cfo.com


Internal Audit Automation Set for Takeoff?

A fledgling software developer may be pointing to the future of audit technology and a boost to the internal audit profession.
David McCann, CFO.com | US
October 22, 2008

Software that supports the internal audit process is nothing new, but the field may be poised to head in a wholly different direction. In the best-case scenario, that direction will lead to more accurate audits, reduced costs for both internal and external audit, and elevated roles for internal audit executives.

Whether that potential will be fully realized is anyone's guess. But if it is, a developer that announced itself publicly only seven months ago — and which has exactly one customer using its flagship product — could become a central player.

The product, ReliantAuditor, provides "continuous monitoring" and "continuous auditing" of financial, compliance, operational, and IT transactions and internal controls. Its interpretation of "continuous," though, goes beyond fairly loose industry-standard definitions of the term.

The Institute of Internal Auditors, for example, defines continuous auditing as "any method used by auditors to perform audit-related activities on a more continuous or continual basis." To the American Institute of Certified Public Accountants, it is "a type of auditing which produces audit results simultaneously with, or a short period of time after, the occurrence of relevant events."

Since the Sarbanes-Oxley Act was passed, companies have increasingly preferred continuous monitoring and auditing over scheduled monthly or quarterly audits. However, auditing small samples of a company's transactions and events that are subject to business rules and processes — as many companies still do — fits within the commonly used definitions of continuous.

ReliantAuditor, developed by Laguna Niguel, Calif.-based Reliant Solutions, is designed to monitor and audit 100 percent of transactions and events, rather than a sampling — and in real time, not shortly after events occur.

A number of applications that can be adapted for governance, risk, and compliance (GRC) purposes provide continuous monitoring and auditing in some fashion, but may not achieve a 100 percent audit or work in real time.

Perhaps even more significant is ReliantAuditor's one-stop-shop approach. Other products can be configured, often with great effort by the user, to audit various specific internal controls — for example, segregation of duties, documentation management, work flow, access to critical transactions, and a multitude of others. But none of them comes close to providing the full range of audit analytics, according to observers of GRC automation.

Some are seeing ReliantAuditor as a breakthrough product because it provides, within a single application, an integrated solution — and one that addresses the specific and evolving needs of audit executives.

"We're recognizing that internal audit has a different role now that incorporates a lot of the characteristics of the different pieces of software used in the GRC space, and Reliant has packaged a lot of that together," said Kathleen Wilhide, research director for GRC and BPM solutions at IDC, the business technology research firm. "It's really targeted in its entire design to be sold into internal audit."

Filling a Void
Wilhide, a certified public accountant and a former SAP vice president who was responsible for that company's financial solutions, recently wrote a report outlining the advantages that spring from Reliant's approach. "The project management and testing tools of the past do not scratch the surface of requirements to tap into enterprise systems on a routine basis, analyze large volumes of transactions based upon business rules, and put these activities and results in the context of enterprise-wide risk and compliance activities," she wrote.

"What has been lacking," she continued, "is timely, context-based analytics that can provide audit teams with a continuous view of risk and control issues while at the same time providing audit evidence to support an auditor's risk assessment and findings."

Reliant comes prepackaged with a large library of controls based on commonly used business rules and processes. While it accommodates customization, a selling point is the opportunity to get up and running quickly. Wilhide is buying it. "The value is that it has these predelivered controls and business rules, which makes it much quicker to implement," she said.

Added Heriot Prentice, director of standards and guidance for The Institute of Internal Auditors, "Most of the [GRC software] products are not ones that you can just plug in and they suddenly run. If this new package is something that's quite intuitive and doesn't take a lot of end-user knowledge to get the thing working, it will have a huge advantage."

Vision of Transparency
ReliantAuditor is the brainchild of Dipak Shah, a retired investment banker. The product's genesis goes back to his days in that business, where he said he routinely observed accountants exiting companies just as deals were scheduled to go through. "Often there was an audit-related issue that came up at the 11th hour during the due diligence," he told CFO.com. "I started to wonder why there was no clear-cut visibility [on audit issues]."

Shah developed a vision of a continuous auditing tool that would provide complete transparency on all business processes and internal controls to a company's internal and external auditors, C-level executives, and operational managers.


In February 2006, he met Bill Hagerman, executive director of internal audit at Mindspeed Technologies, a publicly held semiconductor and networking solutions provider. Shah, as it turned out, was working in the very direction Hagerman wanted to go.

After going through Mindspeed's first year of Sarbanes-Oxley compliance in 2005, Hagerman had told his boss that a fully automated audit solution would be far preferable to the more manual documentation and testing processes he had used. He got approval to purchase software for the task, and started looking into what was available.

"I made the decision right off the bat that I wasn't going to buy five applications to do everything I needed — but there was nothing out there that consolidated everything," he said. "Then I ran into Dipak through a mutual acquaintance, and he shared the same vision I had."

Mindspeed became the beta client for the development of ReliantAuditor, a process that took more than two years. "Any time you start up with a beta, it's a risk, because you're sinking capital into it and you don't know if it's going to come to fruition," Hagerman said. "But I believed in Dipak's plan. We started on version 0.93 and when we went to 1.0, I knew we had a viable tool. Now we're on 2.5, and it is a kick-ass tool."

First of all, there is the convenience of having all the audit data in a single tool. "I like having all my information at my fingertips, where I can just point and click," Hagerman said. "I don't want to have to go in and out of applications to get the data I need."

More important, costs are being stripped out. It's less expensive to buy one application than five, of course, but the cleaner data being generated through ReliantAuditor has reduced Mindspeed's external audit costs by 25 percent. Hagerman said he told his Deloitte auditor, only half-jokingly, "Now that you have access to this tool, next year I don't even want you on-site. Don't bother to come in until year-end."

Internal audit costs are falling as well, because now that the software is enterprise-wide, Hagerman is doing a lot less traveling to the company's international locations. "This application makes my life easy, because I have visibility into all transactions that are posted by these locations," Hagerman said.

Hagerman has in mind a further level of efficiency for next year. Right now, he receives alerts that ReliantAuditor generates any time it identifies an exception to a business-process rule that the software is monitoring. He then must pull information necessary to perform an audit on the exception, or request someone in the field office where the exception occurred to locate the information. Next year, he plans to have the alerts directed to whoever input the data in the first place — "the people I'd have to talk with anyway."

"That will give me more time to do audit work. Right now I spend a ton of time gathering documentation for audit purposes," he said.

Career Booster?
In fact, Hagerman thinks championing a cutting-edge tool like ReliantAuditor will have a direct impact on his career prospects. "We're looking at the future of internal audit with this product," he said.

IDC's Wilhide, too, addressed the potential for career enhancement. "By automating audit through Reliant's holistic approach, [chief audit executives] can elevate their focus on strategic rather than tactical issues that can positively impact operational performance," she wrote in her report. That dovetails nicely with the reality that, as she put it, "the role of internal audit is evolving within many organizations as a key stakeholder in governance, risk, and compliance strategies."

For his part, Reliant's Shah said of continuous monitoring and auditing generally, "What we're seeing in the audit profession right now is that those who have incorporated continuous monitoring and auditing are handsomely moving up in the value chain."

Looking Ahead
ReliantAuditor lies on top of a customer's enterprise resource planning system. It's been designed specifically for the SAP, Oracle, and Great Plains ERPs, but Reliant says it can be adapted to any system.

Wilhide's report further detailed the product's functionality. She wrote that it effectively brings together two subcategories of GRC applications that have evolved over the past several years: compliance and risk management solutions, including audit plan management, control testing and assessment, and remediation management; and business assurance analytic applications, including continuous controls monitoring and evidence management.

According to Shah, at least four new ReliantAuditor installations are likely to be implemented by year-end. Some very large companies are interested, he said, but because Reliant is a small firm, for now it may have to narrow the product's scope to a particular division or ERP system. The holy grail for Shah is partnering with one or more major public accounting firms, which he hopes to do if he gets 10 or 20 customers under his belt.

ReliantAuditor has two pricing models: a subscription fee based on the number of concurrent users of the system, starting at about $75,000 a year with maintenance included; and an enterprise license fee that starts at $500,000 plus 18 percent annual maintenance for any number of users.

Shah unabashedly calls his system the wave of the future in internal audit automation. "It's going to take about five years, but Corporate America will be doing audit the way we are suggesting," he said.


Waving aside that optimism, Wilhide said, "You are going to see internal audit move in this direction, but five years is way too short — that's not the way the world works." Still, she added, Reliant is "on to something. There's no question about it."




CFO Publishing Corporation 2009. All rights reserved.