Recommendations for an Effective Continuous Audit Process
Understanding what continuous auditing does, how it works, and ways to get started will help internal auditors implement an effective continuous audit program.
Manager, Continual Auditing
Royal Canadian Mounted Police
An evolving regulatory environment, increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are creating the need for more timely and ongoing assurance that controls are working effectively and risk is mitigated properly. To meet this need, many internal auditors are using continuous auditing to maximize the effectiveness of their work. Learning what continuous auditing does and how it works can help auditors make better use of this process, while maintaining internal audit's independence and objectivity in evaluating the effectiveness of controls, risk management, and governance processes.
WHAT IS CONTINUOUS AUDITING?
To understand the benefits of continuous auditing, it is important to know the differences between continuous auditing and continuous monitoring. Continuous auditing is the use of audit methods, ranging from ongoing control evaluations to continuous risk assessments, on a more frequent or ongoing basis. Technology plays a key role in the continuous audit process by automating the pattern analysis of key numeric fields and the examination of trends. Technology also enables the comparison of detailed transaction analysis against specific thresholds, the identification of exceptions and anomalies, the testing of controls, and the comparison of processes or systems over time.
On the other hand, continuous monitoring is a process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively. It typically addresses management's responsibility to assess the adequacy and effectiveness of internal controls. For instance, management may identify critical control points and implement automated tests to determine if these controls are working properly.
The continuous monitoring process usually involves the automated testing of all transactions and system activities within a given business process area against control rules. Monitoring may occur on a daily, weekly, or monthly basis based on the nature of the underlying business cycle. For example, depending on the specific control rule, related test, and threshold parameters, certain transactions are flagged as control exceptions after which management is notified. The continuous monitoring function also may be tied to key performance indicators (KPIs) and other performance measurement activities.
Many of the continuous monitoring techniques used by management are similar to those performed by internal auditors during continuous audit activities. However, continuous auditing usually enables auditors to evaluate the adequacy of management's monitoring function and identify and assess risk areas. By using data-driven indicators of risk and electronic testing of controls, IT auditors can provide audit committees and senior management with independent assurance that control systems are working effectively and risk is being managed. Furthermore, continuous auditing helps IT-savvy auditors to:
Finally, continuous auditing can provide auditors with a holistic view of operations and the ability to drill down into companywide detailed transactions as a means to assess control frameworks electronically.
Understanding Data: A Key Continuous Audit Step
The first step in developing a continuous audit methodology is accessing and understanding the data. Enterprise resource planning (ERP) systems contain many online reports, some of which are built to support the testing of controls. Audit software, for instance, can access SAP tables directly or use open database connectivity to access ERP and legacy systems. Computer modeling software also can be used to create models that take advantage of existing data and risk ratings to teach the computer how to evaluate risk using data-driven indicators.
After accessing and understanding the data, auditors can import standard reports into Excel or a similar program. For example, using the extracted ERP data, a cross tabulation showing the number and dollar value of each type of transaction by user can help auditors identify segregation of duty problems. Whether the auditor is using a series of standard reports, a continuous controls monitoring system, or an audit software and computer modeling program, the important thing is to start by understanding the main business systems, key controls, and emerging risk areas from a data perspective.
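The cross tabulation described above, written as an added example that is not part of the original article. The field names, transaction types, and the list of incompatible duty pairs are assumptions, and the extract is constructed sample data.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample of an ERP transaction extract (not real data).
SAMPLE_EXTRACT = """user,txn_type,amount
asmith,CREATE_VENDOR,0.00
asmith,APPROVE_INVOICE,1200.00
asmith,APPROVE_INVOICE,830.50
bjones,ENTER_INVOICE,1200.00
bjones,ENTER_INVOICE,830.50
cwong,CREATE_VENDOR,0.00
cwong,ISSUE_PAYMENT,4100.00
dlee,ISSUE_PAYMENT,2030.50
"""

# Assumed incompatible duty pairs; a real list comes from the control framework.
CONFLICTS = [
    ("CREATE_VENDOR", "ISSUE_PAYMENT"),
    ("ENTER_INVOICE", "APPROVE_INVOICE"),
    ("CREATE_VENDOR", "APPROVE_INVOICE"),
]


def cross_tabulate(extract_text):
    """Return {user: {txn_type: (count, total_amount)}} from a CSV extract."""
    table = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(extract_text)):
        # Normalize case so 'ASmith' and 'asmith' land in the same row.
        user = row["user"].strip().lower()
        txn = row["txn_type"].strip().upper()
        count, total = table[user].get(txn, (0, Decimal("0")))
        table[user][txn] = (count + 1, total + Decimal(row["amount"]))
    return dict(table)


def sod_exceptions(table, conflicts=CONFLICTS):
    """List (user, duty_a, duty_b, combined_amount) where one user did both."""
    findings = []
    for user in sorted(table):
        for a, b in conflicts:
            if a in table[user] and b in table[user]:
                combined = table[user][a][1] + table[user][b][1]
                findings.append((user, a, b, combined))
    return findings


if __name__ == "__main__":
    tab = cross_tabulate(SAMPLE_EXTRACT)
    for user in sorted(tab):
        for txn, (count, total) in sorted(tab[user].items()):
            print(f"{user:8} {txn:16} n={count:<3} total={total}")
    for finding in sod_exceptions(tab):
        print("SoD exception:", finding)
```

Each exception is a lead for follow-up rather than a finding in itself; a compensating control may exist outside the extracted data.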
Continuous auditing consists of two main components — continuous risk assessment and continuous control assessment. Below is a description of each.
Continuous risk assessments refer to audit activities that identify and evaluate companywide risk levels by examining trends and comparisons within a single process or system. These processes are then compared to their past performance and other business systems. For example, product line performance is compared to previous-year results and also is assessed within the context of one plant's performance versus the others. While management is responsible for developing and maintaining a system that identifies and mitigates risk, The IIA states that auditors should assist the organization by identifying and evaluating significant exposures to risk and by contributing to the improvement of risk management and control systems. The organization encourages auditors to establish risk-based plans to determine the priorities of internal audit activities that are consistent with the organization's goals.
Throughout the continuous audit process, auditors are responsible for evaluating the state of risk and control systems and providing this information to the audit committee and senior management. In the case of legislation such as the U.S. Sarbanes-Oxley Act of 2002, auditors also evaluate management's assessments of their internal controls. Ideally, internal auditors are not part of the controls monitoring process and do not design or maintain the controls, thereby retaining their independence. Auditors can use continuous risk assessments to identify and evaluate risk levels on an ongoing basis. This allows auditors to assess management's risk mitigation activities and support the development of objectives for individual audits and the annual audit plan.
Continuous risk assessments can include the evaluation of detailed transactions against a cut-off point and a comparative analysis on a summary of the transactions. This type of comparison enables auditors to examine a process' consistency by measuring its variability in a number of dimensions. In operations, for instance, measuring the variability in the number of defects is a method for testing the consistency of a production line. The more variability in the number of defects, the more concerns about the proper and consistent functioning of the production line.
The second component of continuous auditing is continuous control assessment. Continuous control assessment refers to audit activities that identify whether selected controls are working properly. Traditionally, control testing is performed on a retrospective and cyclical basis after business activities occur. The testing procedures often are based on a sampling approach and include activities such as reviews of policies, procedures, approvals, and reconciliations.
Today, organizations recognize that this approach gives internal auditors a narrow scope of evaluation and is used too late to be of real value to business performance or regulatory compliance activities. Through continuous control assessments, individual transactions are monitored against a set of control rules that determine if internal controls are functioning as designed and that highlight exceptions. A well-defined set of control rules warns organizations when process or system controls are not working as intended or are compromised. By identifying control weaknesses and violations, auditors can let audit committees and senior management know whether controls are working properly.
Continuous control assessments don't need to occur in real-time. The frequency depends on the control's risk level and the degree to which management is monitoring the controls. For example, management may perform ongoing monitoring of purchase cards on a transaction basis, while auditors run the purchase card analytics once a month after receiving the card transactions from the credit card company. And, in some cases, auditors may perform the initial control testing, after which management will monitor the control on an ongoing basis.
STARTING THE CONTINUOUS AUDIT PROCESS
Many organizations have been evaluating the introduction of continuous auditing to support regulatory control assessment requirements. While having an adequate automated system for testing controls contributes to the assessment of internal controls and the overall mandate for a higher standard of corporate governance, additional benefits in the form of improved business performance can be equally significant. Therefore, it is important for the chief audit executives (CAEs) to consider the short- and long-term objectives of continuous auditing. The effort involved in gaining access to and knowledge of key business systems and processes has the potential to reduce the burden of compliance and eliminate impediments to business performance.
To start the continuous audit process, auditors first need to understand continuous audit objectives and requirements. Continuous auditing can be approached on an incremental basis (i.e., starting small and building on each success). When developing an approach to continuous auditing, IT auditors should make sure they have considered the short- and long-term objectives to address management-set goals adequately.
The continuous audit process can be started in two ways. The first requires the use of the organization's continuous monitoring or enterprise risk management (ERM) function. The extent to which management is performing continuous monitoring will affect the continuous audit effort, as well as internal audit's assessment of the adequacy of management's continuous monitoring. In areas where management has not implemented continuous monitoring, auditors should apply detailed testing by employing continuous audit techniques, such as testing detailed transactions from an ERP system to determine that segregation of duties was not violated. The same is true for management's ERM function.
In some cases, auditors may play a proactive role in establishing risk management and control processes. In companies where management is performing continuous monitoring or ERM, auditors only need to perform procedures to determine if they can rely on these processes, such as:
A second starting place is the organization's current risk-based audit plan. Simply by including data-driven indicators of risk, auditors easily can bring continuous auditing to bear on the selection of audit activities. A key point to remember is that auditors can start small. The IT auditor or audit team leader can increase the use of data analysis to support individual audits, then run the same analysis six months later to see if the audit recommendations have been implemented and if they had the desired effect.
The key to making effective use of continuous auditing is to develop a good understanding of the main business processes and the associated information systems and infrastructure (i.e., their controls and the data contained therein). However, the adoption of continuous auditing will not only require auditors to have knowledge of information systems, but also enable them to analyze the data. This means that IT auditors need to have the necessary data analysis skills. Furthermore, auditors must realize that continuous auditing will change the way audits are conducted, including the procedures and level of effort required by auditors. This will place demands on the audit department and possibly the work performed by IT auditors. In particular, auditors will have to obtain the support of the audit committee and senior management to move forward with the implementation of continuous auditing.
Continuous auditing also will allow auditors to identify the organization's key controls and risk areas any time during the year. The results will not be linked to a specific audit necessarily, nor will the level of assurance be as high as if a full audit was conducted. In addition, a formal audit report may not even be issued. The audit committee, management function, and internal auditors will have to realize the implications this may have on future audit reports and findings. Finally, auditors must be prepared to manage and report the results obtained. For instance, auditors need to consider:
While technology has made data easier to access than before, and computing power makes real-time analysis increasingly feasible, technical hurdles remain. In particular, information to be audited must be generated by reliable systems, the continuous audit process must be highly automated, and an effective link between the auditor's system and that of the audited entity must exist. The CAE must ensure that continuous auditing is adopted as an integrated, consistent approach to a controls-based, risk-oriented audit plan. In addition, the audit department will have to document, develop, and maintain the technical competencies and technology necessary to access, manipulate, and analyze the data contained in disparate information systems.
To overcome these challenges, IT auditors must understand the business process sufficiently well before defining the appropriate analytical techniques and identifying potential risk and key control points. IT auditors also should have the ability to gain access to relevant data in a timely manner and be capable of normalizing data from disparate systems across the organization. The aim is to identify the most accurate and effective data source and control points to perform continuous audit tests and analyses. This also will enable auditors to perform a comprehensive set of tests and analyses that address key control points and risk areas, as well as report results in a timely manner. Doing this will require auditors to understand the nature of the tests or analyses used to:
Finally, IT auditors will have to manage and respond to continuous audit results and determine their appropriate use, follow-up, and reporting mechanisms. For instance, auditors will have to identify whether appropriate action is taken on the findings reported to management and if continuous audit results are considered by management when assessing activities.
Management's use of continuous audit procedures will help determine if controls are effective and the information produced for decision-making is relevant and reliable. An important benefit of continuous auditing is that instances of error and fraud are reduced significantly, operational efficiency is increased, and bottom-line results are improved through a combination of cost savings and a reduction in overpayments. Additionally, organizations that use continuous auditing often find that they achieve a rapid return on investment.
When using continuous auditing, internal auditors need to address the end-to-end business process and IT controls present in business activities. The reliability of business systems and transactional data is paramount not only to the internal control framework and the integrity of financial reporting, but also to the efficiency of business operations. Thus, ensuring the reliability, integrity, and availability of business systems and data should be a key objective for IT auditors and senior managers.
Finally, continuous auditing can help internal auditors and senior management identify and assess risk at many levels throughout the organization. At a higher level, continuous auditing should take place as part of the annual planning process. Continuous audit results should be used when determining the risk-based audit plan and be made available to the audit team leader as a starting point for the audit. During the conduct of individual audits, continuous auditing can be used to further examine risks. As part of the planning and implementation phases, specific key controls can be tested, such as separation of duties, while comparisons can be used to identify operation improvement areas. After the audit, data-driven indicators can be used to determine if improvements were realized and whether audit recommendations were implemented and had the desired effect.
For more information about continuous auditing refer to the following IIA publications:
David Coderre is the manager of Continual Auditing for the Royal Canadian Mounted Police in Ottawa, Canada. He is the author of The IIA’s Global Technology Audit Guide on continuous auditing, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment (2005), and three books that promote the use of data analysis techniques: CAATs and Other BEASTs for Auditors (2005), Fraud Detection: A Revealing Look at Fraud (2004), and The Fraud Toolkit (2006).