Audit, the Last Line of Defense
Internal audit as a line of defense against inappropriate levels of risk is a time-honored concept in the U.K., South Africa and Australia that is now becoming a popular paradigm in the U.S.
For example, it has been embraced by leaders at the Institute of Internal Auditors, as in this position paper. The three-lines-of-defense model draws a distinction between three separate functions: management; the risk and control oversight functions (such as risk management and compliance), which report to management; and internal audit. (Some have added external audit as a fourth line of defense.) It describes the interaction between those that own and manage risks (the first line of defense), those that provide oversight (the second line) and those that provide independent assurance (the third line).
Internal audit not only provides independent assurance that risks to the achievement of objectives are managed at acceptable levels, but also provides assurance that oversight functions are operating as desired.
As the third line of defense, internal audit should avoid unnecessarily duplicating the efforts of the control and risk oversight functions; it should endeavor to place a level of reliance on their work. This is achieved by auditing their processes, including staffing and reporting models, and, when they are assessed as sufficient, relying on their work (which is periodically audited) to reduce direct testing of controls and processes. This approach is similar in concept to how external auditors assess internal audit before placing any degree of reliance on our work.
But there are problems with the three-lines-of-defense model, primarily the notion it advances that risk management is all about “defence”.
Beyond Defense: Advisory and Assurance Activities that Contribute to Offense
To run the business and optimize profitability, organizations must take risks. In order to grow the business and deliver value to stakeholders, organizations must ensure that they make intelligent decisions (which is how they take and then manage risks) based on a clear understanding of the risks involved.
The notion that risk is something bad and should be avoided will lead to overly cautious organizations and management teams that are unable to take the right risks, seize opportunities and survive in a competitive world.
Audit can provide assurance that management’s processes and controls ensure that risks that may inhibit the achievement of objectives are managed effectively. We can provide assurance that the organization’s defences are solid.
But audit should do more.
Audit can help with assurance that the organization’s people, processes, organization and systems enable them to make intelligent decisions about the future with a clear understanding of the positive and negative results of those decisions.
Audit can also, through advisory or consulting activities, help the organization ensure that changes to the organization (such as new computer systems and other major projects and initiatives) are successful.
In other words, the internal audit activity can enable the offense to be more effective, not just the defense.
The key is to recognize that consulting or advisory services may provide assurance that the organization will be able to take the right risks going forward, not just looking back in hindsight. Audit needs to focus on the risks that matter to the achievement of objectives, and sometimes those risks are in the future not in the current state (or past state) of processes and controls.
In fact, because the greatest risks are where there is change, a strong argument could be made that audit should focus its assurance and consulting efforts on the areas where that change is happening. Wayne Gretzky said that the secret of his success was that he skated to where the puck was going to be. Shouldn’t audit be looking at, and devoting the majority of its efforts to, the areas where the risk is going to be?
In other words, should we not talk about a lines-of-offense model—or at least a model that balances defense and offense—rather than one that focuses only on defense?
Primary Challenges for Audit Today
A recent survey by KPMG of 1,500 members of audit committees worldwide found that “internal audit’s role should extend beyond the adequacy of financial reporting and controls, to include other key risks facing the business.” Another survey by PwC concluded that many stakeholders do not believe internal audit is meeting expectations. “Fewer than half of senior management believe internal audit adds significant value,” it found. A majority of respondents complained that audit was not relevant and did not address the risks that matter.
Richard Chambers, president and CEO of the Institute of Internal Auditors, emphasized the need for a dynamic audit plan that is reviewed frequently (quarterly, if not monthly) in his book “Lessons Learned on the Audit Trail.” Ideally, this would include some element of continuous auditing. He also stressed that auditors must communicate well with stakeholders.
Best Practices Address the Challenges
Best practices are reshaping the roles and relevance of audit, the IIA noted in a recent article. Best practices in audit provide assurance at the speed required by the business on issues that matter at that moment. Best practices also mean that audit will “go where the puck is going to be”—in other words, that it will anticipate where the next major risks will be and enable the organization to move forward with confidence.
Best practices in the use of technology offer significant opportunities. Organizations should strive to make the most of available tools for following up on audit recommendations and measuring performance.
Many are moving to risk dashboards and these might include audit indicators. Streamlined reporting, with intuitive graphics, has a greater and more immediate impact. While appearing simple and high-level, it has links to more detailed information.
Beyond reporting, best practices include a quality assurance and improvement program, or QAIP. The goal of a QAIP is to improve the operations of the audit function itself, so it runs both periodic and ongoing internal assessments, as well as an external assessment once every five years. The QAIP results are communicated to the board of directors.
Top management may have a negative view of the proliferation of new technology, such as smart phones and personal tablets, since these can be the source of reputational risk events. A more positive view is that these same devices can be usefully deployed by employees to quickly monitor and respond to risk events.
To achieve relevance and credibility, audit needs to embrace available technology. Monitoring risk, for example, can benefit from the use of big data analytics that provide a granular picture of how key risk indicators are changing. The planning and execution of an audit cycle—perhaps formerly handled through spreadsheets—can be handled in a dynamic way, with larger amounts of data, and different kinds of information, if moved to an all-encompassing platform.
A platform-based approach can create value by addressing the significant pain points. Once proven, the approach can then be extended to other areas. Technology, if wisely chosen and well designed, will transcend the organizational silos.
At the core of audit exists the information data model. To build a value-based audit universe, the model must be flexible and forward-looking in terms of both data and the business needs.
The risk library connects with auditable entities (business units, processes, policies and so on) through the key risks identified. In turn, the entities are linked to an annual audit plan that has its own universe, projects and key risks.
In general, each audit project comprises several items: tasks and milestones, working papers, and draft and final reports. To expedite the auditor’s work, the project draws on a set of templates such as checklists and questionnaires. At the end of each audit cycle, the solution generates the necessary metrics and reporting, providing real-time visibility.
Since the target is risk-based, the solution should be risk-based. The solution should do more than simply connect business units, processes and applications identified with a particular risk. The optimum solution should align the audit with the risks, organizational goals and objectives. This will ensure the necessary coverage and coordination across all lines of defense.
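The data model sketched above (a risk library linked to auditable entities, which are in turn linked to an annual audit plan made up of projects) can be made concrete. The following is an added illustration, not code from the article or from any MetricStream product; the object fields, the rating scale, the "key risk" threshold and the sample risks, entities and projects are all constructed assumptions. It shows the one check the passage asks for, namely whether the plan gives the necessary coverage of key risks, and which projects are placing reliance on second-line (oversight-function) work rather than testing directly.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed rating scale: 1 (low) .. 5 (high). Risks at or above this are "key" risks.
KEY_THRESHOLD = 4


@dataclass(frozen=True)
class Risk:
    risk_id: str
    name: str
    rating: int


@dataclass
class AuditableEntity:
    # kind is free text here: "business unit", "process", "policy", ...
    entity_id: str
    name: str
    kind: str
    risk_ids: Set[str] = field(default_factory=set)


@dataclass
class AuditProject:
    project_id: str
    entity_id: str
    risk_ids: Set[str] = field(default_factory=set)   # risks the project tests
    second_line_reliance: bool = False                # relies on oversight-function work


def validate_plan(entities: Dict[str, AuditableEntity], plan: List[AuditProject]) -> None:
    """A project may only claim risks that are actually linked to its entity."""
    for project in plan:
        entity = entities.get(project.entity_id)
        if entity is None:
            raise ValueError(f"{project.project_id}: unknown entity {project.entity_id}")
        stray = project.risk_ids - entity.risk_ids
        if stray:
            raise ValueError(f"{project.project_id}: risks {sorted(stray)} not linked to entity")


def key_risks(library: Dict[str, Risk]) -> Set[str]:
    return {r.risk_id for r in library.values() if r.rating >= KEY_THRESHOLD}


def uncovered_key_risks(library: Dict[str, Risk], plan: List[AuditProject]) -> List[str]:
    """Key risks that no project in the annual plan tests: the coverage gap."""
    covered = set().union(*(p.risk_ids for p in plan)) if plan else set()
    return sorted(key_risks(library) - covered)


def entities_without_project(library: Dict[str, Risk],
                             entities: Dict[str, AuditableEntity],
                             plan: List[AuditProject]) -> List[str]:
    """Entities that carry a key risk but have no project scheduled against them."""
    planned = {p.entity_id for p in plan}
    keys = key_risks(library)
    return sorted(e.entity_id for e in entities.values()
                  if e.risk_ids & keys and e.entity_id not in planned)


def coverage_report(library: Dict[str, Risk],
                    entities: Dict[str, AuditableEntity],
                    plan: List[AuditProject]) -> dict:
    validate_plan(entities, plan)
    keys = key_risks(library)
    gaps = uncovered_key_risks(library, plan)
    return {
        "key_risks": len(keys),
        "covered_key_risks": len(keys) - len(gaps),
        "uncovered_key_risks": gaps,
        "entities_without_project": entities_without_project(library, entities, plan),
        "projects_relying_on_second_line": sorted(
            p.project_id for p in plan if p.second_line_reliance),
    }


# Constructed sample data (not taken from the article).
RISK_LIBRARY = {r.risk_id: r for r in [
    Risk("R1", "Unauthorized payments", 5),
    Risk("R2", "Regulatory reporting error", 4),
    Risk("R3", "Unsupported ERP migration", 5),
    Risk("R4", "Stationery overspend", 2),
]}
ENTITIES = {e.entity_id: e for e in [
    AuditableEntity("E1", "Treasury", "business unit", {"R1", "R2"}),
    AuditableEntity("E2", "ERP programme", "process", {"R3"}),
    AuditableEntity("E3", "Procurement policy", "policy", {"R4"}),
]}
PLAN = [
    AuditProject("P1", "E1", {"R1", "R2"}, second_line_reliance=True),
    AuditProject("P2", "E3", {"R4"}),
]

if __name__ == "__main__":
    print(coverage_report(RISK_LIBRARY, ENTITIES, PLAN))
```

Run against the sample data, the report flags R3 (the change-driven project risk the article says audit should be skating toward) as a key risk the plan does not touch, and E2 as the entity carrying it with no project scheduled, while P1 is listed as a project whose testing depth depends on the second line having been assessed as sufficient.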
Technology Enhances Reporting
For maximum impact, management reports should have a prominent audit section on the dashboard. The section would highlight anticipated audit concerns. The reports would contain advanced analytics for decision making—for both current scenarios as well as for “what-if” scenarios—that can be seen side-by-side with audit concerns. The audit section would identify gaps and provide insights, and would assist management in tracking issues through to resolution.
Audit faces challenges of remaining relevant and useful to organizations that must make decisions based on a timely and accurate understanding of risk. Technology can be leveraged to assist audit in monitoring risk, creating an agile audit planning and execution environment, and delivering audit quality at the speed required for today’s organizations. The optimal technology solution is risk-based and occurs on an integrated platform that transcends the organizational silos.
Norman Marks, CPA, CRMA, is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. Anurag Jain, senior director of MetricStream, has nearly 15 years of experience in technology consulting, business development, sales, partnerships and strategic marketing.