One of the highlights of GAM 2019 was a presentation outlining five approaches to risk-based auditing that can make a positive difference in the business, given by Lillian Scott, Vice President of Internal Audit at Total System Service, Inc (TSYS) and Rick Machold, Chief Audit Executive at TSYS. Lillian and Rick broke down tips and techniques for five risk-based auditing approaches they use at TSYS to alleviate audit fatigue for their customers and position internal audit as a value-adding service provider for their organization.
Does your internal audit team struggle to battle audit fatigue? Are your audit customers disengaged or resentful because audits drag on for months with little relevant output? Choosing the right approach can help internal audit be recognized as a trusted advisor, promote customer engagement, and lead to more productive and insightful outcomes.
Traditionally, internal audit has embraced a controls-based approach that inspects and verifies that compliance and financial controls are operating according to an established set of criteria. Increasingly, audit departments are turning to risk-based approaches, driven by a more forward-looking perspective aimed at addressing potential risks that could prevent an organization from achieving its objectives.
When risk-based approaches are paired with a service delivery mindset, it becomes apparent that internal audit should not use a one-size-fits-all approach. An effective audit department can create a palette of approaches, making it possible to select the optimal approach on a case-by-case basis.
Here are five proven risk-based audit approaches and techniques to enhance the customer experience of an assurance or advisory engagement, as well as the ideal audit profile characteristics, success factors, and audit skills for each approach.
1. Rapid Assurance: Pledging Just One Week of Fieldwork
Specifically intended to reduce audit fatigue in processes where documentation is strong, Rapid Assurance involves performing all steps of a standard assurance engagement in a shortened timeframe with a commitment to only one week of fieldwork. Rapid Assurance can typically be divided into three phases covering 3–5 weeks:
- Auditor Planning and Research (1–2 Weeks) involves reviewing prior audit work papers and public documentation, preparing the work program, sending the request list, obtaining view access to document repositories, and performing testing.
- On-Site Fieldwork (1 Week), during which the auditor interviews customers, performs testing, obtains follow-up requests, conducts “End of Day” status meetings, and communicates draft findings to the customer in a “soft” exit meeting.
- Finalize Testing and Report Writing (1–2 Weeks) encompasses the completion of testing, finalizing work papers and the report, and documenting agreed actions, owners, and target dates in the report.
Approach Profile: Rapid Assurance works best with relatively stable processes, people, and technology such as client onboarding, call center operations, or a third party on-site review. Processes with strong documentation and records management practices make great candidates for rapid assurance, as do processes that have been previously audited with low-to-moderate residual risk.
Success Factors: It is important to plan ahead by giving early notification and getting a time commitment from the audit client. The audit engagement should have a well-defined and limited scope. Crucially, Rapid Assurance requires the auditor to maintain a singular focus and give full attention to only one audit at a time. The key to a successful Rapid Assurance is to recognize that complexity is neither created nor destroyed—it is simply transferred. The auditor shoulders more of the effort prior to and after the fieldwork so that the client can experience relatively light interaction during a swift week of engagement.
Audit Skills: Given the shortened timeframe, the auditor should have strong project management discipline and a deep knowledge of the process to be audited.
2. Project Assurance: Real-Time Feedback and Real-Time Assurance
During a Project Assurance, the auditor evaluates the governance, risk management, and control capabilities of the project team to identify and manage project-related risks in real time. They also take on a facilitator role by promoting risk and control dialogue throughout a project.
Approach Profile: This approach is ideal for a large-scale tool, process, or program implementation with an established end date, such as a data center move, new card production site, or new work management tool.
Success Factors: Auditors need to engage early in the project to provide support from initiation and design through building and configuration, testing and training, and finally implementation and monitoring. In each phase, internal audit partners with the program manager and product sponsor to provide real-time feedback. The auditor should clearly identify scope components based on relevant frameworks such as the Project Management Body of Knowledge (PMBOK). For a process or initiative impacting a large portion of the company, it is vital that there be collaboration with all the stakeholder groups involved to ensure successful adoption.
Audit Skills: An auditor with prior project or program implementation experience would be a good choice to perform a Project Assurance approach, as would a subject matter expert or guest auditor who can help identify pitfalls.
3. Facilitated Self-Assessment: Helping Management Solve Problems
This workshop-style approach enables a department to examine and commit to improving governance, risk management, and/or internal controls for a process or function. After all, when someone is involved in identifying a problem, they are more likely to be energized to fix that problem.
Approach Profile: At its core, “facilitation” means to make an action or process easier, and this approach works well to assist leaders with expanded responsibilities to alleviate their challenges—particularly the tension between tactical execution and achieving a larger strategy. The session can be designed to help departments understand and identify their objectives, the risks associated with achieving those objectives, and the controls to address those risks. Alternatively, the workshop can enable the customer to become an internal auditor and assess their own processes. Facilitated Self-Assessment may also equip management to move toward a stronger risk and control culture by practicing real-life application of risk and control principles.
Success Factors: The visible engagement of a senior leader is crucial to empowering team members to be honest and transparent in identifying challenges. Rigorous work session design and planning enables the session to proceed smoothly, as does using referenced guidance from a credible framework. It is important to set the expectation that this approach may require testing to be performed on select key controls.
Audit Skills: To lead a workshop session, an auditor should have strong small group facilitation skills and the ability to adjust an approach on the fly. An outward mindset and the ability to influence strong risk management and control behaviors will go a long way toward helping a department identify and commit to improving their response to the specific challenges encountered.
4. Maturity Models: Framing Assurance as a Journey
Using standard maturity models such as the Capability Maturity Model Integration (CMMI) or creating customized models, a Maturity Models approach enables auditors and audit customers to assess the current effectiveness of a process while also identifying the capabilities needed to improve the process to meet objectives.
Approach Profile: This approach works particularly well with combative or defensive customers who have had difficulty accepting one or more findings. By framing their process within the construct of a Maturity Model, internal audit is able to give the customer credit for what they are doing well in the context of a journey that includes areas for future improvement. A Maturity Model approach is also ideal for corporate processes and areas impacted by M&A or organizational restructuring, for evolving their people, processes, and technology.
Success Factors: Breaking processes down into components enables the auditor to acknowledge strong controls while also identifying issues to be remedied. The Maturity Models approach can be useful in an independent advisory capacity or as an assurance engagement yielding actionable findings. The approach is particularly successful when it creates a more interactive experience of dialogue: the auditor allows the customer to weigh in on where they think they fit in a Maturity Model, and then requests evidence or facilitates a discussion to validate that perspective.
Audit Skills: The auditor must be comfortable explaining standard maturity models such as CMMI or their own methodology for creating a custom maturity model.
5. Data Analytics: Better Insight Through Data
Audit can incorporate data analytical techniques into engagements to provide richer insights, enhanced risk monitoring, and process efficiencies.
Approach Profile: Data analytics can be considered on every engagement and in all phases of an audit. It can be executed as a singular approach or coupled with any of the other four approaches. Auditors may need to get creative when assessing more qualitative data, but data analytics can be valuable in areas ranging from travel and entertainment to service desk incidents to enterprise program management.
Success Factors: Auditors must have the conviction that even the most basic data can generate insight when addressing full populations, and the ability to connect risk to data. Testing can be very quick, but only if rigorous planning has first been mapped out. Auditors must be prepared to investigate unanticipated results without jumping to conclusions.
Audit Skills: The ability to collaborate with database administrators and reporting groups will make a data analytics approach go more smoothly. Ideally, the auditor will be an analytical, technical, and logical thinker with the ability to write scripts. However, you should not let a lack of technical knowledge prevent you from utilizing data analytics.
With a service delivery mindset and your own collection of risk-based approaches to choose from, your audit department will be in a strong position to select the best approach to create a more trusted relationship with your customer as well as a beneficial engagement outcome. By thoughtfully tailoring the audit approach to each particular situation, internal audit can reduce audit fatigue, meet customers where they are, provide real-time assurance, and create a positive impact on their organization.