Leveraging Data Driven Compliance To Reduce Operational Risk

Audit and compliance functions are designed to evaluate how a business unit actually operates compared to ideal operations.  Generally, audits review past performance for a defined period, and frequently use sampling to form an opinion of how the business operated overall.  This means that audit assurance – that is, our confidence in the auditor’s opinion – is directly tied to the sample size and the audit period.  A large sample size in a small time frame gives you high confidence in that opinion, and likewise a small sample size over a long period makes you wonder if the audit results give a true and accurate picture of how things are really running.

What if there was a better way to assess operational risk?  This article will cover:

  • How can my business use data to increase audit sample size?
  • How can my business use data to shorten audit periods?
  • How can my business use automated processes to improve audit and risk analytics?
  • How can I reduce audit cycle times?
  • What is the best way to identify operational risk?

What is Operational Risk?

Operational risk is defined as the difference between the risk factors identified by a business versus the actual risks present from day to day.  This manifests in a number of different ways, and it may be best illustrated if we think about the challenges faced by our local five & dime:

  • External fraud, such as customers switching the price tag on an expensive item for a lower-priced one.
  • Internal fraud, such as inaccurate timekeeping.
  • Inaccurate or incomplete internal reporting, such as inaccurate manual recovery counts that lead to incorrect stocking. 
  • Incorrectly configured business processes, for example if days are missed because inventory is ordered once per week but reconciled monthly.
  • Errors and omissions by employees, such as manually entering inventory incorrectly during a sale.

This is, of course, over-simplified, but it gives you some context about the types of risk businesses might face.  A business might protect itself from external fraud, for example, by putting up security cameras to catch shoplifting, without realizing the risks that could be eliminated by switching to a more durable price tag.

How to Use Assessments to Identify Operational Risk

The classic method for identifying operational risk is to audit a business’s procedures and processes.  There are several levels of auditing.  The simplest audit is to ask the business unit to provide its processes or procedures, usually in the form of a written policy.  Auditing through inquiry in this manner provides the business little to no information about what is actually happening at the operational level – it is simply an inquiry into how the business would run in an ideal state.

Increasing Confidence in Manual Auditing Processes

A slightly more complex audit would be to observe individuals engaged in the task.  This is a relatively small sample, and can be quite time-consuming if the task is complex or involves multiple steps.  Additionally, businesses tend to engage their best performers for this type of audit, and so it may not give you an accurate picture of how these processes and procedures are done on average.  In auditing terms, this method may involve a high degree of deviation, given that the process may be performed differently under different circumstances.

To increase confidence in the auditing process, an auditor may inspect evidence of how the process was performed in the past.  The reliability of the audit conclusion is directly tied to the amount of evidence the auditor examines – for example, looking at one hundred results of a business process is exponentially more informative than reviewing ten results.  Additionally, an audit team may actually re-do a process on their own to see if the results come out the same, particularly if the process is automated.

Using Data to Audit Business Processes

The way to provide the highest assurance that a process is operating as intended is computer-assisted auditing, in which an auditor uses technology to examine information.  A larger dataset provides high confidence of how the process is running, because a computer can validate a tremendous volume of information, and that information can be harvested from a vast array of time periods, typically from near-real time to as far back as the records are kept.  Additionally, using recently created data allows a business to be agile in identifying operational risk – the issue can be caught quickly, rather than having to wait for the results of an annual audit.

The various techniques can be expressed like this:

Using Data to Identify Operational Risk

Because computer-assisted auditing can cover a large sample size in near-real time, it is the optimal choice for identifying operational risk.  Often one of the biggest challenges is simply installing a system that can capture data on an automated basis.  As an efficiency, businesses look for points where data is already being exchanged as a way to tap into compliance data – in our five & dime example, this might be the point-of-sale system.  In this scenario, our store can increase its audit assurance by reconciling information from the point-of-sale system against its inventory and ordering system, particularly if any discrepancies are researched until they are resolved.
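
The reconciliation described above, as an added example that is not part of the original article: every point-of-sale line for a period is checked against the inventory and ordering records, rather than a sample.  The SKUs, quantities, prices and field layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data for one period at the five & dime (not real records).
CATALOG = {"A100": 12.00, "B200": 1.50, "C300": 4.25}   # sku -> list price
OPENING = {"A100": 10, "B200": 40, "C300": 25}          # count at period start
RECEIVED = [("A100", 5), ("B200", 20)]                  # ordering system receipts
COUNTED = {"A100": 11, "B200": 51, "C300": 20}          # count at period end
POS_SALES = [  # (receipt_id, sku, quantity, unit price charged)
    ("r1", "A100", 2, 12.00),
    ("r2", "B200", 6, 1.50),
    ("r3", "C300", 5, 4.52),   # price keyed in by hand with transposed digits
    ("r4", "B200", 4, 1.50),
    ("r5", "A100", 1, 12.00),
    ("r6", "Z999", 1, 3.00),   # SKU that does not exist in the catalog
]

def reconcile(opening, received, sales, counted):
    """Return {sku: counted - expected} for every SKU whose count does not match."""
    expected = defaultdict(int, opening)
    for sku, qty in received:
        expected[sku] += qty
    for _rid, sku, qty, _price in sales:
        expected[sku] -= qty
    skus = sorted(set(expected) | set(counted))
    return {s: counted.get(s, 0) - expected[s]
            for s in skus if counted.get(s, 0) != expected[s]}

def price_exceptions(sales, catalog):
    """Return receipt ids with an unknown SKU or a price that differs from list."""
    return [rid for rid, sku, _qty, price in sales
            if sku not in catalog or abs(price - catalog[sku]) > 0.005]

if __name__ == "__main__":
    # A100 short by one and B200 over by one is the pattern a swapped price
    # tag leaves behind: the cheap SKU was rung up, the expensive item left.
    for sku, variance in reconcile(OPENING, RECEIVED, POS_SALES, COUNTED).items():
        print(f"inventory variance {sku}: {variance:+d}")
    for rid in price_exceptions(POS_SALES, CATALOG):
        print(f"price/SKU exception on receipt {rid}")
```

Each variance and exception is a discrepancy to research until it is resolved; a SKU that reconciles to zero, like C300 here, still appears in the price check if a line was keyed in wrong.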

Operational Risk Management: Using Audit Results to Reduce Risk

To the business, the best auditing techniques are worthless if the information isn’t shared in a meaningful way.  When using an automated system, it’s important that the system alert its users when it identifies an issue.  Perhaps just as critical is actually operationalizing the audit findings – management must actually correct defective processes or otherwise remediate points of failure to correct the problem.  Management must re-examine the business process to identify other possible data sources and key risk indicators, or maybe more importantly parts of a process where there is no measurement, as those are possible blind spots.  In this way, measuring operational risk never stops, but rather is a continuous cycle of defining a process, performing it, measuring it, correcting errors, and making incremental changes to seek improvement.