Internal control testing is a fundamentally important part of the internal audit process. Apart from helping determine how much of your scarce resources you need to commit to providing assurance on processes, it is also an early indicator of potentially more serious issues that could be hiding below the surface.
It is, however, also extremely boring to test more than once. It's repetitive, and it's manual; while doing the testing, you hope and dream that this is the last time you will have to do it, and that next time it can be handed over to someone.
The good news is that it is possible to hand it over, not to a person, but to an automated GRC platform. The November 2018 release of the ACL GRC platform included what was, up to now, the holy grail: automated internal control testing.
This is how it works:
Using the analytics capabilities of ACL Analytics Exchange or ACL Robots, you are able to automate testing of your ERP system for exceptions, testing all of your data, all of the time. It is like the proverbial canary in the coal mine, alerting you to issues you might not have been aware of.
For example, you could look for duplicate payments by analysing all of your payments. Doing so is also a type of internal control test: any duplicate payments detected would point to a breakdown in your payments process control environment.
Using these duplicate payment exceptions as a starting point, you can then create an Assessment Driver in ACL GRC.
You would set up an internal control testing project for the payments process in GRC and complete a risk and control matrix, weighting the controls at this time too. This would help you to define the relative importance of each control to GRC.
Once this has been completed, you can define certain parameters for the Assessment Driver. Is one duplicate payment enough for the controls preventing fictitious payments to be defined as failed? Maybe it needs to be two before you consider them to have failed? You would set these thresholds based on your opinion of the maturity of the control environment.
This is now a newly defined Assessment Driver, which can be linked to your project. Voilà! Instant automated internal control testing. You can set up as many internal control testing projects as you want and just as many Assessment Drivers. Since it is all data driven, it also provides automated assurance scores, for instant reporting. It is all very much set and forget; once it is set up, it will alert you only when a control has failed.
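To make the duplicate payment test and its failure threshold concrete, here is an added Python sketch; it is not ACL code and does not use any ACL API. The payment records are constructed sample data, and the field names and the `control_status` threshold rule are assumptions made for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample payments (not real ERP data); field names are assumed.
PAYMENTS = [
    {"id": "P001", "vendor": "V100", "invoice": "INV-0042", "amount": "1250.00"},
    {"id": "P002", "vendor": "V100", "invoice": "inv 0042", "amount": "1250.00"},
    {"id": "P003", "vendor": "V200", "invoice": "7781", "amount": "310.50"},
    {"id": "P004", "vendor": "V200", "invoice": "7781", "amount": "310.50"},
    {"id": "P005", "vendor": "V200", "invoice": "7781", "amount": "99.00"},
    {"id": "P006", "vendor": "V300", "invoice": "A-17", "amount": "500.00"},
]

def normalise_invoice(ref):
    """Drop case, spaces and punctuation so 'INV-0042' matches 'inv 0042'."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())

def find_duplicate_payments(payments):
    """Group by (vendor, normalised invoice, amount); return groups of 2 or more."""
    groups = defaultdict(list)
    for p in payments:
        # Decimal avoids float rounding when comparing monetary amounts.
        key = (p["vendor"], normalise_invoice(p["invoice"]), Decimal(p["amount"]))
        groups[key].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def count_exceptions(dup_groups):
    """Every payment after the first in a group counts as one exception."""
    return sum(len(ids) - 1 for ids in dup_groups)

def control_status(exceptions, fail_threshold):
    """Assumed rule: the control fails once exceptions reach the threshold."""
    return "FAILED" if exceptions >= fail_threshold else "PASSED"

if __name__ == "__main__":
    dups = find_duplicate_payments(PAYMENTS)
    n = count_exceptions(dups)
    for threshold in (1, 2, 3):
        print(f"threshold={threshold}: {n} exception(s) -> {control_status(n, threshold)}")
```

The same exception count gives a different verdict depending on the threshold, which is why the threshold should reflect how mature you judge the control environment to be.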