By Raj Sawhney and Parm Lalli
New compliance policies and emerging risks, such as cyber-security, have led to dramatic changes in internal auditing over recent years – and companies need to continue adapting their processes to keep up with such developments. Executives and boards should no longer think of auditing as a series of periodic, calendar-driven check-ups; instead they should recognize its role in creating real-time situational awareness of business risks and operations, so that hidden opportunities can be spotted as readily as oversight lapses or threats.
But despite the growing stakes, most organizations are failing to make progress. They cling to yesterday’s auditing tools of spreadsheets, printed documents, emails and other cumbersome, time-consuming and error-prone manual approaches. These approaches amount to onerous one-off exercises that feel insightful but in truth have little value because they ultimately view just one moment in time, while business environments swiftly evolve and new risks emerge.
Fundamentally, the end goal is an auditing mechanism that gives management and the board the intelligence that comes from credibly answering questions such as: “Which cyber-threats present the most potential for damage to our network and systems?” “Can unauthorized parties access and/or remove our proprietary and/or sensitive information?” “Are we exposing ourselves to additional risks through system configurations and new applications?” “Are we losing money because of fraud?”
Internal audits conducted using the continuous-auditing approach are driven by processes, transactions and controls to automatically and systemically collect risk evidence and indicators. The benefits are that this is more repeatable, more highly scalable and more sustainable than traditional methods. With that foundation in place, businesses can implement a continuous-monitoring auditing approach, where real-time data is available for both risk managers and executives to inform critical corrections and business decisions.
Just as important as helping firms spot problems in real time, continuous monitoring also offers a way to view historical information over time in a more accessible, drill-down fashion, rather than poring over file caches from manual audits. As such, continuous monitoring can help companies track progress on fraud, waste, cyber-vulnerabilities, compliance and other topics on the minds of C-level executives and board members.
Despite continuous auditing and monitoring’s advantages, it is striking how few organizations have adopted this approach. Among audit functions that use analytics, only 37 percent apply continuous auditing, according to a Protiviti report. Among those surveyed, just 15 percent conduct ‘very mature’ continuous auditing with functions such as usable dashboards and drill-down capabilities.
Here are a few strategic points risk managers and audit teams can use to build cohesive cases for continuous and data-driven auditing:
Chief audit executives and their teams often adopt a less mature ‘checklist’ approach to comply with Sarbanes-Oxley Section 404 top-down risk assessments (TDRA) and other regulatory requirements. They scramble to validate that they’re dotting the ‘I’s and crossing the ‘T’s to pass yearly audits – then breathe a sigh of relief until it’s time to do it again.
This instills false confidence because TDRAs move at the speed of laws, not risks. Cyber-adversaries are creating threats every day and firing them at corporate IT departments that are constantly introducing new and vulnerable cloud, mobile and shared systems. Only a continuous approach to tracking these changes and vulnerabilities can effectively let managers weigh productivity and technology against digital avenues for risk.
In September 2016 the American Institute of Certified Public Accountants’ (AICPA) assurance services executive committee issued proposals for developing consistent criteria on cyber-security risk-management. ‘Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cyber-security risk-management programs to stakeholders,’ said Susan Coffey, AICPA executive vice president for public practice, at the time.
Under the proposed reporting framework, authorized third parties would conduct examinations to determine whether companies’ risk-management programs and existing controls align with AICPA's criteria. Those criteria are therefore likely to encourage automated, continuous assessments, monitoring and controls.
In auditing and IT, every change feels intimidating – but such fears are usually misplaced. We see a number of successful steps different organizations can take regardless of nuances in their software, processes and leadership. These include:
Editor’s Note: A version of this article originally appeared in Corporate Secretary.