Reflections on Continuous Auditing

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

 

QFinance recently published an article of mine on Continuous Auditing: Putting Theory into Practice. When I shared this news, a couple of people commented that internal audit should not be doing this kind of work, because it is a detective control, management's responsibility, and management may rely on it instead of taking ownership themselves. (I should point out that they reacted to the idea of continuous auditing, without reading the article.)

This observation made me think, and I want to share my reflections and hear what you have to say:

  1. The role of internal audit is to provide assurance to the board and top management that governance, risk, and control processes provide reasonable assurance that risks are at acceptable levels.
  2. We should be providing that assurance when it is needed, which in many cases is more frequently than annual.
  3. It is not internal audit's role to test every transaction and verify that it was handled properly (and function as a detective control). We should be focusing on the adequacy of processes and controls.
  4. Confirming that transactions are correct does not provide assurance that the controls are in place and effective.
  5. Many of the vendors and consultants who advocate continuous auditing (and even some practitioners) are testing transactions and not controls — and I don't believe we should be doing that, except as a service to management with express approval from the board.
  6. Continuous auditing is not limited to the use of technology, and you don't need technology to do it — it just makes it easier.

If our work looks like a detective control, we shouldn't be doing it (absent approval by the board).

If it leads to us being able to provide assurance that the controls are in place and working (because we are testing controls not just transactions), then congratulations!

What do you think?

 

Posted on Jan 30, 2012 by Norman Marks


  1. Norman you address only half of internal audit's mission/role - that being assurance. What about consulting to help achieve business objectives through bringing ideas, innovation and technology into play? Bringing in continuous transaction monitoring solutions is a great way to improve business processes, reduce the cost of external and internal audit testing and improve compliance with laws, regulations, policies and procedures. As a Fortune 300 CAE and now a trusted assurance and consulting advisor, this is a no-brainer with ROI in 6 months in all cases. Why not be ambitious for the business and lead!

  1. Good point, Michael. I agree that providing a consulting service by introducing technology or other techniques can add great value.

    But is this (testing transactions) something that should be done on a continuing basis by internal audit? Or should it instead be turned over to management?

    BTW, since testing transactions does not provide positive assurance on controls or risk management, I am not convinced that it should reduce either internal or external audit work. I realize some believe that if the transactions are OK the controls must be - but I am not in that crowd because I have heard the mantra so often:

    "Why should I improve the controls? Nothing has gone wrong."

  1. Is part of the management business model, that internal audit and external audit validate for reliance. Yes, it tests many (not all) controls as well as transactions. Not sure why you continue to think this is the case? Am I missing something?

    Regards,

    Mike

  1. Michael, using technology to test that transactions were approved by the correct person is just fine. That is testing the control.

    An example:

    a. If the software is used to test that payments match to invoices, orders, and receiving documents that is a test of transactions and not of controls.

    b. If the software is used to test that the payment was authorized by the appropriate individual, that is a test of controls.

    I like method (b), but not (a).

  1. Testing of the transactions on a continuous basis is the responsibility of the management, as in SAP or other ERP systems there is always the "requirement of maker and checker process". It is to ensure the right transactions, duly authorised by the right/delegated competent authority, are taking place. Internal Audit, while doing transaction audit on a random basis for a selected period, ensures correctness of the transaction as well as that the system/processes followed are in order. If anybody is by-passing the processes/control mechanism, there is need to be alarmed. IA has to point out such cases in his report to the Board. Some of such cases can be fraud prone.

    This is based on my 35-1/2 years' experience in Finance and Corporate Internal Audit of a Fortune 500 company. Thanks.

  1. You're right on point with transaction testing and its inability to prove that controls are effective and reliable. Over my 20+ years in the field, I've had this debate with many audit professionals. I believe that the historical contributions of external auditors into the field of internal auditing explain this focus. But it is time for Internal Auditing to break away from the traditional external auditing techniques. They need to replace these procedures with innovative techniques that provide the assurance that the Board and top management seek. To support this type of change, Internal Auditors need to return to the basics of process decomposition and control analysis.

  1. @ Norman - We all know that a 3-way match is a fundamental detective control in every accounts payable system against improper payments, inaccurate accounting and potentially fraud. If you audit your accounts payable, I would be surprised if this is not one of the controls you look at. If you have ERP and other recent systems, they can be fully configured with this control. In this case the de facto test is the configuration of the control while ensuring robust change and configuration management controls and logical access controls within the system. If there are no automated controls then enabling continuous auditing on such a fundamental control would be ideal (dependent on the number and value of transactions we are talking about).

    Having said that, the question as to whether continuous audit should be performed by internal audit or management is a question of how mature the organisation's control culture is. Personally I believe Internal Audit should foster that culture and let management run with continuous auditing once adequate maturity is reached.

  1. Continuous audit can help to continuously test the controls over transactions. The greater strength of continuous audit is to help auditors see the anomalies in the data so that we can look at possible exceptions and verify that controls are still operating effectively. This type of work is outside of the expectation of management. Internal audit is better able to set the parameters to be reviewed and we should be the independent set of eyes to review output.

  1. Norman - I am on the side of testing controls using continuous auditing as well, which I believe is based on fundamentals of our profession and proper division of responsibilities. However I cannot deny the fact that at some point in time we can do better work than management using automated tools, based on our view of controls, knowledge of the business processes and independence. From that perspective my approach has been to develop the continuous auditing tests, make sure management understands it and buys it, and after that transition completely to them. Performing these tests for both controls and transactions is a valuable tool that the Executive Committee really appreciates.

  1. Mike, our intent is to use continuous auditing as part of our fraud risk procedures to identify data anomalies such as matches of employee address with vendor's, spending by level of associate by expense type to identify outliers. Testing of transactions belongs to management and using continuous auditing to determine whether a control is operating effectively is not at the control level we would hope to be if we have applied our top down risk based approach correctly. However from a fraud assessment perspective we find it can be useful.

  1. I'm an avid believer in the Internal Audit function providing information to management that provides a basis for quality decisions. The boundary for making those decisions and assuming operational responsibility is a critical one for us not to cross. Having said that, providing a validated data set (with risks or exceptions identified) to operational management that facilitates remediation is inherent to our mission and objective. Optimized Internal Audit is an independent executive function that is focused on identifying risk and risk management as implemented throughout the organization, which includes a 'continual' view of information in as cost-effective and efficient a manner as possible. In my opinion, having a process of data analysis that starts within the audit function, is then communicated and verified with responsible management to the point of their commitment to resolve, followed with an ongoing monitoring of management is completely within the realm of the IIA standards. Utilizing technology furthers the cause in a systematic way predicated on a factual foundation.

  1. We support internal audit utilizing continuous auditing. We review control design, but measuring whether the controls are functioning as designed shows up in reviewing detailed transactions. Given the large number of transactions in applications such as accounts payable, continuous auditing is the most effective way to review the population. I believe that both IA and management should be using the tools available. Our IA usually introduces the technology to management and then encourages the use. The more resources and eyes applied to areas of fraud risk, in my opinion all the better.

  1. Kevin, you say "The greater strength of continuous audit is to help auditors see the anomalies in the data so that we can look at possible exceptions and verify that controls are still operating effectively".

    I agree that if the automated routines detect errors or anomalies, that may indicate that controls are not effective. That's the prima facie assumption.

    But, if the routines do not detect errors, you cannot assume that the controls are in place and operating effectively.

    Let me share my favorite metaphor:

    If you do not receive a call from the police that your house has been burglarized, does that prove that you always lock the doors when you leave?

    My mission as internal auditor is to provide assurance that the controls are in place. Now, if management and the board want me to test transactions to detect fraud or error, that is another story and I have to ask whether I should do it or look to management to do it (perhaps after I have shown them the way).

  1. One of my favorite continuous auditing tests is around configurable (automated) controls. In an SAP or Oracle environment, the configuration settings will determine what is matched (2-way, 3-way, not at all) and what the tolerances are for items that don't match perfectly. You can use software to monitor the configurations for changes, then test the changes to confirm they were approved by the appropriate people. This confirms that the control is in place and operating as intended. (You do have to examine the configuration before monitoring changes).
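
An added illustration, not from the original post or any commenter's tooling, of the distinction drawn in this thread: re-performing the match (test a) versus looking for evidence of the control (test b), plus the configuration-change check described in the comment above. All records, field names, user ids and the approver list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: who may approve payments and configuration changes.
AUTHORIZED_APPROVERS = {"ap_manager", "controller"}

@dataclass
class Payment:
    pay_id: str
    po_qty: int
    received_qty: int
    invoice_qty: int
    approved_by: Optional[str]

@dataclass
class ConfigChange:
    setting: str
    old: str
    new: str
    changed_by: str
    approved_by: Optional[str]

def reperform_match(payments):
    """Test (a): re-perform the 3-way match; returns ids of mismatched payments."""
    return [p.pay_id for p in payments
            if not (p.po_qty == p.received_qty == p.invoice_qty)]

def check_authorization(payments):
    """Test (b): evidence of the control; returns ids lacking an authorized approver."""
    return [p.pay_id for p in payments
            if p.approved_by not in AUTHORIZED_APPROVERS]

def check_config_changes(changes):
    """Configuration monitoring: returns settings changed without independent,
    authorized approval (missing, unauthorized, or self-approved)."""
    return [c.setting for c in changes
            if c.approved_by not in AUTHORIZED_APPROVERS
            or c.approved_by == c.changed_by]

# Constructed sample data: every payment matches, yet the control evidence is weak.
PAYMENTS = [
    Payment("P-1001", 10, 10, 10, "ap_manager"),
    Payment("P-1002", 5, 5, 5, "ap_clerk"),   # approved, but not by an authorized person
    Payment("P-1003", 8, 8, 8, None),         # no approval recorded
]
CHANGES = [
    ConfigChange("match_mode", "3-way", "2-way", "basis_admin", None),
    ConfigChange("qty_tolerance_pct", "0", "2", "basis_admin", "controller"),
]

if __name__ == "__main__":
    print("match exceptions:", reperform_match(PAYMENTS))
    print("authorization exceptions:", check_authorization(PAYMENTS))
    print("unapproved config changes:", check_config_changes(CHANGES))
```

On this sample the re-performed match reports no exceptions while the two control tests do, which is the gap between clean transactions and an operating control that the thread is arguing about.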

  1. Let me share another perspective.

    I started with Coopers & Lybrand way back when. We were taught this way of testing controls, after we had documented and evaluated the design of controls.

    1. Examine a sample of transactions for evidence that the control is in place. This could be through the presence of signatures, for example.

    2. Reperform the control (for example by matching invoices to purchase orders)

    Too many are using automation to do step 2, but not looking for evidence of controls.

  1. I think the question of fraud and fraud detection is an interesting one. Should IA not be assessing management's processes for detecting fraud? Should we be the detective control?

    What I have done in the past is perform my own fraud detection (using many ACL routines) when the condition of controls indicated that the fraud risk was high. I then turned the ongoing responsibility (and the routines) over to management.

    What I continued was monitoring fraud risk and the effectiveness of management's fraud controls. If fraud risk increased, then I would step up to the plate for some testing through analytics.

  1. I think CA should basically be an "attitude". In my opinion, these are the basic elements of CA:

    - A continuous inflow and analysis of relevant information. The most relevant information is usually in PowerPoint or Word format. Analyzing databases is important, but CA is not about trying to understand everything that is happening in the huge information repositories of our companies (and anyway it’s impossible).
    - A flexible use of all different kinds of audit tools. We tend to think about our Audit Plan in terms of “Audit Reports” or “Audit projects”. We should consider it to be a kind of Lego, where we assemble (a continuous process) a mix of different elements (our toolbox) in order to reach a global view of the company, and at the same time a granular view of relevant risks. Our toolbox should include meetings, analysis of management information, focused analysis of databases, etc., and not just traditional Audit projects.
    - A change in the mindset of the team. The job of the auditor should no longer be to perform a chain of audits throughout the year. They should be responsible for understanding what’s happening in the business, where the relevant and emerging risks are, and then decide what is the right tool (or mix of tools) to be used in each circumstance.

    A big challenge to this approach (in addition to having the right people/culture, of course) is the logistics. We are used to a linear plan, easy to control and to present to the Audit Committee; a real CA Plan is much more difficult to explain and more difficult to track.

  1. This discussion continues to confuse me. Continuous auditing generally implies use of automation to provide some type of near real-time evidence. But since we're talking about an automated control, there are only two chances for a control failure ... either the control doesn't exist within the normal automated processing routines so that auditing must look for it outside of the regular control environment ... or ... the control is being overridden by someone. That second option should have its own controls in place. I fail to see how continuous auditing, and it's generally implied, is an audit function. It more often represents the lack of an automated control and auditing is stepping into the role of looking for errors due to the lack of the control. Our role should be to recommend that management address the risk, either with an automated control or a manual one in its place.

  1.  Charles, my view and my opinion:

    1. Continuous auditing is the use of auditing techniques on a more continuous basis (see the IIA GTAG at http://www.theiia.org/guidance/technology/gtag3/)

    2. Continuous auditing is not limited to automated techniques. If the auditor attends the quarterly CFO calls with the division controllers, he is able to obtain assurance that the call (which is an important control) is taking place and the quality is solid.

    3. Automated techniques can be used to test manual controls, not just automated controls (within limits). For example, an auditor can test that journal entries were approved using the id (and presumably by the person of) the GL manager.

    4. Automated controls can be turned off.

    5. When used to obtain assurance that controls are in place and operating, I see this as an audit function.

    6. When used to obtain assurance that transactions are clean, including whether fraud occurred, I prefer this to be a management function - a detective control.

  1. Norman your points #5 and #6 above summed it up nicely. I am currently a newbie looking into buying analytic software for a one person shop (me). One of my internal dilemmas that I have been fretting about is that if I find for example a duplicate vendor has been created, then will the department take that anomaly and ownership of preventing it from happening in the future? Or will they always in the back of their minds think, "Oh well I do not have to really monitor it too much - Internal Audit is looking and will catch it if it happens again."

  1. Norman, I strongly agree with you. IA is more of an assurance function that the controls are in place and working effectively. Yes, Internal Audit can do the continuous auditing but at the end of the day management will start to think, as long as audit looks into it then all is well. It is the responsibility of management to detect. The controls should be put in place to have exceptions. Secondly when internal audit is involved in continuous auditing, the staff tend to lose their objectivity. Testing of transactions can be done as part of testing the controls but should not be a routine.

  1. Continuous auditing has two main purposes: assessment of risk and the assessment of controls. So far the focus of discussion seems to be centred on Control testing. However, as Norman pointed out, it will not serve as a preventive control, but supports a form of detective control.

    We use continuous auditing to identify and assess risk and to assess key controls. The risk assessment uses various indicators and trend analysis to assess changing levels of risk. Typically the control testing is first performed as part of an audit and is coupled with interviews, walk-thrus etc to assess not only if the controls have failed (evidenced by transaction testing), but also that the controls are adequate and working as intended (evidenced by the additional audit work). Additional analyses are performed after the audit to determine if management action has been taken and is producing the desired effect. It also provides auditors with an indication that controls are, or are not working (i.e. do we need to come back).

    Where possible we try to hand over audit tests to management to use as part of continuous monitoring and then we assess the adequacy of their monitoring (periodically). I use a smoke detector - it is always testing the air (management monitoring); twice a year you check the batteries (continuous auditing).

  1. Norman,

    Thanks for your write up on CA. We are in the process of implementing a form of CA, and your short write up, along with some of the comments from others, will help us establish a clear direction of what is best for our unit. I particularly liked the part about analyzing transactions (point 5). We were getting hung up on the unit's technological skills, which now I think we can increase over time while at the same time implementing what would be considered some CA processes.

    Thanks again.

  1. CA is a toolset. Before you use any tool, decide what you are trying to build.

    I am a believer in the role of IA as providing assurance on the more significant risks, so my house - what I am trying to build using the CA toolset - is timely assurance.

    So, I decide on which risks I am trying to audit. What are the related controls, and which should be tested more frequently, using CA techniques and tools?

    I don't use CA out of the box to do what is easy.

    I use CA to do what is needed and most valuable.

  1. Norman, once again a great topic that generates much conversation. My viewpoint is that when the continuous auditing activity is akin to watching security cameras, Internal Audit is doing Management's work. Otherwise, CA/CM can be a useful tool to accomplish our mission.

  1. In my view, the question is better around who owns continuous monitoring and how does audit ensure that continuous monitoring is being appropriately used. 

    Ensuring control compliance is first a management responsibility; second, an assurance function mission; and lastly, internal audit to ensure the first two (lines of defense) is being done effectively.

    If audit uses a tool or method that has real value in continually providing assurance that controls are met or that transactions and data are reliable, that is great... BUT if of real value, it should be turned over to either the first or second lines of defense to own or to use on an ongoing basis.

    Auditors should not continuous monitoring (sometimes called continuous auditing).  Although we can contribute in expanded use of continuous monitoring  if we innovatively develop a tool to provide real value as part of our audit efforts.

  1. Sorry, last paragraph, first sentence above.... Auditors should not "own" continuous monitoring....
