Changing Technology, Changing the Audit Mindset

Technology is changing the audit mindset in much the same way that it has changed everything else in society. As auditors have more access to more data, they need to approach their audits with this in mind. In the past, companies used internal audit to check all processes and all policies. Using detailed testing, auditors checked off boxes while filtering through pages of documentation. As organizations have become more complex, internal auditors and the c-suite need to change their audit mindset to match the substantial increase in information.

Traditional Audit Mindset, Traditional Audit Values

 
Reading into the history of internal audit, the process initially started during the Industrial Revolution to help companies report and control costs. This created a backward looking, reactive process. Due to the nature of technology, audit became focused on reviewing current processes, finding problems, then telling companies to fix them.
 
These traditional audit values were outlined by Almutaz Bakry Sidahmed in 2015,

Traditional Audit focus on audit cycle (time duration, when last audit occurred), focus on deficiencies in controls, and cases of non-compliance with policies and procedure manual which may be outdated sometimes…. traditional auditing an understanding of Business Unit operations is built through time consuming process mapping exercises and might rely on outdated P&P manuals and audit staff spread all over the company trying to cover the audit universe which sometimes extend to more than one year

In the traditional audit mindset, auditors intended to review the company processes as a whole.  The goal of this would be to send in someone unaffiliated with the company to determine whether managers engaged in the most efficient and legal processes. This approach positions the auditor as an enemy by creating a divisive relationship of critique.

Managers manually collected all information for audit, spending hours seeking out the testing materials and aggregating records not integral to the business. As companies grew in size, analyzing policies and procedures between large organizations and small ones became untenable. The backward looking process fell out of favor with forward thinking regulators and trade associations over the last thirty years.

Transition to Risk-based Audit Mindset

Automation began making the traditional audit mindset and process inefficient. However, companies continued to use traditional audit methodologies due to early systems while retaining some of the original audit perspectives.  In 2012, the AICPA noted the need to change audit mindset in a white paper,

[A]uditors collect and analyze audit evidence and form opinions pertaining to internal controls as well as reliability of the information provided by management. At the engagement conclusion, auditors present a formal report expressing their opinion. In fact, this approach reflects the twentieth century methodology whereby there are high costs and significant time delays associated with information collection, processing, and reporting. … [B]asic CAATS (Computer-aided Audit Tools) contain capabilities to enhance audit effectiveness and efficiency. However, they do not operate on a 24/7 basis and therefore fail to construct a truly continuous auditing environment whereby exceptions and anomalies may be identified as they occur. Alternatively stated, they do not work with real-time or close to real-time data streams and, thus, are not able to address questionable events such as potential fraud or irregularities in an optimized fashion….With this in mind, one could argue that the traditional manual and retrospective audit is becoming an untenable position.

This risk-based focus then intended to streamline the process to focus on those business areas most prone to causing the company reputational, legal, or financial risk. Since the new systems began to address events in real time allowing for faster responses by companies thus further mitigating risks, the risk-based approach became more popular. The risk-based approach transitions the auditor from being an enemy to being a partner in business success. GRC automation makes this partnership easier and the risks more transparent. Be eliminating unnecessary reviews, organizations save time. Being about to map risks across multiple frameworks in a GRC tool offers the added benefit of times savings that correlates directly to money saved. 

The COSO Framework

When discussing risk management audit models, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the COSO ERM – Integrated Framework historically act as benchmarks. In 2013, COSO released an updated Internal Control -Integrated Framework. In the Executive Summary, they noted

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal controls ineffective.

With the implementation of this framework, COSO solidified risk as within the purview of both internal audit and the c-suite. Warren Stippich of Grant Thornton, LLC noted,

In adopting the new guidance for risk assessment and other Framework components, internal audit will ordinarily be responsible for the facilitation of the mapping of controls to principles. Implementing controls and remediating control weaknesses, however, will generally be the work of the CFO, the controller’s function and general counsel, and others such as internal audit. Boards and audit committees also have an important role to play in ensuring that any deficiencies in internal control noted by those charged with monitoring and reporting, including external bodies, are corrected. Overall responsibility, however, falls to management: It is their responsibility to ensure that the checks and balances in the organization exist for a sound system of internal control.

While the transition to COSO 2013 may take a great effort for some companies, the new guidance around risk assessment presents an opportunity to achieve important operational objectives. When implemented, the Framework can be more than just a compliance exercise — the requirements can help improve operational efficiencies and increase productivity.

Under this framework, management bears the responsibility for ensuring the ongoing strength of the organization’s controls. For many long time industry professionals, this new approach required some effort and buy in. Under this framework, management and the audit team need to work together to ensure productivity. Using an automated tool creates ease of collaboration. Lowering the time spent communicating means lowering the cost of compliance. 

The Risk-Based Audit Mindset and Profit 

Profitability creates buy in for the Board and c-suite. Risk-based audit models save time which increases profitability. By focusing on those areas whose noncompliance could cause the most damage to the company, risk-based audits lead to more focused results. Keeping in mind that audit originally intended to streamline business practices, the greater efficiency of risk-based audit makes historical sense. According to Jason Mefford, the writer of Risk Based Internal Auditing and writer of Risk Based Internal Audit Training, 

Risk based auditing is about focusing on those areas that stop an organization from meeting its key objectives instead of just looking at controls. Too often auditors are focused on testing low impact processes and controls, while ignoring a focus on key objectives. When auditors take a risk based approach, focusing on those forces and events most likely to impact an organization meeting its key objectives, that is when the provide the most value to their organizations, helping increase profitability.

Information technology audits under the risk-based audit mindset can provide the same types of corporate savings. Greater risk in the IT realm means loss of money or reputation due to a breach. Those costs are the same types of savings as a manufacturer identifying time saving processes in its labor stream.

Viewing the risk-based approach as a profitable exercise fosters a greater corporate culture of compliance. In addition, this transitions the audit mindset from conflict to camaraderie. When all audit parties view one another as financial assets, they cooperate more fully.  GRC tools help audit parties collaborate which in turn adds financial value to your organization’s compliance stance. 

Automating the risk-based Audit

Since audits no longer seek to test the entire organization, automating the compliance space when using the risk-based audit model makes the process even more efficient and profitable. By integrating risk control information with the the internal audit goals, the organization can stream line the execution of risk and compliance work. Further, by coordinating documentation in one shared space, critical evaluations and risk assessments will make creating the audit scope smoother. When the audit goes more smoothly, the profits increase. With this ease of access to information and documentation, the application of the risk-based audit approach becomes more appealing.

Shifting a mindset takes time and energy. People find change difficult and frustrating leading them to rely on old habits. However, automation can make the company’s audit mindset transition easier.  

If you want more information on how to use automation to help change your organization’s audit mindset, contact one of ZenGRC’s GRC specialists today.

Based out of California, Jason Mefford is a well-known speaker on all things ethics, corporate governance, risk management, GRC, compliance and internal audit related. He has authored two books, Risk-Based Internal Auditing and Masters of Success.  He was also a contributing author on the OCEG GRC Capability Model v3.0. Mr. Mefford sat down with ZenGRC to discuss his new training platform, cRisk Academy, as well as changing an organization’s approach to risk.

ZenGRC: What’s interesting about cRisk Academy is that you bring with you both auditor and trainer experience. What was the catalyst for cRisk? How does your background uniquely situate the academy?

Mefford: I spent many years as both an external and internal auditor, was a Chief Audit Executive at two large companies, was responsible for information security, risk management, ethics & compliance, and have now been a trainer for many years. I understand the information that I needed to do my job better as an auditor, what I needed for the employees who worked for me, and now the needs of students I have in my courses.

Most people have a desire to understand risk better. Since the business context now changes rapidly, as a result of new technologies, it’s more important now than ever for individuals to understand how forces, events, and changes in condition impact their organization’s ability to meet their objectives. Companies that have been at the top of their industries now no longer exist, and some companies are now worth billions of dollars didn’t exist a few years ago.

Risk-based professionals need training to improve their professional competencies, but unfortunately many organizations have cut back on training budgets and often require professionals to “take vacation” in order to go to training. I also see a large demand for risk-based professionals outside the US wanting high-quality training. I spend most of my year traveling the world speaking and teaching, but I know I can’t reach everyone in person.

Also, as a trainer I personally wanted to provide a better option for authors. Many of the training companies and platforms do not pay authors enough to make a living, which I believe is very unfortunate. I realized there needed to be an option for students to get affordable training that they need, but also to fairly compensate expert authors. Since I couldn’t find one that existed, it seemed like the right thing to create one.

ZenGRC: What is your intended audience for cRisk? CISOs? CIOs? Auditors? Developers? Do you have any future plans to expand that audience?

Mefford: Our intended audience is anyone who considers themselves a risk-based professional and/or wants to “see” risk more clearly in their organization. That could be anyone in audit, risk management, governance, compliance, GRC, IT, etc… and even management. While many of our trainings are focused on helping practitioners do their jobs better, many of our courses are applicable to everyone in the organization, even the C-Suite.

We have an agreement with AuditNet® an online digital network where auditors share resources, tools, and experiences including audit work programs and other audit documentation. AuditNet® has been doing live webinars for many years and has a significant library of previously recorded webinars on internal audit topics. Our agreement allows us to publish the previously recorded AuditNet® webinars, and make the valuable learning available to auditors all over the world in an on-demand format. One of the problems with the webinar business has been once the webinar is over, the great content presented by experts is not longer available. We are happy to be able to provide a platform so auditors can now gain access to these previously recorded webinars from AuditNet®.
Many of the courses on our platform now are from AuditNet®, so they are specifically focused on improving internal audit practitioners skills.
We do have plans to add many more courses on corporate governance, risk management, ethics, and many more topics that are relevant to any risk-based professional.
 
ZenGRC: Talk to me about your platform. Since we’re all computer folks around here, what’s the difference between your platform and other training sites? Is this like a Netflix for webinars? Or an Amazon rental for webinars? 

Mefford: This is a great question and a great analogy to other entertainment platforms. Since my partner and co-founder has a background in the entertainment industry, we built our platform to match what people are used to doing with entertainment. We offer webinars, webinar replays, and on-demand training through our platform. Let me explain how it works using the entertainment analogy.

I personally have subscriptions to Netflix, Hulu, Amazon Prime, HBO Now, cable, and use Apple’s iTunes TV service. Most of those are subscription based, except for Apple. I pay monthly for the ability to watch movies and TV shows through those platforms whether I use the services or not. I don’t really like that option, especially my monthly cable subscription. I pay for cable so I have the ability to watch live sporting events, that are not available on one of the other platforms, but I also pay for many channels and programs that I don’t ever watch.

With cRisk Academy we wanted to provide an option that put the student in control of their schedule, and only have them pay for the content they want, without being locked into a subscription. I tend to find that even though I have several subscriptions, I am often left going back to Apple to find an on-demand option, so I have the flexibility to see what I want on my schedule.

I personally really enjoy the show “Game of Thrones,” and we can use that show to help illustrate how our platform works. “Game of Thrones” is an HBO original content program. If I want to watch the show I have a few options. I can watch it each week when a new episode is released on HBO. I can watch it through the HBO Now application. I can purchase it through Apple.

Since I travel often, it is difficult for me to watch the show at the appointed time each week. Watching at the appointed time is like attending a live webinar. It’s a lower investment, but I have to be available to consume the content at the appointed time, and I only get to watch it once.

Another thing about watching live TV is the commercials. Someone has to pay for the content. When we choose to watch live TV as a viewer we “pay” by having to watch the commercials from companies who are sponsoring the cost of the program. Most “free” webinars fall into the same category and require you to essentially watch a commercial from the organization sponsoring the webinar so you can watch for “free.”

We wanted a different approach where the student pays a small fee for the webinar, but receives hundreds of dollars in value from the presenter. Not only do the students get great content, to improve their career and help them do their job, but they also receive practical tools and special offers the presenter would normally charge their clients hundreds of dollars to receive.

If HBO offers reruns of the show, I could see when “Game of Thrones” was playing and watch a rerun. I would still have to schedule my time to be available for the rerun, but since there are usually several reruns, I would have more options.
This is like our webinar replays, only our platform allows students to select from several different time slots in the future, both during and after business hours, based on their time zone. No longer does one have to attend a webinar in the middle of the night.

Lastly, is the on-demand option. Since my schedule didn’t allow me to watch “Game of Thrones” live or as a rerun, I had the ability to purchase the entire season through Apple and watch it when and where I chose. Even though I have an HBO Now subscription, I am often blocked from using it when I am traveling internationally and can’t watch it on the airplane. For these reasons, I chose an on-demand option by purchasing the entire season through Apple. I paid more for the convenience, but then I could watch it when it was convenient for me. Another benefit, I can now watch the series as many times as I desire.

This is like our on-demand option. Once a student registers for the course, they can watch it when and where they like, as long as they have an internet connection. They can also watch and rewatch the training as many times as they want. All of the training remains in the student’s account forever.

Just like Apple, where I have the ability to purchase individual episodes or the entire season, we also offer the ability to register for individual 1-2 hour sessions, or get the entire “season” what we call bundles. You save when you purchase a bundle, just like you save when you get the whole season.

By offering training as webinars, webinar replays, and on-demand we are trying to provide students with flexible options to meet their schedule.

ZenGRC:  From the perspective of a client, I love that these are individually priced. My state recently instituted a CLE requirement that makes it cost ineffective for me to retain ongoing licensing. Explain to me what the options are for individuals in my situation.

Mefford: Your experience reminds me of an experience from my own life. I had just moved to California and had just gone through the reciprocity process to get my California CPA license. I was already a licensed CPA in Idaho, but now that I had a license in two states I was hopeful my employer would support me in paying for my CPE training and licensing in both states.
When I approached my boss he said, “I know you spent a lot of time and effort getting your CPA. Most people who get it would hate to let it go.”
He was thinking exactly what I was thinking. I would hate to let any of my certificates or licenses lapse because of the time and effort I put into getting them. It’s unfortunate some companies are not supporting their employees now in their professional development. The employees really want to maintain them and shouldn’t let all that hard work go down the drain because of lacking CPE.

Luckily for me he was very supporting, and my company at that time and helped pay for my licenses and CPE training. Now that I am on my own, I pay thousands of dollars a year to maintain all of the certification, licensing, and CPE on my own. I do that because I worked so hard to obtain those certifications and licenses in the first place, that I don’t want to let them lapse.

As I mentioned before, many people who work for large organizations are asked to pay for it themselves. One reason for creating cRisk Academy is to help people have access to CPE at a much lower cost, on their time schedule.

We have also taken an approach to make our trainings available in smaller sizes (1 or 2 hours) and bundled into larger courses of multiple hours or days. This was a way to help students customize their learning experience so they only get what they need, and what they can afford, when they want it.

I remember a story from business school one of my professors told us about toothpaste. Toothpaste is something we use each day and don’t really think about. We buy large tubes and use it for weeks or months at a time. The story he told us was about how some consumer products companies that make toothpaste actually create special “one-time-use” packaging for certain parts of the world. It seemed odd to me at first until he explained they needed to do that because some people in the world can only afford to pay for a single serving of toothpaste. To them, brushing their teeth was a luxury they couldn’t afford everyday.

That story has stuck with me, and I guess one reason we do this is to help people that only need a “single” serving of training, instead of a full three-day course. It also is helpful for individuals who get to the end of their CPE year and see they are a few hours short. Now with cRisk Academy, they can purchase just the hours they need to maintain their CPE.
 
ZenGRC:  When looking at CLE requirements, many people think that having an “accredited” program is necessary. Is this true? How do you feel cRisk Academy can change that mindset?

Mefford: I’m going to let you in on a little secret that will probably make the accrediting companies mad.
One of the biggest accrediting companies in the US is the National Association of State Boards of Accountancy (NASBA). NASBA was created to help ensure Certified Public Accountants (CPAs) training is high quality and has reciprocity agreements with all of the state boards of accountancy. The idea is that if a training is NASBA accredited, it would be accepted by any state board of accountancy in the US for CPE purposes. For this reason, many people look specifically for NASBA accredited courses.

The reality is, only a handful of state boards of accountancy in the US require CPE to be NASBA accredited. I am personally a CPA in two different states and neither requires my CPE to be NASBA accredited. Each state does have their own CPE requirements, but those vary from state to state and are usually based on topic areas instead of accreditation.

Internationally NASBA accreditation is not relevant unless the student is a US CPA; and, as I already said, their state may not even require NASBA accreditation.
I have many different certifications and two CPA licenses. Only one of my certifications is particular about having accredited training, which means I am free to choose the training I need for the others, within the parameters of my certifications and licenses, to have most of my training qualify for my annual CPE requirements.

We decided not to go through the NASBA accreditation process, as it is very cumbersome and costly, especially in an online training format. We decided that since most people using our training platform wouldn’t require NASBA accreditation, there was no reason to add extra cost to our trainings when it wasn’t needed.

Our platform is perfect, for someone in your situation, who can’t afford the time away from work, or the large investment required to obtain in-person accredited training to maintain their certificates and licenses. It also allows you to customize your learning experience to get exactly what you need to do your job and meet your individual CPE needs.

One last comment on this area. It is important for people to focus on why we need to obtain CPE, not just obtaining CPE. Certifications and licenses mandate a certain number of CPE hours each year to help ensure professionals are staying relevant with changes and are competent to do their jobs. One’s focus should be obtaining the training they need to improve their career and do their job, not just getting CPE “hours.”

I think that is also one of the benefits of our training platform. Students can get the training they need to improve their career, and use the training for their CPE requirements. We offer CPE certificates for all of our courses once the course is completed, so students can track their training hours and use it in their CPE reporting each year.
 
ZenGRC: Your book really tries to get auditors to think differently, more holistically, about the way the audit process fits into the greater scope of business. Can you explain to me some of the ways in which you approach audit differently from others? Why do you feel this approach is better for an organization?

Mefford: The name of my book you are referring to is Risk-Based Internal Auditing. I used that title because lots of auditors realize they need to use a “risk-based” approach to auditing, but there are some misconceptions about what it really means to be risk-based in your audit approach.

What I advocate is “focusing on objectives, not internal controls.” I like to joke that an auditor never sees an internal control he/she didn’t want to audit. This causes many auditors to believe they need to test all of the controls in their organizations.

The real trick is to only audit key controls that relate to response activities their organizations are using to help meet key objectives. Auditors tend to focus first on controls instead of taking a couple of steps back and considering the organization’s objectives. As a result, they audit the details instead of looking at the bigger picture where they can provide more value to their organizations.
There are really three things that affect whether an organization achieves its objectives, which go back to the concept of Principled Performance®. Organizations are trying to reliably achieve objectives (performance) while addressing uncertainty (risk/reward) and acting with integrity (mandatory and voluntary compliance). Auditors should be focusing on the forces, events and changes in condition, that impact their organization’s ability to achieve objectives in those three areas. My book helps to explain how auditors can focus on the “significant” items.

The concept of Principled Performance®, created by OCEG, the organization that invented GRC, is really what my book is about. How auditors can help provide assurance to their board and management that the organization is on track to meet its objectives. This approach is better, since it focuses the auditor’s efforts on what matters most to the organization, not just what the auditor wants to, or thinks is important to audit.
This is a common theme I teach people in all of my trainings, including those on the cRisk Academy training platform.
 
ZenGRC:  One of the things we talk about constantly in infosec is building a culture of compliance and awareness. From what you’re telling me about your approach to audit and cRisk, it feels as though this is very much on your mind. How would you envision cRisk adding to culture shift within organizations?

Mefford: For organizations to succeed in the future they must be more risk aware. They must practice the concept of Principled Performance®. The risk-based professionals we are trying to reach through cRisk Academy need to clearly understand forces, events, and changes in conditions. They need to learn a language they can use to help others in their organization understand these concepts.

Culture in an organization is based on values and beliefs that lead to individual behaviors. The way to change culture is changing belief. Belief changes through education and experience.

If an organization wants to build a culture of compliance and awareness, their employees need to be educated (that’s where cRisk Academy comes in) and have experiences that support that culture.

Cultural change is a long-term process that requires repetition, another way cRisk Academy helps. Our on-demand trainings are available to the student as long as they maintain their account. They can go back and watch the video lectures again and again, until they really understand the concepts and can apply them in their job.