Copyright © 2006 ISACA. All rights reserved. www.isaca.org.
Why Companies Are Not Implementing
Audit, Antifraud and Assurance
Software…and How to Fix It
By Dean Brooks and Rich Lanza, CPA-CITP, CFE, PMP
hy doesn’t everyone have a comprehensive suite of
W audit software tools?
This is an interesting question. In business, certain
tools are taken for granted as being needed by essentially
everyone. Everyone who uses a personal computer has e-mail
and a web browser, a spreadsheet and a word processor. A new
hire sitting down at his/her PC for the first time would be
astonished—maybe even insulted—if these basic tools were not
available.
Auditors have these tools like anyone else. But if we try to
define even one software tool specific to the audit profession
that is required on top of these basics, we fail. It does not
matter if one breaks down the profession into categories and
looks just at internal or external auditors, fraud examiners, IT
auditors, audit managers, etc. No category has an indispensable
tool that every person needs.
The strange thing about this is that software excels at
processing huge amounts of information in rigorous, repeatable
ways—and auditing is nothing if it is not rigorous and
repeatable. Why are so many proven, powerful productivity
tools begging for users?
In researching the 2005 Buyer’s Guide for Audit, Anti-Fraud,
and Assurance Software, the authors studied more than 100
software products and spent more than 500 hours analyzing
them. About half of these were designed specifically for
auditors and accountants, often by other auditors and
accountants. In nearly every product area, a similar story was
found: auditors are slow to adopt professional software created
for their needs. It did not appear to matter very much whether
the task was risk management, project management, control
self-assessment, fraud investigation, data analysis or even
routine tasks such as generating confirmation letters. The
largest single share of work in any category was typically being
done using Word, Excel and e-mails, which is memorialized in
survey after survey of the audit profession.
There is a real gap between the impression created by trade
shows, advertising and enthusiastic sales people, and what
actually gets implemented. It was very rare to find a vendor
that held more than 50 percent of its potential market. Vendors
often spoke candidly of their main problem not being
competition from other products, but their inability to get
auditors to buy and use any product at all.
This article will focus on three key reasons why this
situation prevails:
1. There are too many new products out there, particularly
related to Sarbanes-Oxley.
2. Getting data and doing analysis are very difficult.
3. There are insufficient resources—time, people and money—
especially for enterprise-level solutions.
JOURNALONLINE
Too Many New Products
While researching the book, it was discovered that roughly
half of the products available to auditors today had been
launched since 2002, after the US Sarbanes-Oxley legislation
was passed. Although many were Sarbanes-Oxley-related risk
management or control self-assessment packages, there were
new products (as well as a dramatic rise in the pace of product
releases) in most categories.
In the Sarbanes-Oxley market in particular, the authors expect
to see a shakeout among vendors, as the relatively small audit
software market cannot support 20 or even 30 different products all
chasing the same pool of buyers. Mergers and acquisitions are up
dramatically already. This is a pattern familiar to everyone from the
“dot-bomb” era of web-based businesses. What is more troubling
for vendors today is that no one has proved, as yet, that Sarbanes-
Oxley software is necessary to maintain an affordable level of
compliance to the new laws. There are bright spots in the way of
case studies, but for every one, there is a company that uses
Microsoft Excel instead of an audit-specific solution. Sarbanes-
Oxley tools remain a “nice to have” for the estimated 80 percent or
more of public companies that completed year one without buying
new software. There is understandable hesitation to buy from any
vendor when the requirement is uncertain and no one knows which
vendors will emerge as dominant in coming years.
In more established audit software categories, such as
workpapers, data analysis or forensics, there is some pressure
on vendors from new arrivals and changes in technology. This
may be a reason for some not to buy, but the basic problem
remains that many audit shops (particularly small departments,
small accounting firms or sole practitioners) have not gotten
around to implementing even the tools that have been available
for a decade or more. In these categories, one must look for
other explanations—see the next two sections.
Finally, in many niche categories, such as
telecommunications analysis software, presentation software,
wireless communications, flowcharting, spreadsheet checking
and web demonstration software, the main problem seems to be
that auditors are often unaware that the category even exists, or
they are too busy to investigate. Groups of auditors have been
asked about cheap, easy-to-implement and highly useful
products, such as an electronic bank and accounts receivable
confirmation system or a spreadsheet audit tool. Most
respondents either have not heard of the products or have never
seen one in use. These products typically do not require a
license for every member of the department or long training
times, and they cost no more than Excel or Word. They rarely
involve an all-or-nothing commitment in which every job must
be done using the tool, or none. They make an ideal case for
casual, gradual implementation. But, auditors are generally
unaware of their many options here.
Getting Data Is Too Difficult
This is a multipart problem. First, audit departments do not
always have a strong, cooperative relationship with IT. Audit
needs are low priority and only become a high priority when
there is a “hot” fraud case or senior management request.
Second, even when electronic data files are available, a
certain level of experience and knowledge is needed to deal
with all the technical issues relating to file formats,
inconsistent spelling and entry errors, multiple sources, etc.
Larger departments tend to delegate all such tasks to one
person, who becomes their internal IT resource. But this option
is not available to smaller organizations, and even where it is
available, succession planning is rarely done, so the
organization’s resource is lost every few years, and much of the
practical knowledge gained goes elsewhere.
Third, even when data have been properly reformatted to
allow complex tasks such as continuous monitoring, data
analysis or fraud investigation, the skills involved in visualizing
data manipulation or writing scripts are not widely found among
auditors. The authors estimate that half of the work done in the
data analysis area is performed by no more than five percent of
auditors, most working in large organizations.
The rest of the audit world either does the analysis the hard
way, by printing hard copy reports, or transferring the data to a
spreadsheet, or simply does not do this type of analysis. This is
unfortunate, in the authors’ opinion, because an organization’s
ability to do intensive data analysis is closely related to success
in implementing enterprise-level software projects. Generally,
if there is no one in the organization who is already running
automated testing using some desktop tool and who is familiar
with all the data sources and data issues, it will be much harder
to get any benefit from enterprise-level continuous monitoring
or risk management. A single skilled individual can sometimes
accomplish more in a week with a company-issued copy of
Microsoft Access on a laptop than a department of 50
unprepared people can with US $250,000 in business process
management software (BPM) and months of struggling. This is
not a complaint about BPM software; it is a fact about human
skills and motivation.
Data analysis must be made much easier to do, so a
higher percentage of auditors can do it routinely. However,
more user-friendly tools are only part of the solution. The audit
culture must also change. Auditors must see technical skills in
data analysis as a professional requirement.
Not Enough Time, People or Money
Despite the new post-Enron glamour of audit and accounting
as a career and the higher priority given to audit by
management, audit departments still do not have the resources to
do everything at once. By the time they catch their breath from
all of last year’s work, they are off to the races again for the
upcoming year’s compliance. The concern here is that there are
simple steps that can be taken to increase productivity without
huge investments in new software or training, and these should
generally be taken first, before implementing companywide
Sarbanes-Oxley-related risk management databases or other
complex projects. Often, an organization finds itself in a panic
to reach goals in one year that would have been easy had they
started a year or two sooner.
The authors’ advice is to take a step-by-step approach:
• Find more than one “champion” in the organization for the
positive benefits of automating risk management, control
self-assessment and data analysis.
• Support the champions with a modest but steady budget for
new software, freedom to attend training and conferences and
to do peer networking, and focus the attention and interest of
higher management.
• Focus on achieving a real, measurable return at each stage,
such as reducing or eliminating a particular kind of error,
cutting labor costs for quarterly or annual audit tasks, or
obtaining substantial monetary recoveries from analyzing
inefficient payables operations.
• Ensure that the annual audit plan contains efforts to
automate, whether through audit process enhancement or
improved data analysis.
Conclusion
The old cliché about the glass being half full or half empty
applies to the present half-commitment of audit to using
productivity software. There is much that has not yet been
done, but ought to be. When it is, auditors will not only make a
larger contribution to the success of the organization, but they
will enjoy better working conditions, more job satisfaction and
higher confidence in their organization’s success.
Dean Brooks
is president and owner of Ekaros Analytical Inc., a publishing
and consulting company that focuses on audit and analysis. He
has edited and published numerous audit-related books. He is a
coauthor on the newly released 2005 Buyer’s Guide to Audit,
Anti-Fraud, and Assurance Software.
Rich Lanza, CPA-CITP, CFE, PMP
has more than 13 years of experience using audit, antifraud and
assurance software. This knowledge and experience was
codified into his recent publication, the 2005 Buyer’s Guide to
Audit, Anti-Fraud, and Assurance Software. Lanza also founded
AuditSoftware.Net, a free web site devoted to using technology
for generating bottom-line results.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.

© Copyright 2006 by ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article.
Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly
prohibited.

www.isaca.org

JOURNALONLINE