Internal auditors have traditionally led the charge in risk assessment and control monitoring and testing techniques. We have excelled in adopting new technology designed to improve our testing effectiveness and efficiency. It’s time for us to share our tools with other risk and control functions in our organizations. We are in a fantastic position to act as a trusted advisor and business partner to those in our organizations who share responsibility for managing risk. Based on the Three Lines of Defense Model [1], most risk management processes can be organized into three groups: Management Oversight, Control Monitoring (e.g. SOX, Quality Control, EH&S, etc.), and Internal Audit.
Management Oversight as the first line is responsible for monitoring and controlling processes
Control Monitoring groups as the second line ensure properly designed processes and controls are in place
Internal Audit as the third line provides independent assurance over processes and controls
In many organizations, the monitoring and testing processes used by management in the first line are overly dependent on manual review with limited or no use of technology. When we audit these areas, we can very quickly test controls and find management is not getting the timely information they need for proper oversight due to a lack of technology. Control monitoring functions may be more advanced in their assessment and monitoring activities, but their technology or software solutions may not integrate with those internal audit is using for similar tasks.
When we look at all of the technology available across the spectrum of assessment, monitoring, and testing of processes, risks, and controls, there are several opportunities to increase the effectiveness of organizational risk management while increasing the efficiency of internal audit’s role through the use of software solutions and tools. Many of these tools are already in place in most audit departments.
Three of the most critical methods for leveraging technology across the three lines of defense are:
Internal auditors have a secret weapon that we need to share with the rest of our organizations: data analytics. We are certainly not the only people who use analytics, but we may be the only ones using it for monitoring and testing. Other groups use analytics for data modeling and decision making. All too often we perform a test in an audit, and the process owner is shocked we found any exceptions. It would be in everyone’s best interest to give management access to our data analytics tools and teach them to perform continuous auditing on their own. Their management process will be more effective, and auditors will spend less time testing exceptions that could have been identified in advance by management.
From a control perspective, we can share a common library of controls to be owned by management, monitored by control teams, and audited against by the internal audit department. By using controls management software, we can ensure there is only one current version of each control documented in our organization, and we can speed up the process for control testing and monitoring.
Audit departments are required to have a risk-based audit plan. However, many other functions in an organization perform risk assessments for a variety of purposes. ERM teams are looking at the risks that impair meeting strategic objectives, internal audit is trying to determine the audit plan, and other groups like SOX and EH&S are managing compliance risk related to specific regulations. Other groups may have a deeper understanding of their respective areas and we can incorporate their information into our annual plan. If we all use a common risk assessment tool, which may already be included in your audit management software, we will be able to share results and leverage the work done by each team. By relying on the efforts of the entire organization, we can even get closer to achieving continuous risk assessment.
We have an opportunity to improve the overall risk management of our organizations while expanding the view of internal audit as a partner to management. Take an inventory of the technology you already have in place in the audit department and consider how these tools could be leveraged by all three lines of defense. If you find that the technology at your disposal does not include the capability for sharing data analytic tools, risk assessment results, and a common control library, it may be time to revisit your standing on the audit technology maturity curve [2].
[1] IIA Position Paper – The Three Lines of Defense in Effective Risk Management and Control (2013)
[2] IIA Special Report – Developing an Effective Internal Audit Technology Strategy (2012)
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has helped numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.