Internal Audit Provides Continuous Assurance with Reliant
IDC OPINION
IDC research shows that close to 70% of organizations hold internal audit responsible for internal controls monitoring and testing. While this initially was a response to the onerous workload put upon internal audit by Sarbanes-Oxley, the role of internal audit is evolving within many organizations as a key stakeholder in governance, risk, and compliance (GRC) strategies. Findings include:
- This evolving role expands the purview of internal audit, in particular moving away from periodic reviews of a sample of transactions to continuous monitoring and assurance across all transactions based upon assessed risk.
- As the requirements of internal audit change, IDC expects that software solutions will evolve to support not only internal audit team processes and documentation but scalable, enterprisewide assurance analytics, monitoring, and testing.
- Internal audit groups should assess current technology solutions that are emerging to help them be successful. Automation is an integral part of next- generation internal audit strategies that will arm teams to meet evolving GRC requirements with measurable benefits in cost, time, and audit fee reduction
IN THIS INSIGHT
This IDC Insight highlights Reliant Solutions' strategy and the related business need for continuous assurance analytics and monitoring that is emerging as a best practice. Reliant Solutions provides continuous audit and risk management software focusing on the needs of the evolving role of internal audit. Reliant has recognized organizational requirements for continuous monitoring of transactions coupled with the expanding requirement for audit executives to provide a risk-based audit approach and methodology.SITUATION OVERVIEW
The Evolving Role of Internal Audit
Organizations are moving away from the traditional definition of internal audit and are defining the accountability of internal audit teams as a critical component of corporate governance, enterprise risk management, and optimized compliance strategies. Based upon a study performed by the Institute of Internal Auditors, IDC expects that companies with revenue in excess of $1 billion should expect to spend between 0.03% and 0.2% of annual revenue for an effective internal audit function to support Sarbanes-Oxley requirements, with an even higher percentage expected for smaller companies. Many companies have placed internal audit in a critical fulfillment role for financial compliance requirements, resulting in a significant increase in responsibility for monitoring and testing internal controls on a regular basis. More forward-looking firms as well as those that are highly regulated or decentralized are embarking on a more strategic definition of the internal audit function, supported by automated processes and leveraging the use of technology for analysis and exception management.
Evolving guidelines such as Audit Standard No. 5, approved in 2007, advise businesses to adjust their audit approach to a risk-based methodology. Redefining the role of internal audit within the context of companywide GRC strategies is emerging as a best practice. Many organizations that rely on internal audit to document and test internal controls have seen these departments grow significantly, sometimes tripling in size. Internal audit teams now include a strong mix of information technology skills in response to the requirement for auditing enterprise systems, but the sheer volume of transactions and manual processes requires new tools.
As a result, internal audit must leverage the use of technology to optimize their own efforts. In fact, the smaller the audit team, the greater impact software can have in effectiveness. The project management and testing tools of the past do not scratch the surface of requirements to tap into enterprise systems on a routine basis, analyze large volumes of transactions based upon business rules, and put these activities and results in the context of enterprisewide risk and compliance activities.
A Look at Reliant
Reliant Solutions Inc. recently launched a software solution to provide audit executives with continuous monitoring and continuous audit tools that support the evolution of Internal audit from a document-driven to a data-driven function. The ReliantAuditor solution integrates continuous monitoring of internal controls within a risk-based framework, providing an integrated approach to automating audit operations.
While IDC considers ReliantAuditor part of the GRC software solutions market, Reliant has taken a unique approach by developing an application to automate audit operations from the perspective of the chief audit executive. ReliantAuditor combines key capabilities that many times exist in a disconnected and incomplete approach within separate applications as manual process, or may not be happening at all.
IDC defines two subcategories of GRC applications that have evolved over the past several years. In effect, Reliant has brought together capabilities in both areas to arm the audit function:
- Compliance and risk management solutions. These applications support the process automation and documentation requirements of several governance processes, including the assessment and certification of business/internal controls, policy and procedure management, audit management, and enterprise/operational risk, among others.
ReliantAuditor capabilities in this area include:
- Audit plan management. Managing the audit plan in an integrated manner to meet internal audit requirements and concurrently mapping these activities to compliance frameworks such as COSO
- Control testing and assessment. Deploying a risk-based framework for assessing controls and collecting evidence, and automating test plans where applicable
- Remediation management. Providing closed loop process support and documentation, providing evidence of identification and remediation of control weaknesses and potential risks
- Business assurance analytic applications. These applications support detailed, rule-based analytics to perform proactive analysis to support continuous monitoring at the transactional level to assess controls, support audit requirements, identify fraud, and uncover potential business risk.
ReliantAuditor capabilities in this area include:
- Continuous controls monitoring. Transaction-based continuous controls monitoring and test execution
- Evidence management. Gathering risk- and control-based audit evidence from IT systems effectively and efficiently and with improved quality
The combination of the above capabilities are integrated with ReliantAuditor to support a dynamic risk framework that provides a continuous status of audit results across the enterprise, changing the paradigm of the internal audit function, as shown in Figure 1.
FIGURE 1
A Framework for Automating Internal Audit Operations
Source: Reliant, 2008
Automating the internal audit function with solutions such as ReliantAuditor can yield many benefits, including:
- Reduced time and effort needed to prepare, conduct, and report on key areas of risk, controls, and compliance
- Quick time to value and rapid deployment through predelivered content and structure within the applications in the form of out-of-the-box controls and audit plan templates that represent best practices
- The transformation of the audit function from a "point in time" assessment of risk to a continuous, exception-based function that serves as an early warning system and supports an ongoing and more effective utilization of audit resources
ReliantAuditor demonstrates the vision and capabilities to automate the internal audit function within the context of broader enterprise GRC initiatives, thereby transforming internal audit into a dynamic program of continuous assurance.
FUTURE OUTLOOK
Organizations are challenged to manage and mitigate potential errors, fraud, and process inconsistencies that can lead to financial loss and increased levels of risk. An evolving global regulatory environment and rapidly changing business conditions create the need for continuous assurance that controls are working effectively and risks are being managed.
Chief audit executives are central in creating this new paradigm and need to make audit processes more dynamic and efficient, have access to more robust analytics and reliable test data, and have continuous visibility into risks, controls, and audit results.
Solutions such as ReliantAuditor are designed to deliver the integration of a risk- based framework for managing audit and compliance initiatives coupled with continuous monitoring required to execute on this vision.
Certainly, software to support internal audit is not new, but what has been lacking is timely, context-based analytics that can provide audit teams with a continuous view of risk and control issues while at the same time provide audit evidence to support an auditor's risk assessment and findings.
Effective audit analytics and continuous monitoring not only help identify audit areas that present higher risks but can support an auditor's assertions of lower risk, which can support reduced internal control assessments and lower audit fees.
In the course of the next few years, "reacting" to regulatory requirements will subside and organizations will use technology to support broader governance requirements: repeatable processes, information transparency, and risk visibility. The inflection point driven by the peak of legislative scrutiny in 2003 and the resultant increase in compliance requirements in essence kicked off a period of learning for enterprises. Many of the required process enhancements, or weaknesses uncovered, have a business risk and efficiency impact that make them worth addressing without compliance hype. Internal audit plays a key role in this new landscape
LEARN MORE
R e l a t e d R e s e a r c h
* Worldwide Financial Governance, Risk, and Compliance Applications 2007-2011 Forecast (IDC #206907, May 2007)
C o p y r i g h t N o t i c e
This IDC research document was published as part of an IDC continuous intelligence service, providing written research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or sales@idc.com for information on applying the price of this document toward the purchase of an IDC service or for information on additional copies or Web rights.
Copyright 2008 IDC. Reproduction is forbidden unless authorized. All rights reserved.
All IDC materials are licensed with IDC’s permission and in no way does the use or publication of IDC research indicate IDC’s endorsement of Reliant Solutions' products and/or strategies.
Filing Information: July 2008, IDC #213001, Volume: 1 Financial Compliance Applications: Insight
