GRC Tuesdays: Going Beyond Financial & Compliance Audit
I think everyone will agree: a common thread within organizations is that they want to optimize their investments. If the company can identify additional ways of leveraging a production tool they already have – in our case, a software solution – then it’s a clear win! Especially if this doesn’t require modifications to the installation itself.
In this blog, I’d like to address a topic that I see arise more and more and that relates to extending the use of audit tools.
Historically, many organizations have licensed audit tools for financial and compliance audits, and then some departments have licensed different audit tools for quality audits or environmental, health and safety audits, etc. As for any business process, this creates a silo effect that prevents efficient collaboration.
Today, many companies ask how they can merge all into a single tool to register all audits in a shared system to re-use the results and create synergies across teams.
Not yet convinced?
Then let’s take a simple example.
During an ISO certification audit, chances are that the auditors will go over the processes in detail and, even if process improvement is not in scope of their checks, they may come across some possible optimization options. Since this is not in scope of their engagement, there is a high likelihood that these findings won’t be documented during this cycle.
Rather, they will be documented later during a quality or a performance audit. Not only is this a missed opportunity to improve the process much earlier, but also, it creates duplicate effort for the auditors.
What if, instead, all audits were recorded in a single tool? And that certification auditors could also leverage the findings of operational audits, compliance audits, etc. for their benefit.
Another use case could relate to HR audits. Payroll, for instance, is generally closely monitored in compliance and anti-fraud audits. But when reviewing the payroll process – let’s say the last payroll cycle after an employee’s termination – why not look beyond deficiencies? Surely helping the payroll run more smoothly would be of interest to management! Is all the employee data up to date (including the address used for tax purposes, for instance), are absences calculated correctly, are gross and net pay accurate, etc.? Not all of these checks will be included in a usual payroll compliance audit, but since the audit team is already reviewing the process, why not include 2-3 additional checks? Surely, it won’t be an additional effort that puts the entire audit budget at risk!
Since these GRC Tuesdays blogs are also about technology after all, allow me to share my suggestions on how to do this in a software solution, going anti-clockwise on the audit management process below:
1. Expand the list of auditable items & prioritize them based on risk levels
As one would expect, the first step is really to make sure that you have the foundation in place to include new audit missions.
This would therefore include the additional organizations (lines of business, departments, etc.), auditable items (processes, projects, etc.) and all their associated risks.
To then prioritize auditable items, a risk-based approach is very efficient in my opinion. In addition to collecting the risk instances assessed by the business, I have also found that the following methods help get background information:
- Activity risk review => by asking the activity owner (i.e. program or project manager, asset owner, etc.) to review the list of their risks and provide input on exposure levels and mitigation strategies
- Risk workshop => especially relevant for new risk types or new business areas that haven’t been involved in the process before. In this approach, a “risk expert” from the risk or audit team meets with the stakeholders from the relevant business area and guides them through risk identification and assessment
2. Adapt the staffing
In the engagement planning phase, resource allocation is key. All auditors, regardless of their domain should be listed in the tool and their skills documented.
This will then help the audit lead to select the best profile for each engagement. And maybe even remove some of the bias that could build when audit teams have been working on the same topic for an extended period of time, or due to repeat audits.
3. But also adapt the engagement
To avoid any misunderstanding on the audit scope, audit preparation should carry on as for any other engagement with the distribution of an announcement and so on. But the auditees should be able to quickly identify the scope, especially if the announcement is distributed via their usual compliance and financial audit tool.
Using different templates for different audit types has shown great results – for a minimal investment.
Now, remember when I suggested to simply “include 2-3 additional checks”? I fully understand that this might be much easier said than done. Timelines are always tight, and resources constrained.
As a result, I’d also wish to propose an option for this suggestion as well: leverage automated controls!
Include automated rules within the work program itself so that these checks can be performed effortlessly by auditors, simply by triggering an automated job with the click of a button.
If the automated controls surface anomalies that do not affect the scope of the current audit, then why not record them and propose an action item for the other auditors to take a more detailed look? This creates a true collaborative culture across the various audit functions and helps surface issues more rapidly.
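To make the idea of automated controls inside a work program concrete, here is an added example that is not part of this blog and does not describe SAP Audit Management or any other product. It assumes a small set of constructed payroll records for the “last payroll cycle after termination” scenario above, a work program made of four automated rules, and a convention that each rule belongs to an audit area: anomalies owned by the engagement currently running stay in scope, while the rest are grouped into proposed action items for the other audit function. All names, fields and sample values are assumptions made for illustration.

```python
"""Automated controls embedded in an audit work program (added example).
Every identifier, rule and payroll record here is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PayrollRecord:
    employee_id: str
    terminated_on: Optional[date]   # None for active employees
    last_paid_on: date
    tax_address: str
    gross_pay: float
    deductions: float
    net_pay: float
    absence_days_recorded: int
    absence_days_deducted: int


@dataclass
class Finding:
    employee_id: str
    control: str
    audit_area: str   # audit function that owns the follow-up
    in_scope: bool    # True when it belongs to the engagement being run
    detail: str


# Each control returns a short detail string when it detects an anomaly, else None.
def check_final_pay_timing(r: PayrollRecord) -> Optional[str]:
    if r.terminated_on and r.last_paid_on < r.terminated_on:
        return f"last payment {r.last_paid_on} precedes termination {r.terminated_on}"
    return None


def check_net_pay(r: PayrollRecord) -> Optional[str]:
    if abs(r.gross_pay - r.deductions - r.net_pay) > 0.01:
        return f"gross {r.gross_pay} - deductions {r.deductions} != net {r.net_pay}"
    return None


def check_tax_address(r: PayrollRecord) -> Optional[str]:
    if not r.tax_address.strip():
        return "no address on file for tax reporting"
    return None


def check_absences(r: PayrollRecord) -> Optional[str]:
    if r.absence_days_recorded != r.absence_days_deducted:
        return (f"{r.absence_days_recorded} absence days recorded, "
                f"{r.absence_days_deducted} deducted")
    return None


# The work program: (control name, owning audit area, rule). Assumed layout.
WORK_PROGRAM = [
    ("final_pay_timing", "payroll compliance", check_final_pay_timing),
    ("net_pay_arithmetic", "payroll compliance", check_net_pay),
    ("tax_address_present", "HR data quality", check_tax_address),
    ("absence_reconciliation", "HR data quality", check_absences),
]


def run_work_program(records, engagement_area: str):
    """Run every automated control over every record, tagging each finding
    as in scope (owned by the running engagement) or out of scope."""
    findings = []
    for r in records:
        for name, area, rule in WORK_PROGRAM:
            detail = rule(r)
            if detail:
                findings.append(Finding(r.employee_id, name, area,
                                        area == engagement_area, detail))
    return findings


def action_items(findings):
    """Group out-of-scope anomalies into proposed action items per audit area,
    so the other audit function can pick them up instead of losing them."""
    items = {}
    for f in findings:
        if not f.in_scope:
            items.setdefault(f.audit_area, []).append(
                f"{f.employee_id}: {f.control} - {f.detail}")
    return items


# Constructed sample data: one clean record, one with several issues, one with
# only a net pay arithmetic error.
SAMPLE_RECORDS = [
    PayrollRecord("E001", date(2023, 6, 30), date(2023, 7, 15), "1 Main St", 5000.0, 1200.0, 3800.0, 2, 2),
    PayrollRecord("E002", date(2023, 6, 30), date(2023, 6, 15), "", 4000.0, 900.0, 3100.0, 3, 1),
    PayrollRecord("E003", None, date(2023, 7, 15), "9 High Rd", 6000.0, 1500.0, 4600.0, 0, 0),
]

if __name__ == "__main__":
    results = run_work_program(SAMPLE_RECORDS, "payroll compliance")
    for f in results:
        print(("IN SCOPE " if f.in_scope else "REFER    ") + f"{f.employee_id} {f.control}: {f.detail}")
    print("Proposed action items:", action_items(results))
```

The design point is the `audit_area` tag on each rule: the same work program can be triggered by the compliance auditor, and anything outside their engagement is not discarded but handed to the HR data quality audit as an action item, which is the cross-team re-use the post argues for.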
4. Customize the report on findings and recommendations
Now that the scope has expanded and internally recognised experts are using the same technology, it’s time to open the gates and publish the results.
As for the recommendation to adapt the announcement letter, I believe the same applies to the audit report.
Different audit types should leverage different templates. First of all, to set the right expectation when a recipient will be reviewing the document. But also because the information conveyed won’t be the same depending on the scope. Having different templates provides more flexibility.
By expanding the usage of an audit software from compliance, financial and IT audit to quality, EH&S, certification, ethics and beyond with HR and any other process, the company will be able to transform from conventional audit to a continuous risk-based audit process.
It will also accumulate knowledge and data along the way that can then be used as feed for process improvement exercises.
Of course, this won’t be achieved overnight, so creating a roadmap of additional scope to be included over time is always a good idea to ensure that the progression is managed.
So why not give it a try?
And, in case you are wondering what a typical audit tool could look like, I have also included below a short introduction video to SAP Audit Management:
What about you, does your company segregate audit topics in different tools? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard