Richard Chambers, President and CEO of the Institute of Internal Auditors, recently blogged: “There is no question that technology is making continuous auditing a powerful tool for both internal auditors and managers, alike. However, despite the growing popularity of continuous auditing, I believe one of the true challenges in the next decade will be to continuously assess risks.”
Richard mentions that in addition to a formal approach to monitoring key risk indicators there is a need to continuously monitor for changing conditions and factors that signal a new type of risk that needs to be considered. This makes a lot of sense to me, both at the macro level in terms of major economic and market trends, as well as at the detailed micro level.
What do I mean by this? Well, for both continuous auditing and continuous risk assessment – which I think should be considered as very closely related and complementary to each other – there is the issue of “you don’t know what you don’t know.”
At the macro level it may be fairly obvious when new types of risk arise; for example, when technology innovation causes a product line to become suddenly obsolete. You don’t know when and if this is going to happen, but you can have a process in place that takes at least the possibility into account.
At what I will call the micro level, it can be far harder to take account of changing risks that are due to changes in the way that some very specific and detailed business process works. It is relatively easy to establish automated technologies that monitor for indicators of certain types of risks that are predictable and common to most businesses and business process areas, e.g. the risks of corrupt payments, duplicate payments or fraudulent payments. The problem that can arise, however, is the sense of complacency and false assurance that can be established when continuous auditing and monitoring systems are in operation. Large volumes of transactional data can be tested every day to look for the typical indicators of the various forms of inappropriate payments. But how do you know when some small business process change occurs that means the test that was being run now has a big gap in its effectiveness?
This can be a very real risk – but one that can be addressed by a combination of approaches. One approach is to always consider continuous auditing and monitoring as being part of a dynamic process. (Part of the challenge, and fun, of being a good auditor is to think of all the things that could potentially happen. Back in my own days as a practicing auditor, I used to find this to be one of the most rewarding and surprisingly creative parts of the job.)
Another approach is to make use of the pooled knowledge of many auditors and risk assessors. Let’s take a simple case like duplicate payments. A test can be easily designed to detect instances of the same invoice number being paid to the same vendor. But there are probably at least twenty different combinations of ways in which duplicate payments can still occur and be undetected through a simple test. Over the years, ACL has built up a large library of tests – currently in the thousands – that address many of the permutations and combinations of the ways that systems can work and create risks of problems being undetected.
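The gap described above, shown as an added example that is not from the original post or from ACL's test library: the simple vendor-plus-invoice-number test beside two variant tests. The payment records, the invoice-number normalization rule and the amount/date rule are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample payments (not real data):
# (payment_id, vendor_id, invoice_no, amount, invoice_date)
PAYMENTS = [
    ("P1", "V100", "INV-00123", 1500.00, "2024-03-01"),
    ("P2", "V100", "INV-00123", 1500.00, "2024-03-01"),  # exact duplicate
    ("P3", "V100", "inv 123",   1500.00, "2024-03-01"),  # reformatted invoice number
    ("P4", "V200", "7781",       320.50, "2024-03-04"),
    ("P5", "V200", "7781A",      320.50, "2024-03-04"),  # suffix added on re-entry
    ("P6", "V300", "A-55",        99.00, "2024-03-05"),
    ("P7", "V300", "A-56",        99.00, "2024-03-09"),  # legitimately distinct
]

def _groups(payments, key):
    """Group payment ids by key(payment); keep groups with more than one payment."""
    buckets = defaultdict(list)
    for p in payments:
        buckets[key(p)].append(p[0])
    return sorted(ids for ids in buckets.values() if len(ids) > 1)

def simple_test(payments):
    """The simple test: same vendor and identical invoice number string."""
    return _groups(payments, lambda p: (p[1], p[2]))

def normalize_invoice(inv):
    """Assumed rule: compare digits only, ignoring leading zeros, case and punctuation."""
    digits = re.sub(r"\D", "", inv).lstrip("0")
    return digits or re.sub(r"\W", "", inv).upper()

def normalized_test(payments):
    """Variant: same vendor and same normalized invoice number."""
    return _groups(payments, lambda p: (p[1], normalize_invoice(p[2])))

def amount_date_test(payments):
    """Variant: same vendor, amount and invoice date, whatever the invoice number."""
    return _groups(payments, lambda p: (p[1], p[3], p[4]))

def missed_by_simple(payments):
    """Payment ids flagged by either variant test but not by the simple test."""
    flat = lambda groups: {pid for g in groups for pid in g}
    variants = flat(normalized_test(payments)) | flat(amount_date_test(payments))
    return sorted(variants - flat(simple_test(payments)))

if __name__ == "__main__":
    print("simple test:      ", simple_test(PAYMENTS))
    print("normalized test:  ", normalized_test(PAYMENTS))
    print("amount/date test: ", amount_date_test(PAYMENTS))
    print("missed by simple: ", missed_by_simple(PAYMENTS))
```

The variant tests produce candidates for review rather than confirmed duplicates, since looser matching keys also raise the false-positive rate.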
Another way in which technology can be used to help in dynamically assessing changing risks is through a visual approach to analytics. This can be a very effective supplement to the use of large libraries of structured automated tests. By looking at entire populations of transactions, grouped in various different ways, it can become quickly apparent when something has happened that does not fit a typical model and understanding. This can be a good way of providing an indicator of something “you did not know you did not know.” ACL has always had the capability to Classify enormous volumes of data in this way and look at the results graphically. As technology for data visualization advances, it will not be too long before auditors and risk assessors can expect some exciting new ways to visualize data with ACL.