How good is the quality of your internal audit process — really? (And what you need to know about the impact of technology on QAR and QAIP) — John Verver
Given this unique role and the potential value that such a role can contribute to the organization overall, it would seem logical that internal audit needs to be a high-performance team that employs the very best in people, processes and technology. In some organizations, this is already the case — often driven by a chief audit executive (CAE) who has the full support of the audit committee and senior executive leadership to achieve best-in-class performance.
Yet many other audit teams still have a long way to go to achieve anything close to their full potential. Many haven’t made any fundamental changes to their audit approach in the past few decades. The Institute of Internal Audit (IIA), of course, has taken steps to help ensure that audit teams are conforming to standards and to encourage many forms of continuous improvement. The IIA’s Quality Assessment Reviews (QARs) and Quality Assurance and Improvement Program (QAIP) provide processes and guidance in best practices that should steer audit teams in the right direction and provide the impetus for change.
The QAR opportunity
One of the greatest potential benefits of QARs and the QAIP is the opportunity to make real change in the way that audit fulfills its mandate and delivers value to the organization.
Perhaps there is something of the “cobbler’s children having the worst shoes” syndrome taking place. Internal auditors spend a lot of effort proposing how different functional teams can improve their processes — but how much effort do they put into making sure that their own processes are working optimally?
Core business units often invest massively in transforming their processes and leveraging technology to deliver previously unachievable results. Internal audit doesn’t have the budget to do things on the same scale — but there are still many things that can be done by using QARs and the IIA’s Quality Assurance Checklist as the catalyst for change.
Driving change and best practices through QARs and QAIP
The QAIP and QA Checklists refer frequently to best practices. It is hard to think of best practices not involving the ideal combination of processes and technology to help ensure that auditors’ roles can be performed in a substantially better way.
Just to take one example, the QAIP refers to evaluating “The contribution to the organization’s governance, risk management, and control processes.” You could consider what audit’s contribution looks like at present and how it compares to a situation in which audit is using a centralized risk and control repository and continuous transaction testing system to assess risks and control on an ongoing basis. You could also think about audit promoting the value of business areas taking over responsibility for selected monitoring of transactions and controls.
The QAIP refers to “Coordination and division of assurance effort between internal audit, external audit, and other internal governance and assurance functions” and the extent to which “Internal Audit has championed and/or documented a suitable ‘3 Lines of Defence’ model.” Such an approach can be very powerful in transforming governance and assurance activities — but it takes a transformation in audit processes and the use of risk management and audit management software, as well as data analytics, to achieve. It certainly cannot be achieved through the use of traditional audit technologies and siloed, home-grown or outdated audit and risk management systems.
Your team is, no doubt, currently doing something to ensure that “Internal audit planning is linked to organization strategic objectives and risks.” But is this based on a spreadsheet listing of identified strategic objectives and risks that is unwieldy, prone to error and hard to share across user groups? Or is audit planning based on a risk assessment process in which objectives, risks and controls are all linked together within a common system and analytics used to constantly assess existing and emerging risks, driven by examining all transactions and assessing control effectiveness in key process areas?
In terms of efficiency around scarce audit resources — what percent of your team’s time is spent on testing and assurance activities that could be handled far more effectively through automation to free up time to focus on higher risk areas?
The QAIP refers to part of the quality assessment process as “Acquiring feedback from audit clients and other stakeholders.” The chances are that feedback is a lot more positive when based on using audit techniques that demonstrate a different level of value. What if, instead of reporting that deficiencies were found in certain key controls, the audit findings are precisely quantified and state that:
“12 key controls were tested by examining all transactions within the business process for a period of 12 months. A total of 3.5M transactions involving payments of $5.7B were tested for compliance with the controls. As a result, 59 instances of failures were found in 4 controls leading to fraud and error totalling $245,000. In addition, analysis showed that errors occurred in processing $450,000 of billing transactions that were not subject to any existing effective control. Because of this a new control was implemented and is being monitored on an ongoing basis by analytics performed by the unit department.”
5 important technology capabilities for internal audit improvement
There are several key technology capabilities that help to assure the quality of internal audit and support improvements in its processes:
- Design excellence and simplicity of use. These may seem like overused words — but, in practice, it is very important that an integrated audit management and risk and control assessment system is attractive to use (so that people will actually use it), as well as being dependable in terms of the information it is providing.
- Close integration and automation of data analytics. In traditional audit software, analytics were treated as something of an add-on. Analysis work was often performed using a generic tool and results somehow attached to audit working papers. As analytics are now well recognized as critical to the audit process, it makes sense that their use is fully integrated into audit software. Risks and controls should be closely linked to the audit procedures performed, including the range of analytics available to perform specific control testing and substantive audit work. It should be a simple task in which data access is automated and on which a simple decision can be made whether to run an analysis as a one-off process or set it to run automatically on an ongoing basis.
- Integration of transactional control testing into a closed-loop resolution and remediation process. One of the big challenges of using traditional “add-on” data analysis is what to do about the results that are generated, particularly when they are part of a continuous testing process. Software should be able to support the entire workflow of routing exceptions and control test anomalies to appropriate individuals for investigation and resolution. Since the analytics are directly linked to specific risks and controls, the system should also support remediation efforts to address control weaknesses. This becomes part of a closed loop of risk assessment that looks like this: -> control definition -> testing -> exception resolution -> control remediation -> revised risk assessment.
- Audit process status monitoring. How well does your current system provide immediate oversight of the status of all audit activities and response to findings? Modern systems provide the ability to view the big picture through an up-to-date dashboard, as well as drill down into details of audit progress and findings.
- Monitor audit performance and client satisfaction. The QA Checklist refers to obtaining feedback from auditee management on performance of the auditors. Auditee satisfaction with the audit process is just one of the important measures that can be used to measure performance of the audit function. Audit management software should be able to automate the measuring of auditee satisfaction through survey systems that invite management response. Results of the survey system should be automatically compiled and reported as part of an overall audit performance monitoring system.
Who audits the auditors?
QARs and QAIPs are hugely important for the audit profession. Without this form of combined self-monitoring and external assessment, internal audit risks losing credibility and lacking accountability. The IIA guidance is not very specific about how technology and specific best practices can be implemented — but the opportunities arising from assessing how well internal audit is currently doing — and what they could be doing — are great. Some of the questions about “how good a job are we doing” may require the audit mindset of critique and recommendation to be focused inwardly for a change. It may also require some effort and research to fully understand the potential of what can be achieved through best practices.
In the end, the important thing is not to think of QARs as a painful requirement — but as an opportunity to transform the way that auditors perform their work and the value they deliver.
Originally published at www.acl.com on December 7, 2016.