The Human Element in Audit, Risk & Compliance
By Jason Rohlf
“The 9000 Series is the most reliable computer ever made. We are all fool-proof and incapable of error.”
— Hal, 2001: A Space Odyssey
I really enjoy giving demonstrations of Onspring. It gives me an opportunity to sharpen my demo skills (which can always use sharpening), present the benefits of our solutions and, most importantly, get direct feedback from folks who are out practicing their craft every day. Whether their field of expertise is audit, compliance, risk, business continuity, vendor or any other realm requiring focus, diligence and discipline, I know I can rely on these practitioners as a valuable resource for continuous improvement and development, not only in our product and solutions but also for me as a professional.
Last week I was giving one such demonstration to a group of internal auditors. I had configured a proof-of-concept environment (another one of my favorite things to do) that was tailored to their specific needs. From field names and form layout to formulas and logic to workflow and data, the focus was to show them Onspring as a clear and viable option for solving their business problem and addressing their most pressing needs. At one point in the conversation, we were discussing their process for documenting the results of control tests and having those tests go through a standard approval process.
Me: “Once the user completes testing, they will change the Test Results field from ‘In Process’ to either ‘Pass’ or ‘Fail’, set the Submission Status field to ‘Submitted’ and save the record, which alerts the assigned Manager that it’s time for them to review the record.
“You’ll notice that when I set the Submission Status to ‘Submitted’ two things happened: first, the Test Results field became required, and the option to set that field to ‘In Process’ was taken away, meaning the user had to select ‘Pass’ or ‘Fail’ as their result. I did this so that we can make sure there is integrity in your data – I wouldn’t want someone saying they were done with a control test without giving their final conclusion.”
Prospect: “I have a question”
Me: “Sure, go ahead…”
Prospect: “You were once an auditor, weren’t you?”
She had me dead to rights. I confirmed that I was indeed an auditor earlier in my career and that I took what she just said as a compliment. One of my favorite things about Onspring is its ability to automate the capture of data and enforce strong data integrity controls. There are a variety of options at our disposal that let us control where, when and how these features and controls are put into play. The overarching value proposition, at least in my mind, is in ensuring the data you gather and rely upon to drive decision-making and action is complete, accurate and reliable. Individuals and companies alike can leverage technology to help them efficiently mine accurate data, which leads to more reliable information which in turn drives better decision-making.
The unfortunate by-product of these capabilities is that they lead some people to believe that they should be able to configure their technology to do their bidding and all they have to do is sit back and watch the system hum along and do the work for them. If only it were that easy. The key word in the last sentence of the previous paragraph is “help.” Software and technology are excellent enablers, conduits, vehicles, tools or whatever euphemism for “helper” that you choose to adopt.
In the world where auditors, compliance managers, risk managers and the rest operate, software and technology can help users in their quest to gather critical information that enables them to make better business decisions more efficiently. While I know there are certain aspects of these processes that can be automated using technology (i.e., mining transaction data and performing a pre-defined analysis), I have yet to discover the technology that has the ability to replicate or replace the additional work that these professionals perform in the context of analyzing the outputs (i.e., how much of a risk to our business are the outliers of the analysis in the context of our current risk posture).
Believe me, I am not suggesting or advocating forsaking all technology and placing the burden of data mining and analysis solely on the people performing a process. (Given the vocation I have chosen for myself, this would not be wise.) On the other hand, I think we’re still a comfortable distance from the day where our audit, compliance and risk solutions respond to our requests by channeling Hal and stating, “I’m sorry Dave, I’m afraid I can’t do that.”
We are in the enviable position of having access to technology that can help us design and manage complex systems and data sets while at the same time making the professionals who review and monitor these systems the most important part of the process. As you identify opportunities to leverage technology to drive improvement within your critical business processes, I encourage you to keep the following aspects of the human element in mind:
Put the Process First.
It’s been said time and time again that automating a bad process simply allows you to do bad things faster. Before implementing technology to support a process, make certain that the process itself is designed in such a way that it helps you achieve a specific business goal, and that all key participants understand the primary drivers for their involvement.
Set Clear Expectations for End Users.
Regardless of the fool proofing they build into their systems, organizations must rely on their people to interact with these systems and provide them with meaningful data. When users interact with systems, they should be provided with clear guidance and expectations regarding the data they must provide. For example, if a control test requires the user to provide a conclusion and submit the record for approval, simply configuring the system to enable the user to perform these actions is not enough; the user must be guided toward this expectation.
Regularly Review and Revise (If Necessary).
As much as we’d like to think that the systems we implement are impervious to error, the fact that these systems are designed, implemented, tested and used by humans means that there is an inherent risk that mistakes can be made. Organizations and individuals who employ flexible systems are well positioned to remain adaptable and quickly implement changes that will enable users to more effectively interact with those critical systems.
While technology can enable us to do great things, we stand to accomplish so much more by properly considering and enabling the people whose knowledge the technology is there to support.
Image Source: https://d12vb6dvkz909q.cloudfront.net/uploads/galleries/23552/2001-image-1.jpg