Over the past few years, and again at the 2018 ISACA conference in Chicago, there have been lots of discussions regarding analytics strategies for internal audit teams.
Among the strategies, repeatable analytics (e.g. continuous controls monitoring or CCM) seems to be a fairly common theme. Is this the easier route or the appropriate one?
Here are some questions we need to ask:
- What is the role of the third line? Is it to assume management responsibility?
- Do internal audit teams still use rigid plans?
- Repeatable analytics - resurrecting CCM, without calling it that?
- Do teams continue to focus on the traditional rules-based approaches (and old tools)?
Without diving into explicit answers, perhaps we need to consider:
- One IIA position paper on 3LOD states
"Operational management naturally serves as the first line of defense because controls are designed into systems and processes under their guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events."
- The leading IA teams, with the exception of those that have significant supervisory oversight duties, have moved to more flexible, agile audit planning approaches (e.g. 3+9, 6+6).
- The views regarding CCM and where it should reside vary, but the position paper excerpt above provides some guidance - "first line ... controls in place ... highlight control breakdown".
- While the rules-based approaches have served IA folk well, it is time to move on; some of the traditional IA analytics software vendors have not progressed, and are keeping us in the past with them. This Deloitte article on fighting fraud talks about "investigate efforts" that can be impeded by, amongst other factors, "over-reliance on rules based testing".
With a recent series of reports highlighting failure by IA teams to leverage analytics, could this be the reason that the strategies are not working?
Some of those reports talk about repeatable analytics being a core component of the IA analytics strategy. Do you agree?