1
Conference Workshop
Continuous Auditing: An Approach for Today
Univ. of Salford, 19 February 2019
Presented by Anton Bouwer
2
AGENDA
The “Phrase”
The “Distinction”
Approach for Today’s Requirements
Summary
3
Definition of Continuous Auditing
Never ends
When cycle ends, next starts
AUDITING.
Access information
Know business
Verify info
Express/Report

Methodology
CA is a methodology, not only a tool. It is very important to realise that this methodology will become the method through which the auditor audits a specific subject in the organisation. It must be raised to a strategic level and become part of the audit department’s overall audit methodology. CA’s success rate is very closely related to the level of support given to the methodology by managers of the audit department.

Written assurance
CA must enable the auditor to provide assurance on the area audited. It cannot be only a control that performs a specific task. It must be a methodology that verifies something: either the effectiveness of a control measure or the accuracy and completeness of a specific group of transactions.

Subject matter
A CA application must specifically audit a pre-determined subject matter or audit area. It is not a methodology that is independent of its underlying subject. Different CA applications are developed for different subjects. One application might audit the accuracy and integrity of human resource expenses, while another might evaluate the accuracy and completeness of user access rights to the customer database.

Series of audit reports
The preparation of the audit report should also be automated to ensure that the results of the CA are available as soon as possible after the application has been executed. In a worst-case scenario, most of the benefits of a CA could be lost if the reports are not issued before the next occurrence of the application is executed. It is therefore as important to determine to whom the results should be reported as it is to determine what should be audited.

Issue as close to the event as possible
Since a CA performs automatic checks and verifications, it is important to time both the execution and reporting phases of the application in the most efficient manner. In a very high-risk environment such as International Fund Transfers, it might be expected that a CA is triggered more than once a day, with the report available and distributed directly after the data analysis has been completed. In less time-critical environments such as the payment of vendors, one could expect less regular execution and reporting. The execution and reporting must, however, be very closely linked.
4
Definition of Continuous Auditing
Can CA be possible without human interface? Are we disrespecting the auditor? Square peg, round hole? Diluting the concept “audit”? Legal issues? Ignore at own peril!
5
The Distinction

MONITOR/REPORT
Monitoring & Reporting checks every transaction
One record at a time
Type = Control
Implemented FOR management

AUDIT
Auditing is looking for & verifying exceptions
Independently
Comparing each record against expected norms
Audit efficiency: more than 1 record at a time
Type = Audit compliance or substantive

Make it very clear to auditors that we are talking about continuous AUDITING; therefore the task being performed must be strategic to the audit department. It must not be confused with the implementation of a system of internal control. This is paramount to ensure that audit independence does not get compromised. Audit independence will be discussed later in this seminar. An audit procedure can only be compliance (confirming that a control has been adhered to) or substantive (verifying a specific amount or other detail) in nature. An audit procedure cannot be a control in itself.
6
What is the PROBLEM?
The only way to get CA to the masses (auditors):
Build bridge from today’s audit program to the SciFi CA system.
Don’t start in 2010, start in 2002.
Ask auditors what they want & verify result (Majority rules).
Remember budget!
Messing with age old principles
Let’s learn from the E-Bubble & Y2K & Euro conversion!!!
How big a part did we play in this?
How much did we cost commerce?
7
Approach to CA Development
NOT Complex
NOT Technical
Audit approach & result (NOT control)
Obtain top level buy-in & top level sponsor
One application at a time
Get specialist assistance
8
Implementing Continuous Auditing
Setting up the project
Perform detailed risk analysis
Link to risk measurement
Anticipate exceptions & develop specifications
Plan access to data
Plan the audit frequency and audit response
9
Implementing Continuous Auditing
Develop and implement the continuous auditing application
Test & Acceptance
Maintenance and redesign
Post Implementation Review
Regular auditing of the continuous auditing application
10
Pitfalls
What to measure?
Exceptions
Trends on statistics & ratios
Difficult to get data access
Auto update of audit database
Top-level sponsor
Slow death
11
Pitfalls
Audit independence
DO / DON’T
Test compliance
Substantiate accuracy
Substantiate completeness
Report on trends
Detect
Control
Monitor
Prevent
12
Case Study Background
Banking & finance entity
Strategic risk analysis identified reputational risk as very high due to impact
Management expect auditor to review risk on more regular basis
13
Case Study Solution
Measure (audit) risk
Report on risk measurement
Automate process
Schedule future audits and reporting frequency
14
Risk Measurement
Type = Reputation
Risk: Abuse of customer funds through internal theft or fraud
Control: Staff are not allowed to transfer customer funds to their own accounts. Such transfers in excess of $1000 must be done by another employee.
Audit Procedure: Access data containing information on: User ID, Employee account, To account, From account. Identify control exceptions.
15
Develop Specifications
Objective: Search transactions to find: Transfer of funds; To employee account; Captured by employee who owns account; Amount bigger than $1000
Method: Analyse each transaction and identify instances where the TO account equals the account number of the employee who captured the transaction
Data: Info needed can be found in two files: Employee master; Transaction master. Both files contain the field EmpID, which is the employee’s unique ID number in the company.
16
Technical Specifications
Analysis: Access both files; Join files on EmpID and (Emp_Accnt to To_Accnt); Join type MATCHED; Extract matches; Compute statistics on exceptions; Automate analysis; Schedule automated execution
Notification: Determine if there are exceptions; NOTIFY auditor of exceptions; Attach exceptions; Automate notification
Reporting: Extract statistical data to permanent file; Present file with results as trend analysis to management; Automate reporting
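The specification on slides 15 and 16, as an added example that is not part of the original presentation: a MATCHED join of the two files on EmpID and Emp_Accnt = To_Accnt, limited to amounts above $1000, with the statistics that would feed the trend file. The sample records are constructed, and the TxnID, From_Accnt and Amount column names are assumptions; EmpID, Emp_Accnt and To_Accnt come from the slides.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample extracts. EmpID, Emp_Accnt and To_Accnt are the field
# names on the slides; TxnID, From_Accnt and Amount are assumed names.
EMPLOYEE_MASTER = """EmpID,Emp_Accnt
E001,100-111
E002,100-222
E003,100-333
"""
TRANSACTION_MASTER = """TxnID,EmpID,From_Accnt,To_Accnt,Amount
T1,E001,200-900,100-111,2500.00
T2,E001,200-901,100-111,400.00
T3,E002,200-902,100-111,5000.00
T4,E003,200-903,300-777,9000.00
T5,E002,200-904,100-222,1000.00
T6,E003,200-905,100-333,1000.01
"""
THRESHOLD = Decimal("1000")  # control limit from the case study

def load(text):
    rows = csv.DictReader(io.StringIO(text))
    return [{k: v.strip() for k, v in row.items()} for row in rows]

def find_exceptions(employees, transactions, threshold=THRESHOLD):
    """MATCHED join on EmpID and Emp_Accnt = To_Accnt, amount above limit."""
    own = {(e["EmpID"], e["Emp_Accnt"]) for e in employees}
    return [t for t in transactions
            if (t["EmpID"], t["To_Accnt"]) in own
            and Decimal(t["Amount"]) > threshold]

def summarise(exceptions, transactions):
    # Statistics for the permanent file used in trend reporting.
    return {"transactions": len(transactions),
            "exceptions": len(exceptions),
            "exception_value": sum(Decimal(t["Amount"]) for t in exceptions),
            "by_employee": dict(Counter(t["EmpID"] for t in exceptions))}

def run_audit():
    employees, transactions = load(EMPLOYEE_MASTER), load(TRANSACTION_MASTER)
    exceptions = find_exceptions(employees, transactions)
    return exceptions, summarise(exceptions, transactions)

if __name__ == "__main__":
    found, stats = run_audit()
    if found:  # notification step: only raised when exceptions exist
        print("NOTIFY auditor:", [t["TxnID"] for t in found])
    print(stats)
```

T3 (captured by a different employee) and T5 (exactly $1000, so not in excess of the limit) are correctly left out; amounts use Decimal so the boundary comparison is exact.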
17
Efficient Data Access
18
Develop Application
19
Schedule Application
20
Real-time Notification
21
Audit Verification
22
Continuous Reporting
23
Continuous Audit Cycle
[Diagram: Continuous Audit Cycle, with the stages Automated data download, Automated audit, Report, Audit Verification, Automated scheduling]
24
Summary
Start at Risk Analysis
Do not forget 80:20
Prove benefits (£££)
Internal audit implement, external audit share benefits (Consulting opportunities - £££)
Wonderful trends!!!
Technical barriers are smallest problem
Risk can not be measured, managed?
25
Thank You