Changing Technology, Changing the Audit Mindset
Technology is changing the audit mindset in much the same way that it has changed everything else in society. As auditors have more access to more data, they need to approach their audits with this in mind. In the past, companies used internal audit to check all processes and all policies. Using detailed testing, auditors checked off boxes while filtering through pages of documentation. As organizations have become more complex, internal auditors and the c-suite need to change their audit mindset to match the substantial increase in information.
Traditional Audit Mindset, Traditional Audit Values
Reading into the history of internal audit, the process initially started during the Industrial Revolution to help companies report and control costs. This created a backward looking, reactive process. Due to the nature of technology, audit became focused on reviewing current processes, finding problems, then telling companies to fix them.
Traditional Audit focus on audit cycle (time duration, when last audit occurred), focus on deficiencies in controls, and cases of non-compliance with policies and procedure manual which may be outdated sometimes…. traditional auditing an understanding of Business Unit operations is built through time consuming process mapping exercises and might rely on outdated P&P manuals and audit staff spread all over the company trying to cover the audit universe which sometimes extend to more than one year
In the traditional audit mindset, auditors intended to review the company processes as a whole. The goal of this would be to send in someone unaffiliated with the company to determine whether managers engaged in the most efficient and legal processes. This approach positions the auditor as an enemy by creating a divisive relationship of critique.
Managers manually collected all information for audit, spending hours seeking out the testing materials and aggregating records not integral to the business. As companies grew in size, analyzing policies and procedures between large organizations and small ones became untenable. The backward looking process fell out of favor with forward thinking regulators and trade associations over the last thirty years.
Transition to Risk-based Audit Mindset
Automation began making the traditional audit mindset and process inefficient. However, companies continued to use traditional audit methodologies due to early systems while retaining some of the original audit perspectives. In 2012, the AICPA noted the need to change audit mindset in a white paper,
[A]uditors collect and analyze audit evidence and form opinions pertaining to internal controls as well as reliability of the information provided by management. At the engagement conclusion, auditors present a formal report expressing their opinion. In fact, this approach reflects the twentieth century methodology whereby there are high costs and significant time delays associated with information collection, processing, and reporting. … [B]asic CAATS (Computer-aided Audit Tools) contain capabilities to enhance audit effectiveness and efficiency. However, they do not operate on a 24/7 basis and therefore fail to construct a truly continuous auditing environment whereby exceptions and anomalies may be identified as they occur. Alternatively stated, they do not work with real-time or close to real-time data streams and, thus, are not able to address questionable events such as potential fraud or irregularities in an optimized fashion….With this in mind, one could argue that the traditional manual and retrospective audit is becoming an untenable position.
This risk-based focus then intended to streamline the process to focus on those business areas most prone to causing the company reputational, legal, or financial risk. Since the new systems began to address events in real time allowing for faster responses by companies thus further mitigating risks, the risk-based approach became more popular. The risk-based approach transitions the auditor from being an enemy to being a partner in business success. GRC automation makes this partnership easier and the risks more transparent. Be eliminating unnecessary reviews, organizations save time. Being about to map risks across multiple frameworks in a GRC tool offers the added benefit of times savings that correlates directly to money saved.
The COSO Framework
When discussing risk management audit models, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the COSO ERM – Integrated Framework historically act as benchmarks. In 2013, COSO released an updated Internal Control -Integrated Framework. In the Executive Summary, they noted
Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.
A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal controls ineffective.
In adopting the new guidance for risk assessment and other Framework components, internal audit will ordinarily be responsible for the facilitation of the mapping of controls to principles. Implementing controls and remediating control weaknesses, however, will generally be the work of the CFO, the controller’s function and general counsel, and others such as internal audit. Boards and audit committees also have an important role to play in ensuring that any deficiencies in internal control noted by those charged with monitoring and reporting, including external bodies, are corrected. Overall responsibility, however, falls to management: It is their responsibility to ensure that the checks and balances in the organization exist for a sound system of internal control.
While the transition to COSO 2013 may take a great effort for some companies, the new guidance around risk assessment presents an opportunity to achieve important operational objectives. When implemented, the Framework can be more than just a compliance exercise — the requirements can help improve operational efficiencies and increase productivity.
Under this framework, management bears the responsibility for ensuring the ongoing strength of the organization’s controls. For many long time industry professionals, this new approach required some effort and buy in. Under this framework, management and the audit team need to work together to ensure productivity. Using an automated tool creates ease of collaboration. Lowering the time spent communicating means lowering the cost of compliance.
The Risk-Based Audit Mindset and Profit
Profitability creates buy in for the Board and c-suite. Risk-based audit models save time which increases profitability. By focusing on those areas whose noncompliance could cause the most damage to the company, risk-based audits lead to more focused results. Keeping in mind that audit originally intended to streamline business practices, the greater efficiency of risk-based audit makes historical sense. According to Jason Mefford, the writer of Risk Based Internal Auditing and writer of Risk Based Internal Audit Training,
Risk based auditing is about focusing on those areas that stop an organization from meeting its key objectives instead of just looking at controls. Too often auditors are focused on testing low impact processes and controls, while ignoring a focus on key objectives. When auditors take a risk based approach, focusing on those forces and events most likely to impact an organization meeting its key objectives, that is when the provide the most value to their organizations, helping increase profitability.
Information technology audits under the risk-based audit mindset can provide the same types of corporate savings. Greater risk in the IT realm means loss of money or reputation due to a breach. Those costs are the same types of savings as a manufacturer identifying time saving processes in its labor stream.
Viewing the risk-based approach as a profitable exercise fosters a greater corporate culture of compliance. In addition, this transitions the audit mindset from conflict to camaraderie. When all audit parties view one another as financial assets, they cooperate more fully. GRC tools help audit parties collaborate which in turn adds financial value to your organization’s compliance stance.
Automating the risk-based Audit
Since audits no longer seek to test the entire organization, automating the compliance space when using the risk-based audit model makes the process even more efficient and profitable. By integrating risk control information with the the internal audit goals, the organization can stream line the execution of risk and compliance work. Further, by coordinating documentation in one shared space, critical evaluations and risk assessments will make creating the audit scope smoother. When the audit goes more smoothly, the profits increase. With this ease of access to information and documentation, the application of the risk-based audit approach becomes more appealing.
Shifting a mindset takes time and energy. People find change difficult and frustrating leading them to rely on old habits. However, automation can make the company’s audit mindset transition easier.
If you want more information on how to use automation to help change your organization’s audit mindset, contact one of Reciprocity’s GRC specialists today.