Like clockwork: automating internal controls

Common sense dictates that all organisations must ensure that the risks they face do not threaten their operation or limit their potential. Reducing residual risk to an optimal level is also critical in providing assurance to relevant stakeholders that the organisation is compliant with regulatory obligations, and minimising the likelihood that fraudulent activities are taking place.

This requires ‘controls’ to be in place. These are mechanisms to prevent or detect an ‘exception’ occurring in any of the business systems that, without the appropriate action being performed, could leave the enterprise open to unacceptable risk.

For example, ‘detective reports’ should be run and reviewed after each payroll to identify duplicate payments, with any exceptions identified being investigated and corrected.

Internal Audit’s (IA) key role is to identify and understand the risks faced by an organisation and to provide an independent assessment of the design and operating effectiveness of the controls implemented to mitigate them. IA also needs to be aware of emerging risks within their organisation’s industry.

The use of best-practice control frameworks, as well as expert industry knowledge, provides IA with sufficient guidance to determine the risks relevant to their organisation, and the type of controls necessary to mitigate them to the appropriate levels.

However, the majority of controls are manual, so reviewing their operating effectiveness also needs to be performed manually, and a great deal of IA time is taken up on laborious sample-based auditing. As a result, many organisations spend significant resources to ensure compliance with corporate policies, industry regulations, audits and standard operating procedures.

But the minimal return on investment they see on this activity is a major problem. The new age of controls monitoring, Continuous Controls Monitoring (CCM), whereby an automated controls-based system enables controls to be operated and monitored more cost-effectively, is increasingly being implemented to resolve this issue.

Developed and expanded by various vendors as they recognised its potential, CCM is a concept that uses various technologies to improve IT security and governance-related financial activities.

CCM changes the nature of the control operators’ role. For instance, in the payroll example mentioned previously, any duplication of payment is automatically flagged up to the relevant manager who can take appropriate action. As such, a proactive manual review of the report does not need to be performed and, as the monitoring process is continuous, anomalies are identified immediately. This benefits control operators who only have to respond to control exceptions / alerts, rather than proactively reviewing reports and performing other controls, and can therefore focus on their day-to-day responsibilities.

There are also huge advantages for IA. A CCM system ensures that all of the controls operated by a company have been formally defined and implemented. In addition, there is also a full audit trail of the operation of each control and the actions taken.

Investigating exceptions no longer requires IA to search through huge amounts of documentation to find evidence of a control’s operation, because all controls-related information is stored in the central ‘hub’ of the CCM system. This also reduces the workload for management in terms of assistance required to provide the necessary information.

Increased assurance and IA productivity, decreased compliance effort

Continuously monitoring controls allows instant access to all control activity over a given time period and enables IA to strive for the holy grail of ‘continuous auditing’.

But CCM does far more than increase confidence in the control environment. No longer burdened with the duty of prioritising compliance-related tasks over those that add value to the business, IA’s remit can become wider.

For example, they can now review emerging risks and ensure mitigation. They will also have time to perform operational reviews that enable management to identify improvements in business processes that can increase efficiency and reduce costs.

This role change can significantly alter the organisation’s internal perception of auditors. In particular, they are not required to spend days at a time sitting with control operators and requesting vast amounts of information (which, although necessary for compliance, is seen as a drain on resources and inefficient to the business).

Instead, they can become more involved in activities that add value to the enterprise, and therefore are no longer regarded purely as a cost-centre. Viewed from this perspective, there can be no doubt that CCM offers huge strategic benefit to both the internal auditor and the overall organisation.

In doing so, it also demonstrates that, intelligently managed, compliance and regulation issues need not cast a shadow over the all-important day-to-day activities that enable a business to realise its potential.

Marc Jackson is the manager for audit and risk management at Turnkey Consulting. Turnkey Consulting is a specialist IT security company focused on combining business consulting with technical implementation to deliver information security solutions for SAP systems.
