In this special five-podcast series, Matt Kelly and I have been exploring the future of internal audit (IA), compliance and analytics. In the final episode, Part V, we discuss how IA can get started and provide some concluding remarks. We consider whether the technology is here today to implement the suggestions put forward this week. Can (or perhaps should) a company outsource internal control testing or internally develop a tool for analytics? We consider some of the biggest obstacles audit leaders cite for moving forward (lack of resources, business complexity, and lack of staff) and how the Chief Compliance Officer (CCO) can aid IA in this evolution. We conclude with some thoughts that to succeed, an organization should know its objectives, get good data and think in terms of harnessing and channeling risk, rather than fulfilling compliance.
It begins with complete and accurate reports, with all of the financial data present. You must begin with a complete and accurate list of data. You need to think all of this through at the beginning and have strong internal controls around it, because without good data you get bad data, which leads to bad internal controls, and this leads to bad conclusions. From that point, Kelly noted, “everything we have talked about here goes out the window because it started with a bad foundation.”
From there it moves to the analytics. Fortunately, multiple vendors currently provide products with some type of data analytics capability. For instance, they exist in the gift, travel and entertainment (GTE) database space, third-party management platforms and hotline reporting tools. The key is to have a central repository of data that you can trust, that is validated and tamper-proof. The next step is to extract the data from its respective repositories with an analytics tool and present it in a visualization tool.
The next requirement is staff. Right now (and for the foreseeable future) data analytics professionals can write their own tickets, so this may be a problem for startups or smaller companies. However, larger companies may have business analysts who could fill this role. Kelly said that you could potentially pair them with IA to perform analysis projects. Internal auditors are going to know how to audit and what questions to ask; however, they may not know how to get the visualization and the analytics done well, and that is where the business analysts come in.
The pairing of a subject matter expert (SME) with IA can also work. Kelly pointed to the example from the Cleveland Clinic, where the Chief Integrity Officer, Don Sinko, has had success using employees from the nursing staff, as they know the operations inside and out, and when you pair them with an internal auditor it “creates a nucleus of operational knowledge.” Other examples are banks that use employees from the customer care centers because they have the greatest knowledge of the company’s problems.
Another key issue which Kelly pointed to was whether the company truly understands its objectives. He stated, “What are the actual objectives? Does everybody know them? Does everybody know which one is ranked number one and which one is ranked two, three and four? You really need to think through this is what we want to achieve.” From there you should ask: what are the risks that might prevent us from achieving these objectives? The next step is then to reverse engineer which business process controls are needed to minimize those risks. Kelly said another way to consider it is that “you need to manage the risk and actually the more technical school of thought out there is, it’s an objective based risk management is what you need. What are my objectives? What are the risks to achieving them? How do I reduce those risks?” The implicit assumption is that the business knows what its objectives are and which ones are more important than others.
The IA evolution that we have explored over this five-part series follows what I see as the evolution of compliance, where it went from a paper program to doing compliance to operationalizing compliance and now beyond that. IA, compliance and a wide variety of other corporate disciplines really need to change their thinking about risk, looking at risk not only as an opportunity to harness and channel but also as something to manage more nimbly going forward, not simply fulfilling some legal compliance. Kelly added some thoughts from the compliance realm, which is that “many compliance officers wince at the idea of compliance as a bolt on addition which you engage in only at the end of the business process.” This outdated definition of the corporate compliance function “is a drag at the end of the otherwise aerodynamic operation. It slows everything down and you don’t want that. You want compliance embedded throughout the whole organization and smart ethical conduct all the way through.”
IA has a similar dynamic, because historically IA would do a financial statement audit and it would be a bolt-on, since the annual audit is done only once a year. It was performed and completed after the end of the fiscal year. Now we are moving beyond this, as Boards of Directors need more assurance on more risks. They need to know that risk is governed, and that it is governed all the way through the risk management cycle.
Now overlay the same dynamic with the compliance function. As Kelly noted, “we’re talking about risk monitoring and internal audit as opposed to ethics and compliance and the compliance function. This is where internal audit needs to get to because this is where business processes are moving to. All information is becoming datafied and you are able to monitor this data.” Kelly added a visualization when he said, “You are able to analyze when something drifts out of the Green Zone and into the Red Zone.” Kelly believes this is where we are headed and closed by stating, “I think we can probably get there, but there’s no reason why we cannot do so. With some good thinking and good use of technology now, there is no reason why you could not start your organization on that path right away.”