A framework for continuous auditing: Why companies don’t need to spend big money
Big Data is powerful. It can also be daunting. The current data analytic landscape focuses on the use of “scripts” that can identify duplicates and quantitative outliers. Yet, there is little guidance for script implementation or use of existing resources.
Organizations are investing time and money in continuous auditing. However, success is limited to a few larger organizations with the resources needed to accomplish their implementation. For example, some companies have implemented continuous auditing processes for accounting functions, such as accounts payable (AP), which have added to their internal control structure and aided in Sarbanes–Oxley (SOX) readiness. These organizations have applied data analysis that alerts them to repeating check or invoice numbers, recurring and repetitive amounts, and the number of monthly transactions.
All of this is considered basic fraud prevention. The problem is that this ignores other risks and rarely provides value. Sometimes, a company spends thousands of dollars to implement these processes but does not get value from them. This article discusses the appropriate methods organizations should use in implementing continuous auditing procedures.
Companies don’t need complex data analytics tools or a large budget to employ an effective continuous auditing program. Organizations in the market for audit software can take advantage of a variety of tools. Those with little or nothing to spend can still achieve effective continuous auditing with simple yet powerful tools, such as Excel, and by thinking differently about data they already have.
Internal auditing’s testing of controls is based on risk and often performed months after business activities have occurred. The testing is based on a sampling approach and includes reviews of policies, procedures, approvals, and reconciliations. Today, it is recognized that this approach affords internal auditors a narrow scope of evaluation and is sometimes too late to be of real value to business performance or regulatory compliance. Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis.
Continuous auditing focuses on testing for the prevalence of a risk and the effectiveness of a control. A framework and detailed procedures, along with technology, are key to enabling such an approach. Continuous auditing offers another way to understand risks and controls and enhances sampling from periodic reviews to ongoing testing.
Continuous auditing is not intended to replace traditional auditing but rather to be used as a tool in implementing certain standard audit procedures to enhance audit methodology and effectiveness. For example, continuous auditing may occur by performing trend analysis on expense accounts to identify variances or drivers and alerting the audit team to a potential issue.
Implementing a continuous auditing model can be difficult at first. It is a process that grows as the maturity of the audit function grows. Initial project objectives are focused on developing a model and implementing processes to discover and analyze patterns, identify anomalies, and extract other useful information in data.
Start small with the development of the continuous auditing model and plan to expand your systems’ capability as your understanding of the organization’s data and underlying concepts grows.
After development, the next step is to align the continuous auditing model with internal audit’s methodology and processes. Continuous auditing employs skill sets and resources that are different from traditional approaches; however, the methodology used to carry out the function is not significantly different. Continuous auditing is a function, like operational or IT audits, that helps internal audit management accomplish its objectives. The seven steps to follow to maintain continuous auditing are presented below (see the graphic, “7 Steps for Continuous Auditing”).
Before starting a continuous auditing project, the following needs to occur:
Most, if not all, internal audit departments have at their disposal a repository of risk and control information that details the processes and resources used (i.e., technology and people) by the organization to accomplish its objectives and goals. The information is revisited periodically, and internal audit adjusts its audit plan based on new information. Continuous auditing will be used to initiate audit plan activities, increase internal audit coverage, and increase management’s risk–based knowledge of the organization as data are collected, analyzed, and reported.
Enterprise risk assessment. Most internal audit departments use a risk–based audit plan wherein the audit strategy is aligned with the organization’s strategic objectives and goals using information from internal and external sources. Information is aggregated, and risks and controls are measured based on impact and likelihood. In some instances, this process is repeated at the operational level before the initiation of an audit activity.
Audit activity plan. The objective of internal audit is to provide management with timely assurance on critical or high–risk areas. Internal audit develops its plan to accomplish this; however, certain variables affect the plan:
Like an enterprise risk assessment, the audit plan is constantly evolving and changing. Year 1 of implementation requires the creation of a perpetual inventory of current and future business information systems and the identification of external resources (e.g., management reports, financial analysis, etc.). Doing so may make implementation take longer, but it will allow for the process to mature much faster.
Once a business process is selected, the auditor needs to determine audit rules (e.g., indicators, analytics, or routines) that will guide the continuous auditing activity.
The auditor will gain sufficient information to understand and document a high–level process overview, business objectives, and the correlation to organizational objectives and goals, significant risks, and key controls. This will be accomplished by:
Using the two processes above accomplishes the goal of efficient audit coverage. The output of the initial process review is identification of audit rules to test for the prevalence of the risks and controls related to the business or process objectives using analytics or computer–assisted audit techniques (CAATs).
Consideration should be given to the cost, risk, benefit, and cadence of the proposed frequency of the process being audited. The nature of some continuous audit objectives, such as deterrence or prevention, may also determine frequency and variation.
After year 1, this step will become more refined as internal audit becomes more familiar with its continuous auditing abilities and the information produced from the function. Many baseline analytics or CAATs employed will come with a suggested frequency.
Technological support is needed to improve operational performance and business excellence. Testing scripts are developed and written using the audit rules and process information created in the second and third steps. Simultaneously, rules need to be configured before the continuous auditing procedure is implemented.
Internal audit will employ different types of analytic tests to conduct continuous auditing:
Because of the abundance of information, it is imperative that internal audit organize and present information and corresponding findings in a succinct manner.
Establishing the appropriate threshold levels and correctly configuring and building testing scripts ensure that an excessive number of false positives are not produced and resources are not used ineffectively. A responsible party needs to be assigned to review exceptions, evaluate results, and help make decisions related to future activities (e.g., changes, modifications).
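As an added illustration that is not from the original article, the Python below runs the three accounts payable tests mentioned earlier (repeating invoice numbers, recurring amounts, and monthly transaction counts) over a constructed ledger, with the thresholds held in a rules table. The ledger, the rule names, and the threshold values are assumptions made for the example.

```python
from collections import Counter

# Constructed accounts payable ledger: (vendor, invoice_no, date, amount_cents).
LEDGER = [
    ("ACME", "INV-1001", "2024-01-05", 120000),
    ("ACME", "INV-1001", "2024-01-19", 120000),  # invoice number repeats
    ("ACME", "INV-1002", "2024-02-02", 31050),
    ("BOLT", "B-77", "2024-01-08", 499900),
    ("BOLT", "B-78", "2024-01-15", 499900),
    ("BOLT", "B-79", "2024-01-22", 499900),      # same amount, third time
    ("BOLT", "B-80", "2024-02-11", 87525),
    ("CORE", "C-1", "2024-01-30", 6410),
]

# Hypothetical thresholds: these are the values a reviewer tunes to keep
# the number of false positives manageable.
RULES = {"repeat_amount_min": 3, "monthly_txn_max": 3}


def run_audit_rules(ledger, rules):
    """Return a sorted list of (rule, vendor, detail) exceptions."""
    invoices = Counter((v, inv) for v, inv, _, _ in ledger)
    amounts = Counter((v, amt) for v, _, _, amt in ledger)
    monthly = Counter((v, date[:7]) for v, _, date, _ in ledger)

    exceptions = []
    # Rule 1: the same invoice number appears more than once for a vendor.
    for (vendor, inv), n in invoices.items():
        if n > 1:
            exceptions.append(("duplicate_invoice", vendor, inv))
    # Rule 2: a vendor is paid the identical amount at least N times.
    for (vendor, amt), n in amounts.items():
        if n >= rules["repeat_amount_min"]:
            detail = f"{amt / 100:.2f} x{n}"
            exceptions.append(("recurring_amount", vendor, detail))
    # Rule 3: a vendor exceeds the allowed transactions in one month.
    for (vendor, month), n in monthly.items():
        if n > rules["monthly_txn_max"]:
            exceptions.append(("monthly_volume", vendor, f"{month}: {n}"))
    return sorted(exceptions)


if __name__ == "__main__":
    for exc in run_audit_rules(LEDGER, RULES):
        print(exc)
```

Tightening both thresholds to 2 on the same ledger raises the exception count from two to four, which is the trade-off between coverage and false positives that the responsible reviewer has to manage.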
Managing results and following up requires the greatest use of oversight resources to ensure the message delivered is appropriate and correct. More importantly, continuous auditing outputs are reviewed against internal and external measures to determine the impact of the findings as well as next steps.
In addition to a quantitative review and assessment, another important part of managing results and following up is identifying and using the appropriate tools and management techniques to ensure appropriate storage of information, scripts, and other relevant resources and information.
A variety of tools are available from external resources. However, internal audit departments should focus on tools for storage and data analysis that allow for the ability to analyze various forms and sets of data; ensure effective organization of scripts, system reviews, and findings; and allow for the ability to customize reports and expand as the continuous auditing program matures.
At the conclusion of each continuous auditing activity, results should be presented to management in a timely manner and in a consistent and formal report that includes observations and insight into risks, controls, and consequences associated with the findings. Because some activities are processed ad hoc and not on a defined schedule, reports are produced at various times throughout the year.
Results are incorporated into internal audit’s risk identification and assessment process, which can help with resource allocation. The process then repeats or continues through the same steps by adding more complex items.
About the author
Josh Shilts (email@example.com) is managing partner at Villela & Shilts LLC, a tax and advisory CPA firm with offices in Jacksonville, Fla.; Miami; and Ocala, Fla.