Since the emergence of Sarbanes-Oxley (SOX), the use of technology in processes related to risks and controls has truly started to take meaningful shape in many organizations. However, when looking across the risk and control functions in most organizations, technology is still typically used on a departmental or point-solution basis.
As an example, let’s look at the use of technology across the The Institute of Internal Auditors’ “Three Lines of Defense in Effective Risk Management and Control” model that specifically addresses the “who and what” of risk management and control.
Third line (internal audit) use of risk & control technology
Throughout the past decade, surveys of internal auditors have consistently identified the more effective use of technology as a pressing issue facing the profession. Specifically, these surveys have revealed the need for increased use of technology for audit analysis, fraud detection, and continuous auditing. A shortage of sufficient technology and data analysis skills within audit departments has also been highlighted.
Much of the driving force for increasing the use of technology is based on the desire to make the audit process itself more efficient and effective, as well as to deliver more tangible value to the rest of the organization.
Over time, the role of the internal audit function itself has changed considerably. The traditional focus on cyclical audits and testing internal controls has evolved into one in which internal audit is expected to assess and report on the effectiveness of management’s processes to address risk overall. This often includes providing guidance and consultation to the business on best practices for managing risk and compliance within business process areas and maintaining effective control systems.
Technology is an increasingly critical component of these best practices and in some cases internal audit is able to champion the implementation of high-impact, high-value technology within the business’s risk management and compliance processes, based on their own experiences of using technology for assurance purposes.
There is considerable variation in the extent to which internal audit departments leverage technology. However it is certainly fair to say that for audit to be truly valuable and relevant within the context of organizational strategy, a significant improvement is required across the board. Internal audit as a profession simply is not moving forward at the same pace as technology.
Second line (risk, compliance, financial controls, IT) use of risk & control technology
Outside of audit, in other areas of risk and compliance, some organizations have acquired specialized departmental software, but the majority use only basic Microsoft Office tools to maintain inventories of risks, document controls and perform risk assessments. In larger enterprises, it is not unusual to have a variety of technologies and approaches applied in different operational entities or in different functional areas. This approach is usually more costly and less effective than one based on a common platform.
Effective testing methods using technology are usually unavailable or go unconsidered. In fact, second line of defense functions often rely heavily on inquiry-based methods such as surveying, which are proven ineffective at identifying the actual manifestations of risk in the organization. If analytical software is used in the business for investigations or monitoring transactions, in many cases it involves standard query tools or some form of generic business intelligence (BI) technology. Although good for providing summary level information or high-level trends, BI tools struggle to show the root cause of problems. And while they may have certain capabilities to prevent fraud and errors occurring, or to flag exceptions, they are not sufficient to effectively trap the typical problem transactions that occur.
First line (management) use of risk & control technology
While in some cases, first line management have access to better technology for use on specific pain-point areas (e.g., continuous transaction monitoring technology used within finance departments), there is a common tendency for management to place far too much reliance on core business systems for effective control. While the large ERP and other system vendors seem to have extensive capabilities for preventing control deficiencies, the reality is that these are extremely extensive and complex systems, and internal controls are usually afterthoughts of those implementing them, not a core focus. For example, in many cases certain control settings are turned off to enable the ERP system to run more efficiently. An integrated and collaborative approach to managing risks and monitoring controls in collaboration with the second and third lines of defense, using a common, independent methodology and technology platform, typically proves the most effective in accomplishing management’s key risk mitigation strategies.
Considering the mix of technologies used, and the generally disjointed way in which technology is applied across GRC-related processes, it is clear that a new approach integrating common methodologies and supporting toolsets is required.