You have a choice that you may not be aware of when you’re looking to perform a risk assessment. You can either be an auditor or you could be a unicorn. Maybe up until now, not understanding your options, you’ve only chosen to be an auditor. But what if you can be both?
Sure, you could go about doing risk assessments the same way you’ve always done them, performing walkthroughs, asking leading questions in your initial risk assessment discussion, and praying that Bob sends you that project plan you requested three days ago, called about yesterday, and cornered him in the lunch room this afternoon over.
Above are all great risk assessment choices! But what if you took a different approach?
The root of most risk comes from the processes that keep the auditee group running. Are they the right processes? Are they actually being performed? Can anyone actually prove these processes are being done or not? Most of the time, when you first step into a risk assessment, you’ll give them your best audit smile, shake their hand, introduce yourself, and ask the million dollar question, “What keeps you up at night?”. But what if, instead, you went in armed with analytics about the group and the ability to create more focused questions based on those analytics?
We could all use a few risk assessment unicorn tactics, so below we’ll present a couple of specific analytics you can develop to help inform your next risk assessments.
Analyze process maintenance with employee retention analytics
Take one of our favorite examples for understanding risk: employee retention against process maintenance. Using data analytics, an auditor can form some solid initial conclusions about turnover rates.
Let’s say you’re walking into an assessment group and you already know that the group has had a 60% turnover rate in the last year. An auditor would probably conclude that not all the processes that are supposedly in place are getting passed along. In another group, the average seniority of the group is 15 years, and the average time in each of the roles in the group is over five years. You could probably bet money that their processes are outdated and that Fran will most definitely not be interested in your fancy Excel macros or new-fangled Windows XP.
Unicorn Tip: Analyzing employee retention can be tricky, so knowing your HR system, or separation process in general, can really help you along with creating the above analysis. To give you a hoof up, some helpful starting data points to pull are listed here:
- Length in current role. This data can be used to assess the average ‘knowledge’ age within the group.
- Total seniority with the company. This is useful for understanding if processes may be too ingrained in the group (e.g., if everyone has been with the company for 20 years, they’re probably not going to be changing everything they’re doing any time soon).
- Number of open positions in the area. This data can identify processes that maybe circumvented from lack of resources (e.g., we normally have two people authenticate, but since we’re so understaffed, we’ve been skipping it).
- Employee hierarchy in the area. This information will help you understand the ratio of employees to leaders in the group and if there may be a possible lack of oversight.
Assess flight risk with the two unspeakables: time worked and pay disparity analytics
There are always topics people aren’t supposed to talk about, but we all know that they do. Shannon over in accounting will definitely spout spoilers about whoever died last night on Game of Thrones, loudly and possibly with a megaphone, the morning after it aired. Gary will definitely make a comment on how late John gets in, and how `does he even afford that fancy new Mustang?`. Everyone will complain about how crappy the toilet paper is in the bathroom. (Seriously, is that some kind of countrywide company policy?)
Point is, people talk about a lot of stuff. And the places most auditors don’t think to look, but that can give you a huge insight into a group’s dynamics and temperament, are the two places we don’t like to talk about: pay disparity and time worked.
They are sensitive topics, hard to pull together, and you have to be careful with how you discuss them. But who better than Internal Audit to add these aces up their sleeves when determining whether an area is a risk or not for the organization?
There are two risks to keep in mind when looking at either or both of these analytics. The first is that a group that is underpaid and overworked compared to their peers is more likely to be dissatisfied with their role and an overall flight risk for the organization. The second is that those same employees are also more likely to circumvent processes in place or checks that are supposed to ensure things are performed properly. Keeping both angles in mind is important when developing and incorporating the analytics into your assessment.
On to the actual analytics! Let’s tackle hours worked first. Here is an example to give us context: one group works 80 hours a week while their sister group, who reports up to the same senior leader and sits next to the overworked one, only puts in 50 hours a week.
Just like Gary above, people notice that others are working way less than they are, and they’re definitely not making sure they’re following each rule to the letter. By creating an analytic showing this, you’ll better be able to walk into an assessment already knowing an area of stress for the organization and ask the right questions to the auditees.
Unicorn Tip: Being able to review hours worked is going to depend on how your network or badging systems at your company are set up. More importantly, though, you’ll need to have a discussion with your senior leadership about putting this together before you do, and ensure that the information does not pass beyond Internal Audit. A couple of ways you can approach pulling this together would be the following:
- Network logs and badge scans. Review logs and scans for all employees in the area for a set period of time, including first login/scan and last logout/scan. You’ll need to take time to understand the individual systems, but don’t get discouraged. Even if you can get 80% of a population, that’s still great knowledge that you didn’t have before.
- Remote login systems. A lot of companies have remote login systems for people who work from home (WFH). Piggybacking off those systems’ information is a great way for you to get a view of how WFH is actually working in your company. Combined with the above information, you can also get an idea of remote/in-
All right, we’ve got hours worked under our belt now, so let’s tackle pay disparity. By looking at the pay disparity of a group, you can begin to understand a couple things: inherent skill level (if one group is far underpaid from the other) or if there are large variances within a group itself. You can also combine this data with the hours-worked analytic above to review if some groups are overworked and underpaid, which is a perfect storm of someone definitely not going above and beyond to make sure things are running smoothly.
Pay disparity and overworked employees feel inherently risky, but having analytics on hand can lend validity to assumptions made during your assessment. Think about your own workplace: we don’t work in silos, never communicating or looking around. Do people talk about how little they’re paid or how much they work more than others? Of course they do.
Unicorn Tip: There’s one caveat to analyzing pay disparity: pay disparity issues should only be reported to the director or CEO. This is not an issue you want to publicize to all of middle management, and it should not be widely distributed.
Data analytics aren’t just myths or sample pulls from populations. Well-built analytics can be the magic that drives the risk assessment, helping auditors know what questions to ask and which areas to audit. But be aware: if you’re going to refer to yourself as a unicorn, you better have a can of magical whoop-ass to back up your assessments.