Reinventing Internal Audit by embracing technology

Nubank's approach to implementing a Continuous Auditing framework.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. It is designed to be the management’s ally to ensure that all processes work as designed[1].

Auditors have a professional duty to provide an unbiased and objective opinion, be independent of the operations being evaluated[2], and report to the audit committee – an independent governance body that provides support to the board of directors.

The results of internal audits give management a view of the most relevant risks, so they can address them, along with suggestions for improving processes that are not functioning as intended.

An internal audit process can be summarized in four stages:

  1. Planning: To define objectives and scopes of the audit
  2. Fieldwork: When auditors evaluate procedures of the audited business unit
  3. Report: A written report that details the results of the fieldwork, with audit findings and recommendations for improvement.
  4. Follow-up: Performed on previously reported audit findings to determine whether corrective action plans have been effectively implemented and that expected results are being achieved.

Internal Audit Job

Banking audit methodologies usually involve many hierarchical roles and a lot of meetings in almost every stage of the audits. For instance, this is what the first stage might look like: auditors report their fieldwork planning to the coordinator, the coordinator takes it to the manager, the manager presents it to the superintendent, and the superintendent gets the director’s approval.

Data is not usually accessible to auditors, due to complicated access control schemes in legacy systems and lack of documentation; therefore, auditors heavily depend on the team being audited to obtain most of the evidence for their tests, slowing down fieldwork execution and demanding a lot of time from the auditees.

At Nubank, the Internal Audit team works together with the business areas from the start. Auditors have access to all databases and know how to query them, making fieldwork faster and causing the least possible impact on the business. They also map all activities performed by the company and perform a risk-based analysis to define the areas that are going to be audited.

Fieldwork is faster, a consequence of breaking the hierarchy and removing barriers between auditors and business data. However, although fieldwork results give great insights and improvement opportunities, they will always provide a “snapshot” of the process at the moment the audit occurred.

To go beyond this scope and cover more risks, we needed to continuously evaluate the effectiveness of internal controls; we decided to do this by automating auditing procedures through data and programming, implementing a Continuous Auditing methodology that matched our way of work.

These are the procedures we wanted to do continuously:

  • Evaluate the effectiveness of the internal control systems and identify potential risks;
  • Check the efficiency of routine operations of the bank;
  • Evaluate the reliability and accuracy of the financial records and reports;
  • Ensure that the procedures comply with the legal and regulatory requirements.

What’s Continuous Auditing?

Continuous auditing is a method used to perform control and risk assessments automatically and frequently. This technique includes programmed internal audit tests in the analytical environment, providing fast information about control breaches, rules, exceptions, and anomalies in KRIs (Key Risk Indicators). It transforms the audit paradigm from periodic reviews to a live and iterative process, giving valuable and timely information to react to the risks.

This means we went ahead and trained all auditors to have enough programming skills to code their continuous auditing tests in the analytical environment. They are fully independent in creating, updating, and monitoring a test, as well as following up on its results.

The Flow of Adding a new Continuous Auditing Test

Continuous Auditing is a hot topic in the audit community, and at Nubank we decided to do it our way: applying technology and software, just like we do to reinvent all of our financial products.

We didn’t create the concept of Continuous Auditing, we reinvented it fast using the technology available as Nubank did with Credit Cards.

The Audit team monitors the results of all continuous tests and reaches out to the responsible team when any of them shows a negative/unsatisfactory result. An unsatisfactory result in a continuous test will have the same treatment as an audit finding. The owners of the risk, along with the audit team and additional teams – when required – build an action plan to mitigate the risk/correct the process. The Internal Audit team follows up on the plan implementation.

The Flow of monitoring Continuous Auditing Tests results

Continuous auditing transforms Internal Audit tests into automated alarms. It converts a static photograph into an uninterrupted movie.

Continuous Auditing Tests can be compared to automated tests in Software Engineering. Developers write pieces of code that check whether the application behavior meets its specification. With Audit Tests, we aim to automatically check whether a process of a given business area is behaving as it should, according to regulation or internal policies.

How we accomplish it

We combine software engineering design concepts (an interface inside the company's analytical environment) with beautiful data visualizations that help the audit team understand and collect insights on the company’s overall performance and health.

Data is a fundamental pillar of Nubank. We aim to democratize access to it, so most of our existing data is readily available in our analytical environment. This by itself already provides value for auditors, allowing for faster analysis and insights in any direction.

However, to accomplish the desired level of automation, we decided to leverage the full power of our analytical environment, creating a simple and effective interface for auditors to create new tests.

During fieldwork, auditors use the Scala programming language to query data in our analytical environment (via Spark SQL). When they decide to create an automated auditing test, they simply create a new Scala object implementing a predetermined contract. In Scala, this contract is called a Trait, a template that defines how a Continuous Audit Test should be implemented. Below is a snippet of the interface created to ease/simplify the implementation of Continuous Audit Tests on our ETL:

// RiskType and Interval are defined elsewhere in the ETL; the minimal
// stand-ins below are assumed shapes (not Nubank's definitions) so the trait compiles.
sealed trait RiskType
sealed trait Interval
case object Daily extends Interval

trait AuditTest {
  def name: String                    // unique identifier of the test
  def description: String             // what the test checks and why
  def riskType: Set[RiskType]         // risks covered (Financial, Regulatory, ...)
  def intervalCheck: Interval = Daily // execution frequency; daily unless overridden

  // ...
}

On this Trait they need to set some fields, such as:

  • The types of risk (Financial, Regulatory, Operational, etc) the test covers
  • The frequency of the test execution (daily, weekly, monthly, etc)
Auditors use the Trait as a template to create new tests

Monitoring the results

After a test is created, it runs periodically and all of its executions are also saved in the analytical environment. When a failure is detected, i.e. when the result doesn’t meet the expectations (within a threshold), the audit team is warned.

For example, let’s say we create a test to check whether we are approving underage customers. It counts the number of underage customers approved on a given day; since internal policy says we should have none, the expected result is 0. A result greater than 0 may indicate an operational problem.

In summary, whenever a potential risk materializes based on the programmed scenario, auditors are automatically alerted to act on the problem the company might be facing.
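The following is an added example, not Nubank's code: it recreates the AuditTest contract and the underage-customer check described above in Python against an in-memory SQLite table, rather than in Scala on Spark SQL, so it runs without a cluster. The table layout, the test names and the sample rows are all constructed for the example; the `expected` and `threshold` fields are an assumed way of expressing "doesn't meet the expectations (within a threshold)".

```python
"""Continuous auditing test contract, run against an in-memory SQLite table (constructed example)."""
import sqlite3
from abc import ABC, abstractmethod
from dataclasses import dataclass
from enum import Enum


class RiskType(Enum):
    FINANCIAL = "financial"
    REGULATORY = "regulatory"
    OPERATIONAL = "operational"


class Interval(Enum):
    DAILY = "daily"
    WEEKLY = "weekly"
    MONTHLY = "monthly"


class AuditTest(ABC):
    """Contract every continuous auditing test implements (mirrors the trait's fields)."""
    name: str
    description: str
    risk_types: set
    interval_check: Interval = Interval.DAILY
    expected: int = 0      # result we expect when the control works as designed
    threshold: int = 0     # tolerated deviation from `expected` before the team is warned

    @abstractmethod
    def query(self) -> str:
        """SQL returning a single number for the day bound to the :day parameter."""


class UnderagedCustomersApproved(AuditTest):
    name = "underaged_customers_approved"
    description = "Customers approved on the day who were under 18 at approval time"
    risk_types = {RiskType.REGULATORY, RiskType.OPERATIONAL}

    def query(self) -> str:
        # A customer is underage if their 18th birthday falls after the approval date.
        return """
            SELECT COUNT(*) FROM customers
            WHERE status = 'approved'
              AND date(approved_at) = :day
              AND birth_date > date(approved_at, '-18 years')
        """


@dataclass(frozen=True)
class ExecutionResult:
    test_name: str
    day: str
    result: int
    expected: int
    threshold: int

    @property
    def passed(self) -> bool:
        return abs(self.result - self.expected) <= self.threshold


def run_test(conn: sqlite3.Connection, test: AuditTest, day: str) -> ExecutionResult:
    """Execute one test for one day (in practice every execution is persisted)."""
    (value,) = conn.execute(test.query(), {"day": day}).fetchone()
    return ExecutionResult(test.name, day, int(value), test.expected, test.threshold)


def alerts_for(conn: sqlite3.Connection, tests: list, day: str) -> list:
    """Run all tests for a day and return those the audit team must be warned about."""
    alerts = []
    for test in tests:
        execution = run_test(conn, test, day)
        if not execution.passed:
            alerts.append({"test": test.name,
                           "risks": sorted(r.value for r in test.risk_types),
                           "result": execution.result, "expected": execution.expected})
    return alerts


def sample_connection() -> sqlite3.Connection:
    """Constructed sample data: one underage approval on each of 2020-06-14 and 2020-06-15."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT, birth_date TEXT, approved_at TEXT, status TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        ("c1", "1990-01-01", "2020-06-15 10:02:00", "approved"),  # adult
        ("c2", "2002-06-16", "2020-06-15 11:30:00", "approved"),  # turns 18 the day after approval
        ("c3", "2002-06-15", "2020-06-15 12:00:00", "approved"),  # turns 18 on approval day: allowed
        ("c4", "2005-03-03", "2020-06-14 09:15:00", "approved"),  # underage, on the previous day
        ("c5", "2005-03-03", "2020-06-15 09:15:00", "rejected"),  # underage but never approved
    ])
    return conn


if __name__ == "__main__":
    conn = sample_connection()
    for day in ("2020-06-14", "2020-06-15", "2020-06-16"):
        print(day, alerts_for(conn, [UnderagedCustomersApproved()], day))
```

The scheduler that calls `alerts_for` once per `interval_check` and stores each `ExecutionResult` is left out; the point is that the test author only supplies the query and the expectation, and the failure decision lives in one place.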

Visualizing

As we are data addicted, we are not satisfied by only having the results of our tests; we want metrics on everything related to our continuous auditing tests, such as:

  • How many tests are triggering?
  • What areas are more susceptible to potential risks?
  • Are we complying with all regulations our tests are covering?

We create dashboards and visualizations from the metrics gathered across our continuous auditing tests, and also to check the historical executions of a specific test.

Example of a Continuous Audit Test execution results over time

Reporting

Unlike fieldwork, which has a specific duration, Continuous Auditing Tests are automatically executed at a chosen frequency, and if a problem is identified, the audit team contacts the responsible area to come up with a plan to mitigate it.

The result of fieldwork is a written report with audit findings and the action plans to solve them. However, Continuous Auditing is essentially different in this aspect, as each problem identified by a Continuous Auditing Test is addressed with an action plan on the spot.

Process triggered when a test failure is detected

Considering this scenario, a question emerged: how would we report the audit findings generated by this methodology? Should we issue a report every time a test identifies a problem?

The objective of an Audit Report is to present to the Audit Committee (external independent members) and the company's board of directors the problems identified by the Audit Team during fieldwork.

Considering that action plans are created together with the business area when the tests identify problems, and to avoid issuing multiple reports in a short time, we decided to publish quarterly reports for the Continuous Auditing methodology.

The Continuous Auditing Report not only describes the audit findings of the period but also gives an overview of this methodology’s evolution, such as what new processes/areas are being continuously audited and the main risks being covered.

Wrapping Up / Conclusion

We are getting ready for a future where most Internal Audits will be performed via the continuous auditing methodology that we are building, combining software engineering concepts and data analysis. For most of the Internal Audit teams, this is the future of audit.

Currently, continuous auditing is helping us with:

  • Knowing sooner where our defenses are not working properly, and consequently prioritizing the identified risks before they become a big issue;
  • Ensuring compliance with regulatory requirements by continuously testing them;
  • Being prepared, like no other company in the market, for regulatory inquiries when they come;
  • Enhancing overall risk and controls oversight;
  • Automating audit evidence collection.

At Nubank the future is happening right now: our controls are being automatically tested, with no human interaction, while you read this article.


[1] About Internal Auditing
[2] What is internal audit? | About us | IIA