In its ‘PwC 2019 State of the Internal Audit Study’, PwC identified six ways to transform Internal Audit into a digitally fit function. This article explores the auditing of critical controls on a continuous basis as a way to advance to an agile Internal Audit function that enables the organisation to act on risks in real time.
The future is here
Martin, Head of Internal Audit of a large Swiss confectionery company, is on his way to the train station. He is going to present the 3-year Internal Audit plan to the company’s board, a plan that he and his team have been working hard to get right over the past weeks.
Suddenly, a notification pops up on his phone: the continuous controls monitoring app displays an alert: a major work accident occurred during the night in the company’s Belgian plant, which he had planned to audit in 24 months. Martin quickly checks the notification history for this plant that produces one of the company’s most popular chocolate bars. The number of average overtime hours per employee is on an upward trend and the rate of absenteeism has gone above the defined threshold seven times since the continuous controls monitoring implementation three months ago. Many questions come to his mind, but he has to rush and catch the train. Fortunately, he has a 30-minute train ride to the company headquarters to investigate the matter further and consider the impact on the Internal Audit plan prioritisation.
Martin’s morning walk to his train station might sound futuristic, but it will become – if it is not already – the new routine of many Internal Audit professionals.
In its ‘PwC 2019 State of the Internal Audit Study’, PwC surveyed more than 2,000 C-suite executives and board members around the world, trying to identify behaviours leading to more digitally fit risk, internal audit and compliance functions. Had Martin responded to the PwC survey, his Internal Audit team would have been considered as part of the Dynamics group, the most digitally fit Internal Audit functions. And you? Would you be a Dynamic, an Active (the next most-digitally-fit group) or a Beginner?
Continuous auditing for a more agile Internal Audit function:
The example of continuous controls monitoring
Continuous auditing has become a much-discussed topic for Internal Audit professionals as stakeholders increasingly expect Internal Audit to identify emerging risks in a timely manner and determine if Management has effective controls in place to manage these risks. The ability to obtain early indications on major risks that an organisation faces is critical to allow the Internal Audit function to act as a trusted advisor for its stakeholders.
The ‘PwC 2019 State of the Internal Audit Study’ shows that 73% of the Dynamics have implemented the monitoring of critical controls on a continuous basis using data-driven and technology-driven capabilities to enable their organisation to act on risks more proactively.
Is your function conducting or planning to conduct the following service-related activities based on the availability of digital technologies? (Percentage of respondents by category who answered ‘Doing now’ to the question)
Source: PwC 2019 Global Risk, Internal Audit and Compliance Survey
To learn more about other methods, services and innovative tools used by digitally fit Internal Audit functions – such as key risk indicator dashboards and other visualisation tools – as well as the associated challenges with data governance, please see Gain digital fitness together with Internal Audit to act on risks in real time.
Mutual benefits for management and Internal Audit
Continuous controls monitoring is intended to be used by management in the first place. By providing real-time information on key control activities, continuous controls monitoring allows management to quickly take corrective actions.
Internal Audit professionals will also see great benefits of being informed about potential control deficiencies, fraudulent activities and emerging risks on a continuous basis. Amongst others, continuous controls monitoring allows the Internal Audit function to:
- get a real-time overview of the state of internal controls,
- identify control gaps, weaknesses and override of controls at an early stage,
- establish a more risk-based and focused Internal Audit plan,
- adapt the Internal Audit plan more frequently thanks to the continuous insights gained,
- increase coverage to an entire population, as opposed to the sampling method, thus reducing effort in audit fieldwork for sample selection, sample data collection and testing.
What are the challenges and how can Internal Audit help?
Though the benefits are clear, organisations can face challenges when trying to implement continuous controls monitoring. Many questions arise: How and where to start? How much will it cost? What are the best practices, and what are the pitfalls? What technologies should be used?
In Europe, 25% of the respondents of the ‘PwC 2019 State of the Internal Audit Study’ have already implemented the continuous monitoring of critical controls, and 41% expect to implement it within the following two years. In both cases, Internal Audit has an important role to play before, during and after the implementation of continuous controls monitoring.
Is your function doing or planning to do the following service-related activities based on the availability of digital technologies?
Source: PwC 2019 Global Risk, Internal Audit and Compliance Survey
Before its implementation, Internal Audit can provide insights as management identifies key risks, defines high risks that should be monitored on an ongoing basis, and what the associated controls and control exceptions are. Furthermore, experiences from internal audits can be shared to help management select meaningful key risk indicators and insightful contents of monitoring dashboards. Internal Audit can also provide feedback to management on the technology requirements it has set for the continuous controls monitoring solution (e.g. on data quality, data availability, timing of reporting, security).
In the implementation stage, Internal Audit can review if the continuous controls monitoring solution is working effectively and efficiently as well as delivering the expected insights to management. Internal Audit can also asses if the solution adequately covers the high risks faced by the organisation.
Once the solution has been implemented, the role of Internal Audit evolves. Thanks to the continuous controls monitoring solution, the management monitors controls on a continuous basis. This can reduce the efforts of Internal Audit when it comes to performing detailed testing of controls. As an independent and objective assurance provider, the role of Internal Audit may then gradually shift towards ensuring that the continuous controls monitoring solution is effective, efficient and fit-for-purpose.
Where are you in the digital journey?
As the example of continuous controls monitoring shows, digitalisation brings Internal Audit functions new opportunities and challenges. In a digital world, Internal Audit professionals have a role to play at each stage of their organisation’s digital journey. This will change how Internal Audit works and the speed at which Internal Audit can react to changes in risks; ultimately helping Internal Audit in becoming more effective in its remit to key stakeholders.