Audit client expectations have risen steadily over the past several years, requiring internal audit to increase its value delivery and become more relevant to day-to-day business. Yet practitioners often struggle to meet these expectations, as reported in a 2016 KPMG report, Seeking Value Through Internal Audit. Only 10 percent of the financial executives and audit committee chairs surveyed agreed that internal audit adequately identified and responded to emerging risks. Respondents indicated that audit results too often confirm concerns already identified by management instead of identifying new issues and emerging risks. Some chief audit executives have been quick to explore new service and delivery models that can provide value to stakeholders beyond assurance, leading to the development of advisory services and consultative reviews. But these efforts have not always considered how to improve existing audits.
To address this challenge, internal audit teams at German automaker Daimler have looked for ways to improve assurance services and tap into the unrealized value of its process audits. Although the annual audit plan offered numerous ways to increase value to the organization, internal audit sought to explore new ways to add value within the framework of existing audits. To identify and exploit new opportunities, the team launched a program called Signature Audits, aimed at increasing internal audit's contributions during regularly scheduled client engagements.
Launching the Program
The audit team introduced its Signature Audit methodology by first selecting an engagement that offered a suitable environment to pilot the concept. Daimler was poised to launch new technologies and services considered strategically important to the organization and monitored by top management. To identify unknown risks and potential workarounds to processes being implemented, an unconventional audit approach was required. The audit team needed to look beyond existing client policies and procedures to capture emerging risks and resolved to deploy audit techniques that are typically used less frequently during traditional processes. Practitioners used a hands-on approach that involved re-performance of controls or simulations such as mystery shopping — where the identity and purpose of the customer are not known by the group being evaluated.
In another type of simulation, two of the auditors created a fictitious account consisting of customer information from one auditor and bank account information from the other. The practitioners used this technique to determine whether the controls to validate customer identities would pick up the mismatched personal information (whereas in a regular, non-signature engagement, auditors might just verify that the customer's personal information was appropriately captured). Internal audit's objective was to assess real-life scenarios as opposed to conducting paper-based assessments that often rely solely on the audit of existing policies and their implementation.
The results of the Signature Audit pilot exceeded expectations. Findings captured critical risks that weren't identified by existing processes and required senior management to rethink certain aspects of the service to be deployed. The added value from the assessment became obvious as senior management immediately deployed corrective actions.
A Different Kind of Audit
Although Signature Audits resemble traditional process audits in many respects, fundamental differences exist between the two approaches. Signature Audits usually require more preparation, more resources, additional training, and a unique mind-set — to implement them, auditors need to be innovative, curious, and creative. For example, when Daimler auditors assessed controls around cargo access security within the company's supply chain, they knew that a review of delivery slips would not suffice. On paper, controls seemed to be in order — all inspection forms were completed and signed, without any deviation from normal procedure. But when the auditors decided to follow delivery trucks, track their routes, and conduct random checks on cargo security, different results came to light. Asset counts differed from what was documented, and cargos were discovered unlocked. The auditors found that key aspects of the process had been circumvented — something a traditional audit may not have captured.
Selection and Preparation
Not all process audits are appropriate candidates for the Signature Audit approach. Signature Audits have a better chance of success, and a more significant impact, when applied to strategic areas with a significant level of complexity. Moreover, the approach is often particularly effective if the strategic area involves new processes, such as the deployment of a new service or a new technology.
Signature Audits often require unique preparation, including the consultation of experts in the audited area who can help design creative test scenarios. Auditors may also need to improve their knowledge of the process, product, or service under review. They should be prepared, as well, to take a certain amount of risk. Creative audit techniques, such as the use of penetration testing tools or social engineering techniques, may involve a degree of deception. Senior management and the legal department should authorize internal auditors to perform these types of procedures, and the auditors should immediately inform these groups of any critical findings. For example, if auditors successfully manage to compromise a system's security, senior management must be made aware of the activities so they can initiate corrective actions without delay.
Extensive reconnaissance efforts may be conducted that require additional resources, such as laptops and penetration-testing software. Benchmarking research and market analysis may also be required, and travel could involve visits to multiple locations outside the audit client's office. Significant travel may be necessary, for example, if auditors visit similar plants in different countries to compare processes and identify best practices before audit fieldwork begins.
The performance of fieldwork in real-life conditions, as opposed to a paper-based assessment, is an essential component of Signature Audits. When reviewing a three-way match, for example, Daimler's auditors will consider the end-to-end accounts payable process and physically observe the receipt of goods instead of solely relying on the system data. Or, when assessing a warranty claim process, auditors will actively generate warranty claims in production and simulate real-life scenarios. Auditors can engage guest auditors with expert knowledge to help create these simulations, or hire consulting or other specialized expertise to accompany them during audit preparation and fieldwork.
Daimler's auditors are encouraged to identify creative ways to complete test work, using innovative tools and resources. Examples include unannounced site inspections, simulations of real-life conditions, social engineering, exploiting system vulnerabilities, and data analytics. In one instance, the auditors exposed a security flaw by creating a fake employee with full administrative rights. Using these credentials, they were able to add, delete, and manipulate data, and even erase the records of certain inventory entirely. Although such techniques are occasionally used during regular process audits, Signature Audits rely on them extensively.
During Signature Audit fieldwork, practitioners often seek to circumvent processes as opposed to testing process effectiveness. For example, while auditing a new mobile application, internal audit decided to test a phone hotline established for customers experiencing difficulties. Signature Audit techniques applied to the call center in charge of the hotline revealed that the app's authentication controls could be easily bypassed by calling the center. Similarly, penetration tests on the call center systems revealed additional vulnerabilities and severe control weaknesses, leading to a significant change in the design of the service.
The reporting phase of a Signature Audit also features key differences from a regular engagement. Presentation of results, for example, is rarely done using standard PowerPoint presentations or Excel templates. Instead, communication relies on real-world demonstration of the concerns identified. The process may entail a field visit with the client and senior management to observe certain issues in person. Or it can be done through the use of audiovisual resources, such as playing video or audio recordings, performing live simulations (which are often effective when auditing IT and engineering), or displaying pictures of audit evidence.
Offering tangible evidence is an effective way to engage the client and communicate value to stakeholders — something that Daimler internal audit has confirmed with client feedback on its Signature Audits. Concrete audit results pointing to proven deficiencies and impact, as opposed to identification of control gaps that present a hypothetical risk, can lead to significant improvements in the acceptance of audit results and remediation efforts. Daimler's auditors observed this effect when they reported on information security vulnerabilities found in an online service — instead of simply reporting on control gaps in the vulnerability management process, the team showed senior management a 30-minute demo highlighting the damage that could occur. After seeing the ease with which vulnerabilities could be exploited, management took corrective actions immediately.
Management's reaction to the Signature Audit experience was typical — surprise at first and, ultimately, appreciation. Showing clients actual risk instead of simply telling them about risk potential elicits a much higher degree of engagement and helps increase the likelihood that corrective actions will be taken.
A Culture of Innovation
Implementing Signature Audits provides an effective vehicle to communicate the value of internal audit to the organization, including senior management and the audit committee. It provides an opportunity to showcase the audit team's ability to advance the organization's strategic goals and contribute to the identification and assessment of emerging risks. The focus on exploiting control gaps to illustrate the impact of deficiencies creates stronger buy-in from audit clients, improved remediation results, and increased trust from internal audit stakeholders. It can also lead to additional demand for audit services as stakeholders realize the value of this approach and decide to engage the audit department in other similar audits.
The Signature Audit concept also provides an opportunity to create a culture of innovation within the audit team. The explorative nature of Signature Audits offers a significant learning experience for practitioners as well as the ability to unleash their creative potential — it gives them a chance to ask what they would do differently to improve a product or service. As a result, auditors gain a more direct connection to organizational performance, which can increase their commitment and ability to deliver results. It can also improve the relationship between the internal audit function and other departments in the organization, due to the collaborative use of guest auditors during the preparation and fieldwork phase, and it helps increase internal audit's ability to retain and recruit talent by fostering a positive image of the function. The methodology can lead to numerous enhancements that benefit the audit department, promote business improvement, and enhance internal audit's stakeholder value proposition throughout the business.