Tuesday, November 26, 2013

Here We Go Again - Md. Woman Accused of Embezzling $5.1 Million


This one made the front page of the Washington Post (November 25, 2013) and ties in with the recent blog post on Fraud in Non Profit organizations. Key takeaways from this case:
  • Employee registered trade names and opened bank accounts that closely resembled legitimate vendors of the association
  • Employee had ability to generate false invoices and approved them for payment (inadequate segregation of duties)
  • When the checks were prepared she had them returned to her rather than sending them to the vendors
  • The employee had worked for the association for more than 10 years (long time trusted employee)
  • Started small with submitting false bills for registration fees for conferences (T&E fraud)
  • Well respected in the community by donating wedding gowns to military brides
This is a classic case of fraud with all the earmarks of other schemes employed by multitudes of other fraudsters. Clearly there is not much new in fraud schemes and the continued ignorance and avoidance by managers contributes to these situations. As long as managers do not take a proactive approach in detecting and preventing fraud by educating all employees, enforcing a zero tolerance policy, and accepting their management responsibility for establishing internal controls, fraud will continue unabated. 

Jim Kaplan
President and CEO 
AuditNet LLC
www.auditnet.org
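
The red flags listed in the post above (look-alike vendor names, one person both entering and approving an invoice, checks returned to the employee) can each be tested for in accounts payable data. The following is an added example, not part of the original post or any AuditNet tool; the vendor and invoice records are constructed, and the field names and the 0.85 similarity threshold are assumptions.

```python
"""Accounts payable red-flag tests over a vendor master and invoice register."""
import re
from difflib import SequenceMatcher

# Constructed vendor master (assumed layout).
VENDORS = [
    {"vendor_id": "V100", "name": "Capitol Conference Services, Inc.",
     "bank_account": "111000111", "created": "2004-03-01"},
    {"vendor_id": "V101", "name": "Metro Print & Mail Co.",
     "bank_account": "222000222", "created": "2006-07-15"},
    {"vendor_id": "V102", "name": "Harbor Catering",
     "bank_account": "333000333", "created": "2009-01-20"},
    {"vendor_id": "V245", "name": "Capital Conference Service LLC",
     "bank_account": "999000999", "created": "2011-10-05"},
]

# Constructed invoice register (assumed layout).
INVOICES = [
    {"invoice_no": "INV-1", "vendor_id": "V100", "entered_by": "jdoe",
     "approved_by": "msmith", "check_delivery": "MAIL_TO_VENDOR"},
    {"invoice_no": "INV-2", "vendor_id": "V245", "entered_by": "akim",
     "approved_by": "akim", "check_delivery": "RETURN_TO_REQUESTER"},
    {"invoice_no": "INV-3", "vendor_id": "V102", "entered_by": "jdoe",
     "approved_by": "jdoe", "check_delivery": "MAIL_TO_VENDOR"},
]

# Legal-form words carry no identity, so they are dropped before comparing.
NOISE_WORDS = {"inc", "llc", "ltd", "co", "corp", "company", "the"}


def canon(name):
    """Lower-case, strip punctuation and legal-form words."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(w for w in words if w not in NOISE_WORDS)


def lookalike_vendors(vendors, threshold=0.85):
    """Pairs of vendors with near-identical names but different bank accounts.

    The later-created record is reported as the look-alike of the earlier one.
    """
    pairs = []
    for i, a in enumerate(vendors):
        for b in vendors[i + 1:]:
            if a["bank_account"] == b["bank_account"]:
                continue  # same payee spelled twice: a clean-up item, not this test
            score = SequenceMatcher(None, canon(a["name"]), canon(b["name"])).ratio()
            if score >= threshold:
                older, newer = sorted((a, b), key=lambda v: v["created"])
                pairs.append({"established": older["vendor_id"],
                              "lookalike": newer["vendor_id"],
                              "score": round(score, 2)})
    return pairs


def flag_invoices(invoices, lookalike_ids):
    """Attach red flags to each invoice; invoices with no flag are omitted."""
    findings = []
    for inv in invoices:
        flags = []
        if inv["vendor_id"] in lookalike_ids:
            flags.append("LOOKALIKE_VENDOR")
        if inv["entered_by"] == inv["approved_by"]:
            flags.append("SAME_USER_ENTERED_AND_APPROVED")
        if inv["check_delivery"] != "MAIL_TO_VENDOR":
            flags.append("CHECK_NOT_MAILED_TO_VENDOR")
        if flags:
            findings.append({"invoice_no": inv["invoice_no"], "flags": flags})
    return findings


if __name__ == "__main__":
    pairs = lookalike_vendors(VENDORS)
    for p in pairs:
        print("vendor pair:", p)
    for f in flag_invoices(INVOICES, {p["lookalike"] for p in pairs}):
        print("invoice:", f)
```

A flag is a lead for follow-up, not a conclusion: legitimate vendors can have similar names, and small offices sometimes have one person entering and approving by necessity.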



Monday, November 25, 2013

Passing the Buck - Fraud at Non Profits

Another example of how non profit organizations cover up fraud by letting the fraudster off with restitution and dismissal. Allowing a fraudster to settle an embezzlement with an agreement to repay the ill-gotten funds, and then terminating their employment without criminal prosecution, is a poor excuse for preventing occupational fraud. These terminated employees then go out and find another position at other non profits and often repeat their behavior. Once a fraudster escapes prosecution without any criminal record, they pass their problem on to the next employer.

According to the follow up report in the Washington Post on November 24, 2013, an investigation of a fraud at the Progressive Policy Institute revealed that the officials did not call the police or alert donors of the incident. Instead they agreed to forgo legal action in exchange for restitution. The manager who embezzled the funds went on to work for nonprofit and political groups in Florida, serving as a finance director at one. Shame on the managers who agreed to settle so they could hide the fraud from the public and donors.

On the issue of occupational fraud, organizations must have a zero tolerance policy and take all action necessary to prevent the fraudster from repeating their behavior and putting subsequent employers at risk. If organizations fail to do this, then they are not performing the due diligence that is required for ethical behavior.

Tuesday, November 12, 2013

Fraud Raised its Head Again in Public Schools

We see continuing evidence of fraud in all types of organizations, including not-for-profits, corporations, government and yes, even in public schools. Today in the Metro section of the Washington Post there is an article, "Fairfax school officials charged with embezzlement and money laundering." As a former Director of Internal Audit for Fairfax County Public Schools I repeatedly reported to the Superintendent about the lack of internal controls over educational staff. This particular embezzlement involved falsifying timesheets for personal gain. The Virginia State Department of Education requires public schools to regularly audit school activity funds administered by principals. As part of that audit the independent contracted CPA firm must conduct an evaluation of internal controls. During my tenure I reviewed the reports issued by the contracted CPA firm and found that control findings (comments) repeated from year to year with no changes or improvements. Internal auditors in public schools have a difficult task in that educators rarely place a high priority on fiscal oversight. Additionally there is a reluctance on the part of public officials to broadcast when fraud occurs as well as not pursuing criminal action or recovery of the ill-gotten gains.

The statement made by a school representative reinforces and sets the stage for leniency on the part of public officials when fraud is found:

Calling the matter tragic, Sandy Evans, the School Board member for Poe’s area, said Swansbrough “has been terrific” and was a warm, well-liked principal who “cares deeply” about Poe’s students. Evans said she wanted to hear the principal’s side.

Here again is an opportunity to report the embezzlement by adding the amounts stolen to the fraudster's tax reporting requirement by issuing a 1099-MISC.

Monday, November 4, 2013

Why the Dead Get Government Checks

Agencies can't reliably tell who's alive so the checks keep coming.

This is not a new issue but apparently one that journalists resurrect from time to time. Auditors at GAO and other Federal Agencies have known of this issue for decades. I recall attending a training session for IDEA software, an audit data analytic tool, in the 1990s. Auditors from GAO were in attendance and they referenced testing that they were doing where they matched their retiree database to the Death Index, a Social Security database of deceased persons, to identify deceased retirees who were still receiving pensions. State and local governments could request the Death Index from Social Security for a fee to run the same test on retiree data. Private companies could also subscribe to the index.

This type of testing is becoming a standard in many organizations as it allows the auditors to test large databases using automated techniques to identify anomalies in the data. The tests can be set up to automatically run against current data as a first step in detecting fraud and errors in systems.  The caveat in running these tests is the accuracy of the databases. If the Death Index includes names and social security numbers of those who are not dead then auditors must tread carefully in order to not reach erroneous conclusions.
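
A sketch of the match described above, including the accuracy caveat: a hit on Social Security number alone is graded REVIEW unless name and date of birth also agree, and only payments dated after the recorded date of death are counted. This is an added example, not the GAO's test or IDEA code; every record is constructed and the file layouts are assumptions.

```python
"""Match a payment register against a death file and grade each hit."""
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed pension payment register, one row per payment (assumed layout).
PAYMENTS_CSV = """payee_id,ssn,last_name,dob,pay_date,amount
R001,123-45-6789,Alvarez,1931-04-02,2013-09-01,1850.00
R001,123-45-6789,Alvarez,1931-04-02,2013-10-01,1850.00
R002,234-56-7890,Baker,1940-11-17,2013-10-01,2100.00
R003,345-67-8901,Chen,1938-06-30,2013-10-01,1720.00
R004,456 78 9012,O'Neil,1935-01-09,2013-08-01,1990.00
R004,456 78 9012,O'Neil,1935-01-09,2013-10-01,1990.00
"""

# Constructed death file extract (assumed layout).
DEATHS_CSV = """ssn,last_name,dob,dod
123456789,ALVAREZ,1931-04-02,2013-09-15
345678901,CHANG,1952-02-11,2012-03-03
456789012,ONEIL,1935-01-09,2013-05-20
"""


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def norm_ssn(raw):
    """Keep digits only; anything that is not nine digits cannot be matched."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits if len(digits) == 9 else None


def norm_name(raw):
    """Upper-case letters only, so O'Neil and ONEIL compare equal."""
    return "".join(ch for ch in raw.upper() if ch.isalpha())


def match_payments(payments, deaths):
    """Return one finding per payee who was paid after a recorded date of death.

    status CONFIRMED: SSN, last name and date of birth all agree.
    status REVIEW:    SSN agrees but name or date of birth does not, which
                      points to a keying error or a wrong entry in either file.
    """
    death_by_ssn = {}
    for d in deaths:
        ssn = norm_ssn(d["ssn"])
        if ssn:
            death_by_ssn[ssn] = d

    findings = {}
    for p in payments:
        d = death_by_ssn.get(norm_ssn(p["ssn"]))
        if d is None:
            continue
        if date.fromisoformat(p["pay_date"]) <= date.fromisoformat(d["dod"]):
            continue  # payment made while the payee was still alive
        corroborated = (norm_name(p["last_name"]) == norm_name(d["last_name"])
                        and p["dob"] == d["dob"])
        f = findings.setdefault(p["payee_id"], {
            "payee_id": p["payee_id"],
            "status": "CONFIRMED" if corroborated else "REVIEW",
            "dod": d["dod"],
            "payments_after_death": 0,
            "amount_cents": 0,
        })
        f["payments_after_death"] += 1
        f["amount_cents"] += int(Decimal(p["amount"]) * 100)
    return sorted(findings.values(), key=lambda f: f["payee_id"])


if __name__ == "__main__":
    for finding in match_payments(load(PAYMENTS_CSV), load(DEATHS_CSV)):
        print(finding)
```

REVIEW hits go to manual verification before any payment is stopped or any referral is made.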

The Washington Post article includes cases where relatives of deceased individuals collected social security and other benefits long after the beneficiary had passed away. The sentences imposed on these individuals seemed rather light, reinforcing the axiom that fraud does pay. I wonder if the federal government issued 1099-Misc for individuals that received these ill-gotten funds. Seems like another instance of fraud where the IRS could use the tax code to impose criminal and civil penalties.

The system for reporting deceased persons must be fixed. There should be reporting standards for federal, state and local governments. These systems must incorporate data from funeral homes, hospitals and other reporting entities.

Perhaps it was much easier in days past when we had more personal interaction. In the current environment much of our financial transactions take place without any personal or face to face contact. Electronic payments, online benefit applications and more have meant that we must rely on technology tools for internal controls. It is time that the federal government invests in technology to identify when things go awry.

Until these systems are fixed we will continue to see individuals that see the holes and take advantage of them at the expense of the taxpayer.

JK November 2013

Saturday, November 2, 2013

Reporting Fraud in Non Profit Entities - Congress and Attorneys General are Shocked

Dateline Sunday November 2, 2013 Washington Post
Congress promises multiple investigations of possible wrongdoing at charities

In an ironic twist, lawmakers and attorneys general expressed surprise and shock that non profit entities fail to report and follow up on fraudulent activity. When reading the article I had a mental picture of ostriches with their heads stuck in the ground.

The Association of Certified Fraud Examiners issues a biannual Report to the Nations on Occupational Fraud and Abuse. The report includes not-for-profits and clearly shows that fraud exists in these organizations. Perhaps what is more shocking is that while non profits must report misconduct or wrongdoing, there is no equivalent reporting requirement on the part of for profit organizations. Shouldn't shareholders and the public have the right to know when companies they invest in or do business with experience frauds? One of the reasons why organizations, whether for profit or not for profit, are reluctant to report fraud is that it casts a shadow over management and its ability to establish the proper controls. There are laws on the books protecting whistle blowers, but the truth of the matter is that most frauds go undetected and not reported due to management concern about adverse publicity.

Perhaps corporate tax returns should include a similar disclosure requirement that applies to non profits. Frauds have a potential adverse impact on business continuity in for profit organizations. The cost of fraud in for profit businesses is viewed as a cost of doing business and is passed on to the consumer. Frauds reduce the amount of money that non profits can use to provide services and drive the cost of products and services up in for profit organizations.

It is time that taxpayers, shareholders, regulators, politicians, and philanthropic donors paid attention to fraud in organizations that we have a stake in. Perhaps we need a campaign for fraud similar to that for terrorism: If you see something - say something! Report Fraud, Waste and Abuse and make fraudsters pay!

We welcome your feedback and comments and suggestions on how we can raise a debate on the issue of occupational fraud!
 

Monday, October 28, 2013

Reporting Fraud in Non Profit Entities - The Reluctance to Air Dirty Laundry

Dateline Sunday October 27, 2013 Washington Post front page news.
Millions lost by nonprofits with little explanation

Nonprofits are losing millions of dollars from fraud and embezzlement and not reporting the full extent of the losses on required filings with the IRS. Here are some of the additional issues in the article:

- under reporting of the extent of the fraud
- delaying notifying investigators of the fraud

Exempt organizations must file a 990 form every year. This is similar to tax returns that individuals must file. Part IV of the form covers Governing, Management and Disclosure. Question 5 reads as follows:
Did the organization become aware during the year of a significant diversion of the organization's assets? A diversion is considered significant if it exceeds $250,000 or 5% of the organization's receipts or assets. This is the place on the form to report embezzlement and fraud. Since 2008 more than 1,000 organizations disclosed a diversion according to the Post.

One would think that these organizations did not have access to resources, tools or guidelines to detect and prevent employee fraud. A simple Google search found hundreds of guides and documents that identify red flags and checklists for detection and prevention. The sad fact relating to this situation is that these organizations are subsidized by the U.S. Taxpayer. People give generously to these charitable organizations with the expectation that their money will go to assist those in need. Instead the funds are walking out the door or lining the pockets of the staff and management of the organization.

These frauds, such as investment schemes, embezzlements and purchasing fraud, follow familiar scenarios occurring in companies and government agencies.

Here are some ideas that NFP's and other organizations should consider:


  1. If you suspect misconduct or wrongdoing by an exempt organization or employee plan, use Form 13909.
  2. Embezzled income is taxable to the person who does the embezzling (revenue ruling 61-185, 1961-2 CB 9; revenue ruling 65-254, 1965-2 CB 50; James v. United States, 366 US 213 (1961), Ct. D. 1863). The embezzled amount should be included in the embezzler's gross income in the year of the embezzlement. In addition, the embezzler/employee may be subject to self-employment taxes on the embezzled amount. Since the embezzlement constitutes income to the embezzler, the entity that has suffered the loss should report it to the IRS. Proper reporting of the embezzled income to the IRS will provide the employer with documentation for deducting its loss and also meet the filing requirements of section 6721 and section 6722. It will, in addition, alert the IRS to possible unreported income by the employee. The employer should report the embezzled income on form 1099-MISC as non-employee-compensation. The employer must prepare a form 1099-MISC for each tax year the employee embezzled funds.
  3. Implement an employee fraud awareness program. Every employee is a stakeholder when it comes to due diligence on reporting fraud. By not following up on the mandatory disclosures or not investigating and reporting in a timely manner, the organization is at risk from a business continuity standpoint. Major frauds have a capacity to impact a business or NFP's ability for continued operation.
  4. If a fraud policy does not exist then the organization should develop one. Zero tolerance should be a part of this policy as well as following up on actions against the embezzler/fraudster. These include both legal as well as financial reparations. 
Here is a fraud prevention checklist for NFPs from the ACFE:

  1. Is ongoing anti-fraud training provided to all employees of the organization?
    • Do employees understand what constitutes fraud?
    • Have the costs of fraud to the company and everyone in it – including lost profits, adverse publicity, job loss and decreased morale and productivity – been made clear to employees?
    • Do employees know where to seek advice when faced with uncertain ethical decisions, and do they believe that they can speak freely?
    • Has a policy of zero-tolerance for fraud been communicated to employees through words and actions?
  2. Is an effective fraud reporting mechanism in place?
    • Have employees been taught how to communicate concerns about known or potential wrongdoing?
    • Is there an anonymous reporting channel available to employees, such as a third-party hotline?
    • Do employees trust that they can report suspicious activity anonymously and/or confidentially and without fear of reprisal?
    • Has it been made clear to employees that reports of suspicious activity will be promptly and thoroughly evaluated?
  3. To increase employees’ perception of detection, are the following proactive measures taken and publicized to employees?
    • Is possible fraudulent conduct aggressively sought out, rather than dealt with passively?
    • Does the organization send the message that it actively seeks out fraudulent conduct through fraud assessment questioning by auditors?
    • Are surprise fraud audits performed in addition to regularly scheduled fraud audits?
    • Is continuous auditing software used to detect fraud and, if so, has the use of such software been made known throughout the organization?
  4. Is the management climate/tone at the top one of honesty and integrity?
    • Are employees surveyed to determine the extent to which they believe management acts with honesty and integrity?
    • Are performance goals realistic?
    • Have fraud prevention goals been incorporated into the performance measures against which managers are evaluated and which are used to determine performance-related compensation?
    • Has the organization established, implemented and tested a process for oversight of fraud risks by the board of directors or others charged with governance (e.g., the audit committee)?
  5. Are fraud risk assessments performed to proactively identify and mitigate the company’s vulnerabilities to internal and external fraud?
  6. Are strong anti-fraud controls in place and operating effectively, including the following?
    • Proper separation of duties
    • Use of authorizations
    • Physical safeguards
    • Job rotations
    • Mandatory vacations
  7. Does the internal audit department, if one exists, have adequate resources and authority to operate effectively and without undue influence from senior management?
  8. Does the hiring policy include the following (where permitted by law)?
    • Past employment verification
    • Criminal and civil background checks
    • Credit checks
    • Drug screening
    • Education verification
    • References check
  9. Are employee support programs in place to assist employees struggling with addictions, mental/emotional health, family or financial problems?
  10. Is an open-door policy in place that allows employees to speak freely about pressures, providing management the opportunity to alleviate such pressures before they become acute?
  11. Are anonymous surveys conducted to assess employee morale?
For more anti-fraud ideas and resources and training for detecting and preventing fraud visit AuditNet.org and FraudResourceNet.com


Sunday, September 8, 2013

Fraud is Alive and Well

Think that fraud does not happen in your organization? This week the Washington Post reported another fraud in D.C. This one was a District social services worker accused of benefits fraud. Complicated scheme? Not really. She created false identities and allegedly stole more than $700,000 in cash, food stamps and health benefits. The fraud took place over a 2 year period from 2011 to 2013. The individual was not a recent hire but rather had been working at the agency since 2005. This supports the fact that most frauds are perpetrated by trusted employees who have been with the organization for quite some time. What perhaps sets this apart from other frauds is that she was stealing and diverting funds that would otherwise be going to individuals who truly need the help.

AuditNet has partnered with FraudResourceNet to provide Web based training for detecting and preventing occupational fraud. Fraud schemes fall into specific categories and patterns, and these types of fraud occur frequently in all types of organizations. If you would like more information on how to communicate with your employees on how to be fraud aware, then contact us. We need to take the theme of if you see something say something and apply it to the workplace to detect and prevent the flood of fraud taking place on a daily basis.

Jim Kaplan

Saturday, March 30, 2013

Survey of more than 1,500 Auditors Concludes that Audit Professionals are Not Maximizing Use of Available Audit Technology



Key findings from the survey include:
  • while audit software tools have been available for almost 2 decades, auditors and audit departments are not making full use of the technology
  • auditors use audit software tools mostly on an ad hoc basis with some repetitive use, and departments do not have a strategy or plan to integrate technology in the audit process
  • the main reason for limited use of audit technology tools is the cost of the software and training and management resistance to change
Auditors have a number of technology tools and techniques available for each area of the audit process. Software vendors comprised of former technology audit professionals have developed products that can increase productivity and expand the capabilities of audit shops whether they are large or small. Despite this fact we have noticed that surveys performed by leading professional associations, consulting and auditing firms consistently report that while auditors have made gains in utilizing technology there is plenty of room for improvement.
The AuditNet® 2012 State of Technology Use by Auditors was launched in order to determine what tools audit departments are using, how the tools are being used, the level of use and where auditors see themselves on the Audit Utilization of Technology Optimization Scale (AUTOS). AuditNet® has been on the leading edge of the profession when it comes to encouraging auditors and audit departments to integrate the use of technology in their methodology.
Executive Summary
Information technology is now a way of life in the business community. The decreasing cost of hardware and the wide variety of software available has put computing power on the desk of most employees of even the smallest companies. This technology has also made it possible for auditors to undertake procedures that were previously impossible due to time constraints and cost.
From Application of Computer Assisted Audit Techniques using Microcomputers – CICA 1994
Computer-assisted audit tools and techniques (CAATTs) have been available for auditors since the early 1990s. The 2012 AuditNet® Audit Use of Technology Survey found that, despite the recognized added value that technology affords auditors, a paradigm shift in maturity is not imminent. We received responses from almost 1,500 auditors and over 2/3 completed all the survey questions. The most widely used category of audit software is data analysis software. That being said, 59% of those surveyed said they were using data analysis tools on an ad hoc basis (when needed) or not at all. Only 21% were using data analysis tools and techniques on a repetitive basis (used for most audits), while few respondents indicated continuous use (used for every audit or project). There is clear evidence that using data analysis software results in cost savings, as demonstrated by research from the Corporate Executive Board’s Audit Director’s Roundtable, which reported in 2005 that Internal Audit Should Embrace Data Analytics:
Data analytic procedures are a much more cost-effective way to collect audit evidence. Analytic procedures cost $0.01 compared to $4 for a standard audit of the same evidence.
The survey results showed that other audit software technologies were either being planned or at the ad hoc use level. Repetitive use of audit software by most auditors is far from mature in all of the software categories included in the survey. For a profession that prides itself on embracing technology it was clear from our results that auditors are far from reaching an optimum maturity level.
Professional associations have promoted the benefits of enhanced technology to their members and have produced guidance on integrating technology in the audit process. The IIA implemented Standards requiring auditors to leverage technology stating that:
In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques. (Standard 1220.A2)
Professional associations have done significant research and invested significant resources into developing strategies and plans for greater use of technology by auditors; however, they have not openly disseminated this information to the global audit community. Association members have free access but non-members must purchase the guides. Additionally, audit and consulting firms have spent significant time and resources to develop unique and separate approaches and methodologies on technology solutions. If we expect to effect a paradigm shift in audit use of technology we need standards, action plans and guidance coordinated through a task force of professional associations and audit and consulting firms. These “standards” and guidance should be widely disseminated to the global audit community. Social media and networks have facilitated communication to the global audience of auditors and could be effectively used to “raise the bar” on the audit use of technology maturity scale.
Additional results of our survey showed the following:
  1. Training is primarily on the job as opposed to a formal setting.
  2. Software cost and lack of management support continue as significant reasons for not implementing technology.
  3. Technology continues to be seen as the domain of IT auditors rather than all staff.
  4. Most audit departments have not:
    a. defined a strategy for implementing audit technology,
    b. defined the benefits of implementing audit technology,
    c. defined ways to measure the effectiveness of technology investments, processes, and activities.
  5. Size of audit department has no apparent impact on maturity level of use of audit technology.
  6. Most audit departments were at the lowest level of maturity on the audit use of technology maturity level (from little or no use to planning and ad hoc) and few departments have matured to repetitive or continuous use of audit technology.
Action Plan for Auditors
  1. Conduct an inventory of technology tools and create a matrix linking tools to activities.
  2. Prepare a technology skills inventory for current staff and perform a gap analysis.
  3. Perform a gap analysis to determine target areas for improvement and determine financial resources required for the software, training and maintenance.
  4. Build a business case for integrating technology in the audit process.
  5. Hire auditors with the necessary skills to fill the gap.
  6. Acquire technology for the target areas if not already purchased.
  7. Assign a technology champion and influencer to lead the integration and develop a succession plan to ensure technology use continuity.
  8. Develop an implementation strategy to integrate audit technology for administrative tasks and in each phase of the audit process.
  9. Annually conduct an audit technology assessment and benchmark progress against initial initiative.
  10. Develop metrics to demonstrate the impact of technology on the audit process to include outcomes as well as outputs.


AuditNet® 2012 State of Technology Use by Auditors Survey

Over two thirds of our responses came from audit departments with fewer than 10 auditors. However, based on the responses provided there appears to be no variation in how auditors use technology. We have always assumed that the larger the department the greater the utilization of audit technology, but based on the results of this survey that is not the case.
Availability of Audit Technology Tools
Audit technology tools other than data analysis were not available in more than half of the audit departments according to the survey responses. The following chart represents the technology tools currently available by those who responded to the survey. This chart clearly demonstrates that of the nine categories of technology tools those used most and fully deployed are data analysis software (ACL, IDEA etc) followed by electronic working papers such as CCH TeamMate. Categories where little progress has been made include GRC, continuous monitoring and fraud detection/prevention software. The majority of audit departments had not even begun the evaluation process and had no plans to make technology tools available to their staff. Less than 5% were evaluating vendors. If audit technology tools are not available in more than half of audit departments then how reliable are results from other surveys regarding widespread use of computer assisted audit tools and techniques?
Proficiency with Technology
When asked to categorize their technology skill set 28% of the respondents indicated that few of their auditors were proficient with audit technology tools and 31% said some of their auditors were proficient. The IIA standards do not require all internal auditors to possess technology skills so the responses to this question are not surprising. The emphasis by professional standards is that technology skills should be available rather than having proficiency for all staff. This would be a good area to expand this question and correlate staff level to technology skill set. Perhaps the senior staff represents auditors without technology skills as their primary role is administration. Even so we would expect that some of the audit management tools involve technology skills.

  • Few of our auditors are proficient with our audit technology: 27.7%
  • Some of our auditors are proficient with our audit technology: 30.9%
  • Most of our auditors are proficient with our audit technology: 24.0%
  • All of our auditors are proficient with our audit technology: 17.4%

 
Technology Training
Most of the technology training received by both new hires and current audit staff is accomplished by on the job training. Only 7.5% reported formal training by third parties or outside the office. Training is an important factor in audit use of technology. Training must be supplemented by using the technology on a repetitive basis. Using audit technology on an ad hoc basis may result in loss of knowledge acquired from formal or on the job training, i.e. use it or lose it. According to TeamMate’s 2011 Internal Audit Technology Survey:
Despite the importance of the right “Tone at the Top” and technology skill sets, training does more than any other practice to help respondents utilize technology more effectively, according to the 2011 IATS results. In response to an open-ended question receiving dozens of responses, more than 50 survey respondents identified some form of on-the-job or formal training, whether delivered by in-house staff or a third party, as having done the most to help them enhance technology value and effectiveness.
Keep in mind, however, that technical skills fade quickly if they are not used; the “use it or lose it” saying has definite application when it comes to complex technology requiring frequent use in order to master and retain what is learned. For this reason, it is useful to conduct a strategic analysis of your training needs when it comes to technology, a process that includes determining what levels of proficiency are required for various members of your group in order to achieve departmental objectives. You may only need one expert in data mining or data analytics, for example, and this expert, in turn, would be asked to train others in the department in a systematic manner.
Therefore one of the critical steps in moving the bar on the audit use of technology maturity scale is training tied to repetitive or continuous use of the tools.
Inventory of Audit Technology Tools
How can an audit department maximize the use of audit technology tools if it does not know what tools it has? The following chart shows that, according to the survey responses, most audit departments do not maintain an inventory of audit technology tools. So the question is: if audit departments do not inventory their audit technology tools, how can they begin to put into place a strategy or plan to use technology? This may be an area for further study, as turnover in audit departments would be a key factor in loss of institutional knowledge or a growing inventory of shelf ware (audit software purchased but not deployed). The question of available technology tools should be one of the questions asked by new hires or a new chief audit executive (CAE).
A current and updated inventory of available audit technology tools represents another critical step in the audit use of technology.
Current Use of Technology by Audit Departments
Almost two thirds of those responding said that their audit departments performed an assessment of the current use of technology by internal audit. A key metric to establish whether audit uses technology would be to measure the current state of technology use by audit. By benchmarking and measuring the current state of technology use by audit a CAE would be able to create a plan and then evaluate on a periodic basis (annually) whether the use of technology has matured beyond an ad hoc level. 
Auditor Maturity Ratings on the Use of Audit Technology 
The IIA Global Technology Audit Guide (GTAG) 16 Data Analysis Technologies provides the following group types of data analysis tasks:
Ad Hoc: Explorative and investigative in nature. Seeking documented conclusions and recommendations. Specific analytic queries — performed at a point in time — for the purpose of generating audit report findings.
Repetitive: Periodic analysis of processes from multiple data sources. Seeking to improve the efficiency, consistency, and quality of audits. Managed analytics — created by specialists — and deployed from a centralized, secure environment, accessible to all appropriate staff.
Continuous: “Always on” — scripted auditing and monitoring of key processes. Seeking timely notification of trends, patterns and exceptions. Supporting risk assessment and enabling audit efficiency. Continual execution of automated audit tests to identify errors, anomalies, patterns and exceptions as they occur.



Using similar group types for all audit technology, AuditNet© developed the Audit Utilization of Technology Optimization Scale (AUTOS) to measure the perceived maturity level on the use of audit technology by auditors. We asked respondents to rate their department maturity for the categories of audit software.
The survey results demonstrated that most auditors are still at the ad hoc or lowest level of maturity for most audit technologies. For most of the audit software categories, more than half of the auditors reported that they do not use the technology. For some categories, such as governance, risk and compliance, continuous controls monitoring, and fraud prevention and detection, more than two thirds reported no use. The only exception was data analytics (ACL, IDEA, Excel), where almost 38% reported not using the technology. Another 21% reported that they only use data analysis tools on an ad hoc basis (defined above under GTAG 16). In the category of electronic working papers and audit management software (TeamMate, Pentana and other vendors), close to 50% do not use the technology. Based on subsequent survey questions, one of the barriers to greater use of audit technology is the cost of the software and training. There is a significant opportunity for vendors to develop affordable tools to capture the market of those audit functions not currently using audit software technology. Additionally, affordable training opportunities for each of the software categories could have a positive impact on audit departments moving the bar on the maturity scale.
Satisfaction with Implemented Audit Technology and Leveraging the Tools
We asked survey participants to rate their satisfaction in each of the audit technology categories that their department has implemented. The responses demonstrated a relatively low level of satisfaction in most software categories. The only technology tool where more than half the auditors were either moderately or completely satisfied was Microsoft Office (Word, Excel and Access). For the data analytics (ACL, IDEA) and electronic working papers (TeamMate, Pentana and others) categories, almost 40% of those surveyed were moderately or completely satisfied. In the data analytics and electronic working paper categories, 10% of those who responded said they were not satisfied with the technology. When looked at in the context of other survey responses, the level of satisfaction is directly related to the ad hoc use of audit software, the training factor, and support by senior management. If auditors are not using audit software technology on a repetitive or continuous basis, they may not be seeing the positive results. If results from the use of audit software technology are not being measured or evaluated, then satisfaction may be less than optimal.
We also asked the previous question from the perspective of how satisfied respondents were with the audit function's leveraging of the tools. For this question, approximately 20% for each software category were not satisfied with how their departments were leveraging the technology. Again the highest ratings were for audit management software and data analytics. Leveraging the technology is highly dependent on whether the audit department has a plan for how to use the technology, and it is clear from other survey questions that ad hoc use can be correlated to less satisfaction. If audit departments established a plan for how to integrate technology into all areas of the audit process, we should expect a resulting shift in the satisfaction level of staff and management. The benefits of leveraging technology to support the internal audit mission would become evident.
Detailed responses for this question are available in the full survey report.
Software and Training Costs are the Primary Reasons for Not Using Audit Technology
We provided a list of 15 reasons cited for not using audit technology and asked survey participants whether they agreed or disagreed. The main reason for not using audit technology is cost, according to 57% of the responses. The next major reason for not using the technology was that their department had no funds allocated for training (50%). While software and training costs were the primary factors cited for not using the technology, they were followed by audit management not supporting use and organizational roadblocks. Management buy-in to how technology can help is a critical factor, and a cost-benefit analysis could contribute greatly to overcoming cost issues. Management support is critical, as reported in TeamMate’s 2011 Global Technology Survey, where they found that tone at the top was the single factor that does the most to enhance technology effectiveness. Developing a training plan that leverages internal knowledge can also facilitate the process. In some companies, organizational roadblocks such as IT (Information Technology) management or the Chief Technology Officer (CTO) impact the use of audit technology. It is therefore important for audit management to make the case for acquiring audit technology and to demonstrate how it can benefit the organization. Key stakeholders and management need to be part of the process. Detailed responses for this question are available in the full survey report.
Audit Department Technology Plans and Strategies
The following chart shows responses to the question does your audit department have a plan or strategy to address key areas.  More than half of those surveyed reported that they did not have a plan or strategy for these areas. 


Auditors Rank Departments at Informal or Ad Hoc Use of Technology
Too few auditors and audit organizations have invested much thought and resources into computer-based tools and techniques, let alone information technology.
David Coderre from Internal Audit: Efficiency through Automation 2009
AuditNet© developed an Audit Use of Technology Optimization Scale and asked auditors where they would rank their department. More than one third (36%) of survey respondents ranked their audit department at the informal or ad hoc maturity level for audit use of technology. Another 18% ranked their department at the needs assessment level which means that they are not using any audit technology.
The responses from those surveyed would contradict many other reports from the profession, vendors and consultants that indicate that most auditors are using technology on a repetitive or continuous basis. In order for auditors to achieve the efficiencies afforded by technology they need to integrate and incorporate tools as part of the audit process. To move the bar on the Technology scale auditors need to be using available tools for all audits rather than on an ad hoc basis. As organizations have embraced technology in all of their systems and operations, auditors need to embrace technology to approach how they do their work and meet the objectives of their audits. This requires a cultural change that must come from the top down as well as the bottom up. The technology option must be considered from the planning phase of the audit right through to the reporting and follow up phase. Staff auditors should be encouraged to suggest how they can use technology to improve and facilitate the audit. Technology can be applied for risk assessment, planning the annual audit schedule and projects, fieldwork, reporting and follow up. 
Factors that will Influence a Shift in Technology Use
We asked what factors have the greatest influence on making a paradigm shift towards technology maturity.  The highest ranked areas were as follows:
1. Financial resources – greater investment in audit technology
2. Leadership – greater commitment by the CAE to embrace technology
3. Planning – having a clearly defined plan
4. Training – ensuring that all staff receive training
5. Human resources – hiring the right auditors with technology experience
The lowest ranked areas included compensation incentives, vendor suite of tools, and organizational infrastructure changes.
The issues identified coincide with surveys by other organizations that emphasize cost as a major factor. This is perhaps an area where organizations who do not have the financial resources can start their technology plan using available tools such as Microsoft Office and add Excel add-ins for data analytics. However, perhaps the greatest impact can be made by organizational leadership combined with planning, where the CAE and management embrace technology as an enabler to benefit the organization.
The final survey question was open ended and asked auditors to provide the one factor above all others that they saw as impacting a paradigm shift in auditors integrating audit technology in their audit function. More than 30% of the responses centered on the cost of either the software, training or overall technology and in many cases whether the benefit justified those costs. More than 20% indicated that management (CAE) support was the one most important factor that would contribute to a resulting shift.  Following are examples of some of the thoughtful responses from auditors:
• Individuals are not willing to deal with change. A lot of people are not willing to learn something new because they think they will not be able to master it.
• Demonstrating value. Once auditors begin to see value in audit effectiveness, audit efficiency, results, management responsiveness and/or board responsiveness, they get the bug. As data drives the entire business more and more, and more and more controls are automated, we will have no choice.
• The more auditors that have used technology and are familiar with the benefits it brings, the more push there will be from within audit departments to adapt technology.
• Biggest factor is the value of the technology. The technology would have to significantly reduce current workload. Currently our audit staff is pressed for time on all audits. Which means we don't have a lot of time for training on new software, but if we found a solution that could be integrated with our current financial systems (if required), and it was cost effective, and allowed us to reduce much of the current workload for conducting non-essential audit tasks, I could see a very good possibility of acquiring and using such audit technology.
• Clearly demonstrated benefit / differentiation of using technology vs not using technology in audits. What would help me would be hearing about real world examples of how things went wrong (got missed) at organizations who were not using technology in their audit function and how that cost the organization. While difficult / unfair to necessarily pin such events squarely on IA, there's enough press re: "Where was Internal Audit?" for technology providers to be able to provide examples of how their product(s) could have helped.
• In my opinion, the one factor impacting a paradigm shift is change. For some experienced auditors, the technology is so very new to them that they will resist as long as possible. For new auditors, without the skills with audit technology, they won't get the job to learn the technology.
• Being open to change and willing to take the time to learn how new technology can be used. They need to acknowledge that while using a new technology will seem like more work and that it takes longer in the short term, use and familiarity will increase productivity and the ability to think of new ways to expand effectiveness.
Clearly auditors put great thought, time and effort into responding to this survey, and it represents insight into where auditors see themselves and their organizations in relation to the use of audit technology. The complete results of this survey are available from AuditNet© and are provided as a service to the profession. Based on the response and the information gleaned from the survey, we plan on repeating this to determine the trends with respect to audit use of technology.
