Keeping Up With the Continuous Audit
In 2006, a survey conducted by PricewaterhouseCoopers revealed that 81 percent of responding companies had either implemented continuous auditing, or aspired to do so. More recently, in an on-going benchmarking survey conducted by the Institute of Internal Auditors (IIA), 32 percent of respondents confirmed that their business is currently performing continuous auditing activities.
Based on those findings, it is clear that the relevance of this practice is growing, and for good reason: Continuous audits give organizations timely and accurate assessments of data with minimal losses.
Yet despite its obvious popularity, the definition of “continuous audit” has yet to be pinned down some 20 years after gaining professional recognition.
The IIA defines continuous auditing as “any method used to perform audit-related activities on a more continuous or continual basis,” without further defining what it means by “more”. That has left others to apply their own definition, with the one most widely accepted by auditing professionals being “activities that are performed more frequently than every three months.” Some disagree with even that definition, preferring to instead apply their own.
Further muddling the definition of continuous auditing is the practice of continuous monitoring, which is typically performed by company management to ensure that business procedures are running properly and internal controls are effective.
“There seems to be a misnomer between continuous auditing and continuous monitoring,” said Tom Boyle, district audit officer for Palomar Pomerado Health. “Though both create an environment or process for implying real-time controls, the latter involves recurring controls that management uses to monitor their operations and make changes. Continuous auditing, however, is different in terms of outcome, process and who the owners are. Auditors have the expertise to monitor, and management owns the responsibility to react to them.”
Though the two often cover similar ground, continuous monitoring involves the transferring of responsibility of control to the operations staff, putting more control in the hands of management. Continuous auditing, on the other hand, is performed by internal auditors.
Technology to the Rescue
Boyle notes that regardless of how frequently auditing occurs, continuous auditing is generally viewed as repetitive. It is a concept that first arose from the absolute need for businesses to keep up with regulatory challenges and be more effective. Doing so required finding ways to leverage resources that allowed companies to efficiently achieve their objectives.
“Today, technology is here to do just that,” he said. “Manual auditing and control management processes are quickly losing their position in the field and making way for much more efficient audit solutions brought about through powerful data analytics, scripted test work and integrated web-based results reporting .”
For example, software solutions such as ACL AuditExchange provide a platform that supports the three phases of continuous auditing: 1) automated data extraction; 2) automated analysis; and 3) exception management.
For companies with complex operations and a myriad of data, these solutions provide a timely and accurate assessment of operations, allowing auditors to determine whether or not adjustments are required to prevent problems from ever occurring. By reacting quickly to minor issues, larger ones are avoided and losses greatly reduced in the long run.
“It seems like this is where auditing should be,” said Boyle. “It’s like a patient wearing a heart monitor so you know immediately if something is wrong, as opposed to waiting until there is a problem to find a solution.”
Automation frees staff members to perform more subjective audits that require professional judgment while continuous auditing controls assess low-risk areas requiring less attention. Additionally, an auditor’s time is spent evaluating anomalies, as opposed to searching for them.
Implementing Continuous Audit
For companies looking to set up continuous auditing practices, researching trusted practices prior to implementation is advised. Organizations such as the IIA offer professional guidance, training, research and case studies. Seeking out expert advice is also advised, as it will save time and money in the long run.
Once initial research is completed, companies should identify the proper metrics to monitor. A good starting place is with key controls that consume staff resources and have the largest risk impact to the organization. Once these are identified, companies must determine how the effectiveness or success of these processes can be measured, analyzed and reported in order to make timely changes to operations. If a company’s existing information systems are not capable of performing this task, identifying a technological solution should be selected to effectively integrate with existing systems and achieve desired goals.
Though selecting the correct technology solution is important, it is secondary in this process because companies cannot find the right tool to achieve automation if they do not know exactly what they hope to accomplish.
For most companies, a top candidate for continuous auditing will be Sarbanes-Oxley compliance audits, as these tests generally consume significant time and resources and auditors are notoriously unhappy with the amount and type of work they entail.
“Sarbanes-Oxley compliance has a lot to do with the fast evolution of continuous auditing,” said Boyle. “It mandated organizations to look at control environments and what they consisted of, and continuous auditing or monitoring was likely the only solution to have very timely assurance of effective controls.”
In addition to freeing up resources, simplifying these tests will increase auditor acceptance of continuous auditing. It also reduces the amount time spent each year performing compliance testing.
Another important element to the continuous auditing process is follow-up. Auditors must know without a doubt that they have made the right decision based on monitoring feedback or results. Thorough follow-up will also allow auditors to review and tweak their process until it operates as intended.
Process Challenges
Though the benefits to continuous auditing are numerous, so are the challenges. Companies can typically expect to have the most problems in two areas: extracting the data and pushback from both the audit staff and the internal stakeholders whose business processes are to be audited.
In terms of data extraction, particularly in large, complex companies, the data may not all be housed in the same place. Overcoming this problem will require the auditor to have specialized software, such as ACL, which will provide concurrent access to disparate data systems and formats; otherwise they are dependent upon their IT department to provide all needed data in a readable format.
To mitigate pushback, those in charge of implementing a continuous audit project should understand that it is a major change for auditors and internal stakeholders. As with most process changes, the introduction of continuous auditing is sure to cause bumps in the road that must be considered at the outset.
A bigger problem, however, may be overcoming auditors’ technology learning curve.
“As an organization and department, it will be somewhat of a challenge because of the new technology and talent resources that are needed and used in this,” said Boyle. “For this reason, I am a huge advocate of the ACL Software. In addition to providing powerful analytics and data access capabilities, the company provides online presentations that people can listen to, free webinars, reference materials about continuous auditing and continuous monitoring, how to use the software, case studies, etc.”
An audit department should develop a plan to improve the skill level of staff through education and training in order to be effective in implementing continuous monitoring and continuous auditing solutions. As the demands for the job change, it may require staff reassignments or new hires to meet the challenges of current trends, but will ensure high adoption rates and less resistance to the change.
For large organizations with complex data structures, the emergence of continuous auditing is driving manual auditing and control management closer to obsolescence. Though some processes may never be fully automated, as technology advances so too will the way organizations utilize the continuous audit.
Also In This Month's Issue:
SEC Approves Engagement Quality Review Standard
Employee Retention Key to Surviving Economic Recovery