Source:- ACL Blog, Author John Verver
“Ongoing progress will be made in internal audit’s focus on a broader set of risk areas than those that have traditionally been subject to audit.”
I spoke with at least two audit teams in the past year that had started to look for the first time at areas that were considered to include strategic risks – product development and sales operations. Both were outside of the standard business process areas they typically audited. One of them made the point that in order to free up resources for this, they had moved to a data-driven continuous audit approach for the Purchase-to-Pay cycle. It looks as if the trend will continue – though at present audit teams venturing into the really strategic risk areas seem to be the exception rather than the rule.
“New technology driving increasing collaboration and integration between audit, risk management and compliance functions.”
In the past few years ACL has been in a leadership position among software vendors in terms of constantly enhancing the functionality of its product offerings while providing a consistent and genuinely intuitive and clean user interface. All of this is designed to support collaboration and integration among multiple ARC functions. It was good to see ACL’s leadership recognized in September when receiving three GRC Innovation Awards for Expert Content, Interpretive Visual Remediation, and Mobile Capabilities.
While on the topic of collaboration among ARC functions, it has been notable in 2015 that the IIA’s Three Lines of Defense Model is getting increasing recognition and acceptance. It continues to be a useful tool in communicating and aligning on the respective functional roles of Internal Audit, Controls and Compliance and Operational Risk and Control. Although there is widespread acceptance of the validity of the model, there were some interesting ideas put forth during the year around the notion of “offense” rather than “defense”, particularly for front-line management and their roles in risk management.
“IT and data related risks will remain very high profile.”
It was pretty hard to get this one wrong. Cybersecurity and data privacy risks, as well as major IT implementation project risks continue to rank highly among the risks that executives worry about.
The jobs of IT managers and others responsible for ensuring IT and data security may not seem to be particularly enviable ones at present. Something ACL recently did was publish an eBook, specifically for IT managers, on getting to a state of audit-readiness. It is designed to provide some guidance to IT managers who want to take a technology-driven process for addressing IT risk and control issues, enabling risks to be put into appropriate context and hopefully leading to actions that will avoid major findings when the auditors come around.
“Those internal audit departments that have been slow to embrace technology will do what their leaders have been saying should be done for the past 5 years – and actually use technology to transform audit quality and productivity. Data analysis will be a big part of this – though just one technology aspect of overall audit transformation. Auditors will be more proactive in advocating the use of data analysis and automation in risk and compliance functions – so that auditors can then take account of this usage in their own audit planning and risk assessment.”
Slow – but steady – progress continues on this one. Despite all the surveys and reports that say auditors need to do more with data analysis there are still many audit teams that are struggling to get going. The IIA’s 2015 Common Body of Knowledge study resulted in one report entitled “Driving Success in a Changing World: 10 Imperatives for Internal Audit”. Number seven on the list of imperatives was “Enhance Audit Findings Through Greater Use of Data Analytics”. The report refers to approximately 50% audit teams using data analysis in various audit activities.
There are various reasons for the slow progress overall. One is the lack of understanding among audit leadership about what is actually involved in implementing data analysis. Addressing the combination of people, process and technology issues is critical. It doesn’t have to be complicated – but it takes leadership to drive real change and derive all the benefits that data analytics can provide. My New Year Wish for 2016 is that the IIA will be more proactive in recommending the use of data analysis and incorporate requirements into Audit Standards.
The AICPA has taken more of a leadership role in this area with a task force that produced Audit Data Standards and is working on standards for analytics for specific audit areas. It would be good to see the IIA and perhaps ISACA working alongside the AICPA on this initiative.