New demands, New possibilities
In recent years, external auditors and regulators have increased their expectations on the reliability of both internal controls and the ongoing monitoring of those controls. As both the number and complexity of regulatory and other compliance requirements have continued to broaden and increase, organizations have sought to reduce this additional cost burden by adopting new approaches and new technologies — not only for achieving compliance, but also for documenting and proving their compliance more efficiently and convincingly.
As a result, two assurance limitations that were previously unavoidable are now being eliminated from the operation and testing of internal controls:
1. Your sampling days are over.
In the years before technology advances first made it possible to automate both the execution and the testing of many internal controls, it was usually impossible to test 100% of transactions. Control testing could be performed on only a sample of those transactions, and the risk of a non-representative sample limited the audit assurance that the test results could provide. Today, however, tools like EagleEye 365 have eliminated this limitation.
2. How often should you test controls? The new answer is: Continuously.
The more manual effort is required to test a control and analyze the results, the less frequently that control can be tested. Historically, most controls were manual, and testing frequencies have usually ranged from weekly to yearly. With the recent emergence of control automation and continuous monitoring technology, it’s now possible for EagleEye 365 to test every relevant control for every transaction, 24/7, and to monitor and report the results in real time.
Internal Audit dashboards
- Risk ratings
- Status of planned audits (not started, completed, etc.)
- Results of completed audits (satisfactory, unsatisfactory)
- Remediated observations vs. All
- Observations by business process
- Observations by remediation deadline status
How many useless internal audits were on your audit plan last year?
In the 19th century, retail industry pioneer John Wanamaker voiced this frustration: “Half the money I spend on advertising is wasted; the trouble is I don’t know which half.” Internal audit departments understand his pain all too well. Each year, they invest many hours reading management’s subjective responses to internal control questionnaires and risk scoring worksheets that rely more on hunches than on data. These outdated rituals are performed in pursuit of the elusive goal of devising an annual audit plan that focuses only on the highest-risk areas and effectively mitigates these risks. The auditors are right to worry, however, that this year’s audit plan will turn out to be no wiser than last year’s, when many of their days were wasted on low-risk audits that EagleEye 365’s continuous control monitoring reports could have warned them would be useless. EagleEye 365 can also eliminate the redundancies when audits are designed to respond to multiple frameworks through automation, such as HIPAA/HITECH, COSO/ERM, ITIL, NIST, ISO, COBIT, and others.