Maximizing Risk Management with Continuous Assurance


Continuous Assurance (CA) is becoming more widely accepted as senior leaders and Boards look for new ways to manage risk proactively. This is not surprising, given the increased reliance on digital technology and the heightened perception of both new and existing risks.


Figure 1. Global Risks Perception Survey 2022-2023. Source: World Economic Forum


In Figure 1, we can see that supply chain collapse is the highest-rated economic risk and one of the top three overall, with a strong influence on Geoeconomic confrontation, which in turn feeds into Interstate conflict. Another economic risk, the employment crisis, has a strong influence on the high-rated Cost-of-living crisis. These examples show how interconnected the risks facing people, companies, and societies are.


The important conclusion from Figure 1, related to CA, is that these risks must be managed proactively, and CA is one of the mechanisms that can help considerably in this regard.


I have discussed CA in a previous article, so I will only go into limited detail here. CA combines Continuous Auditing, done by Internal Audit, with Continuous Monitoring, done by various organisational units - HR, Operations, Engineering, Risk, Compliance, etc. Optimised CA, shown in Figure 2, is when Internal Audit shares its techniques and processes with other units to assist them with Continuous Monitoring.


Figure 2. Optimised Continuous Assurance Model. Credit: IIA


There are many approaches to CA, but in this article, I want to share the one I've used in all CA implementations I have managed and delivered and the reasons behind it. This approach includes a data repository (DR), under the control of Internal Audit (IA), with interfaces going to applicable systems within the organisation and relevant external data sources. Figure 3 shows a high-level diagram of this approach.


Figure 3. High-level Design of a Continuous Assurance System. Credit: Mario Bojilov


Being under the control of Internal Audit does not mean that the IA team needs to be involved in the technical aspects of DR. The relevant technical team can handle the technical side. However, IA will be the "business owner" of DR.


There are numerous benefits to this type of CA implementation approach, but here I will focus on the following three:

  • Protection - by holding all data in a separate environment, IA and other parties can run any analysis without impacting the source system. For example, a query asking for all invoices over $5,000 can slow down the Finance system considerably and disrupt business operations. The same query run on the CA system may slow that system down, but the impact is confined to CA users, which is a much lower cost.
  • Forensic Independence - an independent DR allows IA and other teams to run investigations without alerting the people engaged in malicious conduct. For example, several years ago, I had to assist in investigating HR-related misconduct in a large organisation. The investigation involved a hefty data component, and the data was coming from several organisational systems. As a result, I had to liaise with the technical team and organise the data extraction. Before I did that, the lead investigator approached me, gave me the contact details of someone from the tech team, and asked me to speak only with that person about the investigation. Seeing my surprise, he explained that this person was the only one he trusted, and he didn't want any news of the investigation to leak before there were conclusive results. I did so, and the investigation was completed successfully. This situation made me realise that if the data were under IA's control, we could run any investigation much more efficiently and with a lower risk of interference by interested parties. This control is easily achieved by having a CA DR that stores all the data. Note that the control only holds if access to the DR itself is restricted to IA and the investigation team: a repository that aggregates HR, finance, and operations data is a more valuable target than any single source system and needs access controls at least as strict as those sources.
  • QA "Source of Truth" - a CA with its own DR can be used as an independent QA mechanism on major data conversions. When a replacement or significant upgrade of a major enterprise system is underway, the CA environment needs to be modified as well. The CA modification can be made much more quickly, since its functionality is narrower than that of an enterprise system, so it will be tested and production-ready long before the new enterprise system and its data migration. Consequently, when the data migration on the enterprise system starts, the reports from CA can be used to verify that the data conversion is correct. This happened in one organisation where the CA system was modified and running in production for ten months before the enterprise system it was monitoring. As a result, at the data conversion stage of the project, we worked closely with the project manager and helped shorten the process while providing a higher level of assurance.
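The "Source of Truth" check above amounts to reconciling the migrated enterprise table against the pre-cut-over extract held in the CA DR. The following is an added example, not code from the article or from any CA product, showing how IA can do that reconciliation: it compares row counts and a control total (sum of amounts), then a per-row fingerprint so that a single corrupted value is caught even when the counts agree. The table names, columns and rows are constructed for the example; both the DR extract and the migrated system are simulated with in-memory SQLite tables.

```python
"""Reconciling a data migration against a Continuous Assurance data repository.

Added example, not from the original article. Assumptions (hypothetical):
- the CA data repository (DR) holds an extract of the legacy invoice table,
  taken just before cut-over, in table dr_invoices;
- the migrated enterprise system exposes the same columns in erp_invoices.
Both are simulated here with in-memory SQLite tables and constructed rows.
"""
import hashlib
import sqlite3
from dataclasses import dataclass, field

COLUMNS = ("invoice_id", "vendor_id", "amount_cents", "invoice_date")

# Constructed sample data: the DR snapshot of the legacy system.
DR_ROWS = [
    (1001, "V-17", 125000, "2023-03-01"),
    (1002, "V-17", 4999, "2023-03-02"),
    (1003, "V-42", 750000, "2023-03-02"),
    (1004, "V-08", 5000, "2023-03-03"),
]
# Constructed sample data: what landed in the new system. Invoice 1003 lost a
# digit during conversion, 1004 was dropped, and 1005 appeared from nowhere.
# The row counts still match, which is why counts alone are not enough.
MIGRATED_ROWS = [
    (1001, "V-17", 125000, "2023-03-01"),
    (1002, "V-17", 4999, "2023-03-02"),
    (1003, "V-42", 75000, "2023-03-02"),
    (1005, "V-99", 100, "2023-03-04"),
]


def load(conn, table, rows):
    """Create a table with the shared column layout and insert the rows."""
    conn.execute(f"CREATE TABLE {table} ({', '.join(COLUMNS)})")
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?)", rows)


def fingerprints(conn, table):
    """Map invoice_id -> SHA-256 of the row in a canonical pipe-joined form."""
    out = {}
    for row in conn.execute(f"SELECT {', '.join(COLUMNS)} FROM {table}"):
        canonical = "|".join(str(v) for v in row)
        out[row[0]] = hashlib.sha256(canonical.encode()).hexdigest()
    return out


@dataclass
class Reconciliation:
    dr_count: int
    migrated_count: int
    dr_total_cents: int
    migrated_total_cents: int
    missing: list = field(default_factory=list)   # in DR, not migrated
    extra: list = field(default_factory=list)     # migrated, not in DR
    changed: list = field(default_factory=list)   # in both, content differs

    @property
    def clean(self):
        """True only when every DR row arrived unchanged and nothing was added."""
        return not (self.missing or self.extra or self.changed)


def reconcile(conn, dr_table="dr_invoices", new_table="erp_invoices"):
    """Count, control-total and row-level comparison of the two tables."""
    count_sql = "SELECT COUNT(*), COALESCE(SUM(amount_cents), 0) FROM {}"
    dr_count, dr_total = conn.execute(count_sql.format(dr_table)).fetchone()
    new_count, new_total = conn.execute(count_sql.format(new_table)).fetchone()
    dr_fp = fingerprints(conn, dr_table)
    new_fp = fingerprints(conn, new_table)
    both = dr_fp.keys() & new_fp.keys()
    return Reconciliation(
        dr_count=dr_count,
        migrated_count=new_count,
        dr_total_cents=dr_total,
        migrated_total_cents=new_total,
        missing=sorted(set(dr_fp) - set(new_fp)),
        extra=sorted(set(new_fp) - set(dr_fp)),
        changed=sorted(k for k in both if dr_fp[k] != new_fp[k]),
    )


def run_demo():
    """Load the constructed extract and migrated rows, return the reconciliation."""
    conn = sqlite3.connect(":memory:")
    load(conn, "dr_invoices", DR_ROWS)
    load(conn, "erp_invoices", MIGRATED_ROWS)
    return reconcile(conn)


if __name__ == "__main__":
    r = run_demo()
    print(f"rows: DR={r.dr_count} migrated={r.migrated_count}")
    print(f"control total (cents): DR={r.dr_total_cents} migrated={r.migrated_total_cents}")
    print(f"missing={r.missing} extra={r.extra} changed={r.changed} clean={r.clean}")
```

In practice the DR extract is taken and fingerprinted before cut-over begins, so the fingerprints cannot be influenced by the migration team; the same three checks (count, control total, per-row fingerprint) are then rerun after each conversion run, and sign-off waits for `clean` to be true or for every discrepancy to be explained.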


The technical details of the DR will vary between organisations. However, the underlying infrastructure must be based on a relational database management system (RDBMS). There is a plethora of them on the market. I suggest looking at Oracle Database by Oracle, SQL Server by Microsoft, and MySQL by Oracle. In all likelihood, if you work for a large organisation, there is already an enterprise-wide licence agreement with Oracle or Microsoft that would allow IA to obtain a deployment for the CA DR at no additional licence cost; check the agreement's terms, as such licences are often limited to specific environments or processor counts. If that's not the case, you can look into MySQL Community Edition. It's free and is supported by one of the top enterprise database vendors, Oracle.


In summary, Continuous Assurance (CA) is a proactive way to manage risks. This is increasingly vital given our reliance on digital technology and the high levels of new and existing threats. By combining Internal Audit and other departments' activities, CA can help organisations detect and mitigate risks promptly. At the same time, implementing a CA system with a separate data repository under the control of Internal Audit can offer significant benefits, including protection, forensic independence, and an independent QA mechanism.


#ContinuousAssurance #RiskManagement #InternalAudit #DataRepository #DigitalTechnology #Governance #dataconversion #digitalrisk #audit

Jonathan MARCELLINE

Experienced Project Coordinator and Marketing Professional | Specializing in Finance, Client Relations, Leadership and Digital Marketing Strategies

1 year

Mario, thanks for sharing! CFBR+


