For the past several years, international business leaders have been sharply focused on meeting and maintaining regulatory compliance. Sarbanes-Oxley legislation and more stringent reporting requirements from both industry and governments have engaged global companies in complex compliance planning, testing, and assessment activities.
That laser focus, however, is shifting.
In early 2008, AMR Research released a study called “The Governance, Risk Management and Compliance Spending Report: Inside the $32B GRC Market,” which predicted a 4.6 percent increase in GRC spending in 2009. The study revealed that GRC spending has been steadily rising, year-over-year, since 2007.
While the report – which surveyed over 420 IT and line-of-business leaders across all industry sectors in the U.S., Germany, and Japan – was conducted during rosier economic times, the results are still eye opening. A full 32 percent of respondents identified better risk management and mitigation as the most influential issue driving their firm’s GRC spending. Just 10 percent deemed the risks and costs of noncompliance as the leading issue.
Clearly, GRC assessment and execution is a critical mandate for international businesses – even in a tough economy.
Adding to this strategic shift is the changing role of Internal Audit. Based on its Internal Audit 2012 survey and report, PricewaterhouseCoopers concluded: “For internal auditors who have not done so already, it is time to adopt a strong risk-centric mindset and redefine IA’s role and value proposition accordingly; to broaden IA’s focus to include risk management as well as controls; and to determine how to harness and manage the power of data in order to audit better, faster and at lower cost.”
In many organizations, Audit is driving risk mitigation through data analytics and is influencing business process management to assume more responsibility for maintaining controls. Analytics technology can be applied for risk assessment, transactional and controls testing, and continuous auditing and monitoring.
Data analytics play a critical role throughout the audit cycle and now, more than ever, can add significant value through both controls monitoring and bottom-line savings and recoveries. Why? Well, as budgets tighten, the risk of fraud and errors increases. Transaction monitoring can reduce fraud and error, while effective analytics add measurable efficiencies to audit and GRC processes. Corporate mergers and divestitures can also expose new risk areas by introducing different (and sometimes incompatible) business systems, data platforms and operational procedures.
According to a recent AMR report on the GRC landscape, authored by John Hagerty, Koppel Verma, and Dennis Gaughan, “As companies’ GRC approaches mature, software plays an essential role in managing – not just reacting to – risk and compliance concerns in all corners of the enterprise.” Data analytics can provide significant one-time revenue recoveries, such as identifying a large duplicate payment or uncovering vendor fraud, while preventing subsequent leakages.
Dramatic examples of the bottom-line benefits audit analytics provide can be found across industries and international borders. For example, one large government department has achieved over USD $20 million in annual savings through an expense approval and monitoring program. Another major telecommunications firm increased its annual billings by $750,000 when analytics technology uncovered an invoice generation error that was undercharging hundreds of thousands of customers. And to highlight the need for automated data testing, one of the world’s largest multinationals now uses data analytics to monitor all purchase-to-pay transactions for over 900 entities on a daily basis.
In a few more unusual (and entertaining) examples, data analytics revealed that an employee of a well-known organization had spent over $12,000 on tarot card readings, while another firm learned that its employee was using a company credit card to purchase cattle for his ranch. Examples of both quick, bottom-line results and ongoing business value from audit analytics are numerous, and they reinforce the need to manage risk and GRC processes with technology.
As companies implement data analytics, however, they quickly experience an audit and compliance analytics continuum that moves from one-off analysis and testing through to repetitive processes. At the far end of that spectrum lies the continual execution of automated audit and monitoring tests – representing the greatest opportunities for organizations to achieve dramatic benefits and efficiencies.
According to the same AMR report on the GRC landscape, “the best way to ensure GRC activities are repeatable, sustainable, and cost effective is to automate as many processes as possible with technology. Systematically managing these projects gives more visibility into possible risks and exposure, ultimately providing more ammunition to do what’s right, not just what’s the cheapest or quickest.”
So why do some organizations achieve enviable, quantifiable benefits from their technology investment while others seem to flounder? The answer lies in best practices that make the analytics both sustainable and well managed. It’s also important to stop thinking of analytics purely in terms of technology, and understand that managing people and processes is equally key to ongoing success.
Strategic leadership, for example, is essential to any continuous monitoring program. Management must take responsibility and “own” risk and control monitoring, and provide support for technology-driven audit activities. Analytics also need to take prominence in the planning process, to ensure testing and analysis processes result in maximum efficiencies and eliminate as much manual intervention as possible.
Data quality and security represent another best practice mandate, whereby data is housed in a secure environment and analytics are usable by all audit staff, not just technically proficient auditors and IT leaders. By developing a shared platform that supports training and team analytics use (rather than confining the work to specialists), knowledge remains with the organization – even during times of staff turnover. When it comes to people, defined roles are key. Management will also benefit from a central audit environment that makes it simple to review audit procedures to ensure the analytics are fulfilling business objectives.
In a recently released vendor profile, AMR Research states: “The more mature the GRC world gets, the more it encompasses the auditor’s point of view. Any activities that can reduce external auditor efforts should deliver cost savings to the bottom line in the form of reduced audit fees and more efficient verification of internal controls.”
With data analytics, success comes from applying sustainable technology across broad financial, operational, and business systems. With effective, automated data monitoring, control gaps can be plugged and problem transactions can be repaired in real time. By combining audit analytics with management’s responsibility to monitor risk and controls, forward-thinking organizations can move toward a more integrated approach to audit and GRC – and that’s smart spending, in any economic climate.
An acknowledged thought leader on audit analytics, continuous auditing and continuous monitoring, Verver is an inaugural member of the Center for Continuous Auditing’s advisory board. He was a key contributor to The IIA’s General Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment and is a frequent speaker at global audit and control conferences.
John Verver can be contacted through the ACL Services website.