Driving faster decisions
When management at Hewlett-Packard Co. (HP) identified a concern
related to the frequency and volume of manual journal entries, the
company’s internal audit function initiated a dashboard to enable
HP adopted a continuous auditing and continuous monitoring approach
to identify the root cause of such transactions and to enable better
decisions through standardized entries made under improved controls.
Various governance and compliance teams collaborated to design
high-level analytics with drill-down capabilities. They were able to
identify and study trends, movements in the accounts, spikes of
activity during the period, the nature of the entries, and the
individuals posting the entries. The success of the program, in
collaboration with compliance functions and management, has prompted
action to reduce the number and risk of journal entries.
“That’s one very simple step forward,” said Brad Ames, CPA, a
director of internal audit for HP.
In a business world where change occurs rapidly and organizations
have access to a seemingly unlimited supply of data, companies want to
act on data in real time. Organizations need to proactively anticipate
and mitigate risks, and data analysis that enhances the control
environment increasingly is becoming a part of that process. Jason
Pett, CPA, the leader of PwC’s internal audit practice, said internal
auditors at leading companies are leveraging data to drive everything
“How do we use data to drive our scoping decisions?” he said. “How
do we use data to drive our risk assessment process? How do we use
data to [help decide] which audits we should be doing? I think the use
of data, leveraging data to totally transform how internal audit
performs, is the story.”
In this environment, continuous auditing and continuous monitoring
are growing as tools for internal auditors to provide more value to
their employers. In continuous auditing, the internal audit staff uses
technology to analyze data frequently for early identification of
outliers. This helps internal audit focus its resources. Continuous
monitoring differs slightly from continuous auditing. In continuous
monitoring, analytics on key performance metrics are set up for
management to review in real time and act on, when necessary. These
methods can enhance the timely, ongoing review of financial data and
internal control at an organization.
According to the 2014 internal audit capabilities and needs survey
conducted by consulting firm Protiviti, skills with computer-assisted
audit tools and data analysis are the most-needed competencies in
internal audit. These tools and technologies support continuous
monitoring and auditing activities.
The highly regulated power and utilities industry is a leader in
using forensic data analytics tools for continuous monitoring,
according to a 2014 EY global survey report, Big Risks Require Big
Data Thinking. A PwC survey report published in 2014 on the
power and utilities industry, Empowering Business Agility:
Strengthening Internal Audit’s Impact and Value, found that
continuous auditing was rated as very important by 57% of chief audit
executives, up from 31% in 2012. A 2013 PwC survey on that industry
found that areas where continuous auditing was being used the most were:
“One of the biggest benefits … is ongoing evaluations or analytics
that shorten the time for getting management to respond to risk,” Ames
said. “… As an audit department, you can be more persuasive and enable
timely management actions through analytics much more quickly or much
more efficiently than you could through an inspection-style audit.”
HP has used continuous auditing and monitoring to make improvements
in several areas, including:
Simplifying Sarbanes-Oxley Section 404 attestation around IT
general controls and application IT controls. Benchmarking
configurable automated controls to measure the timing and extent of
change optimizes application control testing. The purpose is to track
trends and compare changes with a predefined threshold to sustain and
carry forward the baseline conclusion with minimal examination (i.e.,
automated controls that have not changed since the previous audit
would be validated without further examination).
Analysis of journal entries and account reconciliation to provide
auditors and management with an ongoing view of journal-entry
volume and frequency across the business. Manual
journal-entry monitoring is designed to isolate key indicators,
outliers such as:
Sales compensation monitoring, which consists of ongoing
evaluation of bonuses and commissions for reasonableness.
Factors that would suggest an outlier may include:
Monitoring changes to fixed assets’ useful lives and depreciation
to ascertain if assets are conforming to the company’s accounting
policy. The dashboard provides a view of the following
exceptions for management action:
Monitoring for product warranty fraud. The objective of
warranty fraud analytics is to detect potentially fraudulent behavior.
Analytics compare data on spare parts that were shipped to customer
locations with data on used parts returned to HP to monitor for the
A summary view is created to show the number of exceptions of each
type and the dollar amount per engineer. Another graphic is created to
observe a trend per engineer. The reports are used to select cases for
Employee expense monitoring risk indicators to isolate potential errors:
ERP systems’ role in continuous monitoring
Large organizations that have spent a lot of money upgrading their
enterprise resource planning (ERP) systems particularly are
accelerating their use of continuous monitoring, according to
Christopher Wright, a consultant and managing director and firmwide
leader of finance remediation and reporting compliance for Protiviti.
He said that since most ERP systems hold data all in one place and
routine exception reports are standard in these systems, they give
internal audit the ability to create and implement continuous
monitoring platforms. This allows internal audit and management to
maximize the value of ERP systems and make their organizations more agile.
Wright said the first step for companies looking to begin continuous
monitoring is taking an inventory of the tools they already have and
seeing what data might be easily used in real time.
“Their ERP system isn’t just an expensive word processor,” Wright
said. “So it actually functions in a way that adds value, eliminates
work flow, and improves the control structure in a way that’s
efficient and cost-productive.”
Do benefits outweigh costs?
Nonetheless, cost may be an obstacle to continuous auditing and
continuous monitoring for midsize and small organizations that already
are facing significant compliance burdens in an increasingly regulated
business environment. HP’s Ames said the costs may be justified
because of the benefits continuous auditing and continuous monitoring
provide on two levels.
First, the benefits are seen throughout the entire audit life cycle,
from planning to the engagement (which gets more precise conclusions
more quickly) to the recommendation and corrective action, when
analytics can be set up to sustain the remediation. Second, there can
be multiple beneficiaries, including the ethics and compliance,
enterprise risk management, and IT security functions.
“When they carry out continuous monitoring, you’ve got more
beneficiaries, more sponsors to whom you can deliver a larger benefit
and increase the return on investment,” Ames said.
With that in mind, one thing that can seriously inhibit
implementation and usefulness of continuous auditing and continuous
monitoring is organizational restructuring, Ames said. He said that a
compliance team may be in place and working with internal audit as a
strong sponsor of continuous monitoring and auditing, only to have
management priorities changed by restructuring. That can lead to
frustration in implementing and executing continuous auditing and
continuous monitoring. (Ames further discusses the conditions an
organization must have in place to successfully implement continuous
auditing and continuous monitoring, below in “Do you have what it takes?”)
The focus on continuous monitoring and auditing does not decrease
the need for assurance through the traditional audit reporting that
internal auditors have performed for many years. Despite all the
technological developments of past years, companies remain focused on
the fiscal-year quarterly metrics because of regulatory reporting requirements.
External audit requirements also tie some of the traditional
internal audit reporting to the fiscal year. But continuous
monitoring does change the focus of some of the traditional internal
“Anytime you’re dealing in real time, it shifts the dynamic from
triage after the fact to saying, ‘Here’s what we found. Here’s what we
fixed. Here’s what we’re doing differently already,’ by the time you
report to the board. It compresses the dynamic of audit identification
and problem-solving. It can compress it in a way that you can report
the solution, if not the status,” Wright said.
In turn, traditional internal auditing and reporting can also spur
additional continuous monitoring that can produce further improvements
for the organization. At HP, internal auditors performing traditional
fieldwork were asked to identify three to five leading and lagging
indicators in the areas they were auditing that would sustain
remediation and provide new metrics to monitor.
Meanwhile, Ames has seen the HP internal audit planning function
become much more strategic and future-focused. And internal audit is
planning collaboratively with the risk/compliance function as a
“It’s not just good enough to have the technical capacity and the
standardized data,” Ames said. “You have to have the coordination and
relationship management capacity to plan jointly with the second line
of defense and the compliance function. … We have quite a program in
HP that builds up [compliance personnel] and trains them, equips them
with technology and the standardized data, and sets the expectation
for monitoring risk. That requires leadership.”
is a JofA editorial director. To comment on this article or
to suggest an idea for another article, contact him at firstname.lastname@example.org or 919-402-2112.
Brad Ames, CPA, a director of internal audit for Hewlett-Packard Co., said organizations wishing to be successful with continuous auditing and continuous monitoring must have the following conditions in place:
Support for the vision. Company management needs to be engaged and willing to respond without delay to the outliers that are raised. The audit committee’s support can prevent budgetary restrictions from torpedoing a project and help authorize internal audit to get access to data and technology. The information technology function is needed to help internal audit develop the technology and tools for continuous monitoring. IT assists internal audit in accessing and keeping data in a safe place and often needs to provide resources and support over multiple years as internal audit implements continuous auditing platforms.
Standardized data. This is the raw material that makes the whole process possible and transforms an ad hoc analytic into recurring, ongoing monitoring. Establishing audit data standards provides for the routine valuation and efficient exchange of the company’s data from multiple sources. The Emerging Assurance Technologies Task Force of the AICPA Assurance Services Executive Committee has developed voluntary audit data standards, which help auditors obtain accurate data in a usable format and are available at tinyurl.com/mr32kwc. These voluntary IT standards create a standardized format for data fields (e.g., naming, formatting, and levels of data fields) and files that are commonly requested from auditors, with the theory being that if file formats are standardized, any company’s system would be capable of producing them in the standardized format.
Coordination with second line of defense. The risk management and compliance function—the “second line of defense”—must be willing to work with internal audit to help build tools and then monitor them. Risk/compliance will have a full understanding of business risk that can help auditors plan continuous monitoring and continuous auditing activities around the factors that are critical to the organization’s success. Auditors must be able to relate to the business risks and key risk indicators while still understanding the audit objectives and assertions associated with the audit process.
Auditors willing to lead change. Auditors need to become comfortable with analytics that will allow them to look forward in addition to analyzing historical data, Ames said. Addressing emerging risks requires that forward-looking mentality and is a shift from the traditional mindset that some internal auditors are accustomed to.