Audit Analytics and Continuous Monitoring
Controlling Risk Beyond the Checkbox
By Peter Millar, Director of Technology Application, ACL Services Ltd.
If the current economic crisis has taught us anything, it’s to be more aware of business risks and how to better manage those risks to ensure a profitable and sustainable business. Sadly, it’s become all too apparent what happens when this is ignored.
There has been a great resurgence in the topic of risk management, and risk-based auditing also seems to be at the top of the agenda in audit committee discussions. What is interesting is the divergence of opinion in how to manage or mitigate risk.
What is the right balance of risk?
One common definition of risk is: “…any possible event which, if it occurs, may impact an organization’s achievement of its business or strategic objectives.”[1]
It is useful to consider risk as being an event which is causal. Many people initially think of risk in terms of impact: the results of the risk actually happening and the effects it will have on the organization. Impact is important to prioritizing risks, but identifying the cause or risk event is an even better place to start. What many forget is that not all risk is bad. A complete absence of business risk virtually guarantees limited growth. Taking risks within your organization’s risk tolerance and risk appetite can help organizations grow and achieve their goals.
So the question is, how can organizations return to profitability and sustainable growth in today’s business climate while not repeating the mistakes of the past? Further, what new risks have surfaced as a result of the economic downturn and how can we monitor today’s risks and not those of yesterday?
A refocus on operational risk
Prior to the downturn, many North American organizations were focusing their Governance, Risk and Compliance (GRC) activities on evaluating risks in their financial controls for Sarbanes-Oxley (SOX) compliance requirements. With the downturn, the pendulum has swung back to pre-SOX days. Operational risks are again keeping executives up at night and are now the focus of effective GRC strategies.
Within the COSO-based risk management framework, management’s role is to do a top-down risk assessment for their organization and identify risks that are likely to negatively impact their objectives. Appropriate controls – be they IT-based automated controls or policy-enabled manual controls – can then be put in place to mitigate those risks. While this is a management activity, internal audit departments are a key component in effective governance and can contribute significantly to improving overall risk management assurance.
Moving beyond the checkbox to risk management
Internal audit departments play a critical role in safeguarding organizations from loss and providing assurance around business activities. There is no better place for organizations to look than to their internal audit function for a cross-departmental view of operational risk. Furthermore, successful internal audit departments have a unique blend of business process knowledge and the ability to analyze the transaction data where activities in business processes are recorded. This unique mix of business and IT domains enables internal audit to evaluate the operating effectiveness of internal controls that have been put in place to mitigate business risks.
Audit departments can really step up to the challenges of today’s economy by changing the way audits are conducted and the frequency with which their value-add services are provided. Traditionally, auditors conducted cyclical ad hoc audits of different areas of the business. It could be several years between the time that an audit was conducted – say, in an insurance claims department – and the next scheduled time the auditors returned. What sort of damage could a fraudster do over a period of three years? What sort of losses due to errors or inefficiencies could add up over time? In areas where the likelihood of events which could impact an organization is high, additional scrutiny by both management and audit may be called for.
Overcoming the obstacles
One of the obstacles getting in the way of more frequent oversight of high-risk business processes is the availability of resources. There just aren’t enough audit staff to increase assurance and value-add services and there isn’t enough money to hire more. Another obstacle is the sheer volume of business transactions. It is time-consuming and difficult to scrutinize the enormous volume of data from complex, modern business applications that process all that data. Finally, where internal audit has the ability to identify control breaches or indicators of risk, how can this be communicated to management?
In order to overcome these obstacles, both audit and business process owners can embrace audit analytics technologies to evaluate and monitor the operating effectiveness of internal controls. With audit analytics, organizations can monitor how well automated controls are working (e.g. Are controls still switched on? Are people end-running controls?), and establish detective controls for semi-automated and manual controls. When audit analytics are automated and run on a continual basis, they form the core of a continuous auditing or continuous monitoring system. Automation also acts as a productivity multiplier for internal audit by eliminating time-intensive manual testing. It frees up time for auditors or business process owners to chase down indicators of failed controls, inefficiencies or fraud in the high-risk areas that jeopardize their organization’s goals and objectives.
By automating analysis of key business processes, organizations are able to detect vulnerabilities in processes and weaknesses in their control environment. This can be quantified in terms of hard dollars and increased levels of assurance – and is key to safeguarding the business from risk and improving overall business performance.
Peter Millar, Director of Technology Application, ACL Services Ltd.
Peter is the Director of Technology Application at ACL Services Ltd. For the past 12 years, Peter has been involved in the evolution of analytic solutions for audit departments in industry and government. His combination of experience and expertise has helped audit departments in some of the world’s leading organizations to create value-added opportunities by implementing efficient and sustainable audit analytics solutions. He has more than 18 years of experience in the high tech industry in various software and systems integration companies.
Peter sits on the Advanced Technology Committee of The Institute of Internal Auditors (The IIA) and was a contributor to The IIA’s “Practice Guide: Internal Auditing and Fraud.” He was the Project Manager and technology contributor to the “Global Technology Audit Guide (GTAG)-3 – Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment.” He is also co-author of the “Global Technology Audit Guide (GTAG)-13 – Fraud Prevention and Detection in an Automated World.”
[1] “A New Approach for Managing Operational Risk – Addressing the Issues Underlying the 2008 Global Financial Crisis” Society of Actuaries, 2009
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®



