In internal audit departments today, the need for greater efficiency reigns supreme. So much so, in fact, that audit teams are constantly fighting the battle to hit audit plan targets, meet deadlines, and stay within budget. While these are all important objectives in the grand scheme of things, finding additional time to hit Director-level targets is only part of the battle. Understanding the logic that drives decisions relating to WHAT to audit is critical. Risk-based auditing is becoming a more widely adopted principle as best practice for Risk Assessments. However, for better or for worse, repetition and historical patterns are still present in today’s audit plans.
As repetitive as it may be, audit coverage and risk mitigation can often still be (and sometimes must be) cyclical in nature. “We audited this location/region/process last year and my audit plan is telling me to go audit this same thing again,” says Mr. or Ms. Audit Director. If this is the case, what can we do to eliminate arduous administration and manual work around tasks that should be well defined and automated?
Let us explore where we can stop reinventing the wheel and utilize technology to standardize best practices.
Audit programs come in many different shapes and sizes, based on how technology shapes the format and how team members interact with the data. Many times these audit files are stored in a pre-determined folder system and then stacked on top of each other. The end result: integrity issues and multiple versions that represent different truths. If we submit to the notion that multiple versions and edits can increase the risk of poor-quality working papers, then there has to be a better answer.
A common convention must be followed by the entire team to ensure standard practices are upheld. This represents the top level of audit files, broken into Planning, Fieldwork, Results, Reviews, Issues and Follow-up, to name a few variations. Underneath—at the Process, Objective and Procedure/Control level—is where modifications tend to cause problems with integrity and version control.
One of the great advantages of using an audit management system like ACL GRC is that the software allows for protected storage of Standard Audit Templates that reflect the master copy of that financial or operational process. This flows the previously identified Process, Risks and Control data into the latest and most effective template for the team. ACL GRC simplifies the next step by performing a “rollforward” to activate a copy of that template. In fact, anytime an audit is closed and stored in the Library, ACL GRC immediately provides the opportunity to create a template off that version.
Having standard business processes (P2P, O2C, PCARD, T&E, GL) in template form now gives us an entire library of Risks and Controls linked to those processes. In the case where a location audit is being performed and multiple processes are being reviewed, it would be helpful to have instant drag and drop capability for sharing those risks and controls.
“I have some controls around the processing of POs in my P2P cycle and it would be great if I can point and click share those controls over to a similar audit being performed at a different location!” Cutting and pasting can be a big pain. Period. With ACL GRC, users can perform a simple CLONE to send common processes, risks and controls of one active audit over to another.
What would a 10-25% increase in audit efficiency do for your department?