Role of Technology in the Risk Assessment Process
By
John Verver CA, CISA, CMC
Vice President, Services & Product Strategy, ACL Services Ltd

Source: Protiviti's KnowledgeLeader

The internal auditor needs to consider issues of risk at a number of levels in the course of fulfilling the internal audit mandate.

  1. At a high level this involves evaluating and improving the effectiveness of the organization’s risk management processes.
  2. During the course of developing an annual audit plan, it involves a risk-based approach to selecting a specific area for audit.
  3. At an audit execution level, it involves an assessment of risk in terms of deciding detailed audit procedures to perform in support of a specific audit.

Technology is important within all three levels, its role generally falling into two broad categories:

  1. Establishing a documented repository of risks within an organization – at different levels. Typically the risks are matched to the various forms of control procedure that serve to mitigate the risks. Such systems also track the current state of assessment of the effectiveness of risk management procedures. Both the business and audit make use of this.
  2. Using data analysis and monitoring technologies to support the risk assessment process, to monitor risks directly and to monitor the effectiveness of risk management procedures.

This article will focus on the second category, as this is the area where technology is most critical. Technology provides the ability to examine entire populations of transactions and business activities – on a timely basis – to look for indicators of risks that are not effectively mitigated or controlled.

Continuous Monitoring
According to Gartner, a leading technology analyst firm, $9.2 billion will be spent in 2010 on technology for GRC (Governance, Risk Management and Compliance). Of 10 areas in which the expenditure will occur, software for compliance management is the leader, followed closely by business process management and continuous monitoring.

Continuous monitoring may be considered to include several areas. At the highest level, it can involve monitoring overall operational business performance – for example, sales trends, margin trends and the mix of asset portfolios. The next level includes two components:

  1. Monitoring application control settings, including segregation of duties in systems access and authorization tables, and
  2. Monitoring financial and operational process transactions within business areas.

Let’s look at some practical examples of how technology can monitor risks and controls’ effectiveness within business areas. Technology can be used to continuously monitor or audit transactions as they flow through business processes such as purchase-to-pay, payroll or general ledger. The analysis typically involves testing transactions to determine if they are in compliance with the controls that are intended to be in place.
Within the purchase-to-pay cycle, for example, some key risks that typically should be addressed through effective controls include:

  1. Payments that contravene the Foreign Corrupt Practices Act
  2. Fraudulent payments by an employee to a “phantom vendor” company
  3. Large purchase orders approved – perhaps fraudulently – by a manager well beyond their formal approval limits
  4. Payments paid twice in error
  5. Attempts made to conceal fraudulent payments through unapproved general ledger journal entries

Apart from examining financial and operational transactions, analysis technology can also be used to monitor control settings within applications and systems. For example, if a critical control setting has been turned off – say one that prevents invoices or journal entries from being approved by an unauthorized individual – then the risk of loss obviously increases.

In these and many other areas, analysis and monitoring technology can help to assess risk and determine whether controls are being circumvented or simply not followed.

Assessment of Risk Areas
Continuous monitoring is generally considered to be the responsibility of business management. However, the technology and techniques used are very similar to those used by audit for continuous auditing.

Let’s then look at how either continuous monitoring or auditing impacts the role of internal audit. Assume financial and operational transactions are being tested and monitored and that exceptions are reported in a number of areas across the organization. Internal audit can then examine the results and reports from the monitoring processes and determine those areas where controls appear to be effective and risks satisfactorily managed, as well as where there are apparent problems. This can be a highly effective way to assess risk areas and decide which areas should be subject to audit as part of the overall high-level audit planning process.

Using Technology to Support the Changing Mandate
Internal audit is increasingly expected to play a more active role in assessing higher-level strategic risks to an organization. The challenge for audit is to have the time and resources to get involved in these areas. However, if an organization is performing widespread continuous monitoring, or internal audit is performing widespread automated continuous auditing, audit is often in a better position to free up time and resources from more routine non-automated audit procedures and become involved in those more strategic areas.

Where to Focus Efforts
Let’s now look at how technology – specifically data analysis technology – directly supports the more detailed risk assessment process for auditors. Once an area has been selected for an internal audit, the first step may well be to perform an overall analytics review of activities within the area to assess more specific risk points that warrant detailed audit investigation. For example, why are overtime amounts significantly higher in one region than the norm? Why, within one branch, are very large volumes of expense transactions occurring just under the threshold at which additional approval is required?
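As an added illustration (not from the article or from ACL's own products), the following Python tests a constructed set of purchase-to-pay records against three of the controls discussed above: duplicate payments, purchase orders approved beyond a manager's limit, and a branch clustering transactions just under the second-approval threshold. The field names, approval limits and the 5,000 threshold are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict

# Constructed sample of purchase-to-pay records (not real data): one row per payment.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-1", "amount": 4800.0, "approver": "mgr_a", "branch": "North"},
    {"id": 2, "vendor": "V100", "invoice": "INV-1", "amount": 4800.0, "approver": "mgr_a", "branch": "North"},  # paid twice
    {"id": 3, "vendor": "V200", "invoice": "INV-7", "amount": 25000.0, "approver": "mgr_b", "branch": "South"},  # over limit
    {"id": 4, "vendor": "V300", "invoice": "INV-2", "amount": 4990.0, "approver": "mgr_c", "branch": "East"},
    {"id": 5, "vendor": "V300", "invoice": "INV-3", "amount": 4975.0, "approver": "mgr_c", "branch": "East"},
    {"id": 6, "vendor": "V310", "invoice": "INV-4", "amount": 4950.0, "approver": "mgr_c", "branch": "East"},
    {"id": 7, "vendor": "V400", "invoice": "INV-9", "amount": 1200.0, "approver": "mgr_a", "branch": "North"},
]

# Hypothetical control parameters: each approver's formal limit and the amount
# above which a second approval is required.
APPROVAL_LIMITS = {"mgr_a": 10000.0, "mgr_b": 10000.0, "mgr_c": 10000.0}
SECOND_APPROVAL_THRESHOLD = 5000.0


def duplicate_payments(payments):
    """Control test: the same vendor, invoice and amount paid more than once."""
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return sorted(p["id"] for p in payments
                  if counts[(p["vendor"], p["invoice"], p["amount"])] > 1)


def approval_limit_breaches(payments, limits):
    """Control test: payment amount exceeds the approver's formal limit."""
    return sorted(p["id"] for p in payments
                  if p["amount"] > limits.get(p["approver"], 0.0))


def just_under_threshold(payments, threshold, band=0.02, min_count=3):
    """Risk indicator: branches with min_count or more payments falling in the
    narrow band just below the threshold (here within 2% of it)."""
    low = threshold * (1 - band)
    per_branch = defaultdict(list)
    for p in payments:
        if low <= p["amount"] < threshold:
            per_branch[p["branch"]].append(p["id"])
    return {b: sorted(ids) for b, ids in per_branch.items() if len(ids) >= min_count}


if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("approval-limit breaches:", approval_limit_breaches(PAYMENTS, APPROVAL_LIMITS))
    print("just-under-threshold clusters:",
          just_under_threshold(PAYMENTS, SECOND_APPROVAL_THRESHOLD))
```

Each function returns payment IDs rather than a verdict, so the exceptions can be handed to the auditor for the drill-down review the article describes.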

This “drill-down” approach to risk assessment can then be used to drive the development of a specific audit program and identify those areas that need greatest audit focus. Once key audit objectives have been established within an audit program, then for every audit procedure, consideration can be given to determine whether analysis technology, whether in the form of continuous monitoring, continuous auditing or ad hoc testing and analysis, can be used to improve the efficiency and effectiveness of a given audit procedure. Whichever approach is used, the overall premise is the same – by using technology to test 100% of transactions an auditor is best able to determine that controls are effective and risks mitigated.

Technology is Critical
A question to consider is how an organization can effectively monitor and assess the effectiveness of risk management and control procedures without using a technology-based approach. The traditional approach has been to rely on the effectiveness of specific key controls and periodically test them. But as business managers or auditors, how do we know that controls are working effectively on an ongoing basis? How do we know that sufficient and appropriate controls have been designed in the first place, particularly when processes and systems tend to change dynamically?

The comprehensive examination of data, which is the evidence of what has actually occurred within an organization’s processes, is arguably the most effective method of determining the extent of risks that are being incurred. It can also be a powerful indicator of trends that warn of increasing risk in specific areas.

The Way Forward
These concepts are, of course, not new. They have been discussed in the audit and assurance and risk and control professions for years. Some organizations have made great strides in their practical adoption. For many, they remain a desirable but far from immediate goal.

What are the typical barriers to adoption? The focus used to be on limitations in technology itself. However, analysis and automation technology has made great strides in recent years and is constantly improving. The most significant issues now are usually those of people and process, including a lack of sufficient buy-in from the business, limited support from IT departments, and a lack of skill sets and knowledge around the processes involved. Some organizations make good progress when a technology-driven risk assessment process is driven by an internal champion, but lose impetus when resources change. The goal is to make these processes integral to risk assessment and audit activities, and to make them sustainable and repeatable.

In my experience, organizations that have gained the most from these approaches are those in which internal audit leadership at the CAE level has been a strong advocate. The good news is that it is not just auditors who are now aware of the benefits of using technology in the risk assessment process. The Open Compliance and Ethics Group (OCEG) is a leading organization in the world of risk management and compliance. OCEG’s technology roadmap and “Red Book” specifically recognize the key roles that audit analytics, continuous auditing and continuous monitoring play in risk assessment – both within the business overall and at an audit and assurance level.

© 2012 Protiviti Inc. All Rights Reserved.