Sourcing Risk Information for a Value-Added Audit
Author: Ladd Muzzy, Principal at Nasdaq BWise
Audit continues its need to mature. Changes in professional standards, technological innovation, evolving compliance and regulatory requirements, and an increasing competitive environment are forcing the discipline to be more nimble. The audit department continues to divest itself from being seen as having a policing role to one of adding value. As organizations grow and become more sophisticated, the amount of risk and control data increases, adding new risks and morphing existing risks into varying exposures. Audit must respond, not only in its fiduciary role of providing an independent view of the risk and control environment but in understanding how the organization is responding to the changing risk environment.
Create Value and Enhance Performance
The mindset to managing risk is changing. There are two distinct (Figure 1), but blending philosophies (1) preserving and (2) creating value. Preserving value is all about maintaining conformance; ensuring that the organization is kept out of trouble. This means establishing a formal governance model, building and implementing world-class and sustainable practices, and reducing or eliminating fines and settlements. The other is value creation, or how the organization creates value, and enhances performance. This is all about making the business better. Examples include coordinating risk management activities, optimizing controls, and effective and efficient technology use. Organizational risk management functions have primarily focused on the preserving value side assuring that harmful risks are mitigated to within appetite and tolerance levels. Today, audit, as well as support functions sitting in the 2nd line of defense, are being pushed to justify their tasks of the business; justifying the importance of using capital, people, and taking time away from making money for the organization.
So how does audit strike the right balance between these two perspectives? Regardless, audit must continue to provide insight. Few functions have insight across the organization the way audit does. This poses unique opportunities to share leading practice, deter non-value add activities, and optimize the control environment. The breadth of audits scope can assist the business by focusing on the most salient risks and understanding the activities and outcomes across the lines-of-defense the business and support functions.
Prioritize the most important risks
Organizations are faced with a myriad of risks and controls. For example, one large global bank had over a thousand risks and five thousand identified controls. The challenge is how to find the most pertinent risks to the organization. This becomes exacerbated given the different priorities of the business and support functions. For example, those in compliance are incented to create a process that forces the assurance that laws and regulations arent violated. The business is incented to take risks to generate revenues. Although these objectives frequently align, there are times when they may not. As a result, groups will have their own interpretation of what a critical risk actually means. This results in output where there are actually a bunch of essential risks to the organization without any way of filtering them.
Audit can provide insight into the organizational, business, and functional risk profiles. The key is to maintain the autonomy and needs of the business and functional specific goals whilst simultaneously taking a step back and providing perspective on what the risk environment looks like across the organization. Audit understands the business and functional objectives and knows how the control environment aligns with key business value drivers and supporting processes. This information can be shared with groups like risk management who provide a risk view to executive and risk committees as well as the Board of Directors and regulators.
In one example where this process did not work well was when audit and risk did not share information. The risk functions reported up through the risk committee while audit reported into the audit committee. Both ultimately report into the Board. When the Board of Directors met, they received conflicting information about what were perceived to be the most critical risks to the organization. Risk had one view while audit another. This created confusion at the Board level, placed distrust in the underlying process, and questioned whether the allocation of resources (both capital and people) were being used appropriately. The result was a revamp of the process to ensure that there was greater collaboration between audit and risk managements findings, recommendations, and reporting.
Risks are tied to the achievement of objectives that are subsequently tied to the strategies of the organization. Prioritizing risk necessarily means tying to the goals of the business. Moreover, these goals are aligned with the risk appetite and tolerance of the organization. For example, the business may have an objective of acquiring 10% new customers during the fiscal year, but must do so without any compliance violations. Thus, prioritizing risk means the underlying risk processes must be aggregable to align to the organizations strategies and objectives. This helps to establish the critical risks that are either supporting the growth of the organization or detracting from its success.
There are a few key questions that should be asked in order to help drive the efficacy of a sound program to address the most salient risks facing the organization:
- Have resources been aligned against the critical risks?
- Do we gain insights on the risks of our key business partners and customers?
- Do we have the proper oversight of key controls?
- Do we escalate unwanted risk exposures on a common and consistent basis?
- Does our process cover emerging risks?
- Can we improve alignment and coordination in risk and control activities?
Audit also plays a key role in understanding and helping to articulate efficiencies across the lines-of-defense. Risks and controls are not only bespoke to the business and the supporting business activity, but should be made as common as possible to gain the greatest economies of scope and scale as possible. One example of this is by putting in a cyber defense system that can deter threats across multiple businesses. Audits role of not only providing attestation for a particular area, but also for the organization makes understanding what the business and support functions philosophy and approach is to managing risk becomes critical in arriving at organizational conclusions on the control environment.
Audit should be asking key questions across the lines-of-defense model:
- Are risks and controls clearly tied to business processes?
- Have key risks been prioritized and have resources been aligned accordingly?
- Can we improve alignment and coordination in risk and control activities?
- Do we have gaps in our overall risk coverage is accountability clear?
- Do we have the proper oversight on key controls?
- How are risks and controls monitored what escalation protocols exist?
- Are we efficiently focusing on key risks in support of business performance?
- Where would we identify the greatest opportunities for improvement?
The answers to these questions provide rich insight into the management and control environment and how risk is managed on a day-to-day basis. Moreover, this data will enable a more robust audit planning process where resources can be educated and allocated to the most pertinent and risky areas of the company. Likewise, the audit department has the fiduciary responsibility to share information back with the business on control efficiencies, deficiencies, gaps in coverage, and leading management practices. Audit will then will be acting in an advisory capacity and adding back value.
Technology also plays a significant role in a value added audit. It helps to enable the process by having risk and control information in a central repository enabling efficient access as the audit takes place. Examples include electronic work papers where risk information, like the risk and control assessment, can be readily visible. Supporting documentation can be uploaded and attained quickly. Dashboards, which depict the audit, risk, and control environment in a single view, allows users to drill down to specific supporting information such as what is driving various findings. Reporting also helps to codify the risk profile, which can be compared to findings and information obtained from the lines-of-defense efforts to thwart exposures or to take advantage of opportunities.
BWise® Internal Audit software
BWise software solutions facilitate an integrated approach to IA, while keeping IA independent, and protecting sensitive information. With a strong heritage in managing business processes, BWise enables the efforts of people in the first, second, and third line of defense to be focused on getting the process right. All BWise technology solutions focus on that goal. Understanding the true differences in the lines of defense in order to facilitate one approach and one integrated software platform brings efficiency and savings to Internal Auditors and a compa¬ny. Capabilities in support of the IA function include audit planning, work paper management, a variety of reporting tools, dash-boarding, off-line auditing, and findings monitoring. Uniquely integrated, BWise offers capabilities for continuous monitoring and continuous auditing with other systems, like Oracle, SAP or other business supporting software.
Nasdaq BWise offers best practices through Rapid Deployment Solutions on top of the internal audit software. These IIA (Institute of Internal Auditors) based best practices provide less mature organizations a solid baseline for their technology implementation. Larger and mature audit teams typically base their software implementations on their own requirements, which can be configured in BWise. However, in some cases the best practices can also be used by more mature audit teams to shorten the duration of implementation and improve their audit processes at the same time.
Nasdaq BWise believes that IA technology is an essential enabler. Software helps IA achieve a larger strategic goal, im¬prove results, and does so at lower costs. Applying a best in class automated system can facilitate an organizations growth and allow IA to maximize assurance.