LAVASTORM lavastorm.com. Five Technologies that Transform Auditing to Continuous Business Improvement

Transcription

1 Five Technologies that Transform Auditing to Continuous Business Improvement

2 Executive Summary Internal Audit groups collect very valuable information about business operations, but in many organizations that information is not used to improve business performance. To provide more strategic value to their enterprise, Internal Audit groups can transform standard, periodic audits focused on compliance to business controls. Business controls are continuous audits that are enriched with other analytic capabilities and are used to feed business people information they need to improve business performance. The emergence of a new breed of process-oriented analytic software, called operational intelligence platforms, gives Internal Audit a platform with which it can implement continuous auditing and transform standard auditing functions into business controls. Turning Audits to Business Controls Internal Audit groups play an increasingly important role in businesses due to the continued expansion of regulations and compliance requirements. Tasked with identifying risk and assuring that risk management, governance, and control systems work as desired, Internal Audit is viewed as an essential function in most large enterprises. Even so, in many of those same enterprises, Internal Audit is not considered to be adding strategic value to the business. Executives and business leaders ask, Can Internal Audit add more value? In fact, in a recent survey only 44% of enterprises reported that Internal Audit helps them achieve business objectives. 1 To play a more valuable and more strategic role in the enterprise, Internal Audit must go beyond standard compliance and risk assessment activities and instead provide insights to business managers and executives that can improve business processes and performance. Insights can include: Policy changes that lead to cost reductions or margin improvements Discoveries that improve business process performance Strategies that reduce business risk This is an achievable goal. Internal Audit is already collecting very valuable information on business operations and is, therefore, in a strong position to assist business groups. To turn the information to business value, Internal Audit can do two things: 1. make information more available to the business, and 2. in some cases, perform incremental analysis on audit data so that the audit goes beyond compliance checking to expose information that can be applied to business monitoring or business process improvement initiatives. A critical difference between Internal Audit groups that play a pure compliance role and those that play a more strategic role is whether they can move beyond providing backward-looking, periodic audits and instead provide business controls. We define business controls as 1 Unlocking the strategic value of Internal Audit, Three steps to transformation, Ernst & Young, 2010 Page 1

3 continuous audits that not only track compliance and identify risk, but also feed decision makers with up-to-date information that can be used to improve the business. The difference between audits and business controls comes down to differences in the frequency, focus, scope, and ownership of the audit (see table 1). When compared to audits, business controls tend to be more frequent, more complete, and more focused on business process improvement. Internal Audit organizations that want to add more strategic value should look for opportunities to complement their periodic auditing activities with the creation of these business controls. Internal Audit can not only use these business controls to monitor and assess risk, but also to provide additional recommendations on business improvements. If implemented on a shared infrastructure, even business groups themselves can directly use these controls for monitoring day-to-day business performance. Characteristic Audits Business Controls Focus Compliance Business Process Improvement Frequency Completeness Connection to the Business Process being Evaluated Ownership Less frequent often quarterly or monthly Less complete often sampled data Disconnected audits are periodic events that look at past business performance and can disrupt the present day execution of the business process Almost exclusively initiated and executed by Internal Audit More frequent sometimes continuous More complete often all data available is evaluated Connected evaluations are part of the business process, can be executed in real-time, and directly feed back into the business process to improve the process Initiated and executed collaboratively by the business owner and Internal Audit Strategic Value Limited Essential Table 1 Audits compared with Business Controls. Internal Audit organizations may be closer than they realize to being able to transform audits to business controls, but it requires a new combination of technologies to make it operational. The emergence of a new breed of process-oriented analytic software, called operational intelligence platforms (discussed later in this document), gives Internal Audit a platform with Page 2

4 which they can implement continuous auditing and transform standard auditing functions into business controls. 2 Making Business Controls The Role of Continuous Auditing Internal Audit groups are well aware of the potential risk management benefits of continuous auditing. Continuous audits eliminate the delays associated with periodic audits and can consider all the relevant data, making it less likely that issues would go undetected. Continuous auditing is also an essential capability that allows Internal Audit groups to turn standard, periodic audits to valuable business controls. Just as continuous auditing can expose compliance gaps and risks, it can also provide critical visibility into business process efficiency and performance. For example, continuous auditing can identify gaps in business processes or data anomalies that hurt performance. Continuous auditing, therefore, not only results in better audits, but can also reveal insights for continuous process improvements that Internal Audit can make available to the business. As Table 1 shows, however, continuous auditing alone is not enough to transform audits to business controls. While a continuous auditing system provides a foundation that offers comprehensive data, additional technology, policies, and management practices must be in place if the data is to be used to improve business performance. Examples of those capabilities include analytic functions that can uncover the root cause of business process defects and a feedback mechanism that provides audit results to business process owners who can then take corrective action. Five Technical Capabilities for Continuous Process Improvement Several technical capabilities enable Internal Audit to go beyond continuous auditing to enable continuous process improvement. These are listed below: Complex logic creation and pattern matching The ability to create business rules, including complex rules with highly conditional logic, gives Internal Audit the ability to identify intricate patterns that form the basis of both audits and business controls. Big data analytics This allows Internal Audit to acquire and analyze high data volumes, highly varied data, and fast-moving data. The capacity to process high data volumes makes it possible to perform continuous audits and to sift through the data to find intricate patterns. Highly varied data (e.g., data from different sources, including unstructured documents, social media and non-relational databases such as MongoDB) and transient data (e.g., data from machine-generated data) are increasingly used to run parts of the businesses and Internal Audit also needs to consider these data sources. 2 Commercial Operational Intelligence Platforms Are Coming to Market ; W. Roy Schulte, Jim Sinur, and Janelle B. Hill; Gartner; 10 April 2013 Page 3

5 Alarms and alerts A set of controls for sending communications (e.g. , SMS) and publishing information to management dashboards when patterns are detected gives Internal Audit a mechanism to provide real time notifications to business people who can take action when specific situations arise. Workflow or orchestration engines These facilities allow Internal Audit or the business group to initiate and manage automated or manual actions based on a specific analytic result. Workflow and orchestration engines, which can coordinate actions across various systems, make it possible to shorten the time between the detection of specific patterns and responsive actions. Flexible data model A flexible data model, as compared to that used by traditional operational systems and BI platforms, enables Internal Audit to combine dissimilar data sources (e.g., data silos from different operational systems or departments), add new data sources, and explore new analytic queries without having to undergo a significant data modeling exercise or without re-architecting a data model that already exists. This is important because it allows the organization to conduct ad hoc audits, respond to new regulations easily, and to adapt to changes in the business, including changing supplier and partner relationships. A New Breed of Auditing System the Operational Intelligence Platform A new breed of software systems, dubbed operational intelligence systems by Gartner, combines the capabilities mentioned in the previous section along with administrative and authoring capabilities to provide Internal Audit a platform that they can use to perform continuous audits and also elevate those audits to business controls. Operational intelligence systems increase situation awareness for Internal Audit and business groups, enabling them to sense and respond more quickly to changing conditions. 3 These systems can acquire data from virtually any source and continuously audit operational data for patterns that expose exceptions, threats, and opportunities. Some can also orchestrate manual and automatic actions to respond to specific conditions. Unlike analytics built into an ERP, CRM or other purpose-built system, operational intelligence platforms can look for patterns that span systems. This is an important consideration especially as regulations increasingly require monitoring of key metrics that cross different departments and even different companies. According to Gartner, organizations should use operational intelligence systems to complement, not replace, business intelligence reporting and analytic systems and they urge organizations to look for areas where the benefits of continuous auditing and follow through can be realized. Operational intelligence platforms also promise to make continuous auditing more practical. While well understood, continuous auditing has historically not been easy to implement. Organizations such as The Institute of Internal Auditors have pointed out that technology is key 3 Commercial Operational Intelligence Platforms Are Coming to Market ; W. Roy Schulte, Jim Sinur, and Janelle B. Hill; Gartner; 10 April 2013 Page 4

6 to enabling such an approach, but finding suitable technology capable of handling the frequency and completeness it entails has not always been easy. 4 Traditional business intelligence (BI) platforms and audit systems typically lack the data processing capacity and flexibility to fulfill the promise. For instance, BI platforms often force organizations to make compromises because they do not have the flexibility to easily support complex data models that span multiple operational systems or the pattern matching capability to identify anomalies in the data. Traditional audit software did not have the data management capability to combine all the data necessary to comprehensively audit the critical business controls. Typical Uses of Operational Intelligence Platforms Operational intelligence platforms can be used for audit and business process improvement initiatives in any area where Internal Audit is focused. Areas where they have been applied include: Fraud investigation Comparing KPIs of individuals, departments or locations to expected metric levels or averages to look for outliers, abnormal behavior, or exceptions to rules. Bill validation or revenue assurance Comparing bills to services rendered to see if they match Operational performance Checking the accuracy and productivity of operations, e.g., checking order accuracy for a cable company or evaluating the efficiency of individual call center representatives The Changing Relationship between Internal Auditors and Business Managers Operational intelligence systems can be leveraged for both internal audits or for business control. The opportunity exists, therefore, for Internal Audit and operating groups to standardize on a single operational intelligence platform. For example, Internal Audit could use the platform to develop compliance-focused audits and, with a bit more effort, add further analytics to turn them into business controls that can then be leveraged by the business managers for continuous monitoring of business performance. In addition, business groups could use the same platform to create their own business controls or to perform ad-hoc analytics. By using a single platform, the enterprise can eliminate redundant data collection, data cleansing, and analysis efforts that often occur when Internal Audit and the business groups use different systems. With the overlap between audits/business controls and the potential to standardize on a single platform for both, there is also the need for a tighter and more collaborative relationship between the Internal Auditors and business managers. In fact, some operational intelligence tools are designed to foster collaboration on requirements and analytic design, which can be 4 Global Technology Audit Guide, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, The Institute of Internal Auditors, Page 5

7 quite valuable if the Internal Auditor does not have strong technical skills, but can sit down with a business analyst with stronger technical skills. They can collaborate on tasks such as: Identifying patterns or rules that indicate exceptions, opportunities or risks Revealing defects in current processes Establishing processes for follow-up to mitigate risks Algorithms and calculations done as part of the pattern matching process Collaboration need not jeopardize any independence or impartiality on the part of the auditors. It simply enables the two parties to agree on a common data infrastructure and to base their individual work upon that common ground. Working from a single shared system should reduce any conflicts from two different methods being applied to the same process and as long as the operational intelligence system reveals the underlying data, business logic/rules, and actions to both parties, it makes auditing the business a more efficient, effective, yet still independent, process. Improving Business Performance with Lavastorm Lavastorm is an agile analytic platform that can be used for operational intelligence and, therefore, can be used by Internal Audit for periodic or continuous audits and to elevate audits to controls that can help the business groups improve processes and performance. The core components of Lavastorm are: A powerful, visual and versatile analytic development environment that gives analysts and auditors the ability to acquire data from any source (including big data sources), integrate the data using a flexible data structure that does not require an over-arching data schema, build analytic models to look for patterns, and run data continuously through the system. A highly configurable web-based alarming, case management, workflow, and reporting environment that allows users to understand and resolve issues identified by Lavastorm s analytic processes. Examples of Audits that Improve Business Performance The benefits and advantages of using an operational intelligence platform are best shown through the experience of PwC, a global network of audit firms operating in 158 countries with close to 169,000 employees. PwC firms audit many of the world s best-known companies and thousands of other organizations both large and small. PwC Russia Controls Distribution of Valuable Materials at Manufacturer For a large Russian manufacturer of pipes for energy, transport and industrial uses, PwC Russia used Lavastorm to create a continuous audit process to control the use and reduce theft of valuable raw materials. The manufacturer, which has approximately 30 people in their internal audit department, uses several hundred different raw materials in its production cycle. Some of Page 6

8 these raw materials are very expensive and special measures are in place to control their usage in production. PwC created a continuous audit that tracked material usage against projected usage (i.e., the amount of material they expected to be used for completed product). This process identified materials where uncontrolled disposal exceeded expected limits. If that condition occurred, a special investigation would be automatically triggered to determine if the uncontrolled disposal was due to theft. The results of this project included: Additional expensive materials that were not yet controlled were identified. Business controls were put in place to stop the theft of these materials. The use of Lavastorm automated troublesome manual data acquisition and manipulation steps associated with the periodic audits they previously performed. For example, data files were text-based, and, prior to using Lavastorm, the company used to load all the text files into spreadsheets and link information from the different files. The new solution removed this requirement. The visual model that was created in the Lavastorm not only performed the continuous audit, it also served as documentation of the control process which could then be shared with others. For more information on business controls created by PwC, visit More Information on Lavastorm For additional information on the Lavastorm and its ability to help turn audits to business controls, visit Page 7