It feels odd to have to continue to justify the need for and use of analytics. What can I add that has not already been stated many times over the past 20-30 years? Studies since the early 1990’s have pointed to the need for businesses and auditors to embrace the use of analytics. More recently, Deloitte’s 2021 Global Risk Management Study1 recognizes the potential for digital risk management technology to improve risk management effectiveness and efficiency while reducing ERM costs. According to the study, the use of technology can enhance the effectiveness of risk management by “reducing errors, improving controls, and identifying potential risk events in real time so that preventive action can be taken, among other benefits.” The Protiviti/NC State2 report presents similar analysis, stating: “managing today’s risks using outdated techniques and tools may leave the organization exposed to significant and potentially disruptive risk events that could obviate its strategy and business model and threaten its brand and reputation — even its very survival.
According to PwC analysis3, even if Board members and senior executives agree on the organization’s top risks, their overall vantage regarding how well a risk is being managed, its priority, and how connected it is with other risks may not align. This can ultimately hinder executives’ ability to make the best risk-informed decisions.
Add to the mix, the IIA’s recently updated Three Lines Model4 which clearly states the need for “collaboration and communication across both the first- and second-line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.” Given the complexity and interconnectedness of modern risks, it is pertinent for all three lines to integrate beyond merely communicating and sharing risk data with one another. As many audit, risk, and compliance professionals can personally attest, the different risk functions often monitor, asses and report on the same risks using different methodologies and approaches. This results in overlap, duplication of effort, inefficient use of resources, and, even worse, the potential for conflicting analysis and reporting. Even more disturbing, non-coordinated, siloed activities and varied reporting around the same risks can cause gaps or inaccurate description of enterprise-wide risk.
In addition, Chief Audit Executives have consistently stated that auditors should be trained in the development and use of analytics. Perhaps this is a bridge too far – asking too much of auditors who are already being stretched to their limits. They are continually being challenged to understand all business processes that they might be called upon to audit, to be able to identify and assess risks and to conduct adequate tests to be able to conclude and make recommendations on everything from P-Card usage to the controls safeguarding the international supply or materials required by a complex production system (an example from my experience: the integrity of a national food supply process). They also need the ability to identify the data requirements, extract the necessary data, and build sophisticated analytics to measure risk, test internal controls, prevent and detect fraud, and contribute to operational efficiency and effectiveness. Finding this skill set in an auditor is as rare as finding a unicorn. If you go the route of relying on IT experts and programmers, you have the reverse side of the problem – staff with a high-level of IT skills that will also need to understand the audit process and business processes, risks, and controls.
What can be done to do to address this challenge?
The ideal situation is one where you have at your disposal a consolidation of business process understanding, IT systems that support the business processes, knowledge of the controls, and the ability to identify and assess the risks. In other words, a unicorn leveraging the knowledge and functionality gleaned from years of experience and analytics proven in hundreds of enterprises. The solution lies in a software as a service delivery model that is designed to provide audit, senior management, and the board with ongoing monitoring of the critical risks and fraud exposures in the financial operations areas. Analytics that are linked to the audit process: criteria, condition, cause, impact, and recommendation; but also support internal control, compliance, risk, and anti-fraud requirements. Allowing financial operations, internal controls, risk management and audit to truly collaborate. Analytics that are designed, tested, implemented, and proven across numerous businesses. That provide concise not only the analytic reports, but also that identify the condition, impact, root cause, and specify the recommendations that should be taken to mitigate risks and improve operational efficiency and effectiveness. That allow the senior manager to view visually the impact on financial operations and drilldown into the supporting data; and to track the effect of actions taken.
CTRLmatters is the solution. A subscription service that combines the data acquisition (including cleansing and preparation), analytics, intelligent results analysis, dynamic visualization, and action-oriented recommendations to truly maximize the utility of data analysis for audit purposes. Running sophisticated tests against reliable data makes the process simple, consistent, and comparable. Finally, there is a solution that automates analytics and identifies quantifiable recommendations for action in plain language – all with the press of a button. Now every organization can have its own unicorn. And by the way, the costs are an order of magnitude less than if you tried to find your own!
Dave Coderre
Founder and Principal Analytics Architect
CTRLmatters Corporation
www.CTRLmatters.com