Lesley W. Beasley Jr., IT Audit Director, International Paper
The Audit Methodology typically consists of a risk assessment, a planning phase, a fieldwork phase, and a reporting phase. The risk assessment is a very manual and tedious process which typically begins with face to face formal interviews with the company’s senior leadership. During these meetings, the leaders in the organization articulate what they believe to be the company’s highest risk areas. After gathering this information, the audit organization develops a risk based audit plan. This entire risk assessment process typically takes one to two months with utilizing nearly the entire audit organization.
The planning phase is where the audit staff is introduced to the business area that they will be auditing. Requests for Information (RFIs) are sent out to the business area and walkthroughs take place during this time to gain a comprehensive understanding of the business area.
The fieldwork phase is the core of the audit process. It is during this phase of the audit process that all substantive testing is performed. A sampling approach is usually employed to gather what is needed from larger volumes of information and tested independently by the audit staff. The audit staff renders a conclusion on all individual test results.
The reporting phase is the final phase in the audit methodology. In the reporting phase a draft report is created and shared with all interested parties. After the draft report has been issued and feedback has been obtained from all interested parties, a final report is issued with an overall opinion of the control environment based on the collective opinion of the findings from the testing phase of the audit.
Audits are typically scheduled for three months from beginning to end, inclusive of two to four weeks of planning, four to six weeks of fieldwork, and two to four weeks of compiling the audit report.
Audit teams are spending more time on audit engagement planning and fieldwork due in great part to an increase in time spent on integrated and end-to-end process audits according to the global research and advisory company Gartner.
So whether auditing one procedure or hundreds of processes across multiple facilities, it takes a lot of time and effort. However, automation techniques can help optimize the process.
For the Internal Audit function to remain relevant and increase its value proposition it must begin to capitalize on intelligent automation
According to Gartner’s audit state of the function report for 2019, two of the top ten challenges for audit departments are as follows:
• Inefficiencies in engagement execution
• Insufficient or ineffective use of audit technology
With the hours continuing to trend upward for planning and fieldwork activities coupled with the challenges that most audit organizations face with effectiveness and efficiency along with the constraint of having limited resources, how will internal audit organizations continue to add value? Organizations must automate to remain relevant.
I’ll touch on a few areas that I believe are high value areas in the internal audit function that could benefit from automation.
Continuous Risk Assessment – Internal Audit organizations must find a way to not rely solely on interviews and surveys, which are highly subjective as the only data point inputs to their risk assessment process which is typically done once a year. Use Data Analytics to leverage data points that should also include objective information around financial trends, known gaps or control weaknesses, non-compliance, security, and reputational and operational metrics that are being monitored continuously.
Advisory Services - Internal Audit organizations must provide more advisory services to the business. These services should include guidance on process improvements, control design, special projects, recommendations for corrective actions, and industry best practices and frameworks that can be leveraged. Internal audit can help identify opportunities to embed automation-enabled control activities into business processes and functions. The results of such engagements should lead to productive and beneficial change in the organization and lead to more effective and efficient audits.
Control Optimization - Internal Audit organizations must execute an exercise to streamline controls by rationalizing key control activities, reducing redundancy, eliminating unnecessary controls, identifying opportunities for automation, and properly aligning controls to financial statement assertions. The completion of these activities will lead to an increase in external auditor reliance, a reduction of performance costs, and an improvement of audit effectiveness and efficiency.
Agile Auditing – Internal Audit organizations must adopt an agile auditing approach. The approach is not necessarily from the perspective of following the Agile Methodology to the letter by having a scrum master, daily scrums, a Kanban board, and sprints. Although you can adapt all of these activities to fit your specific needs, but the auditing approach should be taken from the perspective of having a continuous risk assessment in place and a reserve of hours in the audit plan to audit things that are trending negatively on the risk assessment dashboards immediately.
Data Analytics (DA) - Internal Audit organizations must leverage Data Analytics to improve the effectiveness and efficiency of audit operations as well as provide valuable insights to the business. Leveraging Data Analytics in the audit process is imperative. Data Analytics increases the audit department’s ability to test complete populations of data without having to employ sampling techniques.
For the Internal Audit function to remain relevant and increase its value proposition it must begin to capitalize on intelligent automation. The time is now.