THE TURBULENT ECONOMIC EVENTS OF THE past months have demonstrated the needs for internal auditing to provide peace of mind that business risk is managed effectively. Company after company has experienced major problems that appear to be the result of managing risks ineffectively. The value of assurance that helps boards of directors and chief executives sleep during the storm is immense. In its breakthrough 2007 publication, Internal Audit 2012, PricewaterhouseCoopers (PwC) discussed the trends likely to shape internal auditing (emphasis added):
* "Throughout the next five years, the value of the controls-focused approach that has dominated internal audit is expected to diminish. As this occurs, internal audit leaders must adopt risk-centric mine-sets if they want to remain key players in assurance and risk management."
* "Some internal audit functions have begun to rethink their fundamental value propositions by shifting from an internal audit model focused on controls assurance to a risk-centric model where risk and control assurance are based on the effectiveness of risk management processes developed by management."
* "One of the five key trends that will drive this reshaping of internal audit by 2012 is technological advancement."
While there is a need for risk and control assurance--consistent with The IIA's definition of internal auditing as "an independent, objective assurance and consulting activity" that evaluates and improves "the effectiveness of risk management, control, and governance processes"--the optimal model for the future is one of continuous risk and control assurance. Internal auditing will provide its customers--the board of directors and executive management--assurance that the organization's risks are subject to appropriate and effective processes, including related systems of internal control. The assurance will be enabled primarily through continuous risk and control monitoring and auditing, with a much-reduced set of traditional audit projects.
Many organizations have recognized the power of technology that tests controls and data on a continuous basis. These organizations can replace the manual testing of a sample of transactions on a periodic basis with the continuous examination of all transactions. But internal audit departments need to ensure that their activities are consistent with the overall goals and objectives of the organization, and the controls tested are the result of a risk-based selection process. If the technology is deployed without a foundation built on risk assessment, internal auditing will appear busy but will not necessarily be testing the controls that ensure the organization's major risks are effectively managed within organizational tolerances.
The continuous risk and control assurance (CRCA) model takes continuous auditing and monitoring to a new level. It is a top-down model that starts with enterprise goals and objectives, and moves on to risks to the objectives, assessment and testing of the controls required to manage the risks, and data mining that can provide indicators of risk and control health. Each of the major elements of the model is discussed in more detail.
MONITORING KEY PERFORMANCE INDICATORS
Key performance indicators (KPIs) enable management at each level of the organization to monitor the business. They provide the information necessary to understand the success or failure of strategies, initiatives, and programs, and to take appropriate action.
KPIs are important sources of information for auditors as well. They provide insight into risk levels, especially when organizational goals and objectives are not being achieved. A failure to achieve goals and objectives, or financial and operational targets, is often a strong indicator that related risks are not effectively managed and related internal controls are not effective.
Monitoring KPIs should be a key component of the CRCA program, and the results should be considered together with those of the continuous risk monitoring program. Internal auditing should strongly consider periodic reviews or audits of KPI processes to ensure the indicators can be relied upon by management and for the continuous assurance program.
CONTINUOUS RISK MONITORING
The continuous risk and control assurance program relies on the quality of management's...