There are many recent studies out there showing that internal audit has not yet fully embraced digital transformation and is therefore not making use of the full potential of analytics.
In this short blog, I’d like to offer my thoughts on the benefits for internal audit of leveraging enterprise-wide risk management and compliance platforms. These go under different names, but in essence, I’m referring to the software tools that capture risk and controls information, including key indicators, and present them side by side rather than in separate silos.
This is the most commonly cited benefit of leveraging these types of solutions. When internal audit focuses on the critical business areas whose risk levels have increased or where mitigation strategies such as controls are not effectively reducing the threat to an acceptable level, then they act as an expert firefighter—ensuring that the fire is controlled and providing inputs to reduce it further.
Of course, this will be helpful in better allocating the limited resources that all internal audit departments have. But to me, it’s still very much a reactive approach and I think there are two more layers to this three-layered cake.
By reviewing the business, operational, and strategic risks associated with the company’s objectives and by comparing the residual risk level against the documented risk appetite, internal audit can focus its attention on what matters the most for the business.
Even if the risk levels aren’t critical, if internal audit is able to focus on the risks that would seriously endanger important objectives, then it no longer has to be considered a super firefighter, but a true business partner with the very same intent in mind as all business owners – making the company run better and sustainably.
In this approach, internal audit becomes more proactive and only with the support of complete risk and control profiles can it really achieve this objective.
Now, what can happen when internal audit unleashes the full power of governance, risk and compliance (GRC) integration and data analytics?
The Icing on the Cake: Preventative Auditing
“Preventative” is a term more familiar to those who have worked in asset-intensive companies where “preventative maintenance” is the ultimate goal—mend a machine before a failure is even detected, not only because the cost of doing so is less than a full-blown repair, but also because this prevents unplanned shutdowns.
Well, to me, this can be applied to auditing—prevent business disruptions. This time not linked to a deficient asset, but to a deficient process or a negative context.
Internal audit could, in my opinion, focus as much on key risk indicators as it does on risk levels. Indeed, internal auditors are extremely knowledgeable about the business and the context in which the organization operates. As much as risk owners, they are able to detect that key risk indicators are demonstrating signs of a “pattern of failure.”
Taken in isolation, it might not be easy to detect what these indicators mean for the organization. But consolidated and aggregated at the department, business unit, or even company level, they could signpost clear and existing danger.
Using all the information available in risk and control solutions, and its own knowledge of the business, internal audit is in a perfect position to offer its support in helping the organization navigate to less troubled waters. Doing so, internal audit would achieve the role that I personally believe it deserves – true strategic partner.
Do auditors in your company already leverage the wealth of risk and control information to plan their next audits? If not, are there any plans to do so in the near future?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.