Continuous Risk Assessment (CRA) and use of Data Analytics
Ravinder Singh • 13 June 2025

Using data to identify emerging risks and significant changes to known risks can be applied within the risk assessment, planning, testing and reporting phases of the audit cycle, and can provide valuable insights that help mitigate risks. Our focus in this article is data analytics in continuous risk assurance. Most established internal audit departments will have some form of CRA. However, this guide can help refresh its purpose and provide an overview for those new to internal audit.
How to have a high impact audit
Modern internal audit methodology goes further than the traditional model, which provided basic recommendations to fix the issues that were identified. It does this by not only suggesting solutions but also evaluating them and providing a view of the cost-benefit analysis and whether the solution is worth it.
Continuous Risk Assessment Overview
A continuous risk assessment process enhances internal audit’s impact and innovation by providing timely risk and performance insights regarding the company. By assessing the company’s operations, internal audit can develop a set of key risk indicators (KRIs) across key categories. These indicators should be readily available, easy to compute and understandable. They can then be used for comparison and to inform audit planning. Data from systems and management information (MI) can be fed into data models to generate the metrics and determine whether they are within tolerance.
As an example, for a retail and commercial bank, the following are a sample of risks and metrics that can be sought:
- Finance risk – number of regulatory resubmissions
- Conduct – number of complaints, court proceedings, actions taken
- Regulatory compliance – number of emerging regulations that impact the bank but for which no plans are in place
- Credit risk – number of delinquent customers, number of write-offs, number of credits underwritten outside of policies
Metrics can be assimilated by getting a better understanding of the business through MI and discussions with management.
Tolerance thresholds can be set for each of the metrics identified. A dashboard can be created giving an overview of which metrics are within tolerance and which are not. This can then be assessed to find areas for audit focus and to generate viable solutions to counter risk. Data models are available, or can be custom designed, to retrieve data, convert it to metrics, compare the metrics to tolerances and create a dashboard.
Using CRA for Issue Identification
The following process can be used for identifying issues using CRA with the help of data analytics:
- Identify areas of focus – track risk and performance metrics that align with the overall strategy to understand the performance. Identify audit entities with a risk profile that does not align with performance results. Understand key initiatives and changes in operations at the audit entity.
- Generate solutions – using the risk profile and metrics, identify specific areas performing below expected results. Develop solutions that would provide positive ROI to management.
- Evaluate solutions – test the solutions and refine where required based on results. Discuss with management the test results and whether solutions provide a fair view.
- Cost-benefit analysis – calculate cost of implementation and cost of non-compliance. Present a summary of the findings from these steps to management.
Data analysis can highlight to internal audit the areas where risks may be elevated. IA can drill down into these to identify the issues and generate viable solutions. Monitoring these metrics gives internal audit a process for continuous assessment of risk, enabling it to capture emerging risks and adjust the audit plan accordingly where a detailed audit is required.
For further information on how continuous risk assessment with the use of data analytics can be useful for your department and provide high impact audits, please reach out to us.