For many years internal auditors depended on sampling and transaction testing to determine whether controls were operating as intended. The idea was to apply audit procedures such as observation of activities and inspection of documents to individual transactions in order to determine whether a control had failed and the underlying risk event had occurred. This practice was tedious and time-consuming. By leveraging Key Risk Indicators (KRIs), internal auditors can instead use data to gain a more objective understanding of risk dynamics sooner, and identify changes in the organization's risk profile in time for intervention and review.
The Standards require internal auditors to remain independent and objective in performing their work (Standard 1100). Because of this requirement, internal auditors must not perform control activities. While engaging in continuous controls auditing, therefore, they must take care not to become involved in the day-to-day management of the processes they monitor, since that could amount to performing the controls themselves. When designing continuous auditing procedures, auditors and management must decide together which metrics will be tracked and which thresholds should prompt the auditor to look more closely at an operational issue. The following two examples illustrate this concept.
Consider an organizational procedure consisting of payment receipt and processing, where payments received must be credited to the corresponding customer accounts.
The related controls have two components:
- The generation of an exception report when the customer cannot be identified, and
- The items on the exception report must be corrected within two days to ensure the prompt handling of the payments and customer credit.
If on a given day the customer to whom a payment should be credited cannot be identified, that night the system generates an exception report showing funds received with no corresponding customer credit, and the amount is placed in a suspense account. If the customer is identified the next day, the payment is credited to the correct account and the control has worked as intended.
If the correction is not made on the second day, the unapplied payment should appear on the second day's exception report as well. If the payment is cleared on the third day (two days after it was received), the control has still worked and there is no need to escalate.
If at the end of the third day any payments are still pending resolution, however, the control was not performed as planned. The question then becomes: should the internal auditor be notified now? For a routine payment processing activity, the risk may not warrant such notification. It may, however, warrant escalation within management so that they are aware of the control failure.
So when should KRIs be activated to warn the internal auditor?
In traditional payment processing environments, the auditor could be notified after payments have remained unapplied for roughly 25 days. By that point the control has failed (the two-day window passed long ago) and, some 23 days later, the problem still has not been addressed. What is likely to happen in this scenario is that when the next monthly invoices are produced, the unapplied payments will not be reflected on them, which triggers customer e-mails, phone calls, letters, office visits and complaints. With a notification procedure in place, the auditor remains independent yet becomes aware of the growing problem around day 25, and can contact management to make sure the matter is being researched, because the control has clearly failed.
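To make the two thresholds above concrete, here is an added example (not code from the original article) that ages items in a suspense account and sorts them into escalation tiers: still within the two-day window, overdue for management follow-up, or stale enough to notify internal audit. The record layout, the sample ledger, the use of calendar rather than business days and the exact threshold values are all assumptions chosen for the illustration.

```python
"""Aging monitor for unapplied payments held in a suspense account.

Added illustration of the escalation thresholds described in the article;
it is not code from the original page. The record layout, calendar-day
aging and the two thresholds (2 days for management, 25 days for internal
audit) are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds from the narrative: exceptions must be cleared within two days;
# internal audit is notified once an item has been unapplied for ~25 days.
MANAGEMENT_DAYS = 2
AUDITOR_DAYS = 25


@dataclass(frozen=True)
class SuspenseItem:
    payment_id: str
    amount: float
    received: date
    applied: Optional[date]  # None while the payment is still unapplied


def age_in_days(item: SuspenseItem, as_of: date) -> int:
    """Days the item sat (or is still sitting) in suspense, as of `as_of`."""
    end = item.applied if item.applied is not None else as_of
    return (end - item.received).days


def classify(item: SuspenseItem, as_of: date) -> str:
    """Map one item to an escalation tier.

    ok            cleared within the two-day window (control worked)
    late_cleared  eventually cleared, but after the window (control missed)
    open          still unapplied, but within the window
    management    unapplied beyond the window: escalate within management
    auditor       unapplied for AUDITOR_DAYS or more: notify internal audit
    """
    age = age_in_days(item, as_of)
    if item.applied is not None:
        return "ok" if age <= MANAGEMENT_DAYS else "late_cleared"
    if age >= AUDITOR_DAYS:
        return "auditor"
    if age > MANAGEMENT_DAYS:
        return "management"
    return "open"


def kri_report(items, as_of: date) -> dict:
    """Return a KRI snapshot: counts per tier plus the ids needing escalation."""
    tiers = {"ok": [], "late_cleared": [], "open": [], "management": [], "auditor": []}
    for item in items:
        tiers[classify(item, as_of)].append(item.payment_id)
    unapplied = [i for i in items if i.applied is None]
    return {
        "as_of": as_of.isoformat(),
        "counts": {k: len(v) for k, v in tiers.items()},
        "unapplied_amount": round(sum(i.amount for i in unapplied), 2),
        "escalate_to_management": tiers["management"] + tiers["auditor"],
        "notify_auditor": tiers["auditor"],
    }


# Constructed sample ledger for the example (not real data).
SAMPLE_AS_OF = date(2024, 3, 31)
SAMPLE_ITEMS = [
    SuspenseItem("P-1001", 1200.00, date(2024, 3, 4), date(2024, 3, 5)),  # cleared next day
    SuspenseItem("P-1002", 450.50, date(2024, 3, 4), date(2024, 3, 6)),   # cleared on day 3: within window
    SuspenseItem("P-1003", 980.00, date(2024, 3, 4), date(2024, 3, 12)),  # cleared, but control missed
    SuspenseItem("P-1004", 300.00, date(2024, 3, 5), None),               # 26 days unapplied: auditor
    SuspenseItem("P-1005", 75.25, date(2024, 3, 26), None),               # 5 days unapplied: management
    SuspenseItem("P-1006", 2000.00, date(2024, 3, 30), None),             # 1 day: still within window
]

if __name__ == "__main__":
    import json
    print(json.dumps(kri_report(SAMPLE_ITEMS, SAMPLE_AS_OF), indent=2))
```

Run daily against the real suspense-account extract, the `notify_auditor` list is the KRI escalation notice described above, while `escalate_to_management` feeds the first and second lines; the auditor only receives the notice and never clears the items, which keeps the independence requirement intact.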
Let's consider another example. By monitoring the number of mild, medium and severe accidents, internal auditors can obtain an early warning of problems. Business activities should be performed accident-free, so an early indication that accidents are occurring lets internal auditors support management's effort to rein in the problem. Potential causes include rushed production activities, poorly trained workers and skipped safety practices.
By identifying the problem early on, internal auditors can help management:
- Prevent the overall number of accidents from increasing, and
- Prevent minor accidents from becoming more severe ones.
After all, increasing production while generating more accidents is a dangerous combination: it raises the risk of government regulation and lawsuits and, in general, signals a breakdown of ethical operating practices.
Continuous auditing provides unparalleled opportunities for today's operational auditors. Reviewing one fiscal year at a time was the norm for decades, but that legacy of financial reviews should be re-examined. As long as the data is reliable and complete, it is possible to extract, analyze, organize and opine on virtually any type or amount of data. Sampling and manual records often offer only a limited view of operational dynamics and may give an incomplete picture of the process under review.
Since it’s management’s responsibility to establish the processes that support business objectives and monitor the performance of those processes, they should also implement continuous monitoring activities. By focusing on KPIs and KRIs, management can identify anomalies promptly as part of the work of the First Line of Defense. It is also important for problems to be identified by the Second Line of Defense during their monitoring work. Internal auditors, as the Third Line of Defense, can add value by focusing on erratic KRIs and receiving risk-based escalation notices, so they can work promptly with management before broken controls become significant risk events.