Digitizing Internal Audit - Make or Buy?

November 25, 2021
Santhosh Nellayappan

Digitization today is no more a futuristic step; it is not a strategic advantage; it is mere a catching up. If you are reading this and have not digitized the Internal Audit process, you are already behind by a year if not more!

This may sound a bit rustic, a bit straight or a bit rude, but it is the reality.

Why Digitize in the first place?

We all know; at least theoretically, that digitization leads to efficiency and adds to effectiveness of any process. It is no different for Internal Audit (IA). The IIA in general and many forums organized by IIA or otherwise have been discussing the need for digitization and the immediacy and importance for some time now.

It is not very long ago that Richard Chambers (Then President and CEO of IIA) wrote about speed of risk. The IA team in any organization needs to be prepared to handle newer risks at the speed they are coming. That speed is beyond prediction or anticipation. The best example to this is Covid19, the associated change in work style (Work from home) and the associated risk. Many organizations across the world were caught off guard. Not all, as some of the organizations and their IA team was prepared better? Did they know what was coming? NO! They just were more efficient and therefore were able to handle this better.

The IA team needs to be always working at their efficient best and need to be prepared for such risk coming at unprecedented speed. Is that possible when they are caught in operational activities? Is that possible when they are always running a race against time? Is that possible when they are 'over-worked' to meet the plan for the year?

A close analysis of this situation would reveal that mundane operational activities are sucking their time. Even if they wish to, they are not able to spend time on qualitative aspects of the audit as there is too much to do operationally to make sure that they meet the plan.

Who is to be blamed here? The Internal Auditors? I would say definitely and absolutely not! It is the responsibility of the organisation, in their own interest to enable them to give their best, to equip them with technology, which will help them do more in less time.

No alt text provided for this image

Let's go digital, let's make a tool ourselves!

It seems to be the easiest decision to take and why not? Most of the organizations are very well equipped technically and most make their core business application themselves. The second option is to approach the core technology supplier to give IA as a module in their application.

Are these the best options?

Making internally - I was on the other side few years back and I use to think it is easy to make an enterprise software with a team of 5 good developers. After all, we know what features are required in the software, all we need is a team of good developers who can turn it in to an application. Well, ~9 years later, I think differently. Making a quality application is not everyone's cup of tea. I am not taking away any credit from exceptional technology platforms developed by organizations internally, but they would be with me when I say that it takes a lot of effort to make one, it is not a cakewalk. It does need quality time, mindshare, and money as investment.

Even when there is a strong tech team that is working on a core application there are few questions that we need to consider before backing the decision.

  1. Does the team have the time and bandwidth to invest in another software?
  2. Does the IA team have the luxury of time, to be on wait?
  3. Does the team have enough knowledge on IA?
  4. Does the CAE, HOIA or Audit Head have the time to invest into software development?
  5. Is it as cheap as it seems to be? (is the cost only of the developers? Or it is also of the time that is being spent by the IA team to give them core business knowledge?)

These questions are most often not asked. Even if we consider that the answer to all of this is considered, a fair estimate of time, to make a good enterprise application would range be a couple of years! Yes. The simplest way to realist this is to see what time it took to build the core application to the shape that it is today? Rome was not built overnight!

By the time the software is made considering the wait period and the actual development and testing time (2 years) the business would have changed, rather evolved beyond what was thought [Remember speed of risk!]. All the thought that was put in was to make a software that is two years behind, in process. That is where the real effort starts, to get the software to meet current needs; it is a never-ending saga.

Consider the second option of the core software provider (external) giving this as an additional module. They may be willing to do it; who does not want more business? But can they give the best solution for IA? Do they have the required business knowledge to make it? Again, there may be some who can do this, but the question to ask is how many core business software have a good, renowned, proven IA module? If we start writing down their names specific to our business, we will realize this.

Making the software as per internal requirements through a dev contract is also a third option, but most of the challenges outlined with internal development, applies here as well.

No alt text provided for this image

That leaves only two options - BUY or SUBSCRIBE

It is not an easy decision. After all nothing is. It takes a lot of time to arrive at what is needed. Then short-list solutions and evaluate them. But it is an activity worth doing.

There are few factors here to consider.

  1. Most application providers are do that for a living, they understand the art and science of software making. - Do validate!
  2. They have knowledge about IA - Again worth validating.
  3. They have a software/solution that has been in use for some time.
  4. They are expected to be aware of how the business (IA in this case) and technology is evolving - Never take this for granted. Do verify.
  5. They talk to many organizations and CAE/HOIA/HIAs, if they are receptive, the knowledge they have is of "collective intelligence".
  6. A product helps a faster start.
  7. It may not take you from 0 to 100 in 7 seconds as a Merc or Audi does, it is a software, but you start your journey. You may be able to move from 0 to 50 in no time, and then build from there.

To subscribe, is even more easy. It gives you all the above advantages without making a Capex investment. It allows you to hop on to a solution that you feel best suits your requirement today. You are not stuck with it for lifetime, you may exit as and when you feel it is not working out, or it is not growing along with your need. There is nothing wrong in doing this, not everything goes right in the first attempt.

Now the last part - Cost

Look at what you are spending as investment and not as cost. Even if you look at it as cost, do also look at opportunity cost - that of being able to move with time, that of efficiency, effectiveness and most importantly that of the time that you would save if you were to involve in making a software internally. All of this comes on top of many other benefits that digitalization can bring you.

The idea of writing this, is not to persuade you to buy. But to urge you to digitalize; as, if that is not done right now, you may be left out. Buy or subscribe appears to me as the fastest among available options, but you are the best Judge of your case!


Bangalore Corporate Office
1st Floor, Samvit Bldg,
21st Kanakpura Main Road,
Udayapura, Bangalore - 560082

Block 1,
Surucha's Mundapatt Residency,
Gokhiware Main Road,
Vasai East, Palghar 401208


Sumeru Nigeria
Plot 44, Block H,
Jimoh Odutola Street,
Off Eric Moore,
Surulere, Lagos


Massans gata 18,
412 51 Gothenburg, Sweden


Sumeru Inc.
2401 15th Street, NW,
Washington DC - 20009


Sumeru Australia
Shelvin Narayan
+61 408 598 864


Sumeru Tech Afriken
Devna Pandit
+254 722 525928


Newtech Bangladesh
Saddique Ali
+880 1711 520698


Sumeru Nigeria
Akshay Kumar Jain
+234 90 4433 2222

Sri Lanka

MillenniumIT ESP
Champika Fernando
+94 77 771 2290