by Bruce McCuaig, GRC Product Marketing, SAP

USA, New Jersey, Jersey City, Architect working on digital tabletSAP has now entered the audit management software space. The opening keynote presentation at the SAPinsider GRC2014 Conference in Orlando next week will include a brief demo of SAP Audit Management powered by SAP HANA.  Internal audit is a profession that is ripe for transformation. SAP Audit Management provides the first step in that transformation.

Watch for these key events at the conference. And follow the conversation at #GRC2014 and @SAPAnalytics:

  • Tuesday March 18: SAP Audit Management demo in the keynote address by Christian Rodatus
  • Wednesday March 19: Breakout Session by Jochen Thierer “Reduce auditing expenses and improve the efficiency of your GRC landscape by using SAP Audit Management”
  • Wednesday March 19: Microforum by James Chiu “How to support the audit management process with the latest technology”
  • Friday March 21:  “Speed up audit processing” (live demo) with James Chiu


The Eyes and Ears Riddle

Years ago, I was appointed general auditor of a public company.  Having an enlightened board, I reported to an audit committee as well as to the chief executive officer (CEO) rather than the chief financial officer (CFO), which was more common in those days.

The CEO’s first instructions to me were, “Bruce, as general auditor, I need you to be my eyes and ears.” With a staff of about 80, I had plenty of eyes, ears, arms, and legs ready for the challenge.

Many internal auditors are given the “eyes and ears” speech. Some embrace the role.

That’s precisely the transformational opportunity.

Providing a Lens to Look Though and Levers to Pull

There’s one major flaw in an internal auditor accepting the eyes and ears role. Let’s look at an example.

Imagine a new fire chief being instructed to find and report all fires in his jurisdiction. His mandate is not to identify fire hazards or to prevent fires. Just to find and report them so that they can be extinguished by others. (Being responsible for both finding and extinguishing fires is presumed to impair the fire chief’s independence.)

It seems silly, but it’s not.

Under a specific set of circumstances, giving a fire chief the eyes and ears role when it comes to finding fires, and giving a chief internal auditor the eyes and ears role in the area of finding internal control issues, makes perfect sense.

What are the circumstances that can justify the eyes and ears role for a fire chief? If fires broke out randomly, and their location, frequency, or magnitude couldn’t be predicted or explained, then just finding and reporting them would be a logical, valuable, and necessary role.

But of course that’s not the case here. All fires have known causes, are predictable, and avoidable. Fires occur only if there is a flammable material, something to ignite it, and oxygen to allow combustion.

In that situation, the fire chief should provide both a lens to look through (to explain where, how, and why fires might occur), and  levers to pull (to explain precisely what must be done).

Pushing the analogy even further, the fire chief also would have a fire loss reduction role. He would take steps to ensure fires didn’t happen, and reduce fire mitigation measures where they weren’t needed.

The Role of Internal Audit

My view is that giving an “eyes and ears” role to internal audit implicitly assumes that internal control weaknesses and deficiencies of all sorts are random, of unknown cause, and unavoidable.

Transformation of internal audit means understanding the causes of these things, predicting their occurrence, and proving specific remedial actions to prevent them from occurring. The role of internal audit must shift to providing a lens to look through and levers to pull.

How Technology Will Transform Audit

Auditors need to use technology to continuously monitor the causes of fires, predict, and prevent them. Auditors must:

  • Stop performing “hit and run” audits looking for fires
  • Find the cause/effect relationships that explain why problems will occur by utilizing the power of Big Data
  • Use, understand, and promote risk management and the use of predictive technology to anticipate problems
  • Use automated survey and self-assessment tools to enlist the business in this effort
  • Stop issuing single topic audit reports and shift to dashboards to provide a lens to look through


A Word of Caution

Analogies such as the one I used here can be very useful devices. But they need to be tested with reality. Here‘s the problem with this one. Fire chiefs don’t get rewarded based on the number of fires they find. Fires represent failure, not success.

Auditors, on the other hand, do use audit “findings” as a measure of success. But if the conditions and events that lead to audit findings are, like fires, truly predictable and avoidable, then audit findings must also be failures.

If an event or condition isn’t random and spontaneous, but predictable and avoidable, failure to do so must lead to accountability. If events and conditions leading to corporate failures and catastrophic loss events are truly random and spontaneous, why waste time auditing for them?

So my question is this – if audit findings are seen as failures, not success or productivity measures, will technology innovations be more or less likely to be adopted?

I am interested in your views. Have you been asked to be the “eyes and ears” for your organization? Have you succeeded? Does the idea of providing a “lens to look through and levers to pull” make sense? How should technology be used? How are you using technology?