Continuous Online Auditing in the Government Sector
Continuous online auditing is benefiting many organizations around the world, including government agencies such as the China National Audit Office, where an audit information system was implemented to help auditors determine the reliability and performance of the office's budget tracing system.
Zhu Wenming, CISA
Southeast University, China
Internal auditing is playing an important role in Chinese society today. In recent years, a number of serious scandals and the low performance of government operations have increased the need for government auditors. In addition, because government audit reports are an important source of information in the decision-making process, it is not uncommon for audits to take place before significant decisions are made. These and other events are placing unprecedented performance pressures on government audit departments in China. To meet increasing compliance demands, Chinese government auditors and internal auditors around the world are starting to rely on the use of continuous online auditing (COA). This article discusses the effectiveness of different COA solutions based on a study conducted at the China National Audit Office (CNAO) and provides a case study of how COA is being implemented in China's government sector.
IMPLEMENTING A COA SYSTEM
COA, also known as continuous auditing, employs technology to help evaluate, monitor, or review an organization's activities on a more frequent or ongoing basis. Though recent technology advances have made COA available and affordable, many issues need to be considered before its implementation. For instance, a successful COA system should:
Below is a description of three different ways to implement a COA system based on studies conducted at the CNAO during the design of the agency's automatic audit system.
Embedded Audit Module
To implement this COA system, the continuous audit module is embedded or incorporated in the desired business application. Because embedded audit modules — also known as integrated test facility modules — need to be designed as an application component, they are able to identify and report specific transactions or other information based on pre-defined criteria. As a result, reporting should occur as transactions are processed. Figure 1 illustrates what the embedded audit module looks like. High-end enterprise resource planning and customer relationship management systems, such as SAP and Oracle, have created solutions of this type.
COA systems that have an embedded audit module provide organizations with a number of benefits. First, they can keep an audit trace of all business activities. Second, they are easy to implement and maintain because all application components are provided by the same vendor. Finally, they enable the organization to conduct complex functions, such as early exception reporting and fraud alarms. However, these COA systems have limitations. For instance, the COA system may not be compatible with all of the applications used by the organization. Many large organizations today use different enterprise and legacy systems at the same time. Hence, it may be difficult for the COA system to gather data from all the systems.
In addition, the COA system's independence may be limited because the audit module is incorporated as part of the logical access capability of the audited application. Furthermore, integrating system-monitoring software in the audited application may limit the extent of the application's audit, especially if the developer has a limited understanding of what to include in the module. Finally, integrating the continuous audit software with the application may decrease its process productivity and performance.
An agent is a program that gathers information or processes tasks behind the scenes. These programs can be leveraged to enable COA. Figure 2 illustrates how an agent-based COA architecture works.
An agent-based approach is more scalable and flexible than using an embedded audit module system. Agents can be installed in distributed hosts to balance the burden of application servers that communicate through a special protocol. In addition, agent development toolkits are available on the market, such as Agent Builder and VAStudio. The main obstacles of an agent-based approach are the technology's complexity, which is knowledge-intensive, and its high implementation costs.
Although IT environments may vary, similarities exist. For example, many government agencies have an accounting information system (AIS). Also, organizations may have a system database that houses all the information needed to conduct an audit. In organizations like these, communication between the COA program and the organization's application can be simplified with the exchange of data between the two systems. This exchange of information provides the basis for a data-oriented COA solution. The center of this solution is a data retrieval interface (DRI) that collects and transforms data. This data flow is explained in Figure 3.
Although auditors don't necessarily have to understand the complex internal logic of an application or program, they do have to know what kind of information resides in the application and how it is used. The first advantage of a data-oriented solution, therefore, is that it simplifies the connection between the audited application and the audit system. Second, this solution minimizes the burden on the audit application because analysis is performed on another host and the data transferred consumes fewer resources. Finally, this solution separates the two systems logically and physically and improves audit independence. Thus, a data-oriented COA process is similar to the data warehouses used by many third-party management information systems and executive dashboards.
The main drawback of this system is that DRI development can be a significant task because different applications may need a new DRI. Another limitation is that audits are not performed in real time because data is available only after the transaction has taken place. This may pose a significant concern if strong, preventive process controls are not present in the DRI.
GAIS: A PRACTICAL COA CASE
In 2002, CNAO launched a countrywide IT program called the Golden Auditing Project (GAP). The program's objective was to build a government audit information system (GAIS) that promotes a new audit model: The simultaneous use of budget tracing — to track the government's budget management process throughout its lifecycle — and COA — to determine the reliability, conformity, and performance of the budget management process. The following were implemented to maximize the use of GAIS:
A DRI is the most important part of a COA system because it is responsible for transferring data from the audited system to the audit system. The DRI works in two modes: automatic and manual. Under the automatic mode, the DRI is triggered by predefined audit rules that identify the time, interval, and scope of the data to be gathered. Under the manual mode, only the authorized auditor can start the DRI process manually.
In GAIS, the DRI provides two ways to collect data — through a standard AIS interface or through an open database connection. To access data in a different system, GAIS employs a template mechanism that defines the software vendor, version, data, location, structure, and related information in the database. New templates can be designed and added when a new system is encountered.
The DRI process consists of the following steps:
Information security is an important issue in government auditing. In GAIS, the security problem is solved through the use of an intermediate database server (IDS) and a special switch that separates the audited and audit systems. The IDS performs two functions: data retrieval and data analysis. When a data retrieval process begins, the switch connects the audited system and the IDS, disconnecting the audit application server. When the data retrieval process is completed, the switch connects the IDS and the audit system and disconnects the audited system. In both instances, the audited system and audit application are separated from each other, thus maintaining the COA's independence.
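The switch-and-IDS arrangement described above, combined with the template-driven DRI, can be modeled in a few lines. This is an added example, not code from GAIS or the CNAO: the class names, the template values, the sample ledger rows, and the 50,000 threshold rule are all constructed for illustration.

```python
import sqlite3

# Constructed template: keys mirror the page's template fields, values are made up.
TEMPLATE = {"vendor": "ExampleAIS", "version": "1.0", "table": "gl_entries",
            "columns": {"entry_id": "id", "account": "acct_code", "amount": "amt"}}

class Switch:
    """Links the IDS to exactly one side; connecting one drops the other."""
    def __init__(self):
        self.linked = "audit"   # idle state: audited system disconnected
        self.history = []
    def connect(self, side):
        self.linked = side
        self.history.append(side)

class IDS:
    """Intermediate database server: stages retrieved data for analysis."""
    def __init__(self, switch):
        self.switch = switch
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE staged (entry_id, account, amount)")

    def retrieve(self, audited_db, template):
        # Template names end up in SQL text, so accept plain identifiers only.
        names = [template["table"], *template["columns"].values()]
        if not all(n.isidentifier() for n in names):
            raise ValueError("template contains a non-identifier name")
        self.switch.connect("audited")
        try:
            sql = "SELECT {} FROM {}".format(", ".join(names[1:]), names[0])
            rows = audited_db.execute(sql).fetchall()
            self.db.executemany("INSERT INTO staged VALUES (?, ?, ?)", rows)
        finally:
            self.switch.connect("audit")   # always release the audited side
        return len(rows)

    def query(self, sql, params=()):
        if self.switch.linked != "audit":
            raise PermissionError("audit side is disconnected during retrieval")
        return self.db.execute(sql, params).fetchall()

def demo():
    audited = sqlite3.connect(":memory:")   # constructed stand-in for the audited AIS
    audited.execute("CREATE TABLE gl_entries (id, acct_code, amt)")
    audited.executemany("INSERT INTO gl_entries VALUES (?, ?, ?)",
                        [(1, "5001", 1200.0), (2, "5001", 98000.0), (3, "6100", 40.0)])
    ids = IDS(Switch())
    staged = ids.retrieve(audited, TEMPLATE)
    flagged = ids.query("SELECT entry_id FROM staged WHERE amount > ?", (50000,))  # constructed rule
    return staged, flagged, ids.switch.history
```

The audit side only ever queries the staged copy, and the `finally` clause returns the switch to the audit side even when retrieval fails, so the audited system is never left connected.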
The audit center contains an audit management module that administers tasks, data, documents, and other resources. These materials can be packaged and shared among members of the same group. Supervisors can assign tasks and review work papers through the network platform.
The center works in two modes: manual and automatic. In the manual mode, only authorized auditors may operate the software to analyze the audit data by conducting queries and by sorting, comparing, merging, totaling, or sampling the database information. In the automatic mode, the system executes predefined audit procedures to detect any deviations. Auditors also can add new procedures to the system, which can be archived in a central location or library. This library can be adjusted to meet the audit needs of different organizations or industries.
COA is a promising audit technology not only for the government sector in China, but for internal auditors around the world. With the prosperity of e-governance and e-commerce, there is great demand for online assurance and reporting services. Though the initial study shows a promising future for COA, there is little evidence on the effects of COA, especially on the quality and financial impact of this technology. Before the wide application of COA comes to life, more research needs to be conducted in this area and more information needs to be shared among organizations around the world.
For more information on COA, auditors should read the following publications or visit the Web sites below:
Zhu Wenming is a doctoral student in Southeast University's School of Management in China. He is also a senior IT auditor for Pingan Insurance Group. Prior to Pingan, Wenming worked for eight years performing IT audits for government and private-sector organizations. His areas of expertise include fraud detection techniques, application control review, and continuous online auditing.