Zara Ambartsumova

Overview

Business monitoring, sometimes known as “continuous monitoring” and often a precursor to continuous auditing, provides a clear purpose and framework for its effectiveness. Zara sets out how internal auditors can reap the benefits of monitoring and anticipate its challenges. The result should be an improvement in the assessment of audit risk by considering the underlying risks to the business and a continuous re-evaluation of the appropriateness of the internal audit plan.

Zara sets out the specific range of activities to be performed by internal auditors, as key elements of business monitoring, and asserts that the value of monitoring is greater where the internal audit universe is aligned with the business's risk model. A scoring system for the risk assessments derived from the monitoring can enable a robust identification of areas where independent assurance can add the greatest value to the business.

Introduction

Business monitoring involves a continuous evaluation of both internal and external factors, along with frequent and productive discussions with senior management and the audit committee. The main objective of business monitoring is to have a clear understanding of the current environment in which an organisation operates, the short- and long-term risks that it is exposed to, and the impact on risk assessment and audit coverage. Business monitoring reflects the organisation’s evolving needs for assurance and consulting.

Benefits of business monitoring

With the rise in market changes, such as digitalisation, demographic trends or competition, it becomes essential to monitor business strengths, opportunities or challenges on a continuous basis. Internal audit is provided with accurate data on the risk profile and internal controls of audit entities through business monitoring. 

The auditors rely on information obtained during the monitoring to modify the risk assessment of the audit entities, which can result in updates to the Audit plan.

Internal Audit can respond quickly to internal and external changes by monitoring the business, assessing potential risks and their impact on business activities. Although business monitoring may be documented on a quarterly basis, it does not mean that business tracking activities should only be performed once a quarter. The process is ongoing to reflect the current risk assessment of audit entities. 

The monitoring also enables the allocation of Internal audit resources to areas of an organisation that pose the most significant risks to its goals, and where Internal Audit can facilitate management of those risks.

Challenges of Business monitoring

Internal Audit should utilise a risk-based approach to execute an audit strategy, rather than simply provide coverage of the audit universe on a set cycle. Otherwise, auditors tend not to analyse changes in input factors to determine the impact on audit entities' risks, and end up concluding that no significant changes were detected and that no updates to the Audit plan are required.

Several factors contribute to this situation, including insufficient time to gather information on the external and internal environment, limited understanding of the interrelationship between business environment and risk assessment, and the preference for conducting the same type of audits rather than checking whether they accurately reflect emerging and evolving risks. Auditors can also be reluctant to repeat the approval process for the Audit plan in the same year.

It can be tempting to opt for the same tasks and activities - we already have a clear understanding of what to request, how to test, and how much time should be allocated for audits if we adhere to the established Audit plan. It makes the life of auditors easier. However, if auditors have been examining the same audit areas for years and performing identical testing, internal stakeholders may question whether Internal Audit as a function contributes to the organisation's value. Due to the ever-changing and challenging environment, Internal Audit should focus on improving processes within the organisation, identifying inefficiencies, and recommending ways to optimise operations. Business monitoring serves these purposes as a useful audit tool.

Audit activities within Business monitoring

Auditors should perform actions that contribute to efficient updates of risk assessment on a regular basis.  Business monitoring does not require detailed audit testing and could be performed at the audit entity’s level or entities’ consolidated level (e.g. group of audit entities within the same product or function). Auditors should determine if merging audit entities is a more effective method for business monitoring and identify those that could be combined for this purpose.

Key monitoring activities to identify ‘hot topic’ risks and areas of concern:

  1. Preparation of business overview: Analysis of key political, economic and social data: political factors and influences that may affect the performance of the organisation or the options open to it, the nature of the competition faced, financial resources available within the economy, demographic changes, and trends in the way people live, work and think that impact the target market and the prospects for business development. Financial performance management: measures used to reflect business success, stability or progress towards a specific goal, and various metrics related to profitability, leverage, valuation, liquidity or efficiency. Product offerings (the combination of products, services, and experiences a company offers its customers) and main product features (specific functions or characteristics of a product that provide value to customers), including significant enhancements in capabilities, design elements or performance during the review period. Analysis of organisational structure, allocation of roles and responsibilities and their impact on the organisation's performance. The most common organisational structures are: hierarchical (authority follows a vertical chain of command from top to bottom); matrix (specialist divisions are further divided into separate project teams or product groups); or flat structure (also known as a horizontal structure), where management is decentralised, effectively removing the need for line management altogether. Each structure has its own advantages, and the primary concern is whether it aligns with the organisation. The business operates in an environment that is influenced by both external and internal factors that impact business decisions, risk management strategies or established controls.
  2. Meetings with senior executives to establish changes in the business model, external requirements or emerging risks (e.g. new products, outsourcing of critical or important functions or activities, new regulations or policies, risks on managers' radar). Here auditors could use a practical tool: ask managers which three areas they are most concerned with.
  3. Review of internal and external vendor performance monitoring: a balanced scorecard or a dashboard to track key performance indicators for optimal vendor performance management
  4. Analysis of self-assessment within the Governance, Risk and Compliance framework, including emerging risks, effectiveness of tested internal controls, raised issues and status of developed action plans
  5. Review of operational losses, IT system malfunctions, market conditions, data protection issues raised during the review period, and management actions to mitigate the impact, investigate root causes and take remedial steps
  6. Participation in internal committees of corporate governance without involvement in decision making - auditors gather pertinent data on business expansion, regulatory inquiries, and market conditions
  7. Review of previous regulatory examinations, internal and external audits, and second line reviews: scope, timing, issues raised or status of open recommendations at the time of running business monitoring.

The primary focus should be on the more significant (higher level) risks that are inherent in an audit entity. However, auditors should be receptive to lower-level risks, as the risk factors that define the risk level may have changed significantly during the monitoring period, leading to updates of the audit entity's risk profile.

An audit entity may be excluded from business monitoring for a review period in which auditors have already audited it, or have performed a complete risk assessment of it in order to develop the Audit plan.

The Head of Internal Audit approves the format of business monitoring documentation. Business monitoring addresses each of the risk drivers (factors or variables that influence the likelihood, impact, or timing of risks). The risk score is determined by analysing the qualitative and quantitative factors that influence it. The value of monitoring increases when the audit universe is aligned with the organisation’s risk assurance universe, ensuring that auditors are not overlooking critical risk areas during business monitoring.

A business monitoring form could cover these risk drivers:

  1. Size: business volume, number of business divisions, impact of business performance on organisation’s financial results, geographical areas, etc. Auditors should analyse the assets and liabilities of the business portfolio, the optimisation of the portfolio structure (if applicable), key performance indicators, and volume trends of concluded deals
  2. Strategy: decisions within risk-appetite, consistency of decisions made and their alignment with the priorities for the organisation’s development, etc. Auditors should examine strategic objectives and their updates during the review period, initiatives for product development or plans to enter new geographic regions or review a budget variance analysis. The strategy risk driver includes the incorporation of ethics and culture. Stable ethics and culture help achieve strategic objectives but auditors may face challenges in evaluating ethics and culture. They could consider the amount and volume of compensation due to unethical behavior, complaints from clients, the use of escalation tools to reach management, and leadership actions to demonstrate the commitment to ethical standards, e.g. realistic sales plans are established, or sales incentives programs provide for reduced points for unethical behavior;
  3. Management and Personnel: resources planning, remuneration, organisational structure, restructuring of units, the approach to hiring and retaining personnel, etc. Reviewers should consider the number of vacant positions, time required to fill them, team stability, changes in senior management, outcome of employee surveys, and management follow-up activities
  4. Processes, Policies and Procedures: existing business and operational processes, instructions and guidelines, etc. Auditors should assess the level of automated processes versus manual ones, the primary content of policies and procedures, taking into account the size of a business unit, external requirements, or strategic value placed on business or operational activities. 
  5. Vulnerability to Fraud: product or channel features, target markets’ specifics, segregation of duties, operational losses (including numbers and amounts), etc. Reviewers should evaluate the likelihood of fraud in products or distribution channels by examining staff access to funds or ability to post financial entries to customer accounts or access to underlying programming or logic of automated systems. In addition, auditors can analyse external factors, such as corruption levels, market fraud incidents, losses trends, and management actions to manage fraud cases;
  6. Outsourcing: dependency on external and internal vendors, quality of services provided, vendor monitoring, trends in operational losses, etc. Auditors should review the list of outsourced activities, their importance to the day-to-day operations of the audit entity (e.g. client identification), results of performance monitoring, the amount of losses;
  7. Compliance environment: external and internal requirements, reporting complexity, regulatory focus, encouraged behavior, etc. Reviewers should evaluate the nature and volume of regulatory requirements, the number of regulatory bodies and requests, frequency and depth of regulatory examinations, trends in fines, number and substance of client complaints to regulators;
  8. Anti-Money Laundering: customer due diligence, transaction monitoring and reporting, training and awareness programs, etc. Auditors should analyse the number of expired KYC forms, trends in volume, complexity and variation of products and transactions, operating models for on-boarding customers, regulatory examination results, volume of Suspicious Transactional Reporting and Suspicious Activity Reporting.
  9. Finance: accounting standards, the quality of financial reporting (relevant, correct, complete, and unbiased information) and timeliness, overseeing reporting preparation, etc. Although some organisations view reporting risk as a component of compliance risk, I would emphasize the importance of accurate financial data. The reporting risk could result in detrimental strategic and operational decisions, reputational harm, financial loss, penalties, fines, legal action, and even bankruptcy. Reviewers should evaluate the complexity of financial reporting processes, automation level, staff experience, the nature and quantity of estimates and judgements utilised to determine the values of assets or liabilities.
  10. Risks (related to liquidity, interest risk, price risk or credit risk): client loyalty and the structure of the client base, market price movements, models used, stress-testing, etc. Auditors should review management reporting, asset diversification, fluctuation in client ratings, management activities after stress-testing, model performance metrics (accuracy, false positive rate, precision).
  11. Technology environment: communication networks (e.g. internet, cellular), data centers, hardware components (computers, servers, devices), software platforms,  embedded system capabilities (e.g. maker-checker), digital initiatives, etc. Reviewers should evaluate the quality of physical and digital technology components, business process automation, issues related to role-based access control, data protection or confidentiality, etc. Auditors should also consider the number of databases used, trends in client or staff complaints and IT security incidents.

For each risk driver auditors should evaluate the impact of risk factors on a specific risk (strategic, credit, operational, etc.) and its assessment. Auditors may use a scoring system for risk assessment where, for instance, 1 = Low level of risk, 2 = Moderate level, 3 = Significant level and 4 = Highly significant level. As a next step, the ratings for each risk are added together across each audit entity to arrive at a total risk score for the audit entity. The total risk score indicates the relative level of risk for each audit entity as of the business monitoring date. Based on the total score, auditors define the entity's rating, which can be Low (0 to 32), Moderate (33 to 45) or High (46 or more). This leads to the determination of the audit coverage cycle. This is a simple example to demonstrate that the monitoring results can impact audit coverage, and the timing and frequency of the audit entity's review.

The business monitoring form should also contain the scores for each risk driver, as well as the total score and rating of the entity from the previous quarter to indicate any changes in risk assessment and its impact on the Audit plan.
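The scoring and quarter-on-quarter comparison described in the two paragraphs above, as an added worked example (this is illustrative code written for this page, not an organisation's actual scoring model). The eleven risk drivers, the 1 to 4 scale and the Low/Moderate/High bands are taken from the text; the risk categories assessed under each driver and all of the scores are constructed, and the idea of flagging a rating change for Audit plan review is an assumption about how a team might use the form.

```python
"""Risk-driver scoring for business monitoring.

Constructed example for illustration. Drivers, scale and rating bands follow
the article; the per-driver scores are made up.
"""
import copy
from typing import Dict, Tuple

# The eleven risk drivers a business monitoring form could cover.
RISK_DRIVERS = [
    "Size", "Strategy", "Management and Personnel",
    "Processes, Policies and Procedures", "Vulnerability to Fraud",
    "Outsourcing", "Compliance environment", "Anti-Money Laundering",
    "Finance", "Risks", "Technology environment",
]

# Scoring scale from the text.
SCALE = {1: "Low", 2: "Moderate", 3: "Significant", 4: "Highly significant"}

# A scorecard maps each driver to the score given to each risk category
# (strategic, credit, operational, ...) assessed under that driver.
Scorecard = Dict[str, Dict[str, int]]


def rating_for_total(total: int) -> str:
    """Rating bands from the text: Low 0-32, Moderate 33-45, High 46+."""
    if total <= 32:
        return "Low"
    if total <= 45:
        return "Moderate"
    return "High"


def validate(card: Scorecard) -> None:
    """Every driver must be assessed and every score must be on the 1-4 scale."""
    missing = [d for d in RISK_DRIVERS if d not in card]
    if missing:
        raise ValueError(f"drivers not assessed: {missing}")
    for driver, risks in card.items():
        if driver not in RISK_DRIVERS:
            raise ValueError(f"unknown risk driver: {driver}")
        for risk, score in risks.items():
            if score not in SCALE:
                raise ValueError(f"{driver}/{risk}: score {score} not in 1-4")


def driver_totals(card: Scorecard) -> Dict[str, int]:
    """Sum of the risk scores under each driver."""
    validate(card)
    return {d: sum(card[d].values()) for d in RISK_DRIVERS}


def total_score(card: Scorecard) -> int:
    """Total risk score for the audit entity (all risks, all drivers)."""
    return sum(driver_totals(card).values())


def apply_updates(card: Scorecard, updates: Scorecard) -> Scorecard:
    """Return a new scorecard with the given risk scores changed."""
    new = copy.deepcopy(card)
    for driver, risks in updates.items():
        new[driver].update(risks)
    return new


def quarter_over_quarter(previous: Scorecard, current: Scorecard) -> dict:
    """What the monitoring form shows: per-driver scores, totals and rating
    for both quarters, which drivers moved, and whether the rating changed
    (a rating change is used here, by assumption, as the trigger to revisit
    the Audit plan)."""
    prev_t, curr_t = driver_totals(previous), driver_totals(current)
    changed: Dict[str, Tuple[int, int]] = {
        d: (prev_t[d], curr_t[d]) for d in RISK_DRIVERS if prev_t[d] != curr_t[d]
    }
    prev_total, curr_total = sum(prev_t.values()), sum(curr_t.values())
    prev_rating, curr_rating = rating_for_total(prev_total), rating_for_total(curr_total)
    return {
        "previous_total": prev_total, "current_total": curr_total,
        "previous_rating": prev_rating, "current_rating": curr_rating,
        "changed_drivers": changed,
        "rating_changed": prev_rating != curr_rating,
    }


# Constructed previous-quarter scores for one audit entity (total 40, Moderate).
PREVIOUS_QUARTER: Scorecard = {
    "Size": {"strategic": 3, "operational": 3},
    "Strategy": {"strategic": 2, "operational": 2},
    "Management and Personnel": {"strategic": 2, "operational": 2},
    "Processes, Policies and Procedures": {"operational": 3},
    "Vulnerability to Fraud": {"operational": 3},
    "Outsourcing": {"operational": 2},
    "Compliance environment": {"compliance": 3},
    "Anti-Money Laundering": {"compliance": 3},
    "Finance": {"reporting": 3},
    "Risks": {"credit": 3, "liquidity": 3},
    "Technology environment": {"operational": 3},
}

# Constructed current-quarter changes found during monitoring: a critical
# function was outsourced, IT security incidents rose, KYC forms expired,
# and a restructuring left senior vacancies. Total moves to 46 (High).
CURRENT_QUARTER: Scorecard = apply_updates(PREVIOUS_QUARTER, {
    "Outsourcing": {"operational": 4},
    "Technology environment": {"operational": 4},
    "Anti-Money Laundering": {"compliance": 4},
    "Management and Personnel": {"operational": 4},
})

if __name__ == "__main__":
    report = quarter_over_quarter(PREVIOUS_QUARTER, CURRENT_QUARTER)
    for driver, (before, after) in report["changed_drivers"].items():
        print(f"{driver}: {before} -> {after}")
    print(f"total {report['previous_total']} -> {report['current_total']}, "
          f"rating {report['previous_rating']} -> {report['current_rating']}")
```

Keeping the scores per risk category under each driver, rather than one number per driver, is what lets the form show which specific risk moved and why the entity's total crossed a band; the band thresholds and the 1 to 4 scale are the article's illustrative values and would be set by the Head of Internal Audit in practice.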

The documentation for business monitoring is frequently excessively detailed and does not provide a clear indication of how changes or trends impact the auditor's understanding of risks, as well as whether Audit plan updates are necessary. As a result, the objective of business monitoring as a tool to prioritise specific audit coverage, in terms of the level of risk exposure and risk appetite, is not accomplished. The Head of Audit should emphasise that the Audit plan is an essential component in the delivery of effective and valuable internal audits, and business monitoring assists in prompt coverage of known or suspected areas of concern.

Issues raised during business monitoring

By utilising the procedures described above, auditors can identify where the design and/or operating effectiveness of controls is deficient (e.g. new regulations caused changes in the business process, or controls were developed but not implemented). Auditors should raise such issues in their business monitoring report, assess the issue level, and request an action plan to address the issue. The standard methods of monitoring are then used to review the remediation of each issue.

Conclusion

Internal Audit prioritises audit reviews within specific timeframes by utilising ongoing monitoring of the internal and external environment, management or audit committee concerns in a particular area, the stability of IT systems, organisational changes, and the results of recent regulatory examinations. Business monitoring can help Internal Audit identify areas where independent assurance will add the most value to the organisation in the current environment, or cover specific risks that are considered likely to materialise and impact the organisation. It thus helps Internal Audit to achieve its primary objective of being a strategic business partner that enables the organisation to manage risks proactively, protect itself, and make and achieve better strategic decisions.

Zara Ambartsumova FCCA

Zara's areas of expertise are quality assurance, internal audit and business improvements. She has spent the last seventeen years employed by international consulting firms and banking groups. She works in the Monitoring and Remediation Department at Deloitte UK and holds ACCA, CIA, and ACAM qualifications. Zara is passionate about the internal controls environment and enjoys working in new or developing areas of assurance.