The Internal Audit function has always been an integral part of any organisation, giving independent comfort to stakeholders that the governance and control environment are operating as expected and in an effective way. As part of that work, recommendations to improve systems and processes are often provided.
The starting point for any risk-based internal audit is to understand the risks associated with key business functions or processes, and the controls that mitigate either the likelihood of the risk occurring or its impact.
An audit plan is then prepared to address key risk areas over a certain time period. Each audit in the plan is then executed, with work-papers completed and audit reports and findings issued to the relevant stakeholders.
How can enterprise risk management software help this process?
If we think about the core basics of an enterprise risk management (ERM) system we should see:
- Risk and control self-assessments done at the business unit level
- Control testing done by the first line
- Continual monitoring through key risk indicators and compliance questions
- Incident capture
- Treatment plans
With this information in a single application, internal auditors can:
- Quickly view the risk and control assessments for departments to understand the key risks.
- See connected information (RiskInMotion) to form an opinion as to how well the risk is being managed. For example, a large number of control test failures, incidents and metrics outside of the expected operating range for a key risk would direct audit activities to that area or process.
However, we can also apply technology to support more of the audit process.
Firstly, an ERM application with flexible form technology allows internal auditors to capture audit plans for a certain time horizon. The plan ‘form’ references library information already in the application such as business units being targeted, auditees (users), risks and controls being addressed and the expected time the audit will be executed. At this early stage, we see a clear connection to the risk assessments being done by the divisions, and the risks being addressed by the audit.
Assuming most auditors still like executing work-papers outside of the application, the ERM application can still be a repository for completed reports and their associated findings.
Findings in traditional internal audit processes have the following weaknesses:
- Findings are not connected to a risk, making aggregation against the risk profile difficult if not impossible.
- Findings are kept in an Excel file for tracking, with manual emails sent to owners asking for an update on recommended actions; the responses are then transposed into the master Excel file.
For the first weakness, internal audit findings can be connected to the central library of risks and controls. In the screenshot below we can see the connected risk for this finding, being fed from the central library of risks.
For the second weakness, findings stored in Excel files, an ERM application resolves these key problems by:
- Centrally storing the findings
- Automatically generating emails for update requests and closure reviews.
- Allowing owners to directly update the finding and/or associated actions in the application.
These activities reduce the time the internal audit team spends administering findings. Audit trails in an ERM application are also more robust than in an Excel file, making it possible to see how a finding has been modified over time.
Finally, a good ERM application can quickly generate live dashboards for Audit and Board reporting, again reducing the administrative burden for internal auditors. These dashboards should also show a clear picture of the internal audit findings and their overall impact on the risk (RiskInMotion).
For more information about Protecht.ERM and how we can help you, please visit our website.