Presented by Anton Bouwer

Conference Workshop Continuous Auditing: An Approach for Today Univ. of Salford, 5 December December 2015 Presented by Anton Bouwer
Presentation transcript:

Conference Workshop Continuous Auditing: An Approach for Today. Univ. of Salford, 19 February 2019. Presented by Anton Bouwer, www.acl.com

AGENDA The “Phrase” The “Distinction” Approach for Today’s Requirements Summary

Definition of Continuous Auditing
Never ends. When cycle ends, next starts. AUDITING: Access information; Know business; Verify info; Express/Report.

Methodology: CA is a methodology, not only a tool. It is very important to realise that this methodology will become the method through which the auditor audits a specific subject in the organisation. It must be raised to a strategic level and become part of the audit department's overall audit methodology. CA's success rate is very closely related to the level of support given to the methodology by the managers of the audit department.

Written assurance: CA must enable the auditor to provide assurance on the area audited. It cannot be only a control that performs a specific task. It must be a methodology that verifies something: either the effectiveness of a control measure or the accuracy and completeness of a specific group of transactions.

Subject matter: A CA application must specifically audit a pre-determined subject matter or audit area. It is not a methodology that is independent of its underlying subject. Different CA applications are developed for different subjects. One application might audit the accuracy and integrity of human resource expenses while another might evaluate the accuracy and completeness of user access rights to the customer database.

Series of audit reports: The preparation of the audit report should also be automated to ensure that the results of the CA are available as soon as possible after the application has been executed. In a worst-case scenario, most of the benefits of a CA could be lost if the reports are not issued before the next occurrence of the application is executed. It is therefore as important to determine to whom the results should be reported as it is to determine what should be audited.

Issue as close to the event as possible: Since a CA performs automatic checks and verifications, it is important to time both the execution and reporting phases of the application in the most efficient manner. In a very high-risk environment such as International Fund Transfers, it might be expected that a CA is triggered more than once a day, with the report available and distributed directly after the data analysis has been completed. In less time-critical environments such as the payment of vendors, one could expect less regular execution and reporting. The execution and reporting must, however, be very closely linked.

Definition of Continuous Auditing
Can CA be possible without human interface? Are we disrespecting the auditor? Square peg, round hole? Diluting the concept “audit”? Legal issues? Ignore at own peril!

The Distinction
MONITOR/REPORT: Monitoring & Reporting checks every transaction; One record at a time; Type = Control; Implemented FOR management.
AUDIT: Auditing is looking for & verifying exceptions; Independently; Comparing each record against expected norms; Audit efficiency: more than 1 record at a time; Type = Audit compliance or substantive.

Make it very clear to auditors that we are talking about continuous AUDITING; the task being performed must therefore be strategic to the audit department. It must not be confused with the implementation of a system of internal control. This is paramount to ensure that audit independence is not compromised. Audit independence will be discussed later in this seminar. An audit procedure can only be compliance (confirming that a control has been adhered to) or substantive (verifying a specific amount or other detail) in nature. An audit procedure cannot be a control in itself.

What is the PROBLEM?
The only way to get CA to the masses (auditors): Build bridge from today’s audit program to the SciFi CA system. Don’t start in 2010, start in 2002. Ask auditors what they want & verify result (Majority rules). Remember budget! Messing with age old principles. Let's learn from the E-Bubble & Y2K & Euro conversion!!! How big a part did we play in this? How much did we cost commerce?

Approach to CA Development: NOT Complex; NOT Technical; Audit approach & result (NOT control); Obtain top level buy-in & top level sponsor; One application at a time; Get specialist assistance.

Implementing Continuous Auditing: Setting up the project; Perform detailed risk analysis; Link to risk measurement; Anticipate exceptions & develop specifications; Plan access to data; Plan the audit frequency and audit response.

Implementing Continuous Auditing: Develop and implement the continuous auditing application; Test & Acceptance; Maintenance and redesign; Post Implementation Review; Regular auditing of the continuous auditing application.

Pitfalls What to measure? Difficult to get data access Slow death Exceptions Trends on statistics & ratios Difficult to get data access Auto update of audit database Top-level sponsor Slow death

Pitfalls Audit independence DO DON'T Test compliance Substantiate accuracy Substantiate completeness Report on trends Detect Control Monitor Prevent

Case Study Background: Banking & finance entity; Strategic risk analysis identified reputational risk as very high due to impact; Management expect auditor to review risk on more regular basis.

Case Study Solution: Measure (audit) risk; Report on risk measurement; Automate process; Schedule future audits and reporting frequency.

Risk Measurement
Risk: Type = Reputation. Abuse of customer funds through internal theft or fraud.
Control: Staff are not allowed to transfer customer funds to their own accounts. Such transfers in excess of $1000 must be done by another employee.
Audit Procedure: Access data containing information on: User ID; Employee account; To account; From account. Identify control exceptions.

Develop Specifications
Objective: Search transactions to find: Transfer of funds; To employee account; Captured by employee who owns account; Amount bigger than $1000.
Method: Analyse each transaction and identify instances where the TO account equals the account number of the employee who captured the transaction.
Data: Info needed can be found in two files: Employee master; Transaction master. Both files contain the field EmpID, which is the employee’s unique ID number in the company.

Technical Specifications
Analysis: Access both files; Join files on EmpID and (Emp_Accnt to To_Accnt); Join type MATCHED; Extract matches; Compute statistics on exceptions; Automate analysis; Schedule automated execution.
Notification: Determine if there are exceptions; NOTIFY auditor of exceptions; Attach exceptions; Automate notification.
Reporting: Extract statistical data to permanent file; Present file with results as trend analysis to management; Automate reporting.
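
The case-study specification (join the employee master to the transaction master on EmpID with Emp_Accnt matched to To_Accnt, extract matches over $1000, compute statistics, notify the auditor), as an added example in Python with SQLite standing in for the audit tool; it is not code from the presentation. The sample records, the table names and the TxnID, From_Accnt and Amount fields are constructed, and one account per employee is assumed.

```python
import sqlite3

# Constructed sample data. EmpID, Emp_Accnt and To_Accnt are the slide's field
# names; TxnID, From_Accnt, Amount and the table names are assumed.
EMPLOYEE_MASTER = [("E001", "ACC-1001"), ("E002", "ACC-1002"), ("E003", "ACC-1003")]
TRANSACTION_MASTER = [
    # TxnID, EmpID (capturing user), From_Accnt, To_Accnt, Amount
    ("T1", "E001", "ACC-9001", "ACC-1001", 2500.00),  # own account, over limit
    ("T2", "E001", "ACC-9002", "ACC-1002", 4000.00),  # colleague's account, captured by another employee
    ("T3", "E002", "ACC-9003", "ACC-1002", 800.00),   # own account, under limit
    ("T4", "E003", "ACC-9004", "ACC-7777", 9000.00),  # not an employee account
    ("T5", "E003", "ACC-9005", "ACC-1003", 1000.01),  # own account, just over limit
]
LIMIT = 1000  # control threshold from the case study ($1000)

def find_exceptions(employees, transactions, limit=LIMIT):
    """Matched join on EmpID and Emp_Accnt = To_Accnt, keeping amounts over the limit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee_master (EmpID TEXT, Emp_Accnt TEXT)")
    db.execute("CREATE TABLE transaction_master "
               "(TxnID TEXT, EmpID TEXT, From_Accnt TEXT, To_Accnt TEXT, Amount REAL)")
    db.executemany("INSERT INTO employee_master VALUES (?, ?)", employees)
    db.executemany("INSERT INTO transaction_master VALUES (?, ?, ?, ?, ?)", transactions)
    rows = db.execute(
        "SELECT t.TxnID, t.EmpID, t.From_Accnt, t.To_Accnt, t.Amount "
        "FROM transaction_master t JOIN employee_master e "
        "  ON e.EmpID = t.EmpID AND e.Emp_Accnt = t.To_Accnt "
        "WHERE t.Amount > ? ORDER BY t.TxnID", (limit,)).fetchall()
    db.close()
    return rows

def exception_statistics(exceptions, transactions):
    """Figures for the trend file: count, value and rate of exceptions in this run."""
    total = len(transactions)
    return {"transactions": total,
            "exceptions": len(exceptions),
            "exception_value": round(sum(r[4] for r in exceptions), 2),
            "exception_rate": round(len(exceptions) / total, 4) if total else 0.0}

def notification(exceptions, limit=LIMIT):
    """Text for the auditor, or None when the run found nothing to report."""
    if not exceptions:
        return None
    lines = [f"{len(exceptions)} self-captured transfer(s) over ${limit}:"]
    lines += [f"  {txn} captured by {emp}: {src} -> {dst}, ${amt:,.2f}"
              for txn, emp, src, dst, amt in exceptions]
    return "\n".join(lines)

if __name__ == "__main__":
    found = find_exceptions(EMPLOYEE_MASTER, TRANSACTION_MASTER)
    print(notification(found) or "No exceptions")
    print(exception_statistics(found, TRANSACTION_MASTER))
```

Appending each run's statistics to a permanent file gives the trend data the Reporting column calls for.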

Efficient Data Access

Develop Application

Schedule Application

Real-time Notification

Audit Verification

Continuous Reporting

Continuous Audit Cycle: Automated data download; Automated audit; Report; Audit Verification; Automated scheduling.

Summary Start at Risk Analysis Do not forget 80:20 Prove benefits (£££) Internal audit implement, external audit share benefits (Consulting opportunities - £££) Wonderful trends!!! Technical barriers are smallest problem Risk can not be measured, managed?

Thank You www.acl.com anton_bouwer@acl.com