A common response to corporate scandals caused by significant control lapses is to question the performance and value of audits performed by internal audit, particularly the department’s role in providing assurance on enterprise risk management activities. To better identify and assess these types of risks, internal audit needs to provide more valuable audits that evaluate risks and controls, identify gaps, determine root causes, and recommend improvements.
Taking data privacy as an example, internal audit is expected to evaluate the security of databases where information is stored and determine who has access, how that information is used, and with whom it is shared. Additionally, auditors must provide assurance that the information is not being shared with anyone who should not have access to it. Yet, due to staffing limitations and tight deadlines for providing deliverables, internal audit departments often don’t have time to provide in-depth reviews on emerging risks.
One way to provide this service is to use technology to automate routine reviews so that they can be performed faster. This can free internal auditors to examine areas they may not have previously audited. Reporting on controls for these once-unexamined areas can provide assurance that controls are operating as designed or identify gaps where improvements are needed. Internal audit can therefore report valuable information about risks and controls that has not been included in prior audit reports.
A Large-scale Analysis
Value-added auditing is a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. It requires internal auditors to analyze risks and controls to identify the root cause of the ineffectiveness, recommend corrective action, and focus on continuous improvement.
To perform more valuable audits, internal auditors need time to focus on the overall risks to the organization, while obtaining detailed information to determine the root cause of the finding, not just identify the resulting error. Only then can auditors recommend functional improvements and follow up to ensure they have been implemented. By taking time to probe and understand the business risks and collaborating to develop functional solutions to challenges faced, auditors can move from being a reviewer to a business partner working to resolve problems and simplify complex tasks.
But internal audit must overcome certain obstacles to perform value-added audits such as having a check-the-box mentality, managing concurrent projects with limited resources, and breaking down information silos. Auditors must communicate relevant information to clients timely, and the department must be flexible enough to respond to changes and emerging risks. By automating routine reviews, auditors can work within the same constraints yet still issue an opinion on controls that may not have been examined previously. Automated reviews also may help auditors identify gaps or risks where there is no mitigating control. Such gaps could expose the organization to potential threats. The time gained to focus on additional areas can enable auditors to provide a larger scale analysis that encompasses strategic organizational goals.
Putting Data to Work
Technology is key to performing more valuable audits. Automating routine reviews allows for the quick identification of outliers in regularly examined data, a focused review on those specific occurrences, and budgeted time to examine additional areas. In lieu of spending time examining an excessive number of transactions that fall within the expected tolerance, internal auditors can define the normal tolerance and use software to identify the outliers and a small, random sample of normal transactions, then focus the remaining time on examining new areas, such as information security and privacy. Moreover, by leveraging technology, internal audit can set an example for how innovation enhances performance.
Electronic Workpapers Easily shared workpapers may allow a subsequent audit to leverage information identified in a previous exam. By using templates to document audit results, auditors do not have to recreate templates for each review. Linking documents, such as workpapers, support documentation for findings, and policies, allows for a quicker review and access to standards used in the testing and evaluation portions of the audit.
Data Mining Internal auditors should automate reviews to allow for continuous monitoring of routine tasks and to easily identify trends and anomalies that may require additional attention. For example, creating dashboards or setting up alerts can enable internal auditors to quickly identify transactions occurring outside the normal range. When continuously monitored, those outliers can be identified, examined, and, if necessary, corrected sooner than discovering them through a scheduled audit. Detecting outliers faster could minimize the impact of transactions that should not be allowed to continue.
Analytics Analyzing data can enable internal auditors to determine the impact of control weaknesses and the frequency in which they occur. This allows auditors to put issues in perspective and provide clients with a view of risks when there is a failure to comply. By analyzing performance trends and patterns, internal auditors can demonstrate how risks change by time and region. The analysis also can help clients understand the effectiveness of controls as well as determine where corrective actions are needed. Additionally, data analysis can assist management with regulatory and policy compliance in a way that minimizes duplication of efforts.
To analyze data effectively, internal auditors should set parameters to identify the data that lies outside the normal parameters. This can quickly show where the outliers and risks lie, allowing auditors to devote time to examining these risks.
Dashboards Auditors can use dashboards as a visual method of identifying anomalies and comparing them to other data. Dashboards can demonstrate current versus future states. Moreover, visual demonstrations work well for reporting, explaining findings to decision-makers, and driving change.
Finding More Value
Technology has an additional way to make audits more valuable. By automating routine tasks, internal audit departments can be better structured to perform audits that are more useful for improving governance, risk management, and control processes. This automation can give auditors more time to question what is being done and why, compare current practices to best practices and industry standards, and evaluate whether there is a more innovative approach. Internal auditors should explore opportunities to use existing technology to automate routine reviews, add value to the organization by reporting on additional areas, and minimize the impacts of risks to their organization