Continuous Assurance - the Communication Aspect

In one of my previous articles on Continuous Assurance (CA), I listed two critical success factors: close consultation with the business and a data repository owned by Internal Audit (IA), and I mentioned a third one. The third critical success factor is promoting СА as widely as possible. This is an absolute must to ensure an adequate buy-in from the business and get the most value out of CA.

СА-related communication has to start at the beginning of the implementation, continue throughout it, and become an ongoing activity after CA goes live. Since we're already consulting the business, the first part should not be a problem. And during the actual implementation, we must talk regularly to the business about our tests, approach, results, and timelines. There are two objectives here:

1. The tests, their results, and generated exceptions need to be fine-tuned jointly with the business. IA doesn't have an intimate understanding of the process that the business does. For example, in one of the CA implementations I managed, we developed an excessive accumulated annual leave test. We included a parameter for a yearly standard leave of 4 weeks inside the test. While that worked for most departments, for one of them, it generated a large number of exceptions. As it turned out, the standard annual leave was 5 weeks in that specific case. After correcting the parameter, only reasonable exceptions were generated by the test.
2. Being regularly informed of CA's capabilities and progress will make the business much more open-minded when CA goes live. Then when the actual exception reports begin to be generated and must be addressed by the business, the process will be much smoother.

Finally, after CA's "go live", the main communication work starts. Like any other software, CA will not be embraced by everyone with open arms since it will require new training and a change in the process. This will occur equally within the IA team and the business units. In addition, CA can uncover process deficiencies and new risks, which will not be welcomed by everyone again. This is because they are likely to result in repercussions and additional work.

To alleviate these issues, demonstrating CA output and operation, as well as getting feedback from a wide range of stakeholders, is vital. In one of my CA implementations, I consciously asked for one of my KPIs to be the number of meetings I have with divisional management teams. Every quarter I will ask for a 15-minute slot to let the management team know what the results from CA are and what new functionality is planned for CA. I also asked for input on what risks are not covered and which ones need to be covered by CA. These presentations made people familiar with CA and showed how it could benefit their division. While in the first couple of quarters, people were sceptical of CA, this started changing gradually, and the benefits of CA were recognised both by IA and the business.

When embarking on a CA implementation, care must be taken of the "soft" factors and the technical side. CA can deliver significant value to an organisation, but it will also bring disruptions and changes that must be managed well.

What do you think of the communication side for Continuous Assurance? Is it something that you are paying attention to? Feel free to drop me a direct message or leave a comment.

#communication #continuous #assurance #softskills #audit