Principles and Problems of Audit Automation as a Precursor to Continuous Auditing
Michael Alles, Alexander Kogan, Miklos A. Vasarhelyi

Slide 2: Drivers and Objectives of Audit Automation
Automation of business processes
Labor-intensive repetitive audit work
Cost and availability of qualified audit personnel
Budgetary pressure on internal audit departments
Complexity of business transactions and increasing risk exposure
Scale and scope of audit procedures
Timeliness of audit results

Slide 3: Continuous Auditing (CA) as Implementation of Automated Audit
An automated audit system can run continuously
CA = CCM + CDA
Continuous Control Monitoring (CCM):
  – Access Control and Authorizations
  – System Configuration
  – Business Process Settings
Continuous Data Assurance (CDA):
  – Master Data
  – Transactions
  – Key Process Metrics using analytics (including Continuity Equations)

Slide 4: Formalizing the Audit Program
Automation requires formalization
Formalized is usually automatable
Possibility of formalization is often underestimated
Benefits of formalization:
  – promotes precision and consistency
  – improves confidence in audit results
  – reduces long-run audit costs
Problems with formalization:
  – Many humans experience difficulties with logical reasoning and formal thinking
  – Formalization can be very laborious and costly
  – Certain complex judgments are not amenable to formalization

Slide 5: Reengineering the Audit Program
Conventional audit programs are not designed for automation
Surprisingly large proportion of audit procedures (up to 68% at Siemens) can be formalized and automated
Formalizable and judgmental procedures are often intermixed – redesign is required to separate them out
Re-engineering objective: maximize the proportion of automatable procedures in the audit program (i.e., reduce reliance on informal judgmental techniques)
Substitution of high frequency (“continuous”) automated procedures for eliminated manual methods

Slide 6: Automating Audits through Baseline Monitoring
Traditionally used in configuration management and IT security
Baseline – a snapshot of system configuration and business process settings
Deltas from baseline → exceptions
Critical issues:
  – Definition of baseline (the more static the parameters are, the better suited they are for baselining)
  – Initial verification of baseline values
  – Security of baseline (both definition and current values)
  – Accumulation of deltas → redefinition of baseline

Slide 7: System Architecture of Automated Audit
Structure of audit software:
  – integrated software vs. distributed (i.e., multi-agent-based) system
Access to the enterprise system and data:
  – Direct (either to the database or to the application layer)
  – Intermediated (through a business data warehouse)
Platform of audit software:
  – Common enterprise platform (EAM – embedded audit modules, or mobile agents)
  – Separate platform (MCL – monitoring and control layer)
Providers of audit software:
  – Common platform – enterprise software vendors
  – Separate platform – 3rd party vendors and audit firms

Slide 8: Pros and Cons of Common Platform in Automated Audit
Mobile audit agents are transported to the enterprise platform to run there, as EAMs do
Benefits of common platform:
  – Protection against network connectivity outages
  – Event-triggered execution of audit procedures → potentially zero latency (not affected by network congestion)
  – More efficient for processing large volumes of enterprise data (on site vs. moving that data over the network)
Problems with common platform:
  – Protection of enterprise platform against (possibly malicious) agent/EAM
  – Protection of agent against possible manipulation by the platform (malicious host problem)
Impossibility of protecting the agent/EAM outweighs the benefits!

Slide 9: Software for Audit Automation (Separate Platform)
Continuous Data Assurance (common data models):
  – ACL
  – CaseWare IDEA
  – Oversight Systems
Continuous Control Monitoring:
  – Approva
  – Governance, Risk, and Compliance Solutions:
      – SAP GRC Access Control, Risk Management, Process Control (VIRSA)
      – Oracle Governance, Risk, and Compliance (LogicalApps)
      – IBM Workplace for Business Controls and Reporting
      – Paisley Enterprise GRC
      – OpenPages
      – AXENTIS Enterprise
      – BWise
      – Protiviti Governance Portal

Slide 10: Securing Continuous Auditing
Location of continuous auditing hardware:
  – client’s premises
  – audit shop
Physical access security
Logical access security
Client’s IT personnel access
Super-user privileges
Comprehensive logging of all super-user activities
Export / import of CA system settings (comparison of cryptographic check-sums)
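
Added example (not part of the original slides): a minimal Python sketch of the baseline monitoring described on slides 6 and 10. A verified snapshot of settings is exported with an integrity tag, the tag is rechecked on import, and deltas from the baseline are reported as exceptions. The parameter names, values and key are constructed for illustration, and the keyed HMAC-SHA256 tag is this example's choice in place of a bare checksum, so that someone who can edit the stored baseline cannot also recompute the tag.

```python
import hashlib
import hmac
import json

ABSENT = "<absent>"  # marker for a parameter present on only one side

def _tag(settings, key):
    # Canonical JSON (sorted keys) so identical settings always hash identically.
    blob = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def export_baseline(settings, key):
    """Snapshot verified settings together with an integrity tag."""
    return {"settings": dict(settings), "tag": _tag(settings, key)}

def baseline_is_intact(sealed, key):
    """Recompute the tag on import and compare in constant time."""
    return hmac.compare_digest(_tag(sealed["settings"], key), sealed["tag"])

def exceptions(sealed, current, key):
    """Return sorted (parameter, baseline_value, current_value) deltas."""
    if not baseline_is_intact(sealed, key):
        raise ValueError("baseline failed integrity check; not comparing")
    base = sealed["settings"]
    found = []
    for name in sorted(set(base) | set(current)):
        before, now = base.get(name, ABSENT), current.get(name, ABSENT)
        if before != now:
            found.append((name, before, now))
    return found

# Constructed sample data: hypothetical control settings, not from any real system.
KEY = b"demo-key-held-by-audit-function"  # assumption: kept off the audited platform
BASELINE = {"po_approval_limit": 50000, "dual_approval": True, "pwd_min_length": 12}
CURRENT = {"po_approval_limit": 250000, "dual_approval": True,
           "pwd_min_length": 12, "emergency_superuser": "enabled"}

if __name__ == "__main__":
    sealed = export_baseline(BASELINE, KEY)
    for name, before, now in exceptions(sealed, CURRENT, KEY):
        print(f"EXCEPTION {name}: baseline={before!r} current={now!r}")
    sealed["settings"]["po_approval_limit"] = 250000  # baseline edited after sealing
    print("baseline intact after edit:", baseline_is_intact(sealed, KEY))
```

When accumulated deltas are accepted as the new normal, the redefined baseline is re-verified and re-exported so that it carries a fresh tag.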

Slide 11: Audit Automation Change Management
Auditing processes have a tremendous amount of inertia
Senior executive champions of the project
Identification and engagement of stakeholders:
  – Business process owners
  – IT personnel
  – Internal auditors
Composition of audit automation teams
Automation of audit procedures
  – Duplicate automation is ideal but too expensive
Verification of automated procedures
  – Independent verification by experienced auditors
Approval of automated audit program

Slide 12: Scalability of Audit Automation
Automation of highly specific audit procedures for different enterprise units can incur prohibitive costs
Automation will be scalable across the enterprise only if the repetitive audit procedure automation costs are eliminated
Strategies for making audit automation scalable:
  – Parameterization of automated audit procedures
  – Hierarchical structuring of automated audit procedures – from the most generic audit procedures applicable across the enterprise to the more specific ones for major units and subunits
  – Hierarchical updates

Slide 13: Alarm Management in Automated Audit Systems
Auditing system will be generating alarms caused by anomalies and exceptions and delivering them automatically to auditors and enterprise personnel
It is essential to have an automated closed loop process for capturing information about corrective actions and assuring problem resolution
Auditing system should have a built-in mechanism for evaluating identified control failures using the enterprise risk model to associate appropriate risk levels to them
Various ad hoc solutions and simplifying assumptions can be used to build a continuous auditing dashboard to provide an aggregate view of enterprise control problems in real time

Slide 14: Concluding Comments
AMR Research projects spending on governance, risk and compliance applications and services will top $32.1 billion in 2008, up 7.4% from In 2009, growth is projected at 7%.
Hosted, or on-demand solutions
Integration of audit automation with audit working papers software
Transformation of internal audit (the skill sets of internal auditors, the structure and the role of the internal audit departments)
Structural changes in external audit