The Internal Audit function has always been an integral part of any organisation, giving independent comfort to stakeholders that the governance and the control environment are operating as expected and in an effective way. As part of that work, recommendations to improve systems and processes are often provided.
The starting point for any risk-based internal audit is to understand the risks associated with key business functions or processes, and the controls that mitigate either the likelihood of the risk occurring or its impact.
An audit plan is then prepared to address key risk areas over a certain time period. Each audit in the plan is then executed, with work-papers being completed and audit reports and findings issued to relevant stakeholders.
If we think about the core basics of an enterprise risk management (ERM) system, we should see:
With this information in a single application internal auditors can:
However, we can also apply technology to support more of the audit process.
Firstly, an ERM application with flexible form technology allows internal auditors to capture audit plans for a certain time horizon. The plan ‘form’ references library information already in the application such as business units being targeted, auditees (users), risks and controls being addressed and the expected time the audit will be executed. At this early stage, we see a clear connection to the risk assessments being done by the divisions, and the risks being addressed by the audit.
Assuming most auditors still like executing work-papers outside of the application, the ERM application can still be a repository for completed reports and their associated findings.
Findings in traditional internal audit roles have the following weaknesses:
For the first weakness, internal audit findings can be connected to the central library of risks and controls. In the screenshot below we can see the connected risk for this finding, being fed from the central library of risks.
For the second weakness of findings stored in Excel files, an ERM application resolves these key problems by:
These activities reduce the amount of time the internal audit team spends administering the findings. Audit trails in an ERM application are also more robust than an Excel file, showing how the finding has been modified over time.
Finally, a good ERM application has the ability to quickly generate live dashboards for Audit and Board reporting, again reducing the administrative burden for internal auditors. They should also show a clear picture of the internal audit findings and their overall impact on the risk (RiskInMotion).
For more information about Protecht.ERM and how we can help you, please visit our website.
David Bergmark consults on a variety of market and enterprise risk management issues and is actively involved in the development and implementation of Protecht's risk management software (ERM and ALM). David started out in the audit division of Price Waterhouse in 1990, handling clients such as Macquarie Bank and Bankers Trust. By 1994 he was Risk Controller for Carrington Securities - a financial markets trading company. In 1996 David left Carrington to head up the Risk Management Department at IBJ Australia Bank (IBJA) where he was responsible for the development of all risk disciplines at the bank – market, credit, liquidity and operational.