Data-driven audit management at Dublin Airport Authority (daa)
“We’re carrying out a significant amount of extra work that we weren’t doing a couple of years ago. We’ve also saved significantly on headcount—so I mean we’re doing more work with less bodies, and we’re achieving much deeper penetration and the work is much more insightful. So it’s been of immeasurable benefit.”
Group Head of Internal Audit,
Dublin Airport Authority
Dublin Airport Authority (daa) is a state-owned organization that operates the two largest airports in the country, but it operates on a completely standalone commercial basis. It doesn’t receive any extra funding, so all its income comes from aeronautical activity and commercial business activities.
Up and running within days
Easy to Use
User-friendly & intuitive, without needing external support
Analytics are integrated into workflow
Cut down administrative burden of managing spreadsheets & documents
Interview with Kevin Goulding, Group Head of Internal Audit, daa.
How has the make-up of your team been shaped by the role of internal audit at daa?
Due to the wide range and the wide remit that we have in our work, it means that my audit team have to have a much wider skill set than one would have, say, in maybe something like a manufacturing business or even a financial service business. And I have been fortunate in that I’ve been able to recruit an excellent team, so I do have a strong team with very good skill sets. I think it’s my responsibility to make sure that my team are supported by the right tools and technology.
What does risk look like in your environment?
Our key risks that we have to focus on in the daa would largely be non-financial. That doesn’t mean that we ignore our financial risks, obviously. If you think of something that would, for argument’s sake, close the airport down temporarily, it’s unlikely to be something on the financial side really. Whereas if we had a significant security issue or a significant health and safety issue it could result in significant fines and more likely to have an immediate impact on the airport operations.
Why implement audit technology?
Before ACL GRC we were spending an inordinate amount of time updating, re-editing, sharing spreadsheets, word documents, all that sort of thing, which wasn’t the most efficient use of our time. With GRC, it has helped us to streamline all of those processes and cut out an awful lot of the administration side of auditing. So it means that we are actually able to focus on the core audit work, which is what we’re actually paid to do.
What stood out about ACL GRC when you were looking for an audit management system?
There was a couple of key deciders for us, and ease of implementation was actually a key deciding factor. There are a lot of very good other systems out there, but reality is a lot of them, whilst they’re very good, they’re actually very expensive to implement and they eat up an awful lot of time administering. That might be an option where one has a very large audit function, but we have a very compact function, so I didn’t really have the luxury of being able to tie somebody up administering a system or spending a significant chunk of their time on an ongoing basis doing that.
What we found was that with GRC it was very user friendly, it was intuitive, relatively straightforward to implement. Another selling point for us for GRC was the possibility of integrating our analytics testing into the workpapers management system directly. So that again was a key selling point for us.
What was the implementation and learning curve like in your experience?
With GRC it was a matter of days really. Effectively, my IT audit manager was able to implement it himself with fairly minimum external support. It’s hard to see the other systems that we reviewed that this would have been the case; I suspect much more external consultancy support would have been needed.
How would you describe the return on your investment in a data-driven audit management system?
We’re carrying out a significant amount of extra work that we weren’t doing a couple of years ago. We’ve also saved significantly on headcount—so I mean we’re doing more work with less bodies, and we’re achieving much deeper penetration and the work is much more insightful. So it’s been of immeasurable benefit really I would say.
If you had it to do again, what would you do differently?
I would probably do it quicker if anything. In that sense what I mean is that I would have made the decision maybe a bit quicker and implemented sooner.