Happy Auditors in a GRC/ERM system
February 18th, 2009, Mark Opausky
Very few people really talk about this topic, so I thought I would. There are some solid internal audit software systems out there and there are some legitimate GRC or ERM platforms out there that will (if you can modify them to suit your operation) help you gather risk information about your operation and see the results.
It turns out doing a good job of both internal audit and GRC is not easy. Internal audit systems are hard to build properly. Even harder is to intelligently fold in concepts that will allow you to also run (say) a SOX compliance program and operational risk initiatives on the same software.
Some vendors have, internally, abandoned the idea of trying to merge these tool sets into an integrated product and are actually selling separate products with a thin veneer of integration, such as reporting. This is fine if you know what you are buying, and the debate over integration vs. best-in-class modules is one that I would prefer to take up in another post. Back to internal audit.
Internal audit is really an expert process. You are helping people move through a sequence of logical steps as part of an investigation. The steps cannot always be prescribed. Many vendors of such systems have ultimately lost clients because they forced you to do things a certain way. This is economical from a software design point of view but ultimately leads to problems down the road. As well, auditors spend a great deal of time interacting with their tools, so the overall user experience needs to specifically appeal to them. One can’t present a collection of (albeit well thought out) GRC concepts like forms and assessments and workflows and expect auditors to jump for joy. They need to see their desired process captured in the system and expect to be presented with tools that generate efficiency at each step. In other words, the software had better do more than organize their “work papers”.
At BPS we know something about this; we have had some success in both internal audit and GRC. We have also remained committed to the concept of having a single code base (one product). When we started out, we decided to offer the feature depth that everyone was asking for: risk management libraries with automatic versioning built in, in-line reporting, multiple hierarchies with many-to-many relationships, endless cross-referencing, Microsoft desktop integration and a host of management tools to schedule, report and direct all the traffic. This was GOOD but not great! To be GREAT we would have to really make our tool a pleasure to work with every day. We noticed that of all our users, the auditors were the most vocal, so this seemed like the right place to start. For example, having your internal audit offering maintain two-way communication with a centrally managed library of the company’s risk information is a good feature (and not easy to get right either). This feature is also a solid GRC concept. It, however, adds complexity to how one sets up audits and ultimately how these audits are finalized. To the auditor these extra steps can seem foreign or awkward, particularly if you are not big on the centralized library of standards idea. Naturally, with more investment in product and feedback from our clients, we think we did a good job making this more elegant. There are at least 20 other examples that we worked through of how the broad concepts often espoused by GRC platforms collide with the “feature depth” required by expert users like auditors.
We spend a lot of time and effort with these questions so I wonder why the industry pundits don’t look at how well vendors accomplish this balance. There are no legitimate Magic Quadrant style reports that compare Audit products; only GRC platforms. Being a good GRC platform does not (as it turns out) automatically give you a good, let alone great, Audit product. We think the auditors represent some of the most discriminating potential users of a GRC or ERM system so making them happy while still keeping your broader value proposition alive is a high achievement.
We have a new release of our product coming out in March. I think this release will have incorporated more user feedback than any previous one we have done. We look forward to everyone’s comments.
