The IIA's Core Principles for the Professional Practice of Internal Auditing use the term risk-based assurance instead of reasonable assurance, which implies that there are different levels of assurance based on multiple risk factors. That creates an opportunity for internal audit to move its work to a higher level by delivering enhanced assurance to the board and management.
Enhanced assurance does not imply reductions in risk. Instead, it refers to asking better questions about the risks that matter as well as the risks that should be automated for greater efficiency. It's about developing assurance at scale to cover the breadth of operations and strategic initiatives efficiently and cost-effectively.
Computerized fraud detection is one example of delivering assurance at scale. In 2002, WorldCom internal auditor Gene Morse discovered a $500 million debit in a property, plant, and equipment account by searching a custom data warehouse he had developed. Morse's mining of the company's financial reporting system ultimately uncovered a $1.7 billion capitalized line cost entry made in 2001, according to the Journal of Accountancy.
This example illustrates how fraud or intentional errors can occur in limited transactions with catastrophic outcomes. Enhanced assurance techniques such as data mining can uncover these transactions, which traditional audit techniques such as discovery, stratification, and random sampling may miss. Today's technologies can enable internal audit functions to automate their operations and provide enhanced assurance, but to do so, they must reframe their strategy.
Data analytics and audit automation platforms provide internal auditors, whether novice or expert, with the means to build assurance at scale. The technologies also create the opportunity to form better teams.
Small, focused teams are more productive than large, consensus-driven teams directed from the top down, author Jacob Morgan notes. Writing in Forbes, Morgan cites Amazon CEO Jeff Bezos' "two-pizza" rule: "If a team cannot be fed by two pizzas, then that team is too large." Morgan says having more people on the team increases the communication needed and bureaucracy, which can slow the team down.
Collaboration with automation can modernize the performance of small teams. Intelligent automation can integrate oversight into operations, reduce human error, improve internal controls, and create situational awareness where risks need to be managed. Automation-enabled collaboration can help reduce redundancies in demands on IT departments, as well. However, efficiency transformations often fail when projects underestimate the impact of change on people.
The Human Element
Many of the biggest assurance risks are related to people, but too often the weakest link is related to auditing human behavior. The 2018 IBM X-Force Threat Intelligence Index finds "a historic 424% jump in breaches related to misconfigured cloud infrastructure, largely due to human error." IBM's report assumes decisions, big or small, contribute to risks. However, the vulnerabilities in human behavior and the intersection of technology represent a growing body of risks to be addressed.
Separate studies from IBM, the International Risk Management Institute, and the U.S. Department of Defense find that human error is a key contributor to operational risk across industry types and represents friction in organizational performance. The good news is that automation creates an opportunity to reduce human error and to improve insights into operational performance. Chief audit executives (CAEs) can collaborate with the compliance, finance, operations, and risk management functions to develop automation that supports each of these key assurance providers and stakeholders.
The Role of Technology
Technology enables enhanced assurance by leveraging analytics to ask and answer complex questions about risk. Analytics is the key to finding new insights hidden within troves of unexplored data in enterprise resource planning systems, confidential databases, and operations.
Technology solutions that improve situational awareness in audit assurance are ideally the end goal. Situational awareness in auditing is not a one-size-fits-all approach. In some organizations, situational awareness involves improved data analysis; in others, it may include a range of continuous monitoring and reporting in near real-time.
Intelligent automation addresses issues with audit efficiency and quality. First, auditors spend, on average, half their time on routine processes that could be automated, which would improve the consistency of data and reduce error rates. Data governance allows other oversight groups to leverage internal audit's work, reducing redundancy of effort.
Second, smart automation leads to business intelligence. As more key processes are automated, they provide insights into changing conditions that may have been overlooked using periodic sampling techniques at points in time.
Most events are high frequency but low impact, yet auditors, IT staff, and risk and compliance professionals spend the bulk of their time chasing down these events. That leaves little time for them to focus on the real threats to the organization. Automation works best at handling high-frequency events that are routine and add little value in terms of new information on known risks. Instead of focusing on the shape of risk, auditors will be able to drill down into the data to understand specific causes of risk.
Steps to Enhanced Assurance
Before buying automation, CAEs should answer three questions: How will automation improve audit assurance? How will automation make processes more efficient? How will auditors use it to improve audit judgment?
The CAE should consider automation an opportunity to raise awareness with the board and senior executives about enhanced assurance and better risk governance. To do so, internal audit must align enhanced assurance with the strategic objectives of senior executives.
To implement enhanced assurance in the internal audit function, CAEs should follow three steps:
- Identify the greatest opportunities to automate routine audit processes.
- Prioritize automation projects during each budget cycle in coordination with the operations, risk management, IT, and compliance functions.
- Consider the questions most important to senior executives: Which risks pose the greatest threat to the organization's goals? How well do we understand risk uncertainties across the organization? Do existing controls address the risks that really matter?
Assurance and Transformation
The World Economic Forum calls today's digital transformation the fourth Industrial Revolution and forecasts that it could generate $100 trillion for business and society by 2025. Every business revolution has been disruptive, and this one will be no exception. The difference in outcomes will depend largely on how well organizations respond to change.
Forward-looking internal audit departments already are delivering enhanced assurance by strategically focusing on the roles people, technology, and automation play in creating higher confidence in assurance. Other audit functions are in the early stage of transformation. Although these audit functions will make mistakes along the way, now is the time for them to build new data analysis and data mining skills, and to learn the strengths and weaknesses of automation. As these tools become more powerful and easy to use, enhanced assurance will set a new high bar in risk governance.