Gartner published their Market Guide for Audit Management Solutions in December 2014 to provide audit teams with insight into the market and offerings available. Here's the link to their report: Market Guide for Audit Management Solutions
Gartner defines the market as solutions that automate internal audit operations through core and value-added offerings. Core offerings are those that primarily address the needs of internal audit departments, while value-add offerings position internal audit to add value to business operations, growth and innovation. Per Gartner, the use of core offerings far outweigh value-adds, which are growing at a much slower pace. Demand for mobile devices for conducting audits is growing quickly and by Gartner's estimate, 40% of internal audit teams will use portable devices to conduct audits by 2017.
Gartner further divides the audit management solution market into two segments - pure-play solutions and governance, risk and compliance (GRC) applications. They state that internal audit teams use both pure play and GRC; some groups integrate with their GRC organization's systems while others use standalone systems. The core offerings market is mature and well-defined, whereas GRC systems are newer and evolving.
RSA Archer's Audit Management Solution was highlighted for audit planning and risk assessment capabilities, which is a crucial part of the entire audit lifecycle that is available in Archer's solution. In selecting a solution, Gartner recommends audit departments prioritize their requirements and differentiate based on them, as well as on price and delivery option. They recommend considering GRC applications (like Archer) when more than one department in the organization has made a purchase or is considering investment in GRC applications. They feel that SaaS is a more cost-effective solution, but on-premises implementations may be dictated by the need to secure sensitive data in highly regulated companies.
What we've seen in our research and interactions with hundreds of audit departments around the world is very few are not considering GRC capabilities mainly because audit committees, regulators and market conditions are demanding that internal audit play a more significant and strategic role in defining and mitigating risk, validating compliance and shoring up the three lines of defense.