Don’t Use GRC app to do Workpapers!

I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.

That wasn’t the only move that was questionable…

I didn’t have anything to do with the GRC project; I was there performing an audit. But I saw many auditors scream and slither as if they were slugs bathed in salt.

It was painful to watch. I suffered too.

The app, which was not created with audit workpapers in mind, was hard to master and use. So the audit group spent a lot of money to customize the app so that it “works” for workpapers.

I’m sure some systems that do GRC do workpapers just fine, but I haven’t seen one yet. I haven’t seen all the major GRC packages, but the ones I have used make auditors wish they were still working with paper (if you missed the pun, you’d better back up).

Management said they picked this package because they expect the GRC features to be used across the organization eventually. (In the meantime, let’s torture as many auditors as we can.)

I am so weary of audit departments not eating their own dog food. In other words, auditors insist everyone else follow good project management practices, ensure proper controls are implemented, and keep processes efficient and timely, and yet they fail to follow those same requirements for their own projects. And they never write up audit issues for their own failures!

Here are a few of the doggy treats this audit department refused to swallow:

  • Determining what the project requirements are before selecting a product.

One auditor told me that early in the project, she asked whether the selected application could search for words and phrases across all audits, workpapers, attachments, issues, and other data. Audit management told her it was “too early in the process for determining requirements, after all, we’re still in the contract negotiation stage.”

Since when do you negotiate prices before determining whether the system will do the tasks for which it is purchased?

(In all fairness, the app wasn’t purchased primarily for doing workpapers, but that is one of its most frequent and time-consuming uses.)

  • Doing a security review of the product, vendor, and hosting environment prior to purchasing the product.

The security review was performed while the product was being installed and configured (in other words, after some money was already committed). Halfway through the process, configuration was halted due to security findings. After the vendor resolved the issue, configuration resumed, but most of the vendor’s key people had moved on to different projects, which severely delayed the final configuration. As a result, the audit department had to reschedule some of its audits, and the internal IT people helping with the project had to reschedule their work as well. Several months were wasted.

  • Ensuring that all appropriate key personnel were involved in the project.

No RITA (real IT auditor) was invited to join the audit team that worked on the implementation. As a result, several items that a RITA would have identified right away were not noted until later, which made the fixes more costly. Go figure.

  • Ensuring that data was protected in transit.

Since this is a cloud solution, various types of data are transmitted between the company’s audit group and the cloud solution during different processes. No one checked whether all the data transmissions were encrypted (where’s RITA when ya need her?). Whether they turned out to be encrypted or not, the point is that they did NOT check.

  • Selecting a product that makes 1 thing better for some staff, but 10 things worse for most of the staff.

Like too many GRC products, this one isn’t workpaper friendly. One auditor told me that creating workpapers in this product is like drinking Earl Grey tea in a biker bar–you are likely to get hurt, even before you enjoy one sip of tea. Instead of being able to type in your narrative and embed attachments, you type all your data in separate, little boxes which scroll poorly and provide no spell check. Then at a different level of the program, you add attachments.

So what is this app good at? Reporting! Since you have to enter items like audit year, audit name, control objective number, control objective name, workpaper number, workpaper name, test steps, etc., in separate boxes, the app is great at creating boxy reports which management loves.

So the app makes things easy for management to report at the end of an audit, the end of a month, the end of a quarter, and the end of the year, but it makes the poor auditor struggle with those stupid boxes EVERY DAY.

Evidently, many of the auditors on the implementation team felt this was not the right package, but they were too afraid to question audit management.

These are the same auditors who call company management to task on occasion. I guess the difference is that when you challenge company management, you have audit management watching your back. When you challenge audit management, who will watch your back? No one, so you watch your own back, I guess…

This reminds me of another post I wrote a while back, entitled Who Audits the Auditors?

What dog food does your audit team (or a “friend’s”) need to eat?

What system do you use to create workpapers, and how do you like it?



Filed under Audit, Security, Security Scout, Technology

11 responses to “Don’t Use GRC app to do Workpapers!”

  1. >> But I saw many auditors scream and slither as if they were slugs bathed in salt.
    Eeewwww!! :-)

    Ironically, our IA dept. uses a popular application that is specifically designed for workpaper management, but its user interface is so awful, I always dread the painful task of writing, editing, approving, and commenting on workpapers.


  2. I see a lot of internal audit shops using TeamMate to varying degrees of success.

    As related to the Project Management Life Cycle – YES. It’s kind of funny how you can know all of the steps, ding auditees on them, but follow so few of them. These are the type of things that come up in a QAR (Quality Assurance Review = An audit of the internal audit department by a third party).


  3. Sadly, the best audit workpaper software I have seen are home-grown tools. I’ve worked in 4 different audit shops that have used 4 different workpaper tools, each customized to their way of auditing and documenting. You could argue that itself is a problem – but this was 4 different industries, and it made sense. The last shop decided to replace their tool with an off-the-shelf product. Unfortunately they were falling into the trap of modifying their tried and true processes to fit a tool – rather than find a tool that fit their operation.


    • Sometimes the best tool is a few Excel workbooks and a carefully managed shared drive. Other times it is an audit workflow tool. The nature of the various projects makes it difficult to have a one-size-fits-all management solution. I think that is why almost every shop seems to rely on something different.


    • Steve,
      Your comment is priceless:
      “Unfortunately they were falling into the trap of modifying their tried and true processes to fit a tool – rather than find a tool that fit their operation.”


  4. Going through this right now. For complex work paper documentation, I’ve reverted to putting it all in a MS OneNote notebook (basically free form) and attaching that to the GRC work paper. My reviewers have so far accepted that approach, but all in our group might not. I definitely identify with the slug in salt comment.


    • Don,
      I feel for you. If I ever go back to that company, I’ll try OneNote and see how that works. I’ve played with OneNote a couple times, but it never grew on me. I know some people who love it like Mac folks love Apple.

      Once in a while I print to OneNote, but other than that, I haven’t used it.

      Thanks for your comment.

      p.s. Glad you were pulled out of the mud and mire. I was pulled out at a younger age than you. Also, I’ve been to Memphis several times and always liked it.


  5. I find it interesting that no one has yet named a GRC or workpaper application that they like. Anyone using the ACL GRC WP app?

