Don’t navigate risky waters without internal auditors: Guidance on leveraging audit analytics for risk assessment

©2012 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd.

Contents

• Introduction
• What’s Risk Got To Do With It?
• Internal Audit’s Evolving Risk Role
• Why Bother? Redefining Internal Audit as a Business Necessity
• Risk is Not a “4-Letter Word”
• So Why Aren’t We There Yet?
• Enter Audit Technology
• Risk Assessment Process: At a Glance
• Assessing Low, Medium and High Risk
• Prioritizing Risk with Scorecards
• Risk-Based Audit Planning
• Staying Current with Changing Risk Profiles
• Example Analytics for Identifying Risk
• Case Studies
• So Much Risk, So Little Time…
• Insurance Against High Risk
• Continuous Risk Assessment: Where the Rubber Hits the Road
• Steps of Applying Analytics for Risk Assessment
• Conclusion

Introduction

Does this sound familiar?

“Risk wah wah wah risk wah Wah wah risk.” – Miss Othmar, Peanuts Comics

There’s an ocean of information out there about risk. You’re likely already feeling the pull of the tide for internal audit to be more consultative and assume a stronger focus on risk management. As organizations navigate increasingly complex business environments, audit’s role is evolving and risk acumen is vital. But what does it mean in practical terms for your internal audit team?

Internal audit departments are in a unique position to help business leaders comprehend and navigate risk. Traditional assurance roles are expanding to encompass fraud and risk management, and internal audit is expected to play a more active role in assessing higher-level risks in an organization. Internal audit has access to extensive insight into the business via audit analytic technology. How can this wide view of the organization and business processes be leveraged to help pinpoint areas of risk for management? And how do you become more efficient and effective at pinpointing risk assessments?

However, the problem with focusing more on risk is that you stop paying attention to things that have been deemed to be risk-free, and that assessment could be wrong, causing you to miss something significant. Or, conversely, you may recommend excessive risk mitigation and be misaligned with corporate strategy, thereby decreasing your relevance and reducing the value you provide to your organization.

In this eBook, we’ll outline how to leverage audit analytics to test the controls designed to mitigate risk, identify areas where risk is not known, as well as become more efficient at managing low risk areas.

What’s Risk Got To Do With It?

First, let’s be clear: Risk management is a management responsibility. Internal audit’s role is to provide assurance around risk management. Have we identified the key risks to our organization? Do we have processes, controls and strategies in place to manage or mitigate that risk?

Internal audit departments already play a critical role in safeguarding organizations from loss and providing assurance around business activities. There is no better place for organizations to look than to their internal audit function for a cross-departmental view of risk.

Within the COSO-based risk management framework, management’s role is to do a top-down risk assessment for their organization and identify risks that are likely to negatively impact their objectives. Appropriate controls, be they IT-based automated controls or policy-enabled manual controls, can then be put in place to mitigate those risks. While this is a management activity, internal audit departments are a key component in effective governance and can contribute significantly to improving overall risk management assurance.

Furthermore, successful internal audit departments have a unique understanding of business processes and the ability to analyze the transactional data that they generate. This unique mix of business and IT domains enables internal audit to evaluate the operating effectiveness of these processes and the internal controls that have been put in place to mitigate business risks.

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The Institute of Internal Auditors (The IIA), “Standards and Guidance”

Internal Audit’s Evolving Risk Role

Prior to the downturn, many organizations were focusing their Governance, Risk and Compliance (GRC) activities on evaluating risks in their financial controls for compliance requirements such as Sarbanes-Oxley (SOX) or similar legislation. With the downturn, the tide swung back to pre-SOX days. And since then there have also been giant leaps forward in the availability of data. Operational risks are again keeping executives up at night and are now the focus of effective GRC strategies.

But, the tides have changed. There’s increasing pressure on organizations to make better, more informed decisions and to gain greater insights into business risks. That means more pressure on internal audit departments to provide heightened levels of insight into organizational risk. With that has come a shift in the risk management role played by internal audit, and the role expected to be played in the future:

| Role description | Current Role | Future Role | No Role |
|---|---|---|---|
| Informally provides consulting and advice on risk management practices | 77% | 14% | 9% |
| Is the catalyst in forming risk management | 48% | 14% | 38% |
| Has active participation in implementing risk management | 45% | 20% | 35% |
| Participates as part of a formal risk risk management | 43% | 30% | 27% |
| Provides independent assurance on risk management | 40% | 35% | 25% |
| Assists and advises a new, separate risk management function | 28% | 21% | 51% |

Source: Internal Auditing’s Role in Risk Management (2011), The Institute of Internal Auditors Research Foundation, p

Why Bother? Redefining Internal Audit as a Business Necessity

Why take on more, you ask? The IIA is calling for a self-assessment on the profession itself. Do internal audit departments support their organization’s big picture goals? What value does internal audit provide? Is internal audit regarded as relevant?

With an increasing focus on risk throughout organizations across most industries, internal audit departments are, fortunately, well-poised for demonstrating their relevance and the value they provide to any organization. It’s time for internal audit to embrace its unique position and demonstrate the critical role it plays.

“Relevant internal auditors are regarded by their stakeholders as indispensable assets and as professionals who are tirelessly committed to helping the organization achieve goals by providing independent, objective, and candid audits stemming from insightful, dynamic assessments of risk. I urge all internal auditors to mitigate their risk of obsolescence by moving quickly to self-assess how they measure up against this relevance yardstick.”
Denny Beran, CIA, CCSA, CPA, CFE, Chairman of the Board, The Institute of Internal Auditors. Quoted in “Assess our relevance,” Internal Auditor Magazine, August 2011

“Age of Integrity”: Business owns the integrity. Internal audit’s role is to help the business identify the risks.

The Story of Risk in the Hundred Acre Wood

One can draw parallels by looking at the characters in the Winnie the Pooh stories. Some people are Piglets who worry, worry, worry and want to take no risks whatsoever. Others are Eeyores who are gloomy and resigned to the worst possible thing happening, so why fight it. And then some are utterly confident and wise in their view that everything is under control and that nothing bad could possibly happen in their organization (clearly Owl) until their house blows down. The only character who seems continually unperturbed is Winnie the Pooh himself. What does he know that others don’t?

Perhaps Pooh knows that taking risks, within your organization’s tolerance or risk appetite, can help your organization grow and achieve its goals.

Risk is Not a “4-Letter Word”

What many forget is that all risk is not bad. A complete absence of business risk virtually guarantees limited growth. Taking risks within your organization’s risk tolerance and risk appetite can help organizations grow and achieve their goals. You need to understand your organization’s risk appetite before you can audit it.

“The recent spate of business crises and our organizational responses to them have highlighted a surprising misconception – that risk is the opposite of reward. It is not: loss is the opposite of reward. Risk simply represents the possibility that a loss or reward will occur.”
Shayne Gregg, Partner, Enterprise Risk, Deloitte & Touche, “The New Chief Audit Executive: Leadership in the risk intelligent organization”

So Why Aren’t We There Yet?

Some common obstacles that get in the way of more frequent oversight of high-risk business processes include:

• Lack of availability of resources. There just aren’t enough audit staff to increase assurance and value-add services and there isn’t enough money to hire more.
• Sheer volume of business transactions. It is time-consuming and difficult to scrutinize the enormous volume of data from complex, modern business applications that process all that data.
• Communication challenges. Where internal audit has the ability to identify control breaches or indicators of risk, how can this be communicated to management?

The goal is to make these processes integral to risk assessment and audit activities, and to make them sustainable and repeatable. How do you do that?

This is where audit technology takes the helm.

Enter Audit Technology

So, how does audit technology fit in? Internal auditors can use audit analytics to test the operating efficiency and effectiveness of the controls that are created by management to address risk, as well as to identify areas where risk is not known.

How does technology, specifically audit analytic technology, directly support the more detailed risk assessment process for auditors?

✓ A drill-down approach to risk assessment can be used to drive development of a specific audit program and identify those areas that need greatest audit focus.
✓ Use analytics to determine where to focus audit attention. Consider using a risk scorecard to assist with this process.
✓ Once this has been assessed within an audit program, consideration can be given to determine whether analysis technology can be used to improve efficiency and effectiveness of a given audit procedure.
✓ Once an area has been selected for internal audit, the first step may be to perform an overall analytics review of activities within an area to assess more specific risk points that warrant detailed audit investigation. For example:
   » Why are overtime amounts significantly higher in one region than the norm?
   » Why within one branch are very large volumes of expense transactions occurring just under the threshold where additional approval is required?
✓ By using technology to test 100% of transactions, an auditor is best able to determine that controls are effective and risks mitigated.
✓ Leveraging analytics to address lower risk areas enables the reallocation of key resources for higher-stakes risk.

“Successfully addressing these demands requires a combination of leadership, processes and tools from internal audit. These include, most prominently, a stronger role in boosting the organization’s overall risk management capabilities as well as greater use of automation and analytics, such as continuous auditing, to deliver greater efficiency and effectiveness.”
Shayne Gregg, Partner, Enterprise Risk, Deloitte & Touche, “The New Chief Audit Executive: Leadership in the risk intelligent organization”

Risk Assessment Process: At a Glance

[Figure: cycle diagram of the risk assessment process. Legible labels: Identify areas of risk across the organization; Collect input from multiple sources; Assess & score risks by likelihood and severity; Link risks to audit areas; Prioritize (risk coverage, financial coverage/significant sites, operational projects); Allocate resources; Evaluate how well controls are working; Assess overall impact of exceptions identified; Investigate findings; Follow-up on resolution; Re-assess risks by likelihood and severity; Prioritize risks and audit sites, as needed.]

“Basing audit plans on an annual snapshot of risk is like relying on a security camera that films once a day for five minutes.”
Richard Chambers, Responding to Change, Internal Auditor Magazine (2010)

Example Analytics for Identifying Risk

To determine what to test with audit analytics, consider: What should your data look like if a mitigating control is in place and working? And what might be anomalous in the data if a risk is not being successfully managed?

Simply put:
1) Know your risks
2) Test data to ensure risks are identified and managed

Also, be aware that what you don’t know is risky. Think about how reliable your master data is; bad data is in itself a risky scenario.

Let’s have a look at some potential risks and audit analytic testing opportunities in some example business areas:

Travel & Entertainment: Duplicate Reimbursement
• Risk Scenario: Employees may make charges on a corporate procurement card, and in addition to running these through the P-card payment process also submit these for cash reimbursement as part of the T&E process.
• Challenge: Travel & expense payment management systems are oriented towards timely capture and processing of employee claims and are rarely integrated with P-card processing and payment systems.
• Analytic Solution: Using both exact matching and similar matching techniques, identify claims submitted for reimbursement on both corporate purchase cards and employee T&E expense reports.

Travel & Entertainment: Supplier Spend Report (i.e. Hotels)
• Risk Scenario: Employees may not be using approved travel suppliers such as hotels and airlines, negating the impact of negotiated discounts with these suppliers.
• Challenge: Accumulating useful management information from the detailed travel and entertainment expense data is often difficult to do.
• Analytic Solution: Utilize the travel & expense data gathered for control testing to generate key performance indicators and other summary information which has value to decision makers.

FCPA: Suspicious Vendors & Customers
• Risk Scenario: The Foreign Corrupt Practices Act (FCPA) imposes penalties on US companies who engage in corrupt practices with foreign business or government entities.
• Challenge: Potential problems can be hidden within large volumes of transactions, but only a single violation can result in penalties.
• Analytic Solution: Alert compliance teams to suspicious vendors using techniques including comparison of vendor name & address details against external prohibited vendor lists (GSA, OFAC), Politically Exposed Persons databases, payment method and country of origin.

Payroll: Ghost Employees
• Risk Scenario: Payroll disbursements may be generated for fictitious employees.
• Challenge: Management is typically responsible for verifying employees, but there is a potential risk of management collusion.
• Analytic Solution: Perform a variety of tests to detect potential ghost employees, such as multiple disbursements to the same bank account, or employees with no system activity.

Payroll: P2P Examples: Split Purchase Orders
• Risk Scenario: Employees are circumventing individual purchase authorization limits by splitting a single purchase activity across multiple POs.
• Challenge: No automated way of knowing when two or more POs together exceed an authorization limit. Manual review of POs is not practical.
• Analytic Solution: Identify cases where multiple POs relate to the same purchasing activity & direct to an appropriate individual for investigation & follow-up.

Case Studies

Let’s look at some examples of how a few companies are leveraging audit analytic technology to meet their risk assurance goals.

So Much Risk, So Little Time…

Profile
• Food Lion LLC is one of the largest supermarket chains in the U.S., with 1200 stores in 11 Southeastern and Mid-Atlantic states and 73,000 employees.
• Company stores sell more than 28,000 different products, including a growing number of private label products manufactured and packaged exclusively for Food Lion.

Risk issue
• With retail stores located in 11 states, the Food Lion internal audit department needed an efficient way to conduct individual store audits.
• They needed a reliable risk assessment solution that would select stores based on weighted risk factors and specific criteria in order to effectively audit all 1200 locations.

Solution
• Internal audit team used ACL audit analytics to implement and run a Store Audit Risk Assessment application that quickly identifies the most susceptible stores based on weighted risk factors.
• The audit team worked with management to select these factors, which include: food safety, last audit date, falling store sales, etc.
• Now the internal audit team can quickly pinpoint stores with highest degree of risk.
• Results of the analytics also used to provide business management (i.e., Marketing, Loss Prevention) with detailed reports that outline in-store risk exposures.
• Using audit analytic technology, Food Lion has enhanced business controls and gained critical transparency into retail operations through targeted risk assessments.

“With ACL technology, we can now choose stores based on weighted risk factors, which results in more effective scheduling and timely audit planning. The application runs within seconds and provides stores with a level of detail that has never been seen before in one report. It’s as simple as one mouse click.”
Danielle Kragnes, Internal Audit Supervisor

Insurance Against High Risk

Profile
• Fidelity National Financial is the largest title insurance company in the United States, insuring over 40% of the real estate transactions in the country.
• The Audit Services Department’s (ASD) scope is to provide audit services for: direct title operations, agency title operations and the wide-ranging corporate function.

Risk issue
• Direct title operations represent highest level of business risk with greatest potential for process improvements.
• To mitigate this risk, ASD wanted to move from managed analytics to continuous auditing in this area.

Solution
• Full population visibility enables the audit team to see ongoing issues, avoid errors, and detect potential fraud schemes on a near real-time basis.
• ACL analytics investigate escrow files for fraud, fund misappropriation, suspicious ledger activity, and patterns of known fraud schemes.
• Each analyzed file is automatically assigned an overall score, matched against a risk tolerance matrix. If a test score exceeds a designated threshold or an individual test with a high risk factor reports an exception, the anomaly is flagged for follow up and resolution.
• ASD’s work with audit analytics and continuous auditing has heightened interest across the organization. The solution provides unprecedented visibility into some of Fidelity’s most critical business risks.
• For the first time, the team can quantify production-side risks and potential control issues.

Podcast: Listen to a podcast interview with David Riddell, Automated Audit Solutions Manager at FNF, on how they do it.

“ACL technology has transformed how we assess risk in our organization.”
David Riddell, Automated Audit Solutions Manager

Continuous Risk Assessment: Where the Rubber Hits the Road

Profile
• Fortune 100 firm with 180-200 corporate stores, Dollar Thrifty has 400 franchise operations and manages 500,000 transactions each month.
• Together, Dollar and Thrifty have operations in over 70 countries around the world, including approximately 836 corporate and franchised locations in the United States and Canada.

Risk issue
• Overextended staff resources
• Suspected fraud and security breaches
• Inadequate random sampling procedures

“There is no way we could have been as successful assessing risk and detecting fraud without using ACL.”
Alan Nixon, Staff VP and General Auditor

Solution
• Charged with developing a continuous auditing environment for Dollar Thrifty, the team initially built five ACL analytics.
• Today, they have over 30 fully automated analytics, which the team refers to as “living analytics”, to monitor payroll, retail transactions, uncover fraudulent activities and ensure compliance with Sarbanes-Oxley regulations. These analytics monitor for changes in the process or data and notify the team when changes to the scripts may be needed to accommodate a business requirement change.
• Payroll analyses include 35 specific tests for each and every employee cheque. The audit team is currently working on another 15 tests, which will bring the total up to 50. Sales agents receive incentives for selected sales, so it’s critical for Dollar Thrifty to monitor the retail environment for compliance with corporate policy and fraud.
• Once a new process is automated, staff can move on to other areas and apply a rule of thumb that the average analysis can be fully automated with four to five additional hours of work.
• Dollar Thrifty has already saved over 10,000 hours of manual staff labor, reduced commission expense by $750,000 annually, and pinpointed cases of fraud.

Steps of Applying Analytics for Risk Assessment

So, where do you start?

Step by step, here’s a basic framework of how you can begin to apply audit analytics to assess controls in your organization. While generic analysis software can get you started, purpose-built packages will support more complex and value-added testing and issue management, and longer-term sustainability.

Build a profile of potential risks
• Develop a profile of potential risks as part of a risk assessment
• Consider using a risk scorecard

Test data for possible indicators
• Include ad hoc testing in addition to more formalized or regular tests
• Consider the spectrum of automated testing ranging from ad hoc to repetitive through to continuous, where appropriate

Improve the process by implementing continuous analysis
• Use continuous analysis to test and validate the effectiveness of your controls on a timely basis
• Provide management with immediate notification
• Create processes for control remediation
• Implement on a comprehensive basis across business process areas

Review Results
• Investigate patterns and indicators that emerge from your analyses
• Quantify the risks
• Identify and target high risk areas
• Consider risk monitoring dashboards

Expand scope and repeat
• The process of building a profile, testing data, improving controls and reviewing information needs to be done on a regular basis

Report
• Make recommendations on how to tighten controls or change processes to reduce the likelihood of non-compliance
• Follow-up and see if those recommendations have been acted upon and if they have had the desired effect
• Communicate – “Tone at the Top.”
• Why? Because unresolved exceptions have a negative impact on the business

If you don’t have the time or the in-house expertise to figure out where audit analytics fit into your organization’s risk assurance, it may be time to talk to someone who can help. Contact an ACL Services expert for a free consultation on how you can get the most out of audit analytics: sales@acl.com, 1-888-669-4225.

Conclusion

We’ve looked at how to start applying audit analytics to risk assurance. What’s next?

Use audit analytics to assist in assessing risks in your organization; it will help drive increased efficiency into your audit work and identify data driven indicators of emerging risks. Organizations that have gained the most from this process are those in which internal audit leadership at the CAE level has been a strong advocate.

Take your maiden voyage by applying the six steps to a risk area in your organization. There’s a lot to do, but you can always find help. You’re now charting a course towards greater, and much more efficient, risk assurance.

Learn how ACL customers are applying audit technology at www.acl.com/success

About ACL Services Ltd

ACL Services Ltd is the leading global provider of business assurance technology for audit and compliance professionals. Combining market-leading audit analytics software with centralized content management and exception reporting, ACL technology provides a complete end-to-end business assurance platform that is flexible and scalable to meet the needs of any organization. Since 1987, ACL solutions have helped organizations reduce risk, detect fraud, enhance profitability, and improve business performance.

ACL delivers its solutions to 14,000 organizations in over 150 countries through a global network of ACL offices and channel partners. Our customers include 95% of Fortune 100 companies, 85% of the Fortune 500 and over two-thirds of the Global 500, as well as hundreds of national, state, and local governments, and the Big Four public accounting firms.

Recover your investment quickly with ACL Solutions
• ACL technology enables the comprehensive examination of data, which is the evidence of what has occurred in an organization’s processes
• Achieve immediate, significant financial payback by improving cost management and reducing revenue leakage
• Apply audit analytics to effectively monitor and assess the effectiveness of your organization’s risk management and control procedures

For advice on how to provide assurance around risk management using audit analytics, call 1-888-669-4225 or email sales@acl.com

Date posted: 18/02/2014, 05:20
