Internal audit is a cornerstone of governance for South African organisations operating under King IV, the Public Finance Management Act (PFMA), or the Municipal Finance Management Act (MFMA). But many audit teams still rely on spreadsheets, shared drives, and email to manage their entire audit lifecycle — from planning to reporting. The result is inefficiency, version control failures, and findings that get lost between audits. Internal audit software changes this fundamentally. This guide explains what to look for, what to expect, and how to evaluate options in the South African context. Organisations seeking integrated GRC and audit management can explore GRC software built for South Africa.
Why Internal Audit Teams Adopt Software
The move from spreadsheets to dedicated audit software is driven by four persistent problems that manual tools cannot solve:
- Version control: Multiple versions of audit workpapers circulating simultaneously, with no single source of truth
- Follow-up failures: Management action plans agreed during audits that are never tracked to completion
- Reporting bottlenecks: Consolidating findings from multiple engagements into a coherent audit committee report takes days
- Audit universe management: Without a system, it is difficult to demonstrate that the audit plan is risk-based and covers the full audit universe
Good internal audit software eliminates all four problems by providing a centralised platform for the entire audit lifecycle.
Alignment with IIA Standards
The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) defines how internal audit should operate. The 2024 Global Internal Audit Standards update significant aspects of the framework. South African internal audit functions are expected to conform with these standards.
Internal audit software should support:
| IIA Standard Area | Software Capability Required |
|---|---|
| Risk-Based Audit Planning | Audit universe management, risk scoring, plan documentation |
| Engagement Management | Engagement planning, workpaper management, time tracking |
| Finding Management | Finding documentation, rating, root cause, management response |
| Issue Tracking | Action plan assignment, due dates, status tracking, escalation |
| Reporting | Engagement reports, audit committee reports, dashboard analytics |
| Quality Assurance | Review and approval workflows, supervisor sign-off, QAIP documentation |
King IV and Internal Audit
King IV requires the governing body to ensure that the internal audit function is independent, adequately resourced, and that its work supports the combined assurance model. Audit software that links audit findings to the organisation's risk register provides direct support for combined assurance — demonstrating to the board that assurance activities are coordinated and risk-focused.
Must-Have Features for South African Audit Teams
1. Audit Universe and Risk-Based Planning
The audit universe should be maintained within the system, with each auditable entity linked to risk scores. The annual audit plan should demonstrate coverage of higher-risk areas, with documentation of why lower-risk areas are deferred. This enables the CAE to defend the audit plan to the audit committee.
2. Workpaper Management
Electronic workpapers with review and approval workflows, version control, and cross-referencing to findings. This replaces physical files and email chains with a structured, searchable record of work performed.
3. Finding and Observation Tracking
Findings must be documented with severity ratings, root cause analysis, and recommendations. Management responses must be captured, with agreed action plans linked to named owners and due dates.
4. Issue Management and Follow-Up
The most common audit department failure is inadequate follow-up on agreed actions. Software should provide automated reminders to action owners, escalation to management when actions are overdue, and a live status view for the CAE and audit committee.
5. Audit Committee Reporting
The CAE must report to the audit committee on findings, issue status, and conformance with the audit plan. Good software makes this a matter of clicking a button rather than a multi-day consolidation exercise.
6. Integration with Risk Management
For organisations implementing combined assurance under King IV, audit software that integrates with the risk register enables direct linkage between audit findings and organisational risks — closing the loop between risk identification and assurance.
Evaluating Audit Software: 5 Questions to Ask
- Does it support the full audit lifecycle — from universe management and planning through workpapers, findings, action tracking, and reporting?
- Is it configurable for your methodology — can you adapt rating scales, report templates, and workflow steps to your organisation's standards?
- How does it handle action plan follow-up — automated reminders, escalation rules, and management access to update status?
- Does it provide meaningful analytics — not just data storage, but trend analysis, aging issues, and audit plan progress?
- Does it integrate with your GRC platform — so that audit findings feed into risk and compliance data rather than sitting in a separate silo?
Summary
- Spreadsheets and email create four structural problems: version control, follow-up failures, reporting bottlenecks, and poor audit universe management
- Internal audit software should align with the IIA IPPF across all phases of the audit lifecycle
- King IV's combined assurance model is best supported by software that links audit findings directly to the risk register
- Issue tracking and automated follow-up are the highest-value features for most South African teams
- Evaluate software against the full lifecycle — not just workpaper management or reporting in isolation
- Integration with the GRC platform is a differentiating capability for mature governance functions
Frequently Asked Questions
Is internal audit software required under King IV?
King IV does not mandate specific technology. However, it requires that internal audit be independent, adequately resourced, and effective. In practice, meeting these requirements without appropriate tools — especially for issue tracking and reporting — becomes increasingly difficult as organisations grow. Software is a practical enabler of King IV compliance, not a formal requirement.
What is the difference between internal audit software and GRC software?
Internal audit software manages the audit lifecycle — planning, workpapers, findings, action tracking, reporting. GRC software manages the broader risk, compliance, and governance programme. The best implementations integrate both: audit findings feed into the risk register, and risk data informs audit planning. Some GRC platforms include internal audit as a module, eliminating the need for separate systems.
Does the PFMA or MFMA specify requirements for internal audit software?
Neither the PFMA nor the MFMA specifies audit software requirements. However, National Treasury's Internal Audit Framework and IIA standards — which apply to public sector audit functions — require documentation, evidence trails, and quality assurance processes that are very difficult to maintain without proper tools. Agsa audits also scrutinise the quality and adequacy of internal audit work.
How long should audit workpapers be retained?
The IIA recommends that audit documentation be retained for a minimum of seven years. South African public sector requirements may differ. Organisations should check their specific retention obligations under applicable legislation and align workpaper retention policies accordingly. Electronic retention in audit software simplifies retrieval and ensures long-term accessibility.
References
1. Institute of Internal Auditors. Global Internal Audit Standards, 2024.
2. Institute of Directors South Africa. King IV Report on Corporate Governance, 2016.
3. National Treasury South Africa. Internal Audit Framework. 2022.
4. Auditor-General of South Africa. Annual Report 2024/25.
5. Institute of Internal Auditors South Africa (IIASA). Guidance for South African Internal Auditors. 2024.
