Corporate Finance, DeFi, Blockchain, Web3 News
Corporate Finance, DeFi, Blockchain News

Auditors Don’t Just do Audits

Lately, there has been a significant resurgence in the topic of Continuous Auditing and Continuous Monitoring (CA/CM) in operational and financial circles. The main focus of this talk has been with a view toward leveraging these approaches and technologies to better manage business risk. Much of this interest is driven by the increased expectations management and audit committees have to gain better insight into business performance and better manage risk. So it’s understandable that attention has turned toward those whose mandate it is to evaluate and improve the effectiveness of risk management, control and governance processes – Internal Audit.

According to The Institute of Internal Auditors (IIA), the official definition of its profession is:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Many are familiar with the definition in terms of the systematic, disciplined approach to evaluating controls and governance. It is, after all, what many internal audit departments have been asked to do in a post-Sarbanes-Oxley world. But with a significant realignment in the business world owing to the financial crisis, concern over internal controls assurance from a legislative perspective is taking a back seat to effective risk management and improving overall business performance. That’s where the other half of the definition of internal auditing comes in, the value-add consulting internal auditing can provide to help improve an organization’s operations and overall risk management processes. It’s with an emphasis on internal audit to help improve risk management—and the technologies that they use—that this opportunity arises.

Take, for instance, a case where internal audit uses data analysis or audit analytics to evaluate how efficiently its organization’s inventory process is operating during the normal course of its audit work. The insights internal audit deliver can help identify:
- Low inventory turnover
- Items past their “best before” date
- High-demand items on back order, etc.

Not only did the audit identify these issues, internal audit was also able to identify emerging risk to the business i.e., high inventory levels for goods near their expiry date.

Another example is in a standard business process to all companies and organizations, the purchase-to-pay (P2P) cycle. By looking carefully at P2P data, organizations can identify a wide variety of business risks that otherwise might go unidentified. Consider the risks inherent in buying goods and services from vendors not in your vendor master file:
- Are these vendors selling approved goods and services?
- Is the organization diluting its buying power by dealing with multiple vendors of the same goods and services?
- Are these vendor organizations on debarred lists or prohibited vendor lists?

The list of possible errors and anomalies in the data reflecting what is actually going on in this business process is long, but it’s exactly these sorts of things internal auditors look for when they are auditing the P2P cycle using audit analytics. A forward thinking Accounts Payable department could gain invaluable insight into how to look at its processes by turning to internal auditors for consulting services on managing the risks inherent in its part of the business. It could leverage this audit knowledge and its technologies to establish a Continuous Monitoring system to manage its specific business risks going forward.

Deeper and more frequent analysis of an organization’s data can provide enhanced insight into business risk. By extension, it will also enable organizations to better manage risk. A balanced application of people, process and technology will facilitate better decision making and optimally better risk taking. In the end, it’s not about avoiding risk, it about taking better risks with the objective of driving business growth.

Why not leverage the technology, knowledge and insight of your internal audit department and use it on an ongoing basis as a Continuous Monitoring activity? It is in this capacity that internal auditors who understand internal controls, business processes and risk assessment can be management’s secret weapon to help drive better business performance.

By Peter Millar

Jeudi 9 Juin 2011