Audit and compliance functions are designed to evaluate how a business unit actually operates compared to ideal operations. Generally, audits review past performance for a defined period and frequently use sampling to form an opinion of how the business operated overall.
This means that audit assurance – that is, our confidence in the auditor’s opinion – is directly tied to the sample size and the audit period. A large sample size in a small time frame gives you high confidence in that opinion; conversely, a small sample size over a long period makes you wonder if the audit results give a true and accurate picture of how things are really running.
What if there was a better way to assess operational risk? This article will cover:
Operational risk is defined as the difference between the risk factors identified by a business versus the actual risks present from day to day. This manifests in a number of different ways, and it may be best illustrated if we think about the challenges faced by our local five & dime:
This is, of course, oversimplified, but it gives you some context about the types of risk businesses might face. A business might protect itself from external fraud, for example, by putting up security cameras to catch shoplifting, without realizing the risks that could be eliminated by switching to a more durable price tag.
The classic method for identifying operational risk is to audit a business’s procedures and processes. There are several levels of auditing. The simplest audit is to ask the business unit to provide its processes or procedures, usually in the form of a written policy. Auditing through inquiry in this manner provides the business little to no information about what is actually happening at the operational level – it is simply an inquiry into how the business would run in an ideal state.
A slightly more complex audit would be to observe individuals engaged in the task. This is a relatively small sample and can be quite time-consuming if the task is complex or involves multiple steps. Additionally, businesses tend to engage their best performers for this type of audit, and so it may not give you an accurate picture of how these processes and procedures are done on average. In auditing terms, this method may involve a high degree of deviation, given that the process may be performed differently under different circumstances.
To increase confidence in the auditing process, an auditor may inspect evidence of how the process was performed in the past. The reliability of the audit conclusion is directly tied to the amount of evidence the auditor examines – for example, looking at one hundred results of a business process is exponentially more informative than reviewing ten results. Additionally, an audit team may actually re-do a process on their own to see if the results come out the same, particularly if the process is automated.
To obtain the highest assurance that a process is operating as intended, an auditor uses technology to examine information with computer-assisted auditing techniques. A larger dataset provides high confidence of how the process is running because a computer can validate a tremendous volume of information, and that information can be harvested from a vast array of time periods, typically from near-real-time to as far back as the records are kept. Additionally, using recently created data allows a business to be agile in identifying operational risk – the issue can be caught quickly, rather than having to wait for the results of an annual audit.
The various techniques can be expressed like this:
Because computer-assisted auditing can cover a large sample size in near-real-time, it is the optimal choice for identifying operational risk. Often one of the biggest challenges is simply installing a system that can capture data on an automated basis. As an efficiency, businesses look for points where data is already being exchanged as a way to tap into compliance data – in our five & dime example, this might be the point-of-sale system.
In this scenario, our store can increase its audit assurance by reconciling information from the point-of-sale system against its inventory and ordering system, particularly if any discrepancies are researched until they are resolved.
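The reconciliation described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the SKUs, quantities and the `reconcile` function are constructed for illustration, and it assumes both systems can export per-SKU figures for the same period.

```python
from collections import Counter

# Constructed sample data for illustration (not from the article).
# Point-of-sale export: one (sku, quantity sold) pair per line item.
POS_SALES = [
    ("TAG-001", 2), ("TAG-001", 1), ("CANDY-10", 5),
    ("TOY-77", 1), ("CANDY-10", 3),
]
# Inventory/ordering records: sku -> (opening count, units received, closing count).
INVENTORY = {
    "TAG-001": (10, 0, 7),
    "CANDY-10": (20, 12, 22),  # 20 + 12 - 8 sold = 24 expected, 22 counted
    "TOY-77": (4, 0, 3),
    "PEN-05": (15, 0, 14),     # no sales recorded, yet one unit is missing
}

def reconcile(pos_sales, inventory):
    """Check every SKU (full population, no sampling) and return open findings."""
    sold = Counter()
    for sku, qty in pos_sales:
        sold[sku] += qty
    findings = []
    for sku in sorted(set(inventory) | set(sold)):
        if sku not in inventory:
            # A sale with no matching inventory record is itself a finding.
            findings.append({"sku": sku, "issue": "sold but unknown to inventory",
                             "variance": None, "status": "open"})
            continue
        opening, received, closing = inventory[sku]
        expected = opening + received - sold[sku]
        if closing != expected:
            findings.append({"sku": sku, "issue": "count mismatch",
                             "variance": closing - expected, "status": "open"})
    return findings

if __name__ == "__main__":
    for finding in reconcile(POS_SALES, INVENTORY):
        print(finding)
```

Each finding carries an `open` status so it can be tracked until the discrepancy is researched and resolved.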
To the business, the best auditing techniques are worthless if the information isn’t shared in a meaningful way. When using an automated system, it’s important that the system alert its users when it identifies an issue. Perhaps just as critical is actually operationalizing the audit findings – management must actually correct defective processes or otherwise remediate points of failure to correct the problem.
Management must re-examine the business process to identify other possible data sources and key risk indicators and, perhaps more importantly, parts of a process where there is no measurement, as those are possible blind spots. In this way, measuring operational risk never stops, but rather is a continuous cycle of defining a process, performing it, measuring it, and correcting errors and making incremental changes to seek improvement.
At NeuAnalytics, our compliance and risk management systems deliver you reports in real-time about how your organization is functioning. With a fully automated system, your staff can remain confident in their compliance efforts, while reducing possible risks. Connect with us about how NeuAnalytics can provide custom solutions tailored to your needs.