Copyright © 2015 The Institute of Internal Auditors. All Rights Reserved.
Applied Practices for Using Technology to Gain Efficiencies
Today’s ever-changing business environment presents challenges for internal audit functions in
providing timely information to their stakeholders and achieving audit efficiencies. This article offers
four case studies of internal audit functions that used technology solutions for data
analytics and to become more efficient. Through these stories, discover how four different
organizations effectively tackle modern-day obstacles.
Thomson Reuters’ Audit Solution Improves Texas-Based Bank’s Internal Audit Data Sharing and Collaboration
The Challenge
Faced with ever-increasing regulatory scrutiny, risk liability, and workloads, internal audit
departments are under immense pressure to manage demands. Quite often, audit teams are
working with manual, labor-intensive processes, which can overload resources and
increase time and costs. Additionally, for organizations with smaller audit teams, these
challenges are compounded. These conditions make for a strong case for the
implementation of an automated audit workflow solution that eliminates manual processes,
increases productivity, and reduces costs.
An independent, family-owned community bank based in Texas, USA had been using an
electronic audit solution for years, yet the functionality wasn’t always reliable. This forced
the audit team and others to resort to manual processes. Upon the vendor’s abrupt closing,
the bank sought a new long-term partner that could offer a reliable internal audit solution
capable of electronic audit data sharing and collaboration.
Delivering the Solution
Leading an audit staff of just three people, the Executive Vice President (VP) Director of
Audit at the Texas-based bank needed a solution that would be easy to learn, incorporate,
and navigate in order to maximize his staff’s productivity.
“Time is a huge issue for us. We have nineteen branches, a mortgage company, an
insurance company, an investment company, and a technology company. We’re auditing
all these things, besides all the normal functions that you have within a bank,” the
Executive VP Director of Audit at the bank says.
While conducting an internet search for internal audit workflow solution vendors, the
Executive VP Director of Audit at the bank noticed that several people recommended the
Thomson Reuters Accelus internal audit solution, which offers a single, shared, and secure
system to standardize and conduct audit processes. In addition to comprehensive planning,
risk assessment and reporting capabilities, the solution gives audit teams the ability to
electronically add and share audit data, and replicate processes, which improves workflow
and enhances accuracy.
“We thought the solution’s ability to share and collaborate between the audit side and the
risk assessment side would be very helpful to us, as well as the ease of documenting your
work,” he explains. “Also, many of the comments online noted that the support from
Thomson Reuters was extremely good, and that was a big selling point for us.”
To get his staff trained, he opted for remote training via web conferencing. “The online
training option was most cost effective and practical for us, and the trainer did a really
great job,” he says. “The trainers walked us through, step-by-step, on what we needed to
do and were very good at answering questions.”
Customer Benefits
The Executive VP Director of Audit at the bank believes the Accelus internal audit
solution they implemented is an improvement over the bank’s previous program. “Our
previous program was pretty rudimentary.”
With this solution, internal audit staff can send audit findings electronically and designate
one or multiple people who need to respond or add recommendations. All the responses are
captured within the system and are built into the staff’s final report. This electronic
capability satisfied the bank’s need for sharing and collaboration between the audit and
risk assessment teams, and eliminated the bank’s previous process of manually cutting and
pasting responses.
“That’s been a time-saver and probably the thing that’s helped us the most,” he explains.
“The electronic piece on sharing and collaboration has been great.”
Future Implementation
The internal audit solution met the bank’s needs. Given its small audit team, not every
function of the solution is currently used; however, the Executive VP Director of Audit at
the bank mentions that incorporating the solution’s scheduling capabilities could be a
possibility in the future. “It will help the staff to plan their year’s worth of work much
better than what we’re doing right now,” he says.
CaseWare Analytics Technology Lead to Root Cause Analysis and Business Improvements
Washoe County, covering Reno, Nevada, felt the 2008 economic crunch more than most
counties in the United States. With a 15 percent decline in property and sales tax revenues
impacted by the mortgage crisis, the State of Nevada planned to divert US$48.5 million in
pledged funds. The county had to reduce spending by US$123 million over a four-year
period. They also had to cut 16 percent of the workforce, leaving fewer than 6 full-time
employees (FTEs) per 1,000 population [national average is 10 FTEs per 1,000]. In
addition, the county had two frauds prior to 2010.
Being Effective with Scarce Resources
Staff reductions within the internal audit department left Alison Gordon, internal auditor
for Washoe County, with the sole responsibility of addressing high-risk issues such as
disbursement controls, segregation of duties, and fraud prevention. The main challenge to
the county’s success was detecting control breakdowns across various systems to have
them addressed appropriately before they made a negative impact on the county. The
county also wanted greater ability to discern root causes to make widespread improvement
of several processes.
Based on their risk-based assessment, Gordon concluded that accounts payable held the
greatest potential to impact their overall objectives. The sheer volume of transactions made
it impossible for the staff to review each payment. The finance team needed a way to
quickly ascertain the legitimacy of each transaction. The county decided to implement a
continuous controls monitoring system called CaseWare™ Monitor to focus on
disbursements — the main area of operational and reputational risk.
Figure 1. Highlights High Risk Areas and Analytics to be performed.
Automated Analysis and Insights
The system identifies and resolves duplicate payments and other anomalies within their
SAP® system and reviews 100 percent of transactions. CaseWare™ Monitor
highlights risk and control issues within a given audit area. The data analysis is fully
automated and scheduled, with immediate reporting of duplicates to assigned persons in
the specific departments. The extensive automation and gathering of insights is beneficial
as this frees internal audit to do more analysis, even with limited resources, ultimately
improving audit’s value to the organization.
Figure 2. Status of Disbursement Controls.
Business Process Improvement
In addition to reducing losses, the intelligence on root causes has helped Gordon address
some of the organization’s key risks. She is now able to get feedback on the resolution of
control breakdowns. For example, internal audit discovered that many vendors listed post
office boxes rather than physical addresses, which could be an indicator of illegitimate
vendors. Washoe County now requires all vendors to have official proof of physical
address during the vendor onboarding stage.
Based on root cause analysis, process controls requiring modification have been identified
and recommendations are in discussion, to make even further improvements. Since
implementing continuous monitoring in 2012, the operations teams have had huge amounts
of money recovered and continue to proactively review payments. The technology has led
to business improvements and has allowed the internal audit department to make a positive
impact on a limited budget.
Figure 3. Risk Level for Internal Controls
“CaseWare Monitor helped us identify true duplicates and research the root causes, which
uncovered a disbursement procedure that needed adjusting for strong controls. We’ve
taken that success and secured more county agencies to participate in reviewing their own
duplicates. Each agency is doing its part to combat fraud, waste and abuse.”
TeamMate Solution Enables Internal Audit Reporting Efficiency
Internal audit teams often waste hours or even days attempting to collate disparate bits of
information from far-flung parts of their organization, inputting it manually into
spreadsheets and struggling to reconcile incompatible formats, errors and missing details.
The how then takes over from the what, causing a massive headache for everyone — not
least for the directors who have to make sense of the reports. And as soon as you finish,
you have to start the process all over again.
In an ideal world, internal audit teams could focus on the critical business of conducting
audits, investigations, and control reviews and using the information they gather to inform
senior management and enable business growth. In this world, information gathered would
be instantly accessible and clearly presented to provide the level of detail required. Internal
audit teams could then focus on reviewing and analyzing data and delivering
recommendations.
These are some of the challenges that faced the internal audit team at Aviva, a British
multinational insurance company headquartered in London, England. Jonathan Chapman,
one of its internal audit directors, started looking for a more efficient system to support the
work of Aviva’s audit teams operating in 22 locations across 15 countries. After
considering various options, his team unanimously selected TeamMate, a system
implemented and hosted by Wolters Kluwer.
Focus on What’s Important
After a year of use, he is so pleased with progress that he is optimistic about achieving his
main goal of being able to take focus off of the system and concentrate instead on what it
is enabling the team to do.
“You have to remove any blocks that prevent your people from being effective and allow
them to focus on what really matters,” he says. “What we want is no noise or discussion
about the IT system. We want to focus all our energy on our audits and our work.”
Like other complex multinational organizations that have grown rapidly, Aviva evolved
with a network of different IT infrastructures and models. “We needed to move away from
focusing on making the systems work to using the systems to make internal audit effective
across the whole organization,” Chapman explains. “In the past we spent far too much time
discussing the system and not the outcomes.”
Timing was crucial. Collecting a full suite of consolidated and local information took
Aviva about ten days and could be done only once a month. Achieving this involved input
from every team, plus some external support. “By the time the information was presented
to the board it could be two months old,” Chapman says. “Furthermore the information
was recorded on spreadsheets and research has found that 95 percent of spreadsheets
contain errors.”
Timely Access to Key Information
Working with TeamMate has enabled Aviva to pull together all the management
information it needs in a matter of hours at the start of the month. This can then be updated
in a couple of hours at any point if needed. Not only is the new management information
more flexible — enabling audit to provide either detailed specific information on a region
or business area or to consolidate data from several regions — but the quantity of
information has reduced 40 percent, largely by removing duplication or unnecessary
material.
“We now have the confidence to say to the top team, you’ll get regular, timely information
and if you need any extra information at any time, we can get that too,” Chapman says.
“It’s made us far more efficient, has freed up internal auditors to do more audits and we are
now able to use the data to look forward and spot potential problems before they happen.”
Aviva is currently going through a successful transformation process, he adds, and
TeamMate has enabled him to demonstrate a marked improvement in the speed, efficiency,
value, and cost of the internal audit function, which is now achieving more and being far
more effective without extra resources.
“Change management is not about servers and code; it’s about people — understanding
why change is occurring and working to achieve it. This has involved partnering not just
with TeamMate, who really understood what we wanted to achieve, but also with internal
auditors across the organization. We’re now at the stage when the system is no longer a
discussion point,” Chapman says.
ACL Audit Management Software Helps Demonstrate Audit Value to Leadership Team
New regulations, increasingly stringent compliance requirements, and increased
stakeholder expectations are taking a heavy toll on companies across a wide array of
industries, particularly finance and healthcare.
In order to help ensure compliance and avoid fines that could significantly impact the
bottom line, Self Regional Healthcare (SRH), an acute care hospital in Greenwood, South
Carolina, has worked hard to stay ahead of the curve. Deadlines to implement new systems
and processes under the Patient Protection and Affordable Care Act loom large; Anna
Cuson, Senior Internal Auditor, and the internal audit team have been facing the challenges
head on.
Strategic Risk-Based Auditing
Risk management, regulatory compliance, and transparency are always critical areas for
auditors and business executives, but during times of regulatory change these areas must
be closely and continuously monitored. Otherwise, minor issues can quickly grow into
massive problems.
Self Regional’s internal audit department proactively took steps to provide management
with straightforward answers about which risks are top priority based on likelihood and
impact. It was clear early on, however, that the department would be required to do more
without additional staff or resources.
Data-Driven Audit Management
As part of their risk-based audit strategy, Cuson planned a comprehensive risk assessment
at all levels of the organization including function level, the C-Suite, and the Board of
Trustees (Board). Management was also looking for ways to automate the process. Cuson
needed to roll out the risk assessment, collect and analyze results, and present the audit
plan to the Board within six weeks.
To ensure that nothing fell through the cracks, the internal audit team considered risks at
all levels. In this case it was crucial to view the full population of risks related to key
activities including patients, records, common practices, management concerns, staffing
levels, and other risks present within a healthcare entity.
Given the tight deadline to turn around a clear and concise report for stakeholders, it was
necessary to implement a flexible solution that would allow Internal Audit to store
historical data and accommodate adjustments to the audit plan based on SRH’s needs.
To effectively tackle the multitude of challenges, SRH’s Internal Audit deployed ACL™
GRC, an audit management software solution that manages the process of assessing risk,
planning and organizing projects, analyzing data, communicating issues, and visually
sharing findings.
Figure 1. Sample violations report, illustrating which department had the most violations.
Seamless Audit Process & Executive Reporting
Historically, the audit process involved disparate solutions, including data analytics tools,
Microsoft Excel, Word, and PowerPoint. In addition, audit reports had to be separated into
different versions to address the needs of specific stakeholders: one for the business owner,
another for the audit committee, and a high-level report for the Board. Producing multiple
levels of reporting — and managing edits across all versions — requires a significant time
commitment. Cuson and her team needed every hour spent on this task to be focused on
value-add activities.
With ACL GRC’s ability to collect and visualize findings, internal audit is able to focus on
presenting data that explains issues rather than spending time on redundant clerical tasks
that add no value. For example, instead of adjusting the report for each stakeholder by
overhauling entire spreadsheets and then transferring information to the preferred version
of document, the auditors were able to simply adjust a setting in the ACL GRC system and
immediately deliver the desired information. The entire audit history was saved
automatically in one place and everything could be accessed by any professional across
different departments through the user-friendly interface of the cloud-based platform.
Figure 2. Example issues tracking; illuminates existing control gaps related to organizational risks
and quantifies using data.
Reducing Time Spent on Administrative Tasks by 75%
“Not only did we meet our deadline, but time spent on administrative tasks was reduced by
75 percent, allowing us to expand our scope of audits and allocate more time toward
one-on-one time with management,” said Cuson.
The visual, easy-to-decipher reports have been a hit throughout the organization.
Executives and Board members can identify specific risks and the impact each risk would
have, allowing them to prioritize issues quickly and to develop a remediation plan for
potential damage.
Figure 3. Sample heatmap, illustrating a summary of all risks and their performance across an
organization.
“ACL GRC was instrumental in meeting our deadline and delivering comprehensive
reporting that exceeded the initial goal,” said Cuson. “While the software took care of the
time-consuming administrative tasks, my team was able to focus on audits for the risk
assessment and delivering the highest quality information to executives and the board of
trustees — valuable insight into risks and opportunities for which our internal audit team is
now sought after.”
DISCLAIMER
Copyright © 2015 by The Institute of Internal Auditors (IIA) located at 247 Maitland Ave.,
Altamonte Springs, Fla., 32701, U.S.A. All rights reserved. Published in the United States
of America. Except for the purposes intended by this publication, readers of this document
may not reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt
the statistical and other data contained herein without the permission of The IIA. The
views, opinions and positions expressed by the authors and those providing comments in
these case studies are theirs alone, and do not necessarily reflect the views, opinions, or
positions of The IIA.
ABOUT THIS DOCUMENT
The information included in this document is general in nature and is not intended to
address any particular individual, internal audit activity, or organization. The objective of
this document is to share information and other internal audit practices, trends, and issues.
However, no individual, internal audit function, or organization should act on the
information provided in this document without appropriate consultation or examination.
ABOUT THE AUDIT EXECUTIVE CENTER®
The IIA’s Audit Executive Center is the essential resource to empower CAEs to be more
successful. The Center’s suite of information, products, and services enables CAEs to
respond to the unique challenges and emerging risks of the profession. For more
information on the Center, visit www.theiia.org/cae.