Flying blind: The critical risks of abandoning your audit management system

Imagine piloting a plane without instruments — risky, right? Yet, this is the reality for audit teams operating without an Audit Management System (AMS). Some teams facing budget cuts are even ditching their AMS, thinking it is a smart cost-saving move. However, this decision could weaken the very function they are trying to protect.

Removing an Audit Management System (AMS) to cut costs is a strategic misstep that risks undermining internal audit’s visibility, effectiveness, and influence. An AMS is not just a tool — it is essential infrastructure for delivering meaningful assurance, insight, and governance. To support teams who find themselves needing to make the case for internal audit technology, I break down the for adaptable, value-driven alternatives rather than complete abandonment, reinforcing that audit teams must not lose the clarity and structure needed to operate effectively.

Strategic risk disguised as budget savings

Initially, removing an AMS might appear manageable. Many, including myself, recall the era of audits conducted via spreadsheets and email trails. But today's internal audit expectations are much higher. We are not just checking controls; we are mapping assurance across complex risk landscapes, providing insights into root causes, and helping the organisation anticipate what is around the corner. Without a system, it is like trying to navigate a maze blindfolded.

Losing an Audit Management System brings with it far more than just a reduction in visibility — it dismantles the structural backbone that enables internal audit to operate with clarity, purpose, and strategic alignment. Below are six likely outcomes:

• Fragmented assurance is one of the immediate consequences of the loss of an audit management system. Without a central system to coordinate and monitor coverage, audit teams risk duplicating efforts in some areas while leaving other high-risk zones unchecked. This fragmentation diminishes the ability to provide a comprehensive assurance map to those charged with governance.
• Erosion of connected risk insight. Modern AMS platforms are designed to link individual audit findings directly to strategic and operational risks. This capability enables the identification of cross-cutting themes, recurring control weaknesses, and systemic vulnerabilities. In a manual environment, this connectivity is lost, and the risk picture becomes siloed and assessed in isolation, with key interdependencies overlooked. It is a step backward to a time when risk management and internal audit operated in parallel rather than in partnership.
• Weakening of root cause analysis. Audit management systems allow findings to be tagged, tracked, and analysed in ways that surface patterns and underlying causes. This analytical power transforms audit from a reactive compliance checker to a proactive source of organisational learning. Without such tools, teams may only skim the surface, addressing symptoms without ever uncovering what truly needs fixing.
• Timeliness and relevance of reporting: In the absence of automation, compiling reports becomes slower and more resource-intensive. By the time insights reach decision-makers, they may already be out of date. Delayed reporting reduces the value and impact of audit findings and risks internal audit being seen as a function that looks backward rather than forward.
• Action tracking and follow-up: The manual environment also hampers action tracking and follow-up. An AMS allows for seamless monitoring of audit recommendations, making it easy to see which actions are overdue. Without this functionality, follow-up becomes a laborious, error-prone process, and critical issues risk falling through the cracks.
• Governance oversight: The cumulative effect of all these weaknesses is a serious blow to governance oversight. Audit committees and senior management rely on timely, accurate, and holistic information to discharge their responsibilities. An AMS provides the tools needed to generate assurance insights at a strategic level. Without it, internal audit loses its position as a trusted advisor, and governance bodies are left flying blind.

To top it all off, internal audit’s hard-won credibility and influence are at stake. The lack of a structured, professional digital infrastructure can send a damaging signal to the organisation — that the audit function is under-resourced or not valued. This perception can undermine the Chief Audit Executive’s ability to influence senior leaders, challenge risk owners effectively, and gain traction on key findings.

Making the case for technology investment

This risk is explicitly recognised in the Global Internal Audit Standards (2024), which place a clear obligation on the Chief Audit Executive (CAE) to ensure the internal audit function is suitably resourced, strategically planned, and enabled by appropriate technology. Standard 10.3, Technological Resources, requires the CAE to evaluate and communicate the impact of technology limitations on audit efficiency and effectiveness, and to pursue opportunities to enhance digital capability. The Standards also highlight the importance of maintaining the tools necessary to support engagement quality, insight generation, and timely reporting — all of which are difficult to achieve without an AMS.

For the Audit Committee, the exposure is twofold: firstly, the quality and timeliness of assurance may deteriorate; secondly, without the ability to systematically link audit results to strategic risks, critical oversight gaps may go unnoticed. These gaps undermine the Committee’s ability to discharge its responsibilities under the governance framework, particularly in relation to effective risk management and internal control.

I’ve written about leveraging the Standards to make the case for investment in technology, I would advise the CAE to take a risk-based approach. Demonstrate the value of automation through missed efficiencies, highlight compliance obligations in the Standards, and articulate the cost of inaction in terms of delayed reporting, fragmented insight, and diminished influence. This case should be framed not as a technology upgrade, but as a safeguard of assurance quality, a pillar of audit credibility, and an essential enabler of governance effectiveness. Where full systems are unaffordable, a phased or shared-service solution — such as using SharePoint or collaborating with Risk or IT — can be presented as a practical compromise.

A smarter kind of resilience

Dropping your audit system might seem like a necessary sacrifice during tough times. However, it is more than a technological loss, it is a regression in oversight, assurance, and influence. Eventually, that cost may be far greater than the subscription saved.

Audit must stay efficient, insightful, and forward-looking, even under pressure. That means protecting the core tools that allow us to do the job well. Where budgets do not cover ideal solutions, we adapt — but we don’t accept operating blind.

Abandoning your audit management system isn’t just an operational downgrade, it’s a strategic risk. Make the case for keeping or rebuilding the infrastructure that underpins the value of internal audit.

About the authors

David Hill is the former CEO of SWAP Internal Audit Services based in the UK. David has nearly 40 years of audit experience, and is a former member of the Global Guidance Committee. Connect with David on LinkedIn.