Internal Auditors Initiate Image Repair

Have internal auditors become irrelevant? Perhaps.

But if so, chief audit executives and other internal auditors can return to relevance, according to Norman Marks of the Institute of Internal Auditors’ Professional Issues International Committee, by refocusing “on providing assurance regarding how well management identifies, evaluates, responds and manages risks — including the controls that keep risk levels within organizational tolerances.”

The reference to controls leads to several promising steps internal auditors can take to repair their images and secure their futures. Here are a few:

Advocate for more automated controls covering more business areas. Organizations can spend a lot of time and money performing extensive audit sampling that yields an incomplete picture of the controls and data being audited. Under cost pressures, auditors have cut back the scope of audited business areas dramatically. The risk of cutting back too far is real.

By continuously monitoring key application controls, automated controls can limit the need for extensive sampling. Think of it this way: Automated controls let companies prove that source data did — or did not — change during the monitoring period. Giving companies a way to prove that nothing changed means they don’t have to test and review unchanged data and controls. And that’s going to save the organization time and money.

Better still, automated controls ensure the integrity of critical business information and configurations that drive ERP processes such as financial reporting, order-to-cash, and procure-to-pay. For example, if a company has a billing formula or product price settings, automated controls can confirm whether either of these has ever changed and if the control was continuously in place for the entire monitoring period.

How? Through the change records generated by the continuous monitoring system. No record of change means no change in the source data and no change in the control, and ultimately that correct invoices were generated for customers for the goods or services delivered, which affects the expected revenues and, in turn, the financial reporting.

Automated controls will identify any changes — authorized or not — and issue alerts on changes that fall outside of policy. So if a billing formula is changed at 8:00 a.m. and changed back at 8:01 a.m., automated controls will catch the changes regardless of who or what (for example, an automated feed from another system) made those changes. This is the ultimate in error and fraud detection, and it mitigates business risk to a degree that sampling just can’t match.
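The 8:00/8:01 case above, as an added example (not from the article or from any vendor's product): constructed change records are evaluated two ways, showing that a period-start versus period-end comparison misses the reverted billing formula change, while the change records flag both edits and also identify settings that never changed. The record fields, the approval-ticket policy and all names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed change records for illustration; field names are assumptions.
RECORDS = [
    {"ts": "2024-03-04T08:00:00", "setting": "billing_formula",
     "old": "qty*price", "new": "qty*price*0.9",
     "actor": "feed:crm-sync", "approval": None},
    {"ts": "2024-03-04T08:01:00", "setting": "billing_formula",
     "old": "qty*price*0.9", "new": "qty*price",
     "actor": "feed:crm-sync", "approval": None},
    {"ts": "2024-03-11T14:30:00", "setting": "product_price:SKU-1",
     "old": "19.99", "new": "21.99",
     "actor": "user:pricing-admin", "approval": "CHG-1001"},
]
MONITORED = ["billing_formula", "product_price:SKU-1", "tax_rate"]
APPROVED = {"CHG-1001"}  # hypothetical approved change tickets (the "policy")


def in_period(rec, start, end):
    return start <= datetime.fromisoformat(rec["ts"]) < end


def snapshot_view(records, start, end):
    """Settings that differ between period start and period end (sampling view)."""
    first, last = {}, {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if in_period(r, start, end):
            first.setdefault(r["setting"], r["old"])  # value before first change
            last[r["setting"]] = r["new"]             # value after last change
    return sorted(s for s in last if first[s] != last[s])


def continuous_view(records, monitored, start, end):
    """Per-setting change count and out-of-policy alerts from the records."""
    report = {s: {"changes": 0, "alerts": []} for s in monitored}
    for r in records:
        if r["setting"] in report and in_period(r, start, end):
            entry = report[r["setting"]]
            entry["changes"] += 1
            if r["approval"] not in APPROVED:  # unapproved change: raise alert
                entry["alerts"].append((r["ts"], r["actor"], r["old"], r["new"]))
    return report


def unchanged(report):
    """Settings with no change record in the period: nothing to re-test."""
    return sorted(s for s, e in report.items() if e["changes"] == 0)
```
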

Risk capitalizing on compliance data. A natural extension of automated controls is the aggregation of compliance data. When it comes to risk management and mitigation, companies tend to focus on analytics while virtually ignoring the underlying compliance data related to their key business applications and controls. And with no data, there’s nothing to analyze. Blame it on manual reporting processes that hamper systematic data collection, but this lack of data has a direct impact on the internal auditor’s ability to provide “assurance regarding …risks.”

Now, auditors are in a position to reverse this data collection trend, with automated controls serving as a data acquisition layer that gathers compliance information during the testing and monitoring of controls and data.

And importantly, this compliance information sits in a secure, segregated data repository that IT and the business cannot access, which provides complete segregation of duties. With that foundational data layer in place, companies can more effectively manage risk because their analysis — and the resulting mitigation options — is directly informed by proven, trustworthy compliance information.

Elevating to a leadership role with governance, risk and compliance. Remember, finance owns the controls, and auditors evaluate the quality of controls for compliance. The information technology department supports the deployment of technology to automate the process of monitoring controls and gathering data to support compliance reporting.

In this interdepartmental ecosystem, auditors need to be a bridge between finance and IT, emerging as leaders who suggest better ways to simplify the compliance process for finance and IT. Automating the process gives finance early visibility into control changes, and that helps them better manage the business with higher levels of assurance.

That’s just good business sense. IT benefits as well: automation means it does not have to take responsibility for systems in which the segregation of duties requirements would be broken, which might diminish the security profile of the company.

Jay Muelhoefer is chief marketing officer at Lumigent Technologies, Inc., a GRC application controls monitoring company. He can be contacted at jay.muelhoefer@lumigent.com.
