
GTAG 3 Continuous Auditing Implications for Assurance, Monitoring, and Risk Assessment



Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Global Technology Audit Guide

Author: David Coderre, Royal Canadian Mounted Police (RCMP)
Subject Matter Experts: John G. Verver, ACL Services Ltd.; J. Donald Warren Jr., Center for Continuous Auditing, Rutgers University

Copyright © 2005 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

Table of Contents

1. Executive Summary
   Summary for Chief Audit Executive ... 1
   Continuous Auditing ... 1
   The Need for a Continuous Auditing/Continuous Monitoring: An Integrated Approach ... 1
   The Roles of Internal Audit Activity and Management ... 2
   The Power of Continuous Auditing ... 2
   Implementation Issues ... 2
2. Introduction ... 3
   Continuous Auditing: A Brief History ... 3
   Today's Audit Environment ... 3
   COSO Enterprise Risk Management (ERM) Framework ... 4
   The Roles of the Internal Audit Activity and Management ... 5
   Benefits of Continuous Auditing and Monitoring ... 5
3. Key Concepts and Terms: The Need for Clarity ... 7
   Continuum of Continuous Auditing ... 8
4. Relationship of Continuous Auditing to Continuous Assurance and Continuous Monitoring ... 9
   Continuous Assurance ... 9
   Continuous Monitoring ... 9
   Continuous Auditing ... 9
5. Areas for the Application of Continuous Auditing ... 11
   Applications for Continuous Control Assessment ... 11
   Applications for Continuous Risk Assessment ... 13
   Development of Audit Plan ... 14
   Support to Individual Auditing ... 15
   Follow-up on Audit Recommendations ... 15
   Conclusion ... 16
6. Implementing Continuous Auditing ... 17
   Continuous Auditing Objectives ... 17
   Continuous Control and Risk Assessment – Relationship ... 21
   Manage and Report Results ... 23
   Challenges and Other Considerations ... 24
7. Conclusion ... 26
8. Appendix A – Example of Continuous Auditing Applied to Accounts Payable ... 27
9. Appendix B – Related Standards ... 29
10. Appendix C – Continuous Auditing Self Assessment ... 30
11. About the Author ... 32
12. References ... 33

1. Executive Summary

Summary for the Chief Audit Executive

The need for timely and ongoing assurance over the effectiveness of risk management and control systems is critical. Organizations are continually exposed to significant errors, frauds or inefficiencies that can lead to financial loss and increased levels of risk. An evolving regulatory environment, increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are creating the need for more timely and ongoing assurance that controls are working effectively and risk is being mitigated.

These demands have put increased pressure on chief audit executives (CAEs) and their staff. Internal audit departments have been extensively involved in a wide range of compliance efforts, particularly due to legislation, such as Section 404 of the U.S. Sarbanes-Oxley Act of 2002, raising concerns not only about mounting expectations, but also about internal auditors' ability to maintain independence and objectivity when evaluating the effectiveness of controls, risk management, and governance processes.

Today, internal auditors face challenges in a range of areas:[1]

• Regulatory Compliance and Controls: Evaluation and identification of issues and processes, sustainability, resources, defining materiality, priorities, and financial reporting risks.
• Internal Audit Value and Independence: The high expectations of internal auditing, growing internal controls issues, confusion around the role of internal auditing liability and responsibility, and compromised objectivity and independence.
• Fraud: Detection and control, identity theft, fraud management responsibility, and increased incidence and cost of fraud.
• Availability of Skilled Resources: Lack of competency and appropriate skill sets, shortage of auditors, retention, and lack of understanding of risks and controls.
• Technology: Appropriate solutions to support compliance, technology business model, information security, competing information technology (IT) priorities, and outsourcing.

It is evident that a new approach, one that provides a sustainable, productive, and cost-effective means to address these issues, is essential.

Continuous Auditing

Traditionally, internal auditing's testing of controls has been performed on a retrospective and cyclical basis, often many months after business activities have occurred. The testing procedures have often been based on a sampling approach and included activities such as reviews of policies, procedures, approvals, and reconciliations. Today, however, it is recognized that this approach only affords internal auditors a narrow scope of evaluation, and is often too late to be of real value to business performance or regulatory compliance.

Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis. Technology is key to enabling such an approach. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions. It becomes an integral part of modern auditing at many levels. It also should be closely tied to management activities such as performance monitoring, balanced scorecard, and enterprise risk management (ERM).

A continuous audit approach allows internal auditors to fully understand critical control points, rules, and exceptions. With automated, frequent analyses of data, they are able to perform control and risk assessments in real time or near real time. They can analyze key business systems for both anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging risk. Finally, with continuous auditing, the analysis results are integrated into all aspects of the audit process, from the development and maintenance of the enterprise audit plan to the conduct and follow-up of specific audits.

The Need for Continuous Auditing/Continuous Monitoring: An Integrated Approach

In light of CAEs' concerns regarding the burden of compliance efforts, the scarcity of resources, and the need to maintain audit independence, a combined strategy of continuous auditing and continuous monitoring is ideal.

Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. It addresses management's responsibility to assess the adequacy and effectiveness of controls. This involves identifying the control objectives and assurance assertions and establishing automated tests to highlight activities and transactions that fail to comply. Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by internal auditors.

Management's use of continuous monitoring procedures, in conjunction with continuous auditing performed by internal auditors, will satisfy the demands for assurance that control procedures are effective and that the information produced for decision-making is both relevant and reliable. An important additional benefit to the organization is that instances of error and fraud are typically significantly reduced, operational efficiency is increased, and bottom-line results are improved through a combination of cost savings and a reduction in overpayments and revenue leakage. Organizations that introduce a continuous auditing and controls monitoring approach often find that they achieve a rapid return on investment.

The business and regulatory environment and emerging audit standards are driving auditors and management to make more effective use of information and data analysis technologies as a fundamental enabler of continuous auditing and continuous monitoring.

The Roles of Internal Auditing and Management

Management has the primary responsibility for assessing risk and for the design, implementation, and ongoing maintenance of controls within an organization. The internal audit activity is responsible for identifying and evaluating the effectiveness of the organization's risk management system and controls as implemented by management. Auditors conduct the evaluation to provide assurance to the audit committee and senior management as to the state of risk and control systems and, in the case of legislation such as the Sarbanes-Oxley Act, the reliability of management's representation concerning the state of controls. Ideally, internal auditing is not part of the controls monitoring process and does not design or maintain the controls, thereby retaining its independence.

Although the monitoring of internal controls is a management responsibility, the internal audit activity can use and leverage continuous auditing to strengthen the overall monitoring and review environment in an organization. The level of proactive monitoring performed by management will directly affect how auditors approach continuous auditing. In cases where the continuous monitoring of controls is being performed by management, the same level of detailed transaction testing may not be required under continuous auditing. Instead, auditors can focus on procedures to determine the effectiveness of management's monitoring process and, depending on the outcome of such tests, adjust the scope, number, and frequency of audit testing.

The Power of Continuous Auditing

The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation. By changing their overall approach in this way, auditors will develop a better understanding of the business environment and the risks to the company to support compliance and drive business performance.

Implementation Issues

The CAE must be cognizant of the fact that continuous auditing will change the audit paradigm, including the nature of evidence, timing, procedures, and level of effort required by internal auditors. This will place demands on the audit department. In particular, it will have to:

• Obtain and nurture audit committee and senior management support for the concept and implementation of continuous auditing.
• Develop and maintain the technical competencies and enabling technology necessary to access, manipulate, and analyze the data contained in disparate information systems.
• Use (or implement) data analysis techniques to support audit projects, including the use of appropriate analytic software tools and development and maintenance of data analysis techniques and expertise within the audit team.
• Sponsor, promote, and encourage the adoption and support of continuous monitoring by management.
• Ensure that continuous auditing is adopted as part of an integrated, consistent approach to risk oriented audit planning.
• Manage and respond to the results of continuous auditing, determining appropriate use, follow-up, and reporting mechanisms. The CAE will have to ensure that appropriate action is taken on the audit findings reported to management and that the results of continuous auditing are considered by management when assessing activities, such as the monitoring of controls, performance measurement, and enterprise risk management.

This IIA Global Technology Audit Guide (GTAG) identifies what must be done to make effective use of technology in support of continuous auditing and highlights areas that require further attention. By reading and following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments — while contributing to compliance with the regulatory requirements impacting their organization and to its overall health and competitiveness.

2. Introduction

This GTAG will focus on the technology-enabled aspects of continuous auditing and will address:

• A history and background of similar concepts used during the last 30 years.
• A definition of related terms and techniques: continuous auditing, continuous risk assessment, continuous control assessment, continuous monitoring, and assurance.
• The role of continuous auditing in relation to continuous monitoring.
• Areas where continuous auditing can be applied by the internal audit activity.
• Challenges and opportunities related to continuous auditing.
• The implications for internal auditing and the CAE and for management.
• A continuous auditing self-assessment tool (Appendix C, page 30).

Since 1980, many terms have been associated with the notion of providing ongoing audit procedures in real time or near real time, including: continuous monitoring, continuous control assessment, and continuous auditing. This GTAG categorizes previous approaches under the unifying concept of "continuous auditing." It discusses continuous control assessment and continuous risk assessment as the main components of continuous auditing. This guide also deems monitoring activities to be management's responsibility, but discusses the interrelationship between auditing and monitoring and how internal auditors provide additional assurance to support management in their role.

One of the current and most visible drivers for continuous auditing is the high cost of regulatory compliance. In the United States, a Financial Executives International survey (March 2005)[2] pegged the cost of Sarbanes-Oxley compliance at an average of more than $4 million per organization. Since most of these costs were related to manual, people-intensive processes — based on use of internal resources and external consultants — it is no surprise that an AMR Research study (January 2005)[3] found that key technologies can be used to reduce compliance costs by upwards of 25 percent.

The burden of compliance is pressuring organizations to improve their methods of performing ongoing evaluation of internal controls. In this context, the U.S. Securities and Exchange Commission stated, "both management and auditors must bring reasoned judgment, and a top-down, risk-based approach to the [Sarbanes-Oxley Section 404] compliance processes." This has led to an increased focus on both continuous monitoring (by management) and continuous auditing. Supporting a comprehensive set of audit activities, continuous auditing not only helps support the audit activity's assurance of controls, but also risk assessment; the identification of fraud, waste, and abuse; audit planning; and the tracking of audit recommendations.

Continuous Auditing: A Brief History

The origins of automated control testing began in the 1960s with the installation and implementation of embedded audit modules (EAMs). However, these modules were difficult to build and maintain, and were used in relatively few organizations. By the late 1970s, auditors began moving away from this approach.

In the 1980s, early adopters within the audit profession began using computer-assisted audit tools and techniques (CAATTs) for ad hoc investigation and analyses. Coincident with this, the notion of continuous monitoring was first introduced to auditors in a largely academic context. The basic premise was that use of ongoing automated data analysis would help auditors identify the areas of greatest risk, as a precursor to determining their audit plans. For the most part, however, auditors were not ready for this type of approach. They lacked easy access to appropriate software tools, the technical resources and expertise to overcome data access challenges, and most importantly, the organizational will to embrace this new commitment to a significantly different audit approach and methodology.

During the 1990s, within the global audit profession, there was increasingly widespread adoption of data analytics solutions, which were viewed as a critical tool to support the testing of the effectiveness of internal controls. This technology was used to examine transactions for indications of events that occurred because a control did not exist or failed to perform properly. It also identified transactions that did not meet control standards. In addition, data analysis supported the testing of controls not directly evidenced by transactional data. For example, enterprise resource planning (ERP) access and authorization tables could be analyzed to identify failures to maintain appropriate segregation of duties. However, even with this technology underpinning, traditional audit processes often relied on representative samples, rather than assessing the entire population, with analyses continuing to take place some time after the completion of the business activity (transaction). As a result, risk and control problems had a greater opportunity to escalate and impact business performance negatively.

Today's Audit Environment

Today, proliferation of information systems in the business environment gives auditors easier access to more relevant information — but also involves the management and review of vastly increased volumes of data and transactions. Further, the rapid pace of business requires prompt identification of, and response to, control issues. Regulations such as Section 404 of Sarbanes-Oxley in the United States require the timely disclosure of control deficiencies and management assertions around the adequacy of the control framework. This statutory compliance imperative, as well as ongoing changes in auditing standards and the evolution of audit software, are encouraging and enabling auditors to adopt new approaches to assessing information and controls. The CAE must be able to provide senior management with ongoing assessments — rather than simply periodic reviews — of the health of

Notes

[1] Report from The IIA's 2005 International Conference CAE Roundtable Discussion, July 2005.
[2] Survey on SOX Section 404 Implementation, Financial Executives International, March 2005.
[3] SOX Decisions for 2005: Step Up Technology Investments, John Hagerty, AMR Research, January 2005.
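The guide describes two kinds of automated test: rules run over 100 percent of transactions to flag control failures and data-driven risk indicators, and analysis of ERP access tables to find segregation-of-duties conflicts. The following is an added example written for this page, not code from the GTAG or from the IIA; the accounts-payable records, the approval limit, the user names and the role names (AP_ENTRY, AP_APPROVE, VENDOR_MASTER) are all constructed. It runs a small set of continuous-audit rules over every record rather than a sample, and separates hard control failures (duplicates, self-approval, over-limit) from a softer indicator (amounts just under the approval limit) of the kind an auditor would follow up rather than report as a deficiency.

```python
"""Continuous-audit control tests over a constructed accounts-payable
extract and a constructed ERP access table. Every record is tested; nothing
is sampled. All data below is hypothetical and exists only for this example."""
from collections import defaultdict

# Constructed AP transactions (hypothetical). Each row is one invoice posting.
TRANSACTIONS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-1", "amount": 4_800.00,
     "entered_by": "alice", "approved_by": "bob"},
    {"id": 2, "vendor": "V100", "invoice": "INV-1", "amount": 4_800.00,
     "entered_by": "alice", "approved_by": "bob"},     # duplicate of id 1
    {"id": 3, "vendor": "V200", "invoice": "INV-7", "amount": 12_500.00,
     "entered_by": "carol", "approved_by": "carol"},   # entered and approved by same user
    {"id": 4, "vendor": "V300", "invoice": "INV-9", "amount": 9_999.00,
     "entered_by": "dave", "approved_by": "erin"},     # just under the approval limit
    {"id": 5, "vendor": "V400", "invoice": "INV-3", "amount": 150.00,
     "entered_by": "dave", "approved_by": "erin"},
]

APPROVAL_LIMIT = 10_000.00          # hypothetical single-approver limit
NEAR_LIMIT_FRACTION = 0.95          # amounts within 5% below the limit are a risk indicator

# Constructed ERP access table (hypothetical): user -> roles held.
ACCESS_TABLE = {
    "alice": {"AP_ENTRY"},
    "bob":   {"AP_APPROVE"},
    "carol": {"AP_ENTRY", "AP_APPROVE"},       # conflicting roles
    "dave":  {"AP_ENTRY", "VENDOR_MASTER"},    # conflicting roles
    "erin":  {"AP_APPROVE"},
}

# Role pairs no single user should hold (hypothetical SoD matrix).
SOD_CONFLICTS = [
    ("AP_ENTRY", "AP_APPROVE"),
    ("VENDOR_MASTER", "AP_ENTRY"),
]


def find_duplicate_invoices(transactions):
    """Control failure: same vendor, invoice number and amount posted more than once."""
    seen = defaultdict(list)
    for t in transactions:
        seen[(t["vendor"], t["invoice"], t["amount"])].append(t["id"])
    return [ids for ids in seen.values() if len(ids) > 1]


def find_self_approvals(transactions):
    """Control failure: the user who entered the invoice also approved it."""
    return [t["id"] for t in transactions if t["entered_by"] == t["approved_by"]]


def find_over_limit(transactions, limit=APPROVAL_LIMIT):
    """Control failure: amount exceeds the single-approver limit."""
    return [t["id"] for t in transactions if t["amount"] > limit]


def find_near_limit(transactions, limit=APPROVAL_LIMIT, fraction=NEAR_LIMIT_FRACTION):
    """Risk indicator, not a failure: amounts sitting just below the limit,
    which can signal invoices split to avoid a higher approval tier."""
    return [t["id"] for t in transactions
            if fraction * limit <= t["amount"] <= limit]


def find_sod_violations(access_table, conflicts=SOD_CONFLICTS):
    """Control not evidenced by transactions: users holding a conflicting role pair."""
    violations = []
    for user, roles in sorted(access_table.items()):
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                violations.append((user, role_a, role_b))
    return violations


def run_control_tests(transactions=TRANSACTIONS, access_table=ACCESS_TABLE):
    """Run every test over the full population and return the exceptions per test."""
    return {
        "duplicate_invoices": find_duplicate_invoices(transactions),
        "self_approvals": find_self_approvals(transactions),
        "over_limit": find_over_limit(transactions),
        "near_limit": find_near_limit(transactions),
        "sod_violations": find_sod_violations(access_table),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_control_tests().items():
        print(f"{test_name}: {exceptions}")
```

In practice each rule would be re-run on every new extract (daily or as transactions post), and the exception lists fed into the follow-up and reporting process the guide describes; the value of separating failures from indicators is that only the former need escalation, while the latter shape where the next audit looks.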
Format: pdf
Size: 528KB
Software: PDF reader
Pages: 37
Category: Business management
Upload date: 2014-02-13