The Internal Audit function has always been an integral part of any organisation, giving independent comfort to stakeholders that the governance and the control environment are operating as expected and in an effective way. As part of that work, recommendations to improve systems and processes are often provided.

The starting point for any risk-based internal audit is to understand the risks associated with key business functions or processes, and the controls that mitigate either the likelihood of the risk occurring or its impact.

 

An audit plan is then prepared to address key risk areas over a certain time period. Each audit in the plan is then executed, with work-papers completed and audit reports and findings issued to relevant stakeholders.

How can enterprise risk management software help this process?

If we think about the core basics of an enterprise risk management (ERM) system we should see:

  • Risk and control self-assessments done at the business unit level
  • Control testing done by the first line
  • Continual monitoring through key risk indicators and compliance questions
  • Incident capture
  • Treatment plans

With this information in a single application, internal auditors can:

  • Quickly view the risk and control assessments for departments to understand the key risks.
  • See connected information (RiskInMotion) to form an opinion as to how well the risk is being managed. For example, a large number of control test failures, incidents and metrics outside of the expected operating range for a key risk would direct audit activities to that area or process.

However, we can also apply technology to support more of the audit process. 

Firstly, an ERM application with flexible form technology allows internal auditors to capture audit plans for a certain time horizon. The plan ‘form’ references library information already in the application such as business units being targeted, auditees (users), risks and controls being addressed and the expected time the audit will be executed.  At this early stage, we see a clear connection to the risk assessments being done by the divisions, and the risks being addressed by the audit.

Assuming most auditors still like executing work-papers outside of the application, the ERM application can still be a repository for completed reports and their associated findings.

Findings in traditional internal audit roles have the following weaknesses:

  • Findings are not connected to a risk – making aggregation against the risk profile difficult if not impossible.
  • Findings are kept in an Excel file for tracking, with manual emails sent to owners asking for an update on recommended actions; each update is then transposed into the master Excel file.

For the first weakness, internal audit findings can be connected to the central library of risks and controls.  In the screenshot below we can see the connected risk for this finding, being fed from the central library of risks.
[Screenshot: Internal Audit Blog 1]

For the second weakness of findings stored in Excel files, an ERM application resolves these key problems by:

  • Centrally storing the findings
  • Automatically generating emails for update requests and closure reviews.
  • Allowing owners to directly update the finding and/or associated actions in the application.

These activities reduce the amount of time the internal audit team spends administering the findings. Audit trails in an ERM application are also more robust than an Excel file, showing how the finding has been modified over time.

Finally, a good ERM application has the ability to quickly generate live dashboards for Audit and Board reporting, again reducing the administrative burden for internal auditors. They should also show a clear picture of the internal audit findings and their overall impact on the risk (RiskInMotion).


For more information about Protecht.ERM and how we can help you, please visit our website.

 
