Don’t forget to audit controls!

There’s a lot of talk about auditing culture and other significant sources of risk.

I am all for focusing our audit plan on the risks that matter to the enterprise as a whole.

But, let’s not forget that we need to be providing assurance on whether management has the right controls to address those sources of risk and whether they are operating effectively.

A survey or other assessment of the current state, whether of culture or something else, seems to have value.

But that value is transitory. It is an assessment at a point in time; time marches on, and how do we know that the conditions we found have not changed as well?

Similarly, there’s a lot of talk about using data analytics as an audit tool to identify potential problems. It also appears to have value. But does that value last?

Years ago, there was a healthy debate on how to audit environmental compliance (the debate may continue, I don’t know).

The two sides to the debate were:

  • Perform an audit that assesses the current state of compliance
  • Perform an audit that assesses whether management has a system of internal control that provides reasonable assurance of compliance

I was and remain very firmly in the second camp.

Not only does this avoid having to express an opinion as to whether the organization is in compliance or not (consider the problem if they are not in compliance), but our work has continuing value.

I feel the same way when it comes to auditing culture, cyber, governance, or any other source of enterprise risk.

Help management fish for a lifetime (we can but hope) rather than feed them fish for a day.

  • Does management understand the culture existing within and across the enterprise?
  • Do they know whether it is consistent with what they need (whether it be risk-taking, ethics, compliance, teamwork, customer orientation, or any other dimension)?
  • How do they know when it changes?
  • Do they have adequate controls to ensure the above and then to take actions as necessary?

The same concern applies to data analytics used by internal audit to find issues.

Unless it is part of a fraud investigation assigned by the board to internal audit, I would prefer to have management detect issues and audit assess whether those detective controls are adequate. Internal audit should not be performing controls. They should be auditing the controls.

What do you think?

Do you share my view that the drumbeat for internal audit to use analytics to find issues is taking us in the wrong direction?

Do you agree that internal audit should not directly assess culture but instead audit how management ensures an appropriate culture?

I welcome your comments.

  1. March 17, 2018 at 12:55 PM

    Definitely agree with you Norman. IA should be providing an opinion as to whether controls are reducing risks to levels acceptable to the board and that therefore objectives should be met, now and into the foreseeable future. Since risks and controls are the responsibility of management, this opinion is an opinion on their competence.

    It is therefore the role of management to continually monitor the proper operation of controls. When I was a CIA, I persuaded the payroll department to acquire an interrogation program in order to carry out monitoring. When I was a manager of AP, AR, payroll and fixed assets, I set up daily and monthly reporting to monitor the effectiveness of key controls.

  2. Alexander Tarasenko
    March 18, 2018 at 11:28 AM

    There is no value in auditing controls when you know maturity is not there and controls are absent. This will just kill all the credibility of the IA, and management will once again talk about zero business value and the theoretical approach of the team. Instead, in my opinion, this shall be a two-way approach: from one side a proper practical assessment of the current state shall be performed, and the results shall be used to support observations in the control assessment. When you link actual issues (from the assessment) to the root causes (internal control failures) and governance problems (causing issues in internal control), this provides much more value to the management and it is much harder to use political games to avoid additional responsibility and imminent changes. IA now more and more turns out to work like checklist-testing monkeys, which is like a doom to our profession, as we could be easily replaced if we don't change the approach.
    Another example will be typical ITGC testing, now performed by a lot of internal and external auditors. They proudly report that the system of internal controls in respect of ITGC is providing reasonable assurance and is perfectly fine in accordance with the best practices etc. But when you go down to the ground and perform, for example, penetration testing (ethical hacking), you see that there are a hell of a lot of issues, with the majority of the root causes coming back to basic ITGCs. If IA does not try to assess the problem from both sides, we will just be providing false assurance, just like the auditors in the example above.
    Summarizing the above, I would say the IA shall dive deep in the dirt at least for the first time, and only after that keep the hands clean in upcoming years.

    • Norman Marks
      March 18, 2018 at 3:56 PM

      I agree that if the controls are not there, there is no point in trying to test them. Instead, inform top management and the board and explain the risk to the business. Then see if you can provide constructive advice so management can establish an appropriate system of internal control.

      If the controls appear to be adequate, they can be tested and white hat hacking is one of the tools I have deployed in the past.

  3. Gary Lim
    March 19, 2018 at 2:08 AM

    IA is repeated many times, and to be an IA one has to be a qualified accountant, at least in my country. Risks and the controls are NOT confined only to IA, as if IA were the only profession that has the skills to do it (granted they have a vast FINANCIAL skill set, but not fire risks, protection systems, etc.); the ordinary staff should be able to understand risks and to audit the controls, hence a layman approach is so very critical. Locally we do not have sufficient accountants, let alone IA, to carry out such audits.

  4. March 19, 2018 at 7:11 AM

    In my opinion there is nothing wrong with IA using data analytics and process mining to prove the existence and effectiveness of internal controls (or the lack of them) to be able to report this to senior management. This may not be to replace management’s task to verify the effectiveness of internal controls. However, when management does not fulfill this task it is obvious that they will be confronted by senior management with the auditor’s report.
    The organisation’s actual culture may differ from the desired culture. IA may be able to see and report the gap. I don’t know if they have the ability to say what should be done to change this. Common auditors are no experts in human behaviour and organisational change management.

    • Norman Marks
      March 19, 2018 at 7:39 AM

      Frans, data analytics usually only tests the data and does not provide any evidence that controls are present and functioning. For example, if your home has not been burglarized, does that prove that you closed and locked the door every time you left home?

  5. March 19, 2018 at 6:01 PM

    If we start from the view that IA is an independent assurance function, most of Norman’s conclusions follow directly. Many views on IA start with a different view, that IA is a pool of very clever people, with no other distinction. I prefer to stick with the independent assurance view.

    As an independent assurance function, the focus of IA is assuring that the organisation’s actual risks are consistent with the risks understood and accepted by the board of directors. To do that, IA should test whether risks are adequately recognised, managed and disclosed. IA testing includes independent risk analysis to validate management’s understanding of risk. IA testing also includes audit verification of controls. Risk is not adequately managed if risk assessment assumes, but does not verify, the continuous effective operation of controls.

    ‘Controls’ have an operational image. Historically auditors have spent most of their time on risk and control in operations, especially the operations that feed ledger transactions. There is plenty of scope for IA to expand into strategic or other categories of risk and control. The need to verify ‘controls’ does not change.

    It also follows from ‘independent assurance’ that auditors should not perform the controls. There is no assurance when it is only the assurer who keeps the system safe. Yet there is a long history of auditors performing controls when innovative techniques come along. In the 1980s auditors introduced periodic system testing and ‘integrated test facilities’. There was also ‘data integrity’ checking by auditors, typically a scan for obviously invalid data. Those scans have a continuous line of descent to today’s innovations in ‘analytics’. In more recent times, I saw a case where it was only auditors who ever reconciled the transactional system of record (bespoke) with the financial ledger (SAP). The relevant dollar figures had eight digits before the decimal point.

    Arguably ‘risk management’ is also one of those innovations in which auditors are the first to perform controls. Risk management is necessarily and essentially a (control) function for executive and line management. It populates the first and second lines of defence. Yet IA, the third line, is one of its leaders. Formal standards even recognise risk management leadership as a role for IA, with some strict boundaries. [IIA IPPF Practice Guide ‘Assessing the adequacy of risk management using ISO31000’, December 2010; IIA IPPF Practice Guide ‘Coordinating Risk Management and Assurance’, March 2012; Standards Australia HB158—2010.]

    I’m with Norman in that auditors should not perform controls. IA should instead protect its independence. I just note that on this front, there is compromise and confusion everywhere, and always has been.

  6. Deliana
    March 20, 2018 at 6:37 AM

    I prefer to perform an audit that assesses the internal control system in the business process; it is more valuable for the company and could be a way to show the role of internal audit as a strategic tool. Anyway, what kind of audit we perform depends on the aims of the management assignment, but we should propose this kind of audit to the board in our annual activity plan.

    • Norman Marks
      March 20, 2018 at 6:45 AM

      Why? Modern thinking is to have a risk-based audit program. Effective internal control provides reasonable assurance that risk is at acceptable levels (COSO et al).

  7. Yusuf Waheed
    March 22, 2018 at 9:00 PM

    I can’t agree with you more. We might be drifting away from the core. The use of data analytics can only detect fraud, errors and the like, which is reactive to me, while auditing the adequacy of internal control systems will go a long way in tackling the issues from the source. It is just unfortunate that most auditors partake in the formation of these controls, hence the self-review threats.

    The audit of culture compliance needs to start from the top management. If it is wrong at the top, then you can expect a lot of non-compliance issues at the middle and lower levels of management.

    Thank you

  8. Ian S
    March 24, 2018 at 3:11 AM

    Fundamentally IA’s role is to provide independent assurance on the system of control to the Board and stakeholders. Putting aside the planning process in which we determine what and when to audit; we’re faced with one of a number of possible scenarios at the start of each individual audit: a business area that is perceived to be well controlled but isn’t; one that is perceived not to be well controlled and isn’t; one that is perceived to be well controlled and is etc etc. If the business area has risk exposures outside of risk appetite or control deficiencies then these should be already transparently reported by senior management to the Board – which is a big part of where the above perception comes from and also reflective of culture.

    To provide valuable independent assurance in the first instance therefore we need to confirm or otherwise that the assurance provided by senior management to the Board is actually appropriate, balanced and accurate. Retrospective auditing of the existence, adequacy and effectiveness of the controls in place is part of this – and data analytics may have a useful role to play here. I would argue however that if IA has better tools or methods than the business area to assess these things then it should hand them over! The IA report is then effectively concluding whether senior management has been controlling its risks adequately and, importantly, reporting upwards appropriately about this such that the Board can place day to day reliance on this area of management. When notable issues are identified we should ask: did management know about this but not report it transparently? Or did they not know about it? Both are of concern and require different solutions.

    I believe that IA should also look at the sustainability of the system of control taking into account possible future environmental changes and applying basic stress testing techniques. How confident are we that management and the system will proactively anticipate, scale and adapt to these challenges? What do they need to do to give us (and the Board) a good level of confidence? This is more difficult to audit but potentially an extremely valuable part of the assurance so we should not shy away from it. It requires more of a strategic mindset from IA but is probably the real value add.

  9. Tristan G.
    April 1, 2018 at 7:29 AM

    It depends on how robust and relevant the analytics is and how IA is assured that the input data they use in analytics are free from material error and bias. Nonetheless, analytics is just part of the procedure and shouldn’t be solely relied upon. IA should be versatile and resourceful enough to adequately capture risks worthy of attention.
