Internal audit can guide your citizen developers


Innovative organizations know how to tap into their employees' ingenuity to uncover quick and efficient solutions to problems. That opportunity is fueling a surge in citizen developers.

“A lot of times, employees have ideas which can fix problems that are unseen by leaders,” Grant Thornton Growth Business Development Executive Patty Bogosh explained. Those employees often don’t have the opportunity to escalate or implement these ideas, but citizen development tools can empower their creativity and value.

In fact, citizen developers will soon outnumber professional coders 4 to 1, according to a 2021 Gartner research report that predicts the pandemic is propelling many employees to become more independent in their work-from-home settings.

“Citizen development is definitely being embraced by many organizations, and understandably so,” said Grant Thornton IT and Cybersecurity Internal Audit Partner Scott Peyton. “The question is: As these organizations take advantage of the positive side of citizen development, have the potential risks been considered in equal measure?”

The concern is that organizations need transparency into programs and processes, with governance around citizen development, to lessen their exposure to a host of risks. They need to keep gains and efficiencies and avoid new issues.



Where is development already underway?


Business intelligence (BI), often called management reporting, is one area ripe for citizen development. Some departments can’t afford to wait on IT for metrics, and they’ve moved beyond Excel into the world of analytics tools like Microsoft Power BI and Tableau. To have access to constant reporting and performance management, employees take ownership of the BI application after IT sets it up.

However, this can prove hazardous down the line. Risks arise from business users running the application, from the application’s access to change financially critical reports, and ultimately from the application’s ongoing state of implementation. Blake Montie, manager, Grant Thornton’s Risk Advisory practice, noted that a common risk with a BI application is that “It never materializes into a functional application with rules, controls and understood expectations from both the end user and the organizational leadership.”



The biggest risk by far is granting these applications access to data, creating the potential for leaks and multiple versions of the truth.

One of the strengths of citizen development is its potential application throughout the organization. When business units understand the capabilities and identify opportunities in their areas, they work with users to implement those capabilities. That organic expansion can be valuable, but it can quickly foster bad habits and a gap in governance. Leaders need to recognize this, and document policies and procedures to form guardrails on BI platforms.

Control should be balanced. The strength of these applications comes from their speed in development and results. Excessive control requirements weaken this strength. Montie said, “Be respectful of the speed and pace that BI platforms are looking to move. This calls for taking into consideration not only the current state but also the future state.”



How can you balance control?


How can organizations give their citizen developers a degree of freedom while ensuring that their organization, data and IT ecosystem are not at risk?

The answer lies in governance of the platform and personnel. Platform governance establishes rules for strategy, solution selection, execution and change management. Personnel governance establishes policies and procedures, documentation, execution and change management.



Organizations should know, at a high level, how a tool is used, what data goes into it and who has what permissions in the application. Organizations need a clear general strategy for BI solution selection. Montie listed a few questions that managers should ask themselves before selecting a BI application:

  • Why are you looking to use this, both now and in the future?
  • Does that impact which solution you want to use and the growth potential?
  • How do you want this to grow?
  • At what rate do you want it to grow?

One key to a successful structure is open communication between citizen developers and IT. These two parties need to constantly communicate and remain aware of what the other party does.


“Citizen developers need to understand where their jobs start and stop. IT professionals need to understand where their jobs start and stop, and companies probably need to have some sort of an interface between the two of them,” Montie said.



How can you create safe environments?


Peyton identified two steppingstones that can help an organization create a safe environment for citizen developers.

  • Inventory: “It’s difficult to manage what we don’t measure,” observed Peyton. Identify where your citizen developers are working and the impact of the solutions they create.
  • Advocacy: After identifying where impactful citizen development is happening, make a case for IA and IT to partner with the citizen developers, so that a leading practice model can be created.

When citizen development becomes embedded into processes, it can be difficult to distinguish between what an application is supposed to do on its own and what it’s being made to do.

This is where an internal audit can help determine whether the governance surrounding citizen development activities is strong enough.



An example in reporting


Many organizations spend extensive time creating monthly operational and financial reporting packages, because they lack more efficient tech solutions. To see where citizen development might help, organizations can start by leveraging internal audit to conduct current-state design workshops across departments. In the future, IA can conduct assurance audits that include reviews of technical configurations, processes and controls.

Technical configuration reviews can take an end-to-end look at data — where it originates, how it moves, where it’s stored and who can see it. Evaluate whether the organization has effective controls for BI applications already in place, and any yet to be implemented. The process and control reviews can evaluate what any citizen-developer-implemented changes are doing within applications.



The reviews within an audit can reveal areas for improvement, and interviews can help identify potential citizen developers. Work with these key employees to build sustainable changes that address your reporting needs.



