Operational Risk Management: AI Tools and Best Practices for Finance and Audit

Learn how to master operational risk management in finance and auditing. Discover AI tools and strategies to identify, mitigate, and monitor risks effectively.

Operational risk poses a significant challenge for organizations, threatening financial stability and reputations alike when internal processes, systems, or external events fail. For all organizations, operational risk management is essential to protect against costly disruptions. Risk identification, assessment, mitigation, and monitoring are the pillars of operational risk management. Many methods are used to conduct these …

SAS 145: A roadmap towards risk-based auditing

The AICPA Auditing Standards Board (ASB) has recently issued an update to the risk assessment standards, SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. This standard was developed to address gaps in risk assessment procedures identified by practice monitoring programs worldwide, and is intended to help auditors focus their time on the areas of greatest risk of material misstatement in an audit engagement.

In line with the ASB’s strategic objective of converging with the International Standards on Auditing (ISA), SAS 145 used ISA 315 (revised 2019), Identifying and Assessing the Risks of Material Misstatement, as a starting point.

SAS 145 will likely require firms to take a more data-driven approach to risk assessment and, when coupled with SAS 142, enable firms to rely less on substantive tests of detail and more on analytics. While SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023, the standard presents such a fundamental shift in methodology that firms are thinking about their strategy now ahead of the 2022 busy season.

 

Roadmap of activities

Due to the lead time of understanding SAS 145 and the required change management processes to update existing audit methodology, we suggest firms consider the following timeline for implementation:

Figure: SAS 145 implementation timeline

What’s changing?

The executive summary of the standard outlines several of the substantive changes, but here are the three areas that we believe firms will struggle with from a procedural perspective.

The standard itself explains the key areas of enhancement:

  • “Requirements and guidance related to the auditor’s risk assessment, in particular, obtaining an understanding of the entity’s system of internal control and assessing control risk”
  • “Guidance that addresses the economic, technological, and regulatory aspects of the markets and environment in which entities and audit firms operate”

It’s important to note that SAS 145 does not alter the fundamental concepts of audit risk. Rather, the document provides clarification of certain aspects of risk identification and the assessment of material misstatement to improve overall audit quality.


The spectrum of inherent risk

SAS 145 takes a more granular approach to inherent risk and introduces new concepts to assist auditors in understanding the new requirements. This includes inherent risk factors (events or conditions that influence the susceptibility to misstatement of an assertion, such as fraud or error) and the spectrum of inherent risk:

“Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk. The spectrum of inherent risk provides a frame of reference in determining the significance of the combination of the likelihood and magnitude of a misstatement.” – SAS 145, page 12

The risk factors require the auditor to look at complexity, subjectivity, change, uncertainty, susceptibility to misstatement due to bias or fraud, qualitative or quantitative significance, and volume or lack of uniformity (ref. SAS 145, paragraphs A10-11). Then, the likelihood and magnitude of a possible misstatement should be assessed to determine where on the spectrum of inherent risk it falls. The higher the combination of likelihood and magnitude, the higher on the spectrum it falls; the lower the combination, the lower it falls.

Figure: Spectrum of inherent risk (Source: IAASB)

According to paragraph A245, these assessments should be done at the assertion level. Firms will need to evolve their methodology to incorporate a fuller assessment of inherent risk, which triggers items such as significant risks and appropriate audit responses.

Enhanced requirements regarding IT general controls

“The auditor should, through performing risk assessment procedures, obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements.” – SAS 145, paragraph 25

The standard puts an increased focus on understanding and evaluating IT General Controls (ITGC) as they pertain to financial statement generation. This includes these steps that the auditor must take:

  • Identifying IT applications and other aspects of the environment that are subject to risks arising from the use of IT (ref. SAS 145, paragraph 28)
  • Identifying the related risks arising from the use of IT and the controls to address them (ref. SAS 145, paragraph 29)
  • Evaluating the effectiveness of controls in addressing risks of material misstatement (ref. SAS 145, paragraph 30)
  • Determining whether such controls have been implemented (ref. SAS 145, paragraph 30)

An ITGC example to consider is that many firms have long used data tools to mechanically validate the completeness of their general ledger (GL) and assess their GL platform by comparing the results with their trial balances. As these use cases and complexities grow, validation of data at the beginning of the audit engagement will become critically important in the testing and documentation of a client’s IT environment.


New stand-back provision

The standard has a new provision that supports the evaluation of completeness, referred to as the “stand-back provision”. This provision requires the auditor to evaluate whether their determination of material classes of transactions, account balances, or disclosures as not significant (i.e., no relevant assertions identified) remains appropriate.

While there aren’t any documentation provisions cited specifically for this section, we anticipate firms needing to create procedures and documentation around the stand-back provision.


How MindBridge is helping firms to comply

For the three areas identified above, here’s how MindBridge’s audit data analytics features help firms adapt to SAS 145:

  1. Spectrum of inherent risk – Key to this new requirement is identifying, understanding, and evaluating different risk factors. MindBridge control points are designed to compare client data against pre-defined areas of risk, providing visualizations and reports to understand levels of risk (risk scores), identify unusual transactions, and drill down into the details.
  2. IT general controls – The MindBridge data ingestion process (or extract, transform, and load) includes a series of checks and validation steps that verify the client’s data sets and automatically identify areas that require further information or pose areas of risk.
  3. Stand-back provision – As MindBridge analyzes 100% of the client’s transaction data, assessments and data exploration can be performed on any data subset at any time, including the modification of analysis criteria. This multi-faceted approach means you can re-evaluate prior assessments and adapt to new information quickly.


Conclusion

With the release of SAS 145, firms should plan and implement their strategy now to be compliant by December 15, 2023. The timeline defined here offers a progressive approach to SAS 145 implementation and, combined with the risk assessment capabilities of MindBridge, positions firms towards a stronger audit approach and value for clients.

Top 3 automated risk assessment tools


Managing potential risks in financial data is a monumental task. But thanks to the latest digital audit tools and AI audit software, automation is now revolutionizing this domain. Here, we delve into the top 3 automated risk assessment tools that are making waves in the industry.

The adoption of new risk management processes has been a focal point of discussion in the business world generally, but financial institutions have lately been particularly focused on updating their procedures and processes in a post-pandemic, largely remote world. While pandemic talk may sound like a broken record at this point, it’s still an important consideration, even as the world becomes vaccinated and business begins to open up.

As businesses, we are not out of the woods yet.

Fortunately, new technologies spurred by automation are making it easier than ever for organizations to invest in more effective risk assessment tools. 

As a report from Deloitte notes: “Latest technologies have the potential to fundamentally transform risk management. In addition to substantially reducing operating costs, these and other technologies can provide risk management with new capabilities including building controls directly into processes, prioritizing areas for testing and monitoring, deploying automated monitoring of limits with defined escalation, addressing issues in real-time to improve the enterprise-wide view of risk, and providing decision support.”  

In addition to providing more efficient processes and a holistic view of risks facing an organization, improving the risk management function facilitates the detection and assessment of new risks that have emerged over the past decade. Cybersecurity, business model, and contagion risks are examples of some of the more recent risks that firms must now contend with. How an organization handles these risks can be the deciding factor in whether it sinks or swims.

Kristina Davis, a partner with Deloitte Risk and Financial Advisory, explained in an article: “Organizations that proactively construct advanced risk management capabilities to keep pace with transformative change have the opportunity to gain competitive advantages.”

Wondering where to start with updating your risk assessment processes? Here are 3 top tools to help your organization automate risk assessment.

3 tools to automate risk assessment

LogicGate: GRC in the cloud

 

As LogicGate describes it, they’re creating more than just software – they’re creating peace of mind with their automated risk assessment tool.

LogicGate provides cloud software solutions for automating governance, risk, and compliance (GRC) processes through its Risk Cloud platform. The software empowers organizations to change disorganized risk and compliance processes into enhanced enterprise risk management operations that increase efficiencies. 

What is GRC? According to CIO.com, GRC is a tailored way to align a company’s IT with business goals while also managing risk and meeting compliance obligations. In addition, a GRC framework can offer numerous benefits for organizations that take the time to implement one properly, such as better decision-making, improved IT investments, and the elimination of silos.

With LogicGate’s enterprise technology, process owners have full control with a no-code-needed app builder, pre-built templates, and the ability to craft workflows that suit their needs. The result is a customized solution that provides a comprehensive view of risk programs.

In an effort to make things even more flexible for users, the company recently expanded its integration offerings. LogicGate’s Risk Cloud now integrates with hundreds of platforms via the new Risk Cloud Connect, which works seamlessly with many core business systems, including Jira, Slack, DocuSign, and more.

“We’re on a mission to give risk and compliance professionals a single source of truth to make better, more informed decisions with their data,” said Jon Siegler, LogicGate’s chief product officer, in a press release.

Fusion Risk Management: Resilience meets efficiency

Fusion Risk Management originated as an idea scribbled by its co-founders on a restaurant tablecloth. Since then, it has become a well-respected cloud-based software solution focused on operational resilience, encompassing business continuity, risk management, IT risk, and crisis and incident management.

The company aims to help organizations anticipate, prepare, respond, and, perhaps most importantly, learn in any situation by providing them with the risk assessment tool to be successful. And because every organization is different, Fusion’s integrated suite of platform capabilities can be custom-tailored to fit a company’s unique needs.

Fusion’s products and services take organizations beyond legacy solutions, enabling them to make decisions backed by data with a flexible and inclusive approach to achieve operational resilience and mitigate risks.

Fusion’s flagship offering is the Fusion Framework System, which allows organizations to maintain resilience through a single platform, thereby eliminating the need for multiple disconnected modules across various risk areas. The company also recently launched Fusion Analytics, a new system capability that allows users to compile all relevant and required data into a single platform, which helps eliminate operational silos and foster collaboration by allowing teams to work together from anywhere.

“In today’s highly competitive market, businesses must demonstrate they have a robust operational resilience program and can make important, difficult decisions fast, at the speed of business. This especially holds true during times of market turbulence and volatility,” Brian Molk, Fusion’s Chief Product Officer, said in a press release.

 

MindBridge: The future of automated risk discovery

At MindBridge, we’re all about changing the world and creating a better future for all by improving the global financial system – one organization at a time.

Since our founding in 2015, MindBridge has become the world’s leading AI-powered risk discovery platform for financial integrity. We’re here to help auditors, accountants, and financial professionals become more efficient and successful.

From transactional risk reviews to organizational process improvements, MindBridge users have the AI-embedded tools, visualized analytics, and comprehensive resources needed for more robust and holistic analysis, assessments, and advisory services.

So, how does it work? MindBridge’s Ensemble AI technology compares data against 28 capabilities, or “control points,” to identify the level of risk in 100% of transactions in a given data set. The results far outweigh what would be achieved by running each capability separately, which is why more than 8,000 firms worldwide use MindBridge’s platform, including well-established institutions like the Bank of England and the Bank of Canada, and major firms such as Dixon-Hughes Goodman and Cherry Bekaert. 

“Using MindBridge, we now have a standard way to do journal entry testing. And I feel a lot more confident about our selections now than almost any other method that we could come up with,” explained Jonathan Kraftchick, a partner with Cherry Bekaert LLP, of the firm’s adoption of MindBridge. “MindBridge is the future of auditing.”

And there you have it: 3 tools to automate risk assessment.


4 steps to improve risk management

Risk management is a broad and overarching term. It reaches to and beyond finance, touching every aspect of an enterprise’s operations. Especially for enterprises, the intermingling of all risk-related activities across an organization is important not only to understand, but to build management strategies around. 

This methodology is known as enterprise risk management (ERM):

“ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Therefore, a holistic approach to risk management is considered to be the standard for risk officers and other members of the executive team. 

In this article, we’re listing five ways that businesses can improve their financial reporting and controls risk by creating a plan of action to integrate into their larger ERM processes.

1. Understand the breadth and importance of risk management

As mentioned, risk management is an umbrella term that essentially identifies potential and actual risk and empowers a business with the necessary tools to adequately identify and deal with potential risks such as fraud, material misstatement, and more. 

Fraud is a major challenge for most enterprises. COVID-19 proved this to be extraordinarily true. A survey carried out by LIMRA showed that 42% of its respondents had already experienced increases in attempted fraud since the pandemic began. 

As noted by the Corporate Finance Institute, assessment and management of risks is the best way to prepare any enterprise for circumstances that may get in the way of progress and growth. When a business evaluates its plan for handling potential threats and then develops structures to address them, it will inevitably create risk-tolerant processes that future-proof the organization. An in-depth risk management plan is also a sign to investors and higher-level stakeholders of the stability of your organization.

In addition, progressive risk management ensures risks of a high priority are dealt with as aggressively as possible. Management will thus have the necessary information that they can use to make informed decisions and ensure that the business remains profitable which, believe it or not, is also important to stakeholders.

2. Decide how to manage risk

There are many ways to manage financial risk, and they can be best summarized using the 4Ts model: transfer, treat, terminate, and tolerate.

Risk transfer means to assign an individual, group, or third party to be responsible for the risk. This method absolves the transferer of the risk implications, while compensating the person or entity receiving the risk for taking it on. More often than not, transferring risk simply means getting insurance; for example, an enterprise may work with a commercial insurance entity to offload potential financial risk for themselves, their stakeholders, and investors.

Treating risk is the next layer to consider in cases where financial risk cannot be offloaded through insurance or other means. This is done by performing actions that reduce the likelihood of the risk occurring or minimize its impact before it inevitably occurs. The best way to treat risk is to ensure that your team is equipped to predict and handle these risks as they come up. Training your team is vital.

The next method to manage risk is through terminating. Just like with treating risk, terminating risk is achieved by altering processes or practices to eliminate the risk completely. This could mean removing the process or area that is causing actual or potential risk to occur, as well. 

The final category is tolerating risk. This step is part of the overall risk management process, as organizations determine the level of risk that they are willing to accept in any given situation or area. When it comes to finances, an organization must consider the amount of financial loss they are willing to risk to perform any number of activities.

These steps and processes can be applied to risk management in a similar manner. However, the detection and investigation of individual financial risk events is much more specific and technical, requiring the expertise of auditors and accountants.

3. Employ tools, automate risk management

Enterprise risk management tools now go beyond traditional spreadsheet-based software. According to McKinsey & Co., 66% of enterprises were piloting or using automation technology in 2020, with predicted increases to come. 

Here are two key areas companies are exploring in 2021:

Robotic Process Automation (RPA) — This technology provides rules to “bots” which mimic simple, repetitive processes that humans often do. This could mean automating the compilation, download, and circulation of an ERM-related report. However, some other highly popular use-cases are onboarding, third-party screening, due diligence, and compliance monitoring. Upon implementing this technology, businesses report reduction of input errors, less human handling of sensitive information, and faster input and processing for overall time savings. Additionally, Gartner reports that “88% of corporate controllers expect to implement RPA in 2021.”

Risk Discovery Artificial Intelligence (RD AI) — According to research conducted by the Public Company Accounting Oversight Board (PCAOB), one of their biggest concerns as the audit industry develops is “over-auditing” due to lack of understanding of company risks. MindBridge’s RD AI platform finds potential risk across 100% of financial data, and explains these findings in a transparent way. The ensemble AI engine finds potential risks with 10x the effectiveness of rules-based tools, and at over 2000x the speed of manual entry. An ERM framework with deep accuracy, efficiency and effectiveness gains can be enhanced by the 4Ts in the figure below:

Figure: ERM enhanced by the 4Ts model

 

4. Review risk management processes often

The final and most important way to improve your risk management is to review continuously. That is, check in on your risk management processes as often as you can. Set up a schedule of monthly, quarterly, or even yearly reviews.

Even the strongest risk management processes are at the mercy of ever-changing external and internal factors.

An effective risk management plan will build in reviews on an ongoing basis to accommodate these changes, ensuring that it continues to be as effective as possible.

For example, the Enterprise Risk Resilient EcoSystem, a framework designed to incorporate the needs of larger organizations, is a testament to the need for an evolving mindset regarding risk management.

Figure: The Enterprise Risk Resilient EcoSystem from Baker Tilly, speaking to the "modern world" and the need for flexibility in corporate risk management.

According to Jonathan Marks of Baker Tilly, the 8th largest accounting firm in the United States, 

“The Enterprise Risk Resilient EcoSystem is more complete than other published frameworks and is more reflective of the current state of “our modern world” and where we need to focus. Why? Regulators are expecting organizations to be using a data driven audit process and using the results or feedback to continually enhance their compliance program.”

He continues:

“This means organizations should be strongly considering adding technology like MindBridge to the equation. It also means that if compliance, audit, and the general counsel are not working harmoniously there is a possibility risks will not be properly addressed increasing the likelihood of fraud.”
