starting with an evaluation of their environment from a regulatory and compliance perspective in order to determine where the most critical audit risks lie. Because every sector is different, the requirements can go from securing the crown jewels (personal data, intellectual property, etc.) and responding to regulatory and governing bodies to ensuring the high availability of customer-facing applications.
This risk assessment must then feed into an overall technology strategy meant to address the most critical issues, starting with basic IT controls and extending to the enhancement of monitoring and reporting. The organizations’ objective should be to enable an approach where traditional auditing of its systems (Audit of IT) is no longer the norm.
Basic IT controls are not complicated to implement and are considered low hanging fruit that significantly reduce risks and audit findings. Such controls include:
- enforcing strong authentication mechanisms to systems and applications
- timely removal of access
- disabling or monitoring of default accounts
- appropriate testing
- validation of changes being made to production
- periodic testing of backup-restore.
In order to ensure that all controls are designed and operating effectively, (some of the IT controls require more capabilities and oversight such as SoD monitoring or periodic review and evaluation of user access) it’s necessary to conduct a simple evaluation of the requirements and a current-state analysis. It’s highly likely that many have already been tested by independent parties like internal or external auditors. So, companies already know where they stand and what issues exist within their environment.
From audit of IT to IT for insights
Once all of these IT controls have been addressed and strong, effective processes are in place, organizations can focus on innovating and making more intelligent use of technology, like advanced analytics or control automation, for audit and insights. Gartner reports that 98 percent of audit departments have recently made at least one investment in analytics technology, but only 26 percent use analytics regularly.
These next steps will allow management to more effectively address audit risks, make better informed decisions, and inspire trust and confidence. They can also significantly reduce the level of effort required to conduct audits and provide increased assurance that business processes are effectively and efficiently implemented.
Refer to KPMG’s Clarity on Dynamic Audit to see how technology reshapes the audit and delivers more value.