Continuous Auditing and Monitoring: From Theory Into Practice
By José Tabuena – May 10, 2011
For many auditors, continuous auditing remains more of a goal than a reality.
The concept—which shifts the internal auditing paradigm from routine
periodic audits of a small sample of transactions, to the ongoing
review of much larger volumes of data—has proven difficult to put into
practice. Financial and audit executives warmed to the idea of
continuous auditing (and monitoring) some time ago, yet implementation
remains a work-in-progress. Despite its potential, only a few
organizations have begun to realize the benefits.
Continuous auditing enables internal auditors to determine more
quickly and accurately where to focus attention and resources to
improve audit quality. For audit thought leaders like Norman Marks,
the value proposition for continuous auditing is in its ability to
provide assurance when it is actually needed—that is, delivering
“audit at the speed of business.”
The accounting system is based on historical transactions; hence, the
method of traditional auditing is to perform random tests of completed
transactions in order to obtain reasonable assurance that the events
recorded reflect the true financial position of a company. With
traditional practices, financial-reporting systems are audited
annually or quarterly, and individual business processes are audited
every year or every few years.
In contrast, continuous auditing is an automated approach, and all
data relevant to the audit being performed is examined in real time,
rather than just a representative sample.
Yet in many respects the use of the term continuous is somewhat
misleading. Some companies refer to any audit activities performed
more often than every three months as “continuous.” Other companies
consider it continuous when a particular process fails an audit and
the audit is repeated several times over the next year. Very few
companies actually audit certain business processes in anything akin
to real time. Any definition at this time is a moving target, as
technology advances and the methods organizations use to perform
audits continue to evolve.
Still, a working definition is in order, as confusion remains about
continuous auditing and related activities. According to the Institute
of Internal Auditors' Global Technology Audit Guide (GTAG), continuous
auditing is: “Any method used by auditors to perform audit-related
activities on a more continuous or continual basis.” GTAG further
provides that technology plays a critical role in continuous audit
activities by “helping to automate the identification of exceptions or
anomalies, analyze patterns within the digits of key numeric fields,
review trends, and test controls, among other activities.”
Continuous auditing itself should be considered in the context of the
following related terms and processes:
Continuous monitoring: a management function that ensures company
policies, procedures, and business processes are operating effectively,
and that addresses management's responsibility to assess the adequacy
and effectiveness of internal controls.
Continuous risk assessment (also known as risk monitoring): the use of
analytical techniques to identify trends, and of other indicators, to
develop and maintain the periodic audit plan.
It's important to consider how continuous auditing differs from
continuous monitoring, since both entail the automated testing of
available transactions and system activities within a given business
process against internal control rules. Typically, monitoring is done
by company management; continuous audits are performed by the internal
audit department to evaluate the adequacy of management's
monitoring—although both often cover the same ground.
While continuous auditing and continuous monitoring do not need to
coexist, putting both in place can maximize the value of each by
increasing coordination between management and internal audit, thereby
minimizing the duplication of controls and efforts. Implementing both
can also help integrate management's responsibilities for performance
of controls with internal audit's accountability for assurance over
management's controls, while preserving IA's independence.
Because continuous audit activities differ from those taking place
during a traditional audit, core audit principles such as independence
also need to be reconsidered. When the internal audit department's
role is not just to scrutinize management monitoring, but to provide
the data-analytic scripts for management to use in monitoring
activities, auditors can find themselves in the middle of the
transaction flow.
For example, at a brokerage firm that monitors its clients' electronic
transactions, auditors are notified when a transaction is blocked
after certain analytical parameters are met. The auditor in follow-up
then deals directly with the client. Where the distinctions between
management monitoring and continuous auditing can be blurred, it is
important for internal auditors to make sure that the continuous audit
process has a system of checks and balances to maintain the
independence and objectivity of their work throughout the audit.
Implementation Challenges
Whether an internal auditing approach on a particular process can be
considered “continuous” depends on several factors, such as the
number of assessments, timing, frequency of automation, and the
sophistication of the technology employed. The frequency of continuous
auditing itself will depend on a number of factors, including the rate
and timing at which the transactions occur (for example, journal
entries are predominantly a month and quarter-end activity), and the
frequency with which controls are performed.
Some of the challenges in rolling out a continuous audit program are:
What do we want to do? Start with the risks you want to monitor, as
the potential opportunities can quickly become overwhelming. Identify
areas appropriate to pursue based on projected benefits, costs, and
return on investment. For example, concern regarding data privacy has
become a hot-button issue in healthcare, so continuous auditing and
monitoring of the access to electronic health records may be worth the
investment in that regulatory environment. One approach might involve
automatically identifying users who share log-in information and
passwords by detecting concurrent use of the same login and password
information at different computers.
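One way the shared-credential check described above can be automated, as an added example that is not from the article or any particular product: the script pairs logins with logouts per user and host from a constructed access log in a hypothetical "timestamp user= host= event=" format, then flags a user whose sessions on two different hosts overlap. The minimum-overlap threshold is the knob an auditor would tune to suppress false positives such as a stale session during a workstation change.

```python
"""Flag concurrent use of one login from different workstations.

Constructed example, not code from the article. Assumes a hypothetical
access-log format: "<ISO timestamp> user=<id> host=<name> event=login|logout".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: jdoe is active on two hosts for 25 minutes (likely
# credential sharing); asmith moves between hosts sequentially; bkhan's
# sessions overlap by only 20 s (stale session during a workstation change).
SAMPLE_LOG = """\
2011-05-10T09:00:00 user=jdoe host=WS-0112 event=login
2011-05-10T09:05:00 user=jdoe host=WS-0487 event=login
2011-05-10T09:30:00 user=jdoe host=WS-0112 event=logout
2011-05-10T09:45:00 user=jdoe host=WS-0487 event=logout
2011-05-10T10:00:00 user=asmith host=WS-0200 event=login
2011-05-10T10:20:00 user=asmith host=WS-0200 event=logout
2011-05-10T10:20:30 user=asmith host=WS-0333 event=login
2011-05-10T10:40:00 user=asmith host=WS-0333 event=logout
2011-05-10T11:00:00 user=bkhan host=WS-0500 event=login
2011-05-10T11:00:20 user=bkhan host=WS-0501 event=login
2011-05-10T11:00:40 user=bkhan host=WS-0500 event=logout
2011-05-10T11:30:00 user=bkhan host=WS-0501 event=logout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>login|logout)$")


def parse_sessions(log_text):
    """Pair each login with the next logout for the same (user, host).
    Returns {user: [(host, start, end), ...]}; a login that never logs out
    is treated as open until the last timestamp seen in the log."""
    open_sessions = {}                 # (user, host) -> login time
    sessions = defaultdict(list)
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                   # tolerate unparseable lines
        ts = datetime.fromisoformat(m["ts"])
        last_ts = ts if last_ts is None else max(last_ts, ts)
        key = (m["user"], m["host"])
        if m["event"] == "login":
            open_sessions.setdefault(key, ts)   # ignore a repeated login
        elif key in open_sessions:
            sessions[m["user"]].append((m["host"], open_sessions.pop(key), ts))
    for (user, host), start in open_sessions.items():
        sessions[user].append((host, start, last_ts))
    return sessions


def find_concurrent_use(log_text, min_overlap_seconds=60):
    """Return (user, host_a, host_b, overlap_seconds) for each pair of one
    user's sessions on different hosts overlapping by more than the threshold."""
    threshold = timedelta(seconds=min_overlap_seconds)
    findings = []
    for user, sess in parse_sessions(log_text).items():
        for i, (host_a, start_a, end_a) in enumerate(sess):
            for host_b, start_b, end_b in sess[i + 1:]:
                if host_a == host_b:
                    continue
                overlap = min(end_a, end_b) - max(start_a, start_b)
                if overlap > threshold:
                    findings.append((user, host_a, host_b, int(overlap.total_seconds())))
    return findings


if __name__ == "__main__":
    for f in find_concurrent_use(SAMPLE_LOG):
        print("concurrent login: user=%s hosts=%s,%s overlap=%ds" % f)
```

Lowering the threshold to zero also flags bkhan's 20-second overlap, which is the kind of finding the follow-up effort described later in the article is spent dismissing.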
Show me the data: The collection of data can be an elusive challenge.
Often at a large, complex company, the data is not all housed in the
same place. There can be formidable logistics involved in working with
the IT department to get data in a readable format and compile it in
one database to enable the use of a single set of queries instead of
several.
Can we (afford to) keep doing it? As any experienced auditor realizes,
the identification of exceptions and anomalies is but one step in the
process. Audit and management resources are needed to review and
assess access logs and findings that are now being generated. Effort
is needed to recognize significant false positives and to fine-tune
the rules to better ensure only high-risk activity is flagged. After a
decision is made to develop a continuous audit routine, then the
challenge becomes determining its scope and setting failure
thresholds. When configuring a continuous audit procedure, you should
consider the cost benefits of error detection, and the audit and
management follow-up activities that will be required.
Neither continuous auditing nor continuous monitoring should be viewed
as a short-term endeavor; both are commitments toward a new way of
doing business. Basic approaches will still apply, and auditors will
need the core skills that manual testing instills and the know-how to
evaluate risks and controls.
Auditors understand that even when all transactions are examined,
assurance is provided only as to those transactions. Testing does not
provide assurance that the controls themselves are adequate and that
they will ensure the integrity of future transactions.
Still, continuous auditing enables an internal auditing function to
provide assurance, when it is needed, on the more significant areas of
the organization's governance, risk-management, compliance, and
related operational controls processes.
The benefits of implementing a continuous auditing system will
outweigh the costs. Though it can require a large capital investment
up front, it should be viewed as a long-term, strategic investment. An
effective continuous audit and monitoring system will increase the
reliability of financial data, assist in improving financial
information, and ultimately enhance the company's internal audit
function.