Conference Workshop Continuous Auditing: An Approach for Today Univ. of Salford, 5 December December 2015 Presented by Anton Bouwer

AGENDA  The “Phrase”  The “Distinction”  Approach for Today’s Requirements  Summary

Definition of Continuous Auditing  CONTINUOUS  Never ends  When cycle ends, next starts  AUDITING.  Access information  Know business  Verify info  Express/Report

Definition of Continuous Auditing  Can CA be possible without human interface?  Are we disrespecting the auditor?  Square peg, round hole?  Diluting the concept “audit”?  Legal issues? Ignore at own peril!

The Distinction MONITOR/REPORT  Monitoring & Reporting checks every transaction  One record at a time  Type = Control  Implemented FOR management AUDIT  Auditing is looking for & verifying exceptions  Independently  Comparing each record against expected norms  Audit efficiency: more than 1 record at a time  Type = Audit compliance or substantive

What is the PROBLEM? The only way to get CA to the masses (auditors):  Build bridge from today’s audit program to the SciFi CA system. Don’t start in 2010, start in  Ask auditors what they want & verify result (Majority rules). Remember budget!  Messing with age old principles  Lets learn from the E-Bubble & Y2K & Euro conversion!!! How big a part did we play in this? How much did we cost commerce?

Approach to CA Development  NOT Complex  NOT Technical  Audit approach & result (NOT contol)  Obtain top level buy-in & top level sponsor  One application at a time  Get specialist assistance

 Setting up the project  Perform detailed risk analysis  Link to risk measurement  Anticipate exceptions & develop specifications  Plan access to data  Plan the audit frequency and audit response  Setting up the project  Perform detailed risk analysis  Link to risk measurement  Anticipate exceptions & develop specifications  Plan access to data  Plan the audit frequency and audit response Implementing Continuous Auditing

 Develop and implement the continuous auditing application  Test & Acceptance  Maintenance and redesign  Post Implementation Review  Regular auditing of the continuous auditing application  Develop and implement the continuous auditing application  Test & Acceptance  Maintenance and redesign  Post Implementation Review  Regular auditing of the continuous auditing application Implementing Continuous Auditing

 What to measure?  Exceptions  Trends on statistics & ratios  Difficult to get data access  Auto update of audit database  Top-level sponsor  Slow death  What to measure?  Exceptions  Trends on statistics & ratios  Difficult to get data access  Auto update of audit database  Top-level sponsor  Slow death Pitfalls

 Audit independence Pitfalls DODONT Test compliance Substantiate accuracy Substantiate completeness Report on trends Detect Control Monitor Prevent

Case Study Background  Banking & finance entity  Strategic risk analysis identified reputational risk as very high due to impact  Management expect auditor to review risk on more regular basis

Case Study Solution  Measure (audit) risk  Report on risk measurement  Automate process  Schedule future audits and reporting frequency

Risk Measurement RiskControlAudit Procedure Type = Reputation Abuse of customer funds trough internal theft or fraud Staff are not allowed to transfer customer funds to their own accounts. Such transfers in excess of $ 1000 must be done by another employee. Access data containing information on: User ID Employee account To account From account Identify control exceptions

Develop Specifications ObjectiveMethodData Search transactions to find: Transfer of funds To employee account Captured by employee who owns account Amount bigger than $1000 Analyse each transaction and identify instances where the TO account equals the account number of the employee who captured the transaction Info needed can be found in two files Employee master Transaction master Both files contain the field EmpID which is the employee’s unique ID number in the company.

Technical Specifications AnalysisNotificationReporting 1. Access both files 2. Join files on EmpID and (Emp_Accnt to To_Accnt) 3. Join type MATCHED 4. Extract matches 5. Compute statistics on exceptions 6. Automate analysis 7. Schedule automated excecution 1. Determine if there are exceptions 2. NOTIFY auditor of exceptions 3. Attach exceptions 4. Automate notification 1. Extract statistical data to permanent file 2. Present file with results as trend analysis to management 3. Automate reporting

Efficient Data Access

Develop Application

Schedule Application

Real-time Notification

Audit Verification

Continuous Reporting

Continuous Audit Cycle Automated data download Automated scheduling Report Automated audit Audit Verification

Summary  Start at Risk Analysis  Do not forget 80:20  Prove benefits (£££)  Internal audit implement, external audit share benefits (Consulting opportunities - £££)  Wonderful trends!!!  Technical barriers are smallest problem  Risk can not be measured, managed?  Start at Risk Analysis  Do not forget 80:20  Prove benefits (£££)  Internal audit implement, external audit share benefits (Consulting opportunities - £££)  Wonderful trends!!!  Technical barriers are smallest problem  Risk can not be measured, managed?

Thank You