Richard Chambers, president and CEO at The Institute for Internal Auditors, often talks about “auditing at the speed of risk.” In today’s business environment, that can feel like lightning speed. Things change fast—from economic volatility to disruptive technologies to new regulations—and companies have to be able to adapt.
Operating at this pace creates new and greater risks for organizations, and the role of internal audit becomes even more important in helping companies navigate this complex environment. Traditionally, auditing has mostly focused on evaluating the past and ensuring compliance. While that will always be important, the role is evolving to serve a more strategic purpose. Organizations are looking to their internal auditors to help them identify and address issues as they are happening and predict future risks that could impact performance.
PwC’s “2017 State of the Internal Audit Profession” study highlighted one way internal audit functions are helping organizations look forward and proactively manage disruption. “As disruption occurs, agile internal audit functions help the organization in multiple ways. For example, they more frequently provide a point of view around risks associated with disruptive events, coupled with advice on the process and controls design needed in response.”
Taking this “audit forward” approach requires two important capabilities—the ability to access and report on information quickly and the flexibility to easily make changes to processes and plans. But this can be challenging for internal auditors who don’t have a finance system that was designed to provide this insight or adapt to today’s pace of change.
One of the biggest issues with current legacy and cloud-based ERP providers is that their compliance, internal controls, and audit capabilities are sold as separate solutions that sit outside of the core financial system of record. As a result, auditors (both internal and external) end up spending most of their time and resources working between systems to gather information and verify processes for events that have already happened.
Other issues exist as well. While many traditional legacy solutions were designed with an audit trail documenting everything that happens in the system, it is optional and many customers turn it off because of the significant impact to performance. Also, controls, workflows, and approvals are delivered for only select transactions and business processes, which require additional effort to add more.
Because Workday was built post-Sarbanes Oxley, we had the luxury to consider SOX requirements in the design of our solution. With Workday, audit, controls, and compliance are part of the foundation and leverage our Business Process Framework—where business processes are defined and tied directly to organizational structures and role-based security. All activity is modeled and governed in one place, so nothing happens in Workday without being documented.
This makes a huge impact on the auditing process. Every change that happens in the system is self-documenting, including who made it and when it was made, making it very easy for auditors to access and verify information. For example, an auditor can review a definition of a business process for journal entry approvals to ensure it is designed effectively, and then look at the audit log to verify if anyone made changes to that definition for change management control, all within the same system.
This always-on audit trail becomes especially important when a company is going through major change, such as transitioning to the new revenue recognition standards, ASC 606. The new standards can impact both historical and future periods and transactions, potentially affecting a company’s financial statements. Documentation and auditability of the entire process is critical so there are no surprises when closing the books and issuing financial statements. Workday simplifies the auditing process for finance teams and auditors, enabling them to see how a contract moves through the organization for approvals, making it easier to verify every step, change, and approval during this conversion to the new standard.
Workday’s in-memory architecture allows all transaction data to be accessible at any time and that data is real-time, making it easier to create reports and analyze information. Auditors can also configure auditor dashboards to monitor activities such as manual journal entries or executive expenses in real time, so any issues can be identified and addressed quickly.
Ensuring compliance from the rearview mirror is no longer enough in today’s business environment. Organizations must be able to look forward at potential risks and compliance needs and factor those into their strategic planning. Having the right technology foundation will make all the difference—helping internal auditors become more efficient and effective at auditing practices while giving them the capabilities and bandwidth to partner more closely with the business on strategy.
Read the first six blogs in this series: