Friday, November 13, 2009

Internal Audit - CCM and Risk Management

Internal auditors are familiar with walking those fine lines, but championing a "Continuous Controls Monitoring" (CCM) program requires an extra fine sense of balance.

Designing effective controls, especially those aimed at preventing incompetence and financial fraud, is typically defined as an activity performed by company management or business units and, under internal auditing standards, internal audit departments must be seen to be independent from management.

Clearly, that doesn't mean internal auditors don't have a role to play in Continuous Controls Monitoring (CCM). Auditors may not be able to help management design effective cost controls or tell them whether a particular control is the right one to have, but they can help in monitoring the situation.

Auditors are not 'troubleshooters' or management consultants, but they are very capable of testing your controls and processes and providing you with the results. In addition to these results, the auditor should provide some searching questions, which can be fed back to management and addressed in the next management meeting. This is an important feedback loop for management, which should not be underestimated.

The need for strong internal controls is heightened in public and financial companies because of Sarbanes-Oxley, Basel II requirements, etc., and external auditors have an equally heightened role to play in testing the soundness of these controls.

In these cases, management is obliged to design controls to fulfill a regulatory obligation and win accreditation or regulatory approval, and the effectiveness of these controls must be verified. This verifying audit is required to be carried out by the organisation's external auditors, but this will only happen after due diligence and much work has been carried out internally by the organisation's own audit team.

In reality, internal audit departments conduct their audits to prevent or to root out fraud and error in high-risk transactional areas. Technology is a powerful double-edged tool that can be used both for and against an organisation. So, it is vital that internal audit teams maintain tight control of that tool so that the parameters of the tests don't get changed without their knowledge.
