Technology tools for internal auditors
Mike Hughes of Prism RA explores the different technology tools that internal auditors need in their toolkit to manage operational effectiveness.

Internal auditors need a number of different tools in their toolkit to manage operational effectiveness. As with the acquisition of any IT solution, the IT auditor needs to determine their specific needs and conduct a selection process to identify which tool provides the best fit at the best cost and value.
There are many available from a range of vendors; this article looks at a sample. The products mentioned in this article are not a recommendation or an endorsement.
Audit tools
Assessment/audit tools help to automate the assessment of the operating effectiveness of key controls. They take some time to set up, configure and tune, but once this has been done, they can repeat the tests as often as you need.
For example, Huntsman Security SmartCheck is designed for monitoring, detecting and responding to cyber threats in real time. Its focus is on delivering automated security controls and providing an in-depth view of security posture for compliance and operational needs.
Key features of the product include automated security control audits, real-time security monitoring, simplified compliance reporting, improved threat detection and incident response, dashboards for security posture visibility and integration with security information and event management (SIEM) and security tools.
SmartCheck aims to reduce the number of false positives, helping security teams focus on genuine threats and vulnerabilities. It can be used by audit teams and cyber security specialists alike.
There are a number of other cybersecurity and compliance platforms that offer threat detection, compliance and monitoring solutions. These are aimed more at cybersecurity specialists and may therefore already be deployed within the organisation.
Splunk Enterprise Security offers powerful SIEM capabilities, real-time threat detection, and analytics. It also supports compliance reporting and integrates well with other security tools. Key features are similar to those of SmartCheck but the product also lists compliance reporting, data enrichment and machine learning.
IBM's QRadar is a comprehensive SIEM solution that provides real-time insights and forensic capabilities for threat detection and compliance. It focuses heavily on integrating threat intelligence to enhance detection and incident response.
Recommendations tracking
There are several internal audit recommendations tracking tools available to help address and mitigate identified issues in a timely manner. They are designed to help audit teams to monitor findings, assign tasks and ensure timely resolution.
AuditBoard is a cloud-based platform specifically designed for internal audit, risk management and compliance teams. It offers an integrated suite of tools for managing audit plans, tracking recommendations and automating follow-up tasks.
TeamMate+ is a widely used internal audit management solution. It offers modules for audit planning, execution and tracking of recommendations. It helps teams ensure that audit issues are being addressed in a timely manner.
Galvanize, now part of Diligent, offers a platform for risk and audit management. It includes robust audit tracking features and is known for its focus on data analytics to drive decision-making.
Each of these tools can be evaluated based on the specific needs of your audit team, organisation size, risk profile and complexity of your audit processes. When making your choice, it's important to consider each tool's integration capabilities, customisation and automation features, reporting and analytics functionality and scalability.
Audit management
Audit management software helps organisations streamline their internal audit processes, improve risk management and ensure regulatory compliance.
Magique Galileo is a specialised GRC (governance, risk and compliance) software that supports audit management, along with risk management and compliance tracking. It is best for mid-sized to large organisations seeking a tailored GRC solution with strong risk management capabilities.
AuditBoard is an all-in-one audit, risk and compliance management platform designed specifically for internal audit teams. It is best for midsize-to-large organisations with a strong focus on audit and SOX compliance.
Galvanize HighBond (now part of Diligent) provides a robust platform for audit, risk, compliance, and IT management. It is best for organisations with a focus on data analytics and real-time risk assessment.
GRC tools
GRC tools are essential for helping midsize-to-large organisations manage their business risks to ensure compliance with regulations and implement effective governance practices.
For example, RSA Archer is a comprehensive platform that offers customisable modules for different GRC needs, such as risk management, IT security and business continuity.
ServiceNow's GRC suite provides an integrated platform to streamline risk management, policy compliance and audit processes. It integrates well with other ServiceNow IT workflows.
Data analytics
Data analytics has come on a long way since the days of CAATs (computer assisted audit techniques). A vast array of tools is now available – everyday tools such as Excel and Access; specialist audit tools, such as IDEA and ACL; and advanced tools such as business intelligence (BI).
Internal audit data analytics tools help auditors analyse vast amounts of data efficiently, uncover patterns, identify anomalies and improve overall audit quality. The power of such techniques is the ability to interrogate 100% of the audit population and to compare different data sets to identify anomalies.
Businesses will need to invest time in setting these up, ensuring that the complete data set is extracted, writing data analysis scripts and testing.
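As an added illustration (not part of the original article or any product named in it), the sketch below reconciles an extract to control totals before testing, then runs every record in the population against a second data set. The file layouts, vendor statuses and control totals are constructed sample values and assumptions.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: a vendor master and a payments extract.
VENDOR_MASTER_CSV = """vendor_id,name,status
V001,Acme Supplies,active
V002,Northern Freight,active
V003,Old Contractor Ltd,blocked
"""
PAYMENTS_CSV = """payment_id,vendor_id,invoice_no,amount
P1,V001,INV-100,1200.00
P2,V002,INV-200,450.50
P3,V001,INV-100,1200.00
P4,V003,INV-300,980.00
P5,V009,INV-400,75.25
"""
# Control totals reported by the source-system owner for the same extract (assumed).
CONTROL = {"records": 5, "amount": Decimal("3905.75")}

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def completeness(payments, control):
    """Reconcile record count and value to the control totals before testing."""
    total = sum(Decimal(p["amount"]) for p in payments)
    return len(payments) == control["records"] and total == control["amount"]

def population_exceptions(payments, vendors):
    """Run every payment through each test; return exceptions by test name."""
    status = {v["vendor_id"]: v["status"] for v in vendors}
    seen = defaultdict(list)
    exceptions = defaultdict(list)
    for p in payments:
        vid = p["vendor_id"]
        if vid not in status:  # payee absent from the vendor master
            exceptions["vendor_not_in_master"].append(p["payment_id"])
        elif status[vid] != "active":  # payee exists but should not be paid
            exceptions["vendor_not_active"].append(p["payment_id"])
        seen[(vid, p["invoice_no"], Decimal(p["amount"]))].append(p["payment_id"])
    for ids in seen.values():
        if len(ids) > 1:  # same vendor, invoice number and amount paid twice
            exceptions["possible_duplicate"].append(ids)
    return dict(exceptions)
```

If the completeness check fails, the extract is incomplete or altered and any exceptions found cannot be relied on as covering 100% of the population.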
ACL Analytics (Galvanize, now part of Diligent) is one of the most popular tools. It is specifically designed for audit professionals and enables users to analyse 100% of the data, identify patterns, anomalies, and issues in financial and operational data.
IDEA (Interactive Data Extraction and Analysis) is also specifically designed for auditors to perform detailed data analysis. Large datasets can be imported from multiple formats and sophisticated tests can be run on them.
Power BI has gained popularity among auditors for its ability to connect to a wide range of data sources, and provide interactive reports and dashboards. It is highly customisable, cost-effective and part of the Microsoft ecosystem.
Robotic process automation (RPA) tools are increasingly being used in internal auditing to automate repetitive and rules-based tasks, such as data extraction, matching and reconciliation. Products such as UiPath, Blue Prism and Automation Anywhere can improve efficiency, reduce human error and enhance the ability to analyse large amounts of audit data.
Excel remains one of the most widely used tools in internal audit thanks to its flexibility and familiarity. It can be enhanced through add-ons like Power Query, Power Pivot and VBA scripting.
I can't emphasise enough the power of data analytics to the auditor: it increases the coverage of audit testing in a cost-effective way, and thereby the quality of audit opinion.
Gen AI
Using generative AI to summarise internal audit interview notes can offer efficiency and clarity, but it also comes with a long list of risks.
- Unauthorised access: Gen AI models often rely on cloud-based platforms, which might expose sensitive data if the information is processed externally. If the data leaves the secure internal environment, it can be vulnerable to breaches or unauthorised access.
- Information misuse: Internal audit interview notes may contain confidential details about financial practices, legal risks or security vulnerabilities. If AI systems retain or inadvertently leak this data, it could lead to regulatory violations, fines or reputational damage.
- Misinterpretation: AI may not fully capture the subtleties, context or intent behind human conversations, especially in complex topics such as risk management, compliance or governance issues. Misinterpretation can lead to inaccurate conclusions and faulty summaries.
- Lack of understanding: Audit interviews often involve technical jargon, legal or regulatory specifics and industry-specific knowledge. AI models might summarise these incorrectly without understanding the nuance, leading to misleading summaries that impact decision-making.
- Embedded bias: Generative AI can inadvertently introduce biases in the summarisation process. This could lead to summaries that overemphasise certain points while downplaying others, introducing bias into audit reporting.
- Loss of judgment: AI does not have human judgment or critical thinking. It might fail to highlight important red flags that require further investigation, potentially undermining the integrity of the audit process.
- Non-compliance: If audit notes contain personal data (eg names, emails, financial records), using AI tools without proper data protection mechanisms could violate data privacy legislation.
- Accountability: Summarisation using AI can potentially reduce transparency in how conclusions were reached, complicating efforts to maintain a clear audit trail.
- Inconsistent or incomplete: If the interview notes themselves are incomplete or ambiguous, the AI may produce summaries that exacerbate these flaws. This can lead to misinformed audit recommendations.
- Over-reliance: Relying too heavily on AI might result in auditors overlooking critical information that AI might have misunderstood or omitted. Auditors need to remain engaged and not trust the AI's output uncritically.
- Cybersecurity threats: Cloud-based AI tools could introduce new attack vectors for hackers to access sensitive internal audit data. Breaches of audit-related information could expose organisations to risks like fraud, litigation or reputational damage.
- Third-party involvement: Using third-party AI tools may involve data-sharing agreements or expose sensitive information to outside vendors, increasing the risk of leaks or misuse.
Using AI can streamline the audit process, but it must be done with care to mitigate these risks. For example: use on-premise or secure platforms; remove personally identifiable information or sensitive data before feeding it into AI systems; pair AI-generated summaries with human review to ensure accuracy, context and ethical considerations are taken into account; and ensure the use of AI aligns with regulatory standards and your organisation's data governance policies.
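One way to apply the "remove personally identifiable information" step while keeping the audit trail for human review, as an added example that is not from the original article: identifiers are swapped for stable placeholders, the mapping stays inside the organisation, and a release gate checks the text before it leaves. The note, the interviewee list and the two patterns are constructed assumptions.

```python
import re

# Constructed interview note; names, addresses and account number are invented.
NOTE = (
    "Interview with Jane Smith (jane.smith@example.com), Finance Manager. "
    "Jane Smith confirmed that Tom Brown approves payments from account "
    "GB29NWBK60161331926819. Contact Tom Brown at tom.brown@example.com."
)
# Names come from the engagement's interviewee list (assumed input), because
# patterns alone cannot reliably recognise personal names.
INTERVIEWEES = ["Jane Smith", "Tom Brown"]

# Illustrative patterns (assumptions): e-mail addresses and IBAN-style accounts.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def redact(text, names):
    """Replace PII with stable placeholders; return (redacted_text, mapping)."""
    mapping = {}

    def placeholder(kind, value):
        for token, original in mapping.items():
            if original == value:  # same value always gets the same token
                return token
        n = sum(t.startswith(f"[{kind}_") for t in mapping) + 1
        token = f"[{kind}_{n}]"
        mapping[token] = value
        return token

    text = EMAIL.sub(lambda m: placeholder("EMAIL", m.group()), text)
    text = IBAN.sub(lambda m: placeholder("ACCOUNT", m.group()), text)
    for name in sorted(names, key=len, reverse=True):  # longest names first
        text = re.sub(re.escape(name), lambda m, n=name: placeholder("PERSON", n),
                      text, flags=re.IGNORECASE)
    return text, mapping

def residual_pii(text, names):
    """Release gate: list anything that still looks like PII after redaction."""
    hits = EMAIL.findall(text) + IBAN.findall(text)
    return hits + [n for n in names if n.lower() in text.lower()]

def restore(summary, mapping):
    """Re-identify an AI-generated summary locally for the human reviewer."""
    for token, original in mapping.items():
        summary = summary.replace(token, original)
    return summary
```

Only the redacted text is sent to the AI platform when `residual_pii` returns an empty list; the mapping is stored with the audit working papers so the reviewer can trace each placeholder back to its source.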
Building an appropriate set of tools is essential for auditors today, but they need to choose their tools carefully and assess the cost/benefit of each. However, whilst these tools can assist the internal audit function, there is still no substitute for skills, judgment and the 'auditor's nose'!