control, and governance
Automating Transaction Testing
An integrated, technology-enabled approach to testing transactions can enable audit, compliance, and risk management functions to deliver more value to the board and management.
Recent years have seen considerable change in the roles of internal audit, risk management, and compliance functions within organizations. Legislation such as the U.S. Sarbanes-Oxley Act of 2002 and the more recent U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, as well as renewed attention paid to the U.S. Foreign Corrupt Practices Act (FCPA), has resulted in substantial efforts and investment of resources around risk and control issues. Initially, the focus tended to be on avoiding the risks of fines, penalties, and damage to the organization’s brand. More recently, there has been increasing awareness that intelligently designed risk management activities can have positive benefits to overall performance management.
Technology has played an important role in achieving these benefits in everything from supporting the processes of identifying and assessing comprehensive inventories of risks across the enterprise to performing detailed testing of controls and monitoring of business activities. This frequently involves the ongoing analysis of financial and operational transactions and testing them to look for indicators of fraud, regulatory noncompliance, and abuse. Analyzing entire populations of transactions as they flow through systems — such as purchase-to-pay, order-to-cash, payroll, and the general ledger — can be a productive way of assessing the effectiveness of controls as well as identifying risks and problem transactions.
Apart from looking for fraud and noncompliance, subjecting transactions to a broad range of automated data analysis tests can identify errors and inefficiencies that, when addressed appropriately, can result in significant improvements to business performance and profitability. For example, transaction testing often reveals instances of duplicate payments or missed billings caused by control gaps. By fixing both the transactions and the control weaknesses, an immediate benefit can be achieved, and the risk of ongoing problems can be avoided.
MULTIPLE FUNCTIONS PERFORMING MULTIPLE TESTS
While technology-enabled practices are becoming increasingly commonplace among audit, risk management, and compliance professionals, there often is a gap between the potential value of the activities and their actual use by senior management. Take, for example, a financial institution where the compliance department has implemented a system to test purchase and payment transactions to look for signs of corrupt payments under the FCPA. The department has identified detailed lists of exceptions and investigated them to determine whether there is a problem transaction. At the same time, the organization’s internal audit department is independently testing payment transactions to look for duplicate payments. If auditors identify an issue, they produce a list of exception items and probably submit an audit finding. Elsewhere in the organization, a separate team is testing controls and data around loans for issues with loans granted by employees that are not at arms-length terms.
In this scenario, testing across multiple groups of data is contained within independent silos. However, the greatest value from audit, risk analysis, and control testing can be obtained when all of the activities are streamlined and connected directly to the hierarchy of strategic and operational risks that really matter to the CEO, chief audit executive, chief financial officer, and chief risk officer.
Imagine if the financial institution’s C-suite team had access to a categorized visual summary of key strategic and operational risks directly connected to the results of the ongoing assessment and testing activities. By looking at trends in results over time, by geography, and functional area, executives could see clearly where risks are increasing or are being compounded by various combinations of events. Although the term “dashboard” tends to be over-used, this technology can be a sufficient, powerful tool to gain insight into risk and control activities and ensure effective management and response. Ideally, a risk management dashboard should be one component of an overall financial and operational performance dashboard for executive management.
TRANSFORMING THE VALUE OF ASSURANCE
This integrated, technology-enabled approach to audit, risk management, and compliance may seem out of reach to some organizations, especially those that are in the early stages of implementing enterprise risk management processes and are still dependent on a disconnected set of activities and technologies. In practice though, it is not difficult to achieve substantial benefits by focusing on a few key issues: 1) maintaining good communication and cooperation among respective functional management; 2) making a strategic decision to use integrated enabling technology; and 3) keeping it simple by starting with areas of “low-hanging fruit” that can be implemented easily.
Other organizations may consider audit, risk management, and compliance processes to be primarily functional necessities that add little real value. However, by using technology to deliver timely insight into risks and areas where financial and operational performance can be improved, the leaders of audit, risk, and compliance functions can transform the value of their contributions.
John Verver, CA, CISA, CMC, is vice president, Product Strategy & Alliances at ACL in Vancouver.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.