FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Now displaying: August, 2018
Aug 13, 2018

In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part II, we go through the three steps of evolution that an IA function must traverse so that it can move beyond its traditional audit duties under Sarbanes-Oxley (SOX) compliance and testing of financial controls. These three steps of evolution are: (1) strengthening internal controls for financial reporting and SOX compliance; (2) enhanced analytics; and (3) risk optimization for other business functions. Kelly believes that companies must go through these three steps of evolution, and in this prescribed order.

The profession as a whole has been working on this since the passage of SOX back in 2001. That work included strong internal controls for financial reporting, disclosure controls and compliance controls. Here companies would see which of these they had in place, which were working or effective, and which could be removed or deleted. SOX 302 governs the disclosure controls and SOX 404 governs internal controls over financial reporting. The key is that once you have the appropriate internal controls required by SOX, you can begin to test them, see how they work and see what types of data they are generating. The fundamental bedrock is strong internal controls. If you have bad controls, they will give you bad data, which will lead to bad conclusions and trouble at some point.

From this foundation of step one, the IA function is ready to move to a more analytics-based function. Kelly provided an example: “you could see how many of our invoices are paid before a purchase order arrives and you could see how often we are closing the books at the end of the month, within seven business days after the end of the month as opposed to out in 10 days.” This allows you to analyze whether or not your finance function is narrowing that window. Finally, once you are able to build up a sufficient body of analytics, you can then move to risk monitoring, risk management and optimization for other business functions. This is a more robust risk management process. Kelly emphasized that you cannot take these steps out of order.

This evolution drives the importance of data governance up the priority list for internal auditors, compliance officers and risk officers. Kelly said that you need to consider the taxonomy of your data. This would include the “data you are generating, validation that the data is fitting, that it makes sense from a value perspective.” It would also include issues such as whether the data is in the right format and whether it is complete. While completeness of data, accuracy of data, validations and clear data taxonomies have all long been considered by external auditors in their financial audits, IA will now need to be more vigilant on such questions.

Kelly believes this will make “data governance closer to becoming an effective internal control, even like an entity level control.” Data governance is going to have to apply across all business processes to achieve this. It would allow you to document your risk management process in a very data-driven way and have confidence in it because your data governance is robust. Kelly said, “it is such an important thing that we have nailed it time and time again. Internal audit and the business functions all work together to understand this is the data we have, this is how we classify it, this is how we validated, this is how we know it's all complete.” This also means that a Chief Audit Executive will need to work with the Board of Directors and C-Suite executives to ensure data governance has their attention as an entity level concern.

This also brings up the issue of taxonomy, which Kelly described as “the dictionary or vocabulary of data”. He provided an example from the compliance arena: third parties. What are all the types of third parties your organization engages with, and what is the taxonomy you are going to apply to a group as diverse as resellers, joint venture partners and sales agents? Further, do you want a taxonomy that splits it down to “sales agents by region, by country or something else?” There must be some type of definition so that all compliance professionals are clear on what a third party is, so they can be tagged for data analysis. They would all fit in this taxonomy, and then you can analyze the data presented because there is a clear understanding of each definition.

In Part III, we consider some specific examples.

Aug 13, 2018

Over the next five podcasts, Matt Kelly and I will be exploring the future of internal audit, compliance and analytics. In Part I, we introduce the topic, explaining why internal audit (IA) is in the midst of a profound transformation, how this transformation will enable IA to move past its traditional detect function into a more proactive prevent role, and how all of these transformations will lead to a more robust, operationalized risk management process.

Kelly believes IA is in the midst of a profound transformation. He explained that IA itself is getting better and better technology. It has much more data analytics capability, so it can do a lot more with the data and do it faster. At the same time, all the other departments in an organization, whether marketing, legal, compliance or operations, are receiving that same advance in technology too. This means the other departments that IA is supposed to keep an eye on are also advancing with their technology. Consequently, their ability to throw off new data that can be analyzed is increasing exponentially at the same time. Kelly termed this the “datafication” of the business process.

This is coupled with Boards of Directors wanting more bang for their buck out of the IA budget. This translates into the question of how IA adds strategic value. The answer is a delicate one, because as IA works for the Board of Directors, it is supposed to be an independent and objective reviewer of business processes and of risks to the business. One of its functions is to recommend ways to reduce risks to acceptable levels. However, with this datafication it becomes much easier for IA to become much more of an analysis function and to do more risk monitoring.

The tech revolution is creating more ability to move beyond the traditional audit duties of Sarbanes-Oxley (SOX) compliance, such as the confines of just reviewing financial statements and specific processes at fixed increments every few years. Does this mean that IA can move from a detect function to a more proactive, prescriptive function? Kelly believes, “The question is to what degree should it, because there are always going to be these questions about how Internal Audit functions maintain their independence.”

Interestingly, Kelly believes that while the Boards of Directors are directly driving this change, the ultimate pressure is coming from a wide variety of players, including shareholders, regulators, consumers and other stakeholders. All these groups want to see the Board do a better job of managing strategic risk and not be caught with its collective jaw hanging off the floor when a scandal hits an organization. This pressure on Boards of Directors is driving them to ask for more and somewhat different approaches by IA. Kelly believes IA is being pushed beyond its traditional boundaries to “help Boards fulfill a new mission” to help more in the overall risk management process.

This process is also helped by the maturation of the IA function in its control design and testing requirements deriving from SOX. Technology has helped it move away from simple spreadsheets to more sophisticated reporting tools. Now IA has the ability to better interpret the information coming out of these controls. This will allow a greater operationalization of risk throughout an organization. IA can work with business process owners to write algorithms that allow greater self-monitoring of risks at the business or functional unit level. They can then work to oversee the entire process, make sure the business processes stay within acceptable or defined risk parameters, and report back to the Board of Directors.

In Part II we consider the three steps of evolution that IA must go through to move to a more robust role in the overall risk management process.

Aug 9, 2018

The General Data Protection Regulation (GDPR) went live on May 25, 2018. What has happened since then in the data privacy and data protection world? In this episode, Jonathan Armstrong, partner at Cordery Compliance, and I explore what is going on publicly and what has been going on behind the scenes as well. Armstrong provides his thoughts, reflections and observations on the activity which has had, and will have, an impact on companies and individuals going forward.

Some of the highlights of this podcast include:

  • A discussion of the significant court cases filed before GDPR go-live but now coming to fruition in court;
  • The number of data privacy complaints is very strong. There have been over 1100 complaints filed in the UK alone. Armstrong estimates there have been over 10,000 complaints filed EU wide;
  • Equally interesting is the number of data breaches reported. The numbers in Ireland and the UK alone are instructive, at 1100 and 1800 respectively;
  • Over 100 cross-border cases have been filed, and Armstrong believes the EU system for coordinating complaints seems to be working well; and
  • Regulators are putting on training and educational campaigns around GDPR for companies, practitioners and individuals.

For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here.

Aug 6, 2018

What is the purpose of rehabilitation in a best practices compliance program? In this episode, I use last week's trade by the Houston Astros for closer Roberto Osuna as an introduction to several areas around compliance, discipline, punishment and zero tolerance. Osuna had been charged with violating the Major League Baseball (MLB) policy on domestic abuse. This weekend Osuna came off a 75-game suspension. It involved an assault incident, to which Osuna has pleaded not guilty in a criminal case in Ontario. As part of this discussion, I consider several questions.

  • What is Zero Tolerance? Does it apply at all times or is it applied only situationally?
  • What is Due Diligence and how does an organization know if it has performed a sufficient level of DD?
  • What effect does or should any of this have on employee morale?
  • What is the purpose of rehabilitation?
  • What is the purpose of discipline in an organization?
  • What is deterrence?

For more reading see my blog post Due Diligence, Zero Tolerance and Compliance.

Aug 2, 2018

As we begin the dog days of summer and the long spell between July 4th and Labor Day, the Everything Compliance gang returns to its four focused topics. After the commentary we follow with rants.

  1. Matt Kelly considers Trump’s move to politicize the selection process for administrative law judges and what this might mean for agency enforcement going forward.
  2. Tom Fox explores three FCPA settlements (D&B, Panasonic and Credit Suisse) incorporating the new FCPA Corporate Enforcement Policy and anti-piling on policy. He considers them in light of some of the following questions: Do these matters increase the incentive for companies to self-disclose? Will these and similar resolutions increase compliance, or will it go the other way and cause companies to take compliance less seriously?
  3. Jonathan Armstrong discusses GDPR at six weeks post go-live. Where are we? What is the difference between public pronouncements by regulators and private actions by EU individuals? Where are we going?
  4. Jay Rosen considers the pro-active uses of monitoring in areas outside anti-corruption compliance. Here I am thinking about uses to satisfy anti-trust agreements with the FTC/DOJ and hospital conversions.

The members of the Everything Compliance panel are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com.

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.
