The Internal Audit function has always been an integral part of any organisation, giving independent comfort to stakeholders that the governance and the control environment are operating as expected and in an effective way. As part of that work, recommendations to improve systems and processes are often provided.
The starting point for any risk-based internal audit is to understand the risks associated with key business functions or processes, and the controls that mitigate either the likelihood of the risk occurring or its impact.
An audit plan is then prepared to address key risk areas over a certain time period. Each audit in the plan is then executed, with work-papers completed and audit reports and findings issued to the relevant stakeholders.
How can enterprise risk management software help this process?
If we think about the core basics of an enterprise risk management (ERM) system we should see:
Risk and control self-assessments done at the business unit level
Connected information (RiskInMotion) used to form an opinion as to how well a risk is being managed. For example, a large number of control test failures, incidents and metrics outside the expected operating range for a key risk would direct audit activities to that area or process.
However, we can also apply technology to support more of the audit process.
Firstly, an ERM application with flexible form technology allows internal auditors to capture audit plans for a certain time horizon. The plan ‘form’ references library information already in the application such as business units being targeted, auditees (users), risks and controls being addressed and the expected time the audit will be executed. At this early stage, we see a clear connection to the risk assessments being done by the divisions, and the risks being addressed by the audit.
Assuming most auditors still like executing work-papers outside of the application, the ERM application can still be a repository for completed reports and their associated findings.
Findings in traditional internal audit roles have the following weaknesses:
Findings are not connected to a risk – making aggregation against the risk profile difficult if not impossible.
Findings are kept in an Excel file for tracking, with manual emails sent to owners asking for updates on recommended actions, which are then transposed into the master Excel file.
For the first weakness, internal audit findings can be connected to the central library of risks and controls. In the screenshot below we can see the connected risk for this finding, being fed from the central library of risks.
For the second weakness, findings stored in Excel files, an ERM application resolves these key problems by:
Centrally storing the findings
Automatically generating emails for update requests and closure reviews.
Allowing owners to directly update the finding and/or its associated actions in the application.
These activities reduce the time the internal audit team spends administering findings. Audit trails in an ERM application are also more robust than those of an Excel file, making it possible to see how a finding has been modified over time.
Finally, a good ERM application has the ability to quickly generate live dashboards for Audit and Board reporting, again reducing the administrative burden for internal auditors. They should also show a clear picture of the internal audit findings and their overall impact on the risk (RiskInMotion).
For more information about Protecht.ERM and how we can help you, please visit our website.
This is the time for a well-developed, well-embedded and well-operated enterprise risk management framework and processes. It is not a time to throw away risk management thinking. It is a time to bring it into action.
David Bergmark consults on a variety of market and enterprise risk management issues and is actively involved in the development and implementation of Protecht's risk management software (ERM and ALM).
David started out in the audit division of Price Waterhouse in 1990, handling clients such as Macquarie Bank and Bankers Trust. By 1994 he was Risk Controller for Carrington Securities - a financial markets trading company.
In 1996 David left Carrington to head up the Risk Management Department at IBJ Australia Bank (IBJA) where he was responsible for the development of all risk disciplines at the bank – market, credit, liquidity and operational.