As organizations find increasing pressure both from regulatory bodies and other stakeholders both inside and outside the organizations to comply with a growing list of by laws and regulations, audit departments increasingly find themselves trying to navigate complex audit environments. A complex audit environment differs from a traditional audit environment based on a number of factors observed by Blue Hill Research. These factors include: the high volume of audits, the audits are transaction-driven instead of calendar-driven, the audits cover a variety of subject matters, and the organizations are required to comply with the requirements of a variety of regulatory bodies. Rather than just a requirement to conduct quarterly and annual audits, internal or external pressures require that these organizations conduct almost constant audits for assurance that business activities are properly conducted, regulations properly followed, or risk mitigation activities properly completed.
AT A GLANCE
To assess the impact of audit process automation on complex audit environments, Blue Hill Research analyzed the reported experiences of two organizations with respect to key audit challenges, corresponding investments in audit process automation, and the resulting impact for the organization.
Characteristics of Complex Audit
- Diversity of Subject Matter
- Diversity of Requirements
- Platform Configurability
- Reporting & Analytics
- Workflow Automation
- Process Management
- Requirements Library
- Profiled Organizations reported a 70-90% reduction in time to complete pre-audit preparation
- Profiled Organizations reported a 40-60% reduction in time to complete quarterly audit
- Increased capacity to drive new strategic initiatives
Governance, Risk, and Compliance (GRC) software provider DoubleCheck Software offers a vision and software solution for audit process automation developed uniquely for complex audit environments that emphasizes a combination of requirements management, process management, workflow automation, and analytics capabilities. Unlike best-of-breed audit tools, specific to work paper management, the DoubleCheck strategy emphasizes the integration of these capabilities within a highly configurable suite to support the full scope of the audit process as well as provide the flexibility to support evolving needs. In order to assess the potential business value of this strategy in complex audit environments, Blue Hill Research investigated the investments of two organizations demonstrating key attributes of DoubleCheck’s strategy. This report summarizes the observed complex audit business cases and investment characteristics, and the resulting improvement in efficiency and accuracy reported over legacy approaches, including a 60% reduction in the time to complete quarterly audits.
Defining the Complex Audit Environment
In contrast to periodic or intermittent audit needs typically targeted at validation of controls, process audits (such as an AP audit), or a financial report audit that might be familiar to non-practitioners, the complex audit environment is characterized by a multitude of interconnected circumstances between an organization and its regulatory requirements. Blue Hill Research divides those circumstances into four basic categories (Table 1). These characteristics are not absolute values, but should be viewed as a matrix by which organizations can evaluate the relative complexity of their own audit requirements.
To greater and lesser degrees, all organizations confront these factors. Determining whether an organization’s circumstances rise to the level of complex audit depends on the interaction of these factors and the scope of operational and business impact. To this end, the occasional, customer-driven audit does not give rise to the same scope of organizational demand as on-going audits against a variety of requirements. In particular, Blue Hill observes that complex audit environments frequently possess a decentralized aspect. Rather than being driven down through a central functional area, such as compliance or risk departments, the complex audit emerges out of ongoing business operations and discrete business units and sites, such as various regional branches or storefronts, spread across multiple geographic locations and, often, jurisdictions. Management of a complex audit thus necessitates balancing the requirements, needs, and frankly, desires of disparate stakeholders—both within the business structure of the organization and outside of the business environment.
Examples of organizations facing complex audit environments are:
- Insurance companies for policy audits
- Mortgage lenders or other lenders engaged in similar secured transactions
- Multi-location banks
- Multi-location large chain stores for inventory control and regulatory compliance
- Multi-location chemical manufacturers to verify environmental compliance
- Research organizations engaged in clinical trials or studies using controlled substances.
In these environments, traditional audit methods are often unsatisfactory, as these approaches are generally intended to support particularized and detailed (but intermittent) inquiries, rather than diverse, ongoing assurance efforts. In a complex audit environment, management is about more than just organizing and completing a single audit, but it is incumbent on the organization to ensure that the various audits facing an organization are completed simultaneously and with a high degree of accuracy—assuring the value of the audit. In that vein, the organization must confirm that all necessary steps are completed and that efficiency is maintained. In addition, due to a lack of resources and strategic IT focus, audit departments are frequently left to perform their functions with legacy, siloed tools that have resulted from prior best-of-breed investments. Ultimately, these factors lead to slower audit processes, overloaded audit backlogs, and an increased likelihood of inaccuracies or errors that contribute to overall risk exposure.
DoubleCheck balances its software on four key pillars: use case personalization, configurable workflows, analytics reporting, and data visualization capabilities.
- “Workbench” environment tailored to provide each role with information relevant to their responsibilities
- Centralized data management structure
- Customizable options to meet client needs
Data Visualization Capabilities
- Heat map, graphs, and dashboard views
- Robust workflow and process management framework
- Highly configurable to match customer process
Audit Process Automation: Capabilities and Articulated Value Proposition
DoubleCheck’s audit process automation solution set is, in part, a response to the needs of the complex audit. To this end, the software provider articulates a comprehensive vision of the integrated coordination of audits from audit requirements management to execution and reporting. Core functionality sets included in the scope of DoubleCheck’s approach include a requirements library, process management capabilities, workflow automation and alerting, and reporting and analytics capabilities provided via an integrated Jaspersoft business intelligence engine, which supports advanced reporting, analytics, and visualization. In addition to these core capabilities, the DoubleCheck platform supports audit process automation through dedicated audit capabilities, such as auto-sampling and compliance template question mapping.
Individually, the functionality components included in this approach are not unique to audit management or the demands of complex audit environments. As such, two non functional attributes of the DoubleCheck platform are crucial to this approach: the degree of suite integration with other key GRC components and the degree of platform configurability. Both the integrated nature of the applications and the platform configurability represent core elements of the DoubleCheck audit process automation strategy. Standalone, best-of-breed audit applications, such as work paper management or transaction monitoring software, address specific functionality as discrete tools, creating application and data silos which contribute to inefficiencies in the audit management process as well as exacerbate the potential for error.
By contrast, the DoubleCheck approach is intended to maintain centralized management and continuity as the audit progresses through activity stages. Further, the high degree of configurability within the platform permits a high degree of persona- and project-based interface, data, and process exposure, and flexibility of workflow and data models. The flexibility of the solution permits a high degree of personalization to assist with the simplification of work environments as well as to enable self-service and self-reporting by audit stakeholders. Further, the adaptability of processes and data models offers organizations the ability to tailor the platform to varying sets of requirements and audit workflows, as well as preserve flexibility to adapt the solution to changing needs. Figure 1 provides an illustration of the functional components and non-functional aspects of this strategy.
The core value proposition of audit process automation in the context of complex audit is the capability to coordinate diverse sets of requirements, enforcing centralization and continuity of data within a single source of truth, and automation of manual and repetitive efforts. The articulated benefits of these changes primarily derive from: (1) reduced time to audit completion, (2) increased accuracy and reliability of audit, (3) increased efficiency of audit personnel, and (4) consistent and precise repeatability.
Nothing in these value propositions is unique to either the notion of audit process automation or complex audit. To this end, Blue Hill observes that a similar mix of process efficiency and risk mitigation objectives generally drives audit management investments. The distinct value enhancement offered by audit process automation in the complex audit context results from repeatable, efficient process that removes manual, ad hoc, and unnecessary steps while preserving the flexibility to map a coherent solution to a diversity of audit needs and stakeholders. Further, the removal of the silos between the solutions and centralized management of the platform provides the stakeholders with greater control over the individual audit and provides the stakeholder with greater control to meet evolving challenges.