It is no secret that audit activities, like all other business functions, have become difficult in the post-pandemic period. There are two reasons why auditing is more difficult than other functions in this process. One of them is that the audit studies include such close communication and intensive information-document scanning due to its nature. The other is that the audit function lags far behind central functions such as supply chain, finance, and human resources when it comes to digitalization.
The difficulty of conducting an audit remotely brings with it another very important side effect, such as the increase in fraud attempts. In this subject, I will share the article of ACFE regarding the increase in fraud cases in the post-pandemic business world.
All stakeholders regarding auditing in organizations need to do something. Because these vulnerabilities are very likely to increase exponentially. As the number and awareness of successful fraud attempts increase, variation of fraud attempts will evolve and the subject will become much more difficult.
So is remote audit possible? Companies such as SAP or Delivery Hero, which are already operating internationally and centralizing their auditing activities, have been implementing remote auditing practices for a long time. But how did they achieve that?
• Digitalized audit applications and
• It is necessary to use new generation technologies for the automation of controls. Here I look at this issue from a technology perspective due to my expertise. Of course, the subject has many non-digital dimensions.
The subject of this blog will include the first step. In other words, the first step to be taken in order to make remote auditing possible: transferring audit activities completely to digital. In my next article, I will touch on the automation of controls, which is a more trendy topic.
In order to adapt to digitalization in auditing, internal audit units need to set their digitalization targets well. The “Key Performance Indicators for Internal Audit Function” report prepared by PEMPAL is a great resource on this subject. When you examine the document, you see that it focuses on a very important but less studied subject. According to our experience, our customers generally focus so much on control automation that they may overlook the efficiency of digitalized audit work or the value it adds to the organization. The fact that this document is fully focused on internal audit effectiveness makes it a great resource on this subject.
For success in audit work, we first need to identify our stakeholders and then set appropriate performance criteria and targets as well.
Then, it is necessary to determine the key performance indicators in order to measure the value that the audit adds to the company.
Responsible | Key Performance Indicator | Explanation |
Internal Stakeholders | Number of findings | Reports the number of checks that resulted in a finding. This information can be used to measure the control maturity of the organization. |
Internal Stakeholders | Annual planned inspection rate | A low rate here may be an indication that the internal audit department is performing too many unplanned audits. |
Internal Stakeholders | The materiality of audit findings | It helps managers understand whether internal audits can identify serious issues. |
Internal Stakeholders | Percentage of corrective action taken | It can be a criterion for understanding whether follow-up operations on audit reports meaningful and value-creating recommendations are. |
Internal Stakeholders | Percentage of annual high-risk audit items audited | It allows monitoring the number of audits performed by the audit in high-risk areas and the audit rate of high-risk jobs. |
External Stakeholders | Rate of recommendation accepted by business units | The high rate of approval of the recommendations given by the audit unit shows that the audit activities are efficient. |
Internal Audit | Average audit time by process or risk | It can be regarded as a general criterion for the effectiveness of internal auditing. |
Internal Audit | The time between the last audit activity and the publication of the report | It is a criterion that follows the report writing process. This indicates that the audit was well planned to produce the necessary evidence. |
Internal Audit | Percentage of annual audit costs versus annual budget | It shows the efficiency of the internal audit department in cost planning. |
Internal Audit Partners | Number of recurring findings | It may indicate that chronic vulnerabilities are not being addressed. |
Internal Audit Partners | Process, risk, and region-based rates of outdated findings | Indicates weakness of action in business units belong to accepted recommendations. |
Of course, each organization’s metrics may be different, and the examples above could be multiplied by hundreds when it comes to measuring performance. For example, a low rate of planned audit may be seen as a failure in one company, but it may be a sign of agile auditing in another company.
SAP’s Audit Management product is a very powerful audit software that covers all processes from planning to reporting in internal audit and can be integrated with different software technologies. It is a collaboration tool that brings together auditors, business units, and external audit experts from different locations and time zones, especially in the post-pandemic period.
SAP Audit Management automates the audit report, which is perhaps one of the most time-consuming and “unpopular” tasks of the audit process. It is also a tool that saves tremendous time by communicating in real-time with internal control, risk management, and fraud teams.
To briefly summarize the internal audit practice that I would recommend you to digitize by centered on the SAP Audit Management product;
Planning: This phase begins with the introduction of the risk and control universes to the internal audit world. The risk-based audit practice is still the most effective audit management. At this point, I believe that a holistic perspective will also be beneficial. In many organizations, risks and controls are tracked by different people on a separate platform. Here, one of the benefits of SAP Audit Management is that you can transfer and synchronize risk and control universes via SAP Process Control and/or SAP Risk Management. Again, the process and organizational hierarchy that these 3 components use in common can be synchronized with each other. This helps both to monitor the data from a single place and to keep the three lines synchronized.
Preparation: At this stage, we expect the audit team to establish the audit universe, risk, control, process, and audit relationships, and establish the schedules, costs and, qualifications of audit resources. In addition, we can count the preparation of work packages about which process, organization, or investment will be audited at this stage. The standardization of the audit is a step that can make a great contribution to the efficiency of the company.
Execution: This is the part where the internal audit team does its own work without much interaction with other stakeholders. The audit teams can make time entries during the audit and document all studies within the previously determined work packages; We can gather the whole process from determining the findings and recommendations to the publication of the audit report under the heading of “Execution”.
Reporting: I think we have come to the magic moment of SAP Audit Management. After the audit findings and recommendations are identified, there is a workflow involving the audit leader or auditors. You can follow this process in SAP Audit Management. In addition, you can create an infrastructure that allows you to automatically publish the entire audit report in PDF or Microsoft Word format. The content of the report and how it will appear is entirely up to you.
Follow-up: In the follow-up process, recommendations regarding the findings are approved and action tracking within some key points like appropriate time constraints, process, region, risk, etc. You can even create an integrated report with other three lines components. Of course, SAP Audit Management has built-in reports. But data is such a beautiful thing that I have always advocated processing data on the best platforms. Therefore, if you have SAP Analytics Cloud or any other good analytics solution that you are already using, I strongly recommend that the reporting be done here.
In summary, when it comes to audit digitalization, we always get lost in topics such as control automation, RPA, machine learning, or big data. These issues are very important and I will address them in the second part of this article. However, it should not be forgotten that the issues I have just mentioned. It would be against the logic and principles of digital transformation to automate the audit without measuring its performance, value, and impact. Starting from creating a platform where all these rules can work together would be a more grounded strategy.