An old idea is getting a fresh look as technology and organizations evolve
Back in 1980, a popular accounting magazine asked: "Are we ready for continuous auditing?" That publication is no longer in circulation, but decades later, this question remains relevant.
The idea of auditors assessing controls on a continuous basis is certainly not new. The Sarbanes-Oxley Act of 2002 had a tremendous impact to that effect, forcing management teams across the board to take steps toward achieving continuous auditing.
Continuous auditing goes hand-in-hand with continuous monitoring performed by financial, operational and IT management departments. It establishes processes that ensure policies are operating effectively and that assess the adequacy of controls. When continuous auditing and continuous monitoring are in harmony, the result is continuous assurance. Considering that information overload is a growing threat to the effectiveness of teams, continuous auditing is a perfect option for internal audit departments to process this mountain of data and champion their risk management efforts.
Four key drivers propelling continuous auditing are:
- Progressing use of ERP systems and data warehouses, making global enterprise information more accessible to management and auditors on a timely basis.
- Availability of better tools.
- Auditors' increased comfort and confidence using software to obtain business application data and perform data analysis on a semi-continuous basis.
- Recent regulations, such as SOX, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which force new commitment from senior management teams.
Continuous auditing offers several notable benefits, including:
- Faster, cheaper, and more efficient and effective audit processes.
- Shortened audit cycle times, providing more timely risk and control assurance.
- Expanded audit coverage without the necessity of expanding audit resources.
- Automation in audit testing.
- Complete data audits, rather than simple audits of data samples.
Despite these benefits, the difficulty of defining dollar-amount cost savings often sidelines projects. Naturally, management is concerned about return on investment, but how do teams quantify such a number? Considering the necessary initial investment in manpower, training and tools, chief audit executives (CAEs) are constantly asked by audit committees to establish cost-benefit relationships, which vary depending on the size of the organization and the field in which it operates.
When performing an ROI cost-benefit analysis, companies will find that a key underlying benefit of continuous auditing is a better control environment. Again, this benefit may not automatically equate to monetary savings. An easier way to justify the transition is to "pick the low-hanging fruit": identify the true savings continuous auditing often provides by eliminating duplicate payments, recouping lost revenue, halting travel and expense abuse, and correcting inaccurate payrolls.
In review, continuous auditing can help protect against:
- Inadequate controls
- Manual control breakdown caused by increased volume
- Inadequate controls at the startup of new systems
- Super-users and system administrators bypassing controls
- Undetected control weaknesses hidden by large transaction volume
Why Shake Things Up?
For an audit team that has established a reputation for excellence, hesitation about moving in a new direction is understandable. Two sectors where I have seen leaps made to continuous auditing are healthcare and banking. The reasons behind each leap are similar and fall under general concern for increased risk of fraud and security breaches. My clients in these areas (and one in consumer electronics) each have held training sessions kicked off by their CAEs, issuing the edict: "We are investing in the training, the tools and the process. We're going to make this happen." Uniformly, such strong support for these strategic decisions correlates directly to the processes working smoothly at each of these entities.
The critical success factor for organizations considering continuous auditing lies in the effective planning process; it's something that cannot be overlooked. It falls to the CAE to ensure that continuous auditing is adopted as an integrated, consistent approach to a risk-oriented audit plan. I recommend considering this as a project, one that needs to be planned, scheduled and staffed with skilled resources. As part of the strategic planning, the audit department needs to develop and maintain the technical competencies and tools necessary to obtain, manipulate and analyze the data contained in disparate information systems.
One mistake some management teams make is training their entire staff at the outset of continuous audit implementation. Instead, identify and train employees keenly interested in doing continuous auditing. Organizations can then build on the enthusiasm of the initial team, increasing the likelihood of the project's success by establishing a core of internal experts who can then train additional team members.
Long- and Short-Term Focus
Consider the first year of continuous audit implementation as a "pilot." As requirements and initial project objectives are defined, remember that starting small is imperative. Take time to understand the business process of concern, determine areas of high risk (initial projects may involve little risk), and establish the frequency of reviews and procedures for reporting results.
At the outset, it may be wise to avoid areas of high risk in order to keep the project manageable and to ensure success. It is harder to recover from a big failure, whereas a stumble in a smaller project is only a minor inconvenience, something to learn from and move on. After a successful first year, consider weightier risk solutions that are larger in scope, size, or impact.
Creating audit reports from the continuous auditing process is likely foreign to most auditors. These reports differ from those of standard audits that use a specified start-to-end timeframe. Continuous auditing will ideally become an ongoing audit with no immediate completion. Applying creativity to audit reporting becomes necessary; time-scalable trend analysis or quarterly problem summaries are two methods I've seen implemented. The quicker organizations standardize these new reports, the smoother the transition goes.
Finally, establishing an appropriate frequency of reviews – quarterly, monthly, weekly, daily, hourly – is important. It should depend on what specific actions are taken, availability of data, and overall expense.
The ultimate approach is "real time" auditing, which detects problems immediately. Identify responsible parties (management or auditors) and their roles for continuous assurance. We assume that management has responsibility for internal controls and that the audit team's job is to provide validation of the effectiveness of the controls. A separation of duties must be achieved and kept in balance. Depending on how frequently auditors are evaluating controls, the lines may become blurred and audit could be construed as assuming management's role.
In the long term, it is important that the implementation of a continuous auditing methodology does not have the permanent effect of shifting an oversight role from management to the audit team. Lessons in change management, an entirely separate subject, are relevant here. Although it is necessary, placing increased focus on the audit team will affect the larger organization, so management must ensure this effect is temporary. In my view, continuous auditing is an interim process to move responsibility for controls oversight to management.
Ultimately, your organization will want to achieve continuous assurance, involving the audit committee, senior management, senior finance, internal audit, IT management and IT security in a multi-disciplinary approach. Audit management commitment is a must; they are responsible for implementing the plan and must understand and agree with all costs, resources and time the project will consume. Apprise the audit committee of your successes in order to obtain continued support.
Examine each audit process and determine if the individual objective should be considered for continuous monitoring. Procurement is a good place to start, catching inefficiencies and thwarting potential fraud. Internal audit should develop a tool or process, and then decide whether to move the results of the project over to management. Management is then positioned to do its own monitoring.
Hypothetically, if auditors come up with a process and complete a handover to management, can auditors then come back and audit the process? While auditors must be mindful about compromising their independence in such instances, these situations require resolution. One answer is to formalize an agreement with management, where auditors reserve the prerogative to revisit and find fault with or to fine tune the process. Organizations that avoid these agreements, citing independence issues, are missing out on great opportunities.
Success with a continuous auditing project calls for recognition that this is not a technology problem but an organizational and business issue. Techniques used by continuous auditing will automate significant parts of the audit process and result in greater efficiencies. As for continuous assurance solutions, these must be management-driven. Because of the high degree of expertise demanded in understanding the concepts and practical implications of continuous auditing, success will not come without an expenditure of time, money and effort.
Editor's Note: This article was developed in cooperation with Protiviti.