Governance, Risk Management, and Compliance (GRC): Influences on Internal and External Audits
19 May 2020 - By Maeva Charles, Partnerships & Technical Director
The nature of risk management is changing. And given the current crises across the globe, it is undergoing a renaissance in importance as well. Part of this change is the growing uncertainty around external risks and their impact on both internal and external audit processes.
Although there are important differences between the two types of audit, notably their audiences, there are equally important commonalities. Ultimately, these two distinct audits rely on a robust risk monitoring and governance process, at the heart of GRC.
What does GRC mean?
GRC is the integrated collection of Governance, Risk Management, and Compliance capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity. This includes the work done and oversight provided by departments like internal audit, compliance, risk, legal, finance, IT, and HR as well as the lines of business, executive suite and the board itself.
Internal and External Audit Processes: Differences
The first step to exploring that point is to look at how internal and external audits differ. The chart below lays out the most important differences. As you can see, internal audits are continuous, focus on GRC concerns, and are intended for executive consumption, especially the C-Suite. Meanwhile, external audits are a third-party review intended for the shareholders in order to assure annual financial reports.
The key takeaway here is that each type of audit is valuable at different levels and for different audiences.
Internal and External Audit Processes: Similarities
Ultimately, however, both types of audit are targeted towards the same goals: making sure that the company is not overlooking any material issues; ensuring appropriate management in the case of internal audit; and providing valid financial statements in the case of external audit. Both types push, directly or indirectly, towards a better understanding of external risks. Undergirding this is a pressing need to continuously monitor those risks and to overcome the challenge of systematically gathering evidence and data.
Understanding external risks in internal audit...
A solid understanding of external risk factors is a crucial component of the GRC structure, the main object of an internal audit, that will influence the content of the annual report and, in turn, the outcome of the external audit. But in this regard, internal and external audits ask different questions - and get different answers. More than anything, this shows how different perspectives are essential to understanding the environment we work and conduct business in.
An internal audit looks at the formal internal processes that ensure risk management controls for the identification, assessment, mitigation, and monitoring of risks. Emerging risks and external risks, in particular, are the most difficult to capture and manage, because they are, respectively, less apparent and more outside the company’s control.
However, a robust and systematic process can enable companies to capture weak signals through the use of ‘Big Data’ and artificial intelligence like Natural Language Processing. By doing so, the internal audit enables the constant review and maintenance of a company’s risk register, which feeds the annual report with priority risks.
…And in external audit
A few steps down this process comes the external audit. This review is primarily aimed at confirming that a company’s accounting records are complete and accurate and that no material misstatement has been made. Indirectly, this implies a review of the evidence behind a company’s disclosure on what affects or might affect its financial performance.
This is where a robust GRC structure improves the company's preparation for that review and gives external auditors more confidence in how decisions were made, by enabling the evidence used by decision-makers to be traced back to its collection point (i.e. the audit trail). This allows for verification of how well the internal system does in completely accounting for risk factors and not overlooking potential threats.
Addressing the need for monitoring
In a digital world that can move as fast as the speed of your Internet connection, the need for monitoring is omnipresent. Internal and external auditing complement each other by ensuring that the necessary monitoring gets done on all relevant levels.
There is a clear premium placed on dynamic monitoring and continuous assessments over static, once-a-year reviews of external and emerging risks. For example, one of the main references for determining external risks is the Global Risk Report published every year by the World Economic Forum. The most recent one, dated January 2020, was outdated as it was published - with infectious diseases (for one) not making the cut of top 10 risk factors by likelihood.
In addition, external risks can be completely undetectable by traditional means - even though all the signals might be there. Companies need to be able to capture so-called ‘weak’ signals out of the sea of data that is generated daily. Stepping up the risk management game in a way that enables this will pave the way for business resilience through a more proactive process. The key to that process is improving data gathering, analysis, and application tools.
Systematically gathering evidence and data
This is the central challenge for auditing processes in the 4th Industrial Revolution: how to systematically gather evidence and data in a way that is comprehensive, objective, and digestible?
One way is to do this manually, but that puts objectivity at risk and is in any case far too time-consuming. While this has been the way of doing things in the past, it is now obsolete.
The solution, as many companies have already discovered, lies in automation.
Discovering a robust audit process
Regardless of whether the audit is intended for internal or external stakeholders, the need for a robust process is undeniable. Now more than ever, it is important for boards to take a more active and direct role in risk management, which can be facilitated by stronger internal and external audit processes.
The best - and only - viable way to achieve this is through the use of technology. Only digital technologies can allow auditing processes to be truly systematic. Automation through the use of machine learning, AI, and Natural Language Processing can help companies see weak signals that are otherwise invisible to the naked eye.
Automated, AI-driven, cloud-based systems are the future of data collection and risk monitoring processes. Platforms like Datamaran allow businesses to take control of risk management and materiality analysis in-house at accelerated speed to keep up with rapidly changing trends.
See how Datamaran can help you
Trusted by blue-chip companies, Datamaran is the only software that automates processes for identifying and monitoring external risks and opportunities tied to ESG issues.
Datamaran’s proprietary software enables data-driven decision-making on current and emerging external risks. Cutting-edge AI captures evidence-based insights into the strategic, regulatory, and reputational risks and opportunities tied to ESG issues. This is based on an automated analysis of publicly available sources. Datamaran has the most comprehensive database of corporate reports, regulations, policies, news, and social media.
“Data-driven materiality helps us to take better strategic decisions.”
Antoni Ballabriga, Global Head of Responsible Business, BBVA