This traditional approach to ensuring internal controls are effective is problematic. The normal protocol involves selecting one or more team members to test particular controls on a sporadic basis. The traditional internal audit department is specifically designed with this approach in mind. So what is wrong with this model?
The traditional approach is largely manual and that takes a ton of time.
For example, your team is concerned about duplicate payments in your Purchase-to-Pay (P2P) process. On some recurring basis, someone (an internal auditor if you have one):
This one round of P2P testing is certain to take weeks and weeks of work. An expert we work with estimates a good internal auditor can review 2.5 transactions per day (from selection through investigation & remediation). Thus, if your organization processed only 6,000 payments a year, you want to review approximately 300 transactions (assuming a goal of 95% confidence level & +/- 5% margin of error). That translates into about 30 weeks to do this testing.
As the traditional approach is so time-consuming and you are busy, these tests are often done infrequently. Thus the auditor is looking at transactions that are months/years old. Meaning when they find a duplicate payment (for example), the likelihood of recovery is greatly diminished.
As evidence of this significant delay, according to a KPMG Fraud & Misconduct survey, it takes 24 months on average to detect procurement fraud; by then 89% of proceeds are unrecoverable.
If you think you could be doing something better with this time, consider better solutions...