IACON 2010
Taking the Internal Audit Profession Forward

Continuous Auditing:
Technology Enabled Continuous Assurance
Dan French - Consider Solutions

Consider Solutions are the European distribution operation for Approva
© 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
www.iloveagoodaudit.com

Learning Points

• The value in developing a continuous auditing framework
• Why is continuous auditing important for auditors?
• How does technology aid continuous auditing?
• Monitoring for management use or internal audit?
• Interpreting and reacting on your results




Structure

• Continuous Auditing & Continuous Controls Monitoring
• The Controls Challenge for Management and Audit
• Continuous Auditing in Practice
• Challenges and Best Practices
• Questions and feedback




Continuous Auditing (CA) & Continuous Controls
Monitoring (CCM)
• ‘Continuous auditing is the application of automated tools to provide
  assurance on financial and non-financial data within a company’
• ‘Continuous auditing uses a set of tools to check whether internal
  controls are functioning to prevent errors and fraud’
• ‘A generally accepted definition of “continuous auditing” remains
  elusive, and expert practitioners remain rare’
• ‘32% of 305 organizations have told the Institute of Internal Auditors in
  the past year that they perform continuous auditing’
• In a 2006 PWC survey, 81% of 392 companies said they at least
  aspired to continuous auditing
• ‘Continuous Controls Monitoring seeks to assure the effectiveness of
  internal controls, reduce fraud and meet regulatory requirements.’

Continuous Auditing (CA) & Continuous Controls
Monitoring (CCM) – What is the difference?

• There is much debate on the semantics!
• No, not all risks can be effectively monitored using automation
• Monitoring data and transactions does not necessarily prove that the
  control is working
        » But it helps!
• Emerging Continuous Monitoring definitions
        » Application configuration (CCM-AC) – ‘Do our systems allow anyone to . . .?’
        » User access (CCM-SOD) – ‘Can anyone . . . . ?‘
        » Master data (CCM-MD) – ‘Is the critical static data correct and controlled? ‘
        » Transactions (CCM-T) – ‘Did anyone . . . ? What was the impact?‘


• Consistent, Continuous, Complete
Audit & Internal Controls
[Image: courtesy BMW AG]

An Audit Committee Perspective

 • The pace of business change continues to increase

 • The demands for more rapid and robust reporting will increase

 • Technology risk will continue to increase

 • The patience of the public, investors and regulators to accept fraud
   risks will continue to grow thin

 • The demand for independent, rapid assurance will continue to grow

 • We are entering a new Age – We need constant, not periodic,
   visibility



Drivers for Change
• Maintenance of continuous state of audit requires:
        » Provide immediate insight into control violations
        » Increase audit scope and frequency while reducing costs
        » From manual to fully automated control testing with integrated view on risks
        » Reduce recurrent testing/review cost significantly, while focusing on more added value areas
• Enterprise risk and controls coverage across all processes and applications
• Increasing complexity and integration of systems requires new control methods and tools

Vision

Current approach compared with new approach:
• Current: Periodic, mainly manual reviews and audits of systems and processes
        » New: Continuous testing via predefined rules and tools
        » New: Broader and deeper scope of testing
• Current: Sample based manual and computer aided testing
        » New: Exception based automated monitoring
• Current: Multiple controls and tools to cover one control objective or risk
        » New: Optimisation of controls and testing in integrated tool set
• Current: Inconsistent, decentralized tools and testing
        » New: Local controls and testing derived from common consistent global rules
• Current: Mainly focused on regulatory control objectives
        » New: Extension to other risk areas (operational risks, extend fraud detection, other compliance risks)
        » New: Further business improvement opportunities

Global centralized, standardized and integrated controls management and testing that helps:
• Realize efficiency gains through automated and continuous control monitoring
• Increase coverage and scope of controls to areas not sufficiently covered today
• Embed controls in business processes

Over the Last 5 Years Risk Management Has Jumped to the Top of the CFO’s Agenda…

[Chart: Which of These Company-Wide Initiatives Are ‘Very Important’ or ‘Critically Important’ to CFOs? Series: 2010 and 2005. Categories: Measuring/monitoring business performance; Providing inputs into enterprise strategy; Driving enterprise cost reduction; Supporting/managing/mitigating enterprise risk; Driving integration of information across the enterprise. Annotation: 93% increase.]
Source: IBM CFO Survey, 2010

…But CFOs Say a Significant Gap Remains Between the Effectiveness & Importance of Internal Controls

[Chart: How Would You Rate the Importance vs. the Effectiveness of These Cross-Enterprise Activities? Series: Importance and Effectiveness. Categories: Executing continuous finance process improvements; Strengthening compliance programs & internal controls; Driving Finance cost reduction; Supporting/managing/mitigating enterprise risk. Annotations: 28% Gap, 16% Gap, 23% Gap.]
Source: IBM CFO Survey, 2010

The Vast Majority of Organizations Rely on Manual Methods to Validate The Effectiveness of Their Controls

[Chart: What Methods Do You Use to Provide Management Assurance of Your Controls? Segments: Mostly real-time automated checks & dashboards; Mix of real-time, manual & automated checks; Mix of regular manual & automated checks; Mostly periodic manual checks/standard reports; Others/not sure.]
Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010

The Controls Challenge for Management & Audit

• Processes are ignored or circumvented
• Policies cannot be cost-effectively enforced

[Diagram: Processes: What is supposed to happen? What actually does happen? Multiple Risks, Multiple Data Sources]

The myth of standardisation & control in systems

CFOs have invested tens of millions in ERP / Finance Systems to
drive:
      » Process and control standardisation
      » Business efficiency
      » Economies of scale


However, only some of the value has been released . . .
      » Many businesses have implemented ERP and achieved:
             • A standard data input process and control
        BUT NOT
             • A standard business process or control

Example standard business process
ERP is configured to only allow GR if PO exists, however…

1. Truck drops off shipment, but no PO exists
2. Warehouse worker calls up purchasing to create a PO
3. Purchasing creates PO for Shipment
4. GR is created against PO

“The myth of automated business controls in ERP”

Fixing the myth of standardisation & control in
systems

• Neither management nor audit can rely on system
  configured controls (automated business controls) alone;


• For key controls of high risk or high impact, we need;
        » Monitoring and Prevention of high risk Segregation of Duties issues
        » Monitoring of configured control, where it exists
        » Monitoring of related master data for specific changes
        » Monitoring of specific business activities/transactions outside
          accepted or expected boundaries


• This gives 360 degree business control visibility for
  management and audit – Consistent, Continuous, Complete

Consistent, Continuous, Complete Testing
• Continuous monitoring catches things that typically don’t get found
  in their entirety, including:
        » Changes to Bank Account details
        » Change in payment terms or prices on specific orders
        » Approvals to key changes (such as terms and prices)
        » SoD checks at the individual level e.g., POs created and released by
          same person, GR created by same person as approved the PO.
        » Deliveries with no reference to a Sales Order
        » Over deliveries
        » Sales Orders for Customers over Credit Limit
        » Duplicate payments
        » ‘Unusual’ GL postings
        » Multiple POs to avoid signoff limits
        » Nominal value PRs to ‘make the process work’
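
How four of the checks listed above could be expressed as exception rules, as an added example (not part of the original slides or of any Approva product). The record layouts, the 10,000 sign-off limit and the 7-day window are assumptions, and all sample data is constructed:

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

SIGNOFF_LIMIT = 10_000.00          # assumed approval threshold per PO
SPLIT_WINDOW = timedelta(days=7)   # assumed window for spotting split POs

@dataclass(frozen=True)
class PO:
    po_id: str
    vendor: str
    amount: float
    created_by: str
    released_by: str
    created_on: date

@dataclass(frozen=True)
class GR:
    gr_id: str
    po_id: str
    created_by: str

@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor: str
    invoice_ref: str
    amount: float

# Constructed sample records (hypothetical layout, not a real ERP extract).
POS = [
    PO("PO-1001", "V-ACME", 4200.00, "alice", "bob", date(2010, 3, 1)),
    PO("PO-1002", "V-ACME", 9500.00, "carol", "carol", date(2010, 3, 2)),
    PO("PO-1003", "V-BOLT", 4800.00, "dave", "erin", date(2010, 3, 8)),
    PO("PO-1004", "V-BOLT", 4900.00, "dave", "erin", date(2010, 3, 9)),
    PO("PO-1005", "V-BOLT", 4700.00, "dave", "erin", date(2010, 3, 11)),
    PO("PO-1006", "V-CRANE", 6000.00, "alice", "bob", date(2010, 3, 1)),
    PO("PO-1007", "V-CRANE", 5500.00, "alice", "bob", date(2010, 4, 20)),
]
GRS = [
    GR("GR-1", "PO-1001", "frank"),
    GR("GR-2", "PO-1003", "erin"),     # erin also released PO-1003
    GR("GR-3", "PO-1006", "frank"),
]
PAYMENTS = [
    Payment("PAY-1", "V-ACME", "INV-0042", 4200.00),
    Payment("PAY-2", "V-ACME", "inv 42", 4200.00),    # same invoice, retyped
    Payment("PAY-3", "V-BOLT", "INV-0077", 4800.00),
    Payment("PAY-4", "V-BOLT", "INV-0078", 4800.00),  # same amount, other invoice
]

def sod_po_exceptions(pos):
    """POs created and released by the same person."""
    return [p.po_id for p in pos if p.created_by == p.released_by]

def sod_gr_exceptions(pos, grs):
    """GRs created by the person who released (approved) the PO."""
    releaser = {p.po_id: p.released_by for p in pos}
    return [g.gr_id for g in grs if releaser.get(g.po_id) == g.created_by]

def _norm_ref(ref):
    """Normalise an invoice reference: 'INV-0042' and 'inv 42' -> 'INV42'."""
    ref = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", ref)

def duplicate_payments(payments):
    """Groups of payments sharing vendor, normalised invoice ref and amount."""
    groups = defaultdict(list)
    for p in payments:
        key = (p.vendor, _norm_ref(p.invoice_ref), round(p.amount, 2))
        groups[key].append(p.pay_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def split_po_exceptions(pos, limit=SIGNOFF_LIMIT, window=SPLIT_WINDOW):
    """Runs of sub-limit POs (same creator and vendor) that together reach
    the sign-off limit within the window."""
    groups = defaultdict(list)
    for p in pos:
        if p.amount < limit:           # POs at/over the limit get sign-off anyway
            groups[(p.created_by, p.vendor)].append(p)
    hits = []
    for group in groups.values():
        group.sort(key=lambda p: p.created_on)
        start, total = 0, 0.0
        for end, po in enumerate(group):
            total += po.amount
            while po.created_on - group[start].created_on > window:
                total -= group[start].amount
                start += 1
            if end > start and total >= limit:
                hits.append([g.po_id for g in group[start:end + 1]])
                start, total = end + 1, 0.0   # do not report overlapping runs
    return hits

if __name__ == "__main__":
    print("SoD PO:", sod_po_exceptions(POS))
    print("SoD GR:", sod_gr_exceptions(POS, GRS))
    print("Duplicate payments:", duplicate_payments(PAYMENTS))
    print("Split POs:", split_po_exceptions(POS))
```

Because every record is tested rather than a sample, each rule returns the full exception population, which is why continuous monitoring surfaces more exceptions than periodic sampling.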
CA/CCM Landscape is Confusing

“GRC” Components & Related Services

• Governance Layer: Align Performance With Corporate Objectives
        » Corporate Reporting
        » Documentation / Alignment / Rationalization
• Risk/Compliance Layer: Establish The Rules For Business Operations
        » Enterprise Risk; Issue & Resolution Management; E-Discovery; Audit Management
        » Continuous Control Monitoring (CCM), Testing & Enforcement
        » Policy, procedure & control definition
• Business/Performance Layer: Assure That Operations Follow Set Policies and Expectations
        » ERP; Finance; HR; Sales; Supply Chain; Manuf. Ops.; LOB
        » Pharma; Retail; Healthcare; Transportation; Manufacturing; Financial Services; Energy
        » SOX; Basel II; HIPAA; FCPA; J-SOX; PCI; Others
• Continuous Monitoring Layer: Provide Insight & Perform Specialized Functions
        » Automated testing: Application Configuration (CCM-AC); User Access (CCM-SOD); Master Data (CCM-MD); Transactions (CCM-T)
• IT Infrastructure Layer: Assure That Information Is Properly Controlled
        » IT Control Monitoring, Testing & Enforcement: Networks; Web; E-mail; Servers; Storage

Continuous Auditing in Practice

[Screenshot slides, titles only:]
• User Access Exceptions
• Business Process Exceptions
• Process Exceptions – drilldown into specific issues
• Process Exceptions – drilldown – duplicate vendor
• Continuous Monitoring helps Risk Assessment (Value of Returned Goods by Location)
• . . . and helps drive Business Improvement (Open Sales Orders Not Shipped)

Case Study:
Continuous Auditing Approach

Approach
• Systematically examine each Audit Action Sheet, the audit approach, and the audit objectives
• Design an automation and continuous monitoring method, achieving the same audit objectives while leveraging CCM/CA
• Identify and validate automation opportunities in 4 key areas:
        1. CCM/CA out-of-the-box rules
        2. Configure new rules
        3. Re-engineer manual AAS tests
        4. Not possible to automate

75% Automation of Audit Tests
• 25% Automated by Re-Engineering Audit Plan Controls
• 25% Automated by Configuring New CCM/CA Rules
• 25% Automated With Out-of-the-Box Rules
• 25% Not Possible to Automate

© 2009 Approva Corporation. All rights reserved.
Continuous Auditing / Continuous Controls Monitoring
                • Can target up to 60-70% of key controls
                • But, it can be complex
                       » Many Moving Parts, including . . .
                              • Technology
                              • Potentially broad controls and data scope
                              • Multiple systems and processes
                              • Geography, Lines of Business, Organisations & Plants
                              • Managing Stakeholders & Expectations
                              • Reporting and actioning exceptions and issues
                              • Human impact of continuous monitoring
                       » Invariably involves change!




Some Specific Recommendations (1)

       • Be clear and get agreement on ownership and sponsorship
       • Start simple, narrow risk focussed scope with quantifiable value
       • Prioritise based on business risk and suitability for automation ...
         HIGH / HIGHs are the sweet spot
       • Develop a plan for iterative refinement of entire process. Deploy ...
         use ... learn ... review ... refine ... extend. Increase breadth in
         controlled stages.
       • Review current beliefs and practices in light of each iteration. Is
         there a better way to test this control or manage this risk?
       • Deeply engage the business / control owners as part of the
         assessment / development / testing processes
       • Be aware that continuous monitoring WILL find more exceptions
         than periodic sampling. Communicate well and often.
Some Specific Recommendations (2)
  • Implement a robust rule configuration methodology involving
    required skills. Structured but iterative approach works well.
  • Define a robust rule testing strategy which closely involves the
    business / control owners.
  • Define and agree business deployment strategy before rolling out.
    e.g. practical information dissemination and alerting strategy that
    makes it easy for the stakeholders. Work out how the stakeholders
    will use the output, confirm priority of exceptions, and agree types of
    actions needed.
  • Reporting: Ensure the content is filtered appropriately for the target
    community so they only see relevant information. Ensure report
    output is appropriate for the target community.



Work Streams to consider when Planning
              • CCM/CA Project
                      » Vision & objectives setting and stakeholder buy-in
                      » Narrow Path Pilot to develop and test full cycle controls
                        testing from control confirmation to business action and
                        remediation
                      » Extend to next LOB, geography, control set
                      » Iterate


              • Don’t invest in technology until you have proven the value
                in a Narrow Path Pilot . . .




Implementation Considerations

[Diagram: Planning & Management spans the following stages:]
• Controls Definition & Optimization
• IT Planning & Operability
• Information Dissemination & Exception Action Planning
• Pilot “Business As Usual” on Narrow Path Scope
• Roll-Out & Follow-On Planning

The Business Case
           • The vision and rationale
                  »      Enable a comprehensive controls testing environment for optimised risk coverage, visibility
                         of control effectiveness, elimination of fraud and waste and process (& system) simplification
                         and standardisation

           • Tangible benefits of Continuous Audit
                  »      Cost savings OR Cost avoidance
                         • Internal Audit Effort
                         • External Audit Effort
                         • Finance Effort
                         • IT Effort
                         • Other External effort
                  »      Both centrally and locally (often disguised in other activities)

           • Improved risk profile – 100% control testing
           • Efficiencies and cost savings in core business processes
           • Operational intelligence for business exceptions
           • Driving process standardisation and economies of scale
Companies Expect to See Significant Benefits From Their Deployment of CCM Applications

[Chart: In What Areas Do You Expect to See the Most Significant Benefits With CCM Applications?]
Source: AMR Research, 2009

Stakeholder views on CCM/CA

• CFO / Finance
        » Increased business efficiency
        » Reduced risk of adverse audit findings & fraud
• Internal Audit
        » Reduced testing time for routine controls
        » Improved internal auditor utilization
• CIO / IT
        » Reduced time to support audits
        » Reduced IT cost of ownership
• Compliance / Risk
        » Improved visibility into key risks
        » Reduced time and cost for monitoring controls

Continuous Auditing & Continuous Monitoring

[Diagram: Complementary Business Goals of Continuous Auditing & Continuous Monitoring. Axes: Operational Benefits (continuous monitoring); Audit Benefits (continuous auditing); Value. Labels: Regulatory Compliance; Reduced Audit Costs; Automated Audit Testing; Reduced Audit Preparation Costs; Fraud Prevention; Risk Management & Operational Improvement; Improved Audit Quality & Effectiveness; Cash Leaks; Financial Reporting Accuracy; Transaction Processing Costs; Business Process Optimization; Performance Management; Performance & Strategy; Performance Improvement.]

More than 50% of Organizations Are Considering or Piloting Continuous Auditing & Monitoring Tools

[Chart: How Widespread Is the Use of Technology to Support Continuous Auditing & Continuous Monitoring? Segments: Widespread use of dedicated auditing & monitoring tools; Limited/pilot use of dedicated auditing & monitoring tools; Considering the use of dedicated auditing & monitoring tools; Use standard reporting (e.g. from ERP system); Not at all or don’t know.]
Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010

The Value of Effective, Assured Controls

• Better risk identification, mitigation and management
• Knowledge that the business runs ‘as advertised’
• Revenue is solid, cash is collected, expenses are valid, tax position is correct, accrual values are fair, waste & fraud are eliminated
• Stakeholders (internal and external) have greater confidence in results, operations, controls and management

So the question remains:
‘Is continuous, automated testing more cost effective?’

In God we trust . . . .

Everyone else gets (continuously) audited!

Questions?

Contact Details
dfrench@consider.biz
www.iloveagoodaudit.com


Continuous Auditing D.French

  • 1. IACON 2010 Taking the Internal Audit Profession Forward Continuous Auditing: Technology Enabled Continuous Assurance Dan French - Consider Solutions Consider Solutions are the European distribution operation for Approva © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 1
  • 2. www.iloveagoodaudit.com / © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 2
  • 3. Learning Points • The value in developing a continuous auditing framework • Why is continuous auditing important for auditors? • How does technology aid continuous auditing? • Monitoring for management use or internal audit? • Interpreting and reacting on your results © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 3
  • 4. Structure • Continuous Auditing & Continuous Controls Monitoring • The Controls Challenge for Management and Audit • Continuous Auditing in Practice • Challenges and Best Practices • Questions and feedback © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 4
  • 5. Continuous Auditing (CA) & Continuous Controls Monitoring (CCM) • ‘Continuous auditing is the application of automated tools to provide assurance on financial and non-financial data within a company’ • ‘Continuous auditing uses a set of tools to check whether internal controls are functioning to prevent errors and fraud’ • ‘A generally accepted definition of "continuous auditing“ remains elusive, and expert practitioners remain rare’ • ‘32% of 305 organizations have told the Institute of Internal Auditors in the past year that they perform continuous auditing’ • In a 2006 PWC survey, 81% of 392 companies said they at least aspired to continuous auditing • ‘Continuous Controls Monitoring seeks to assure the effectiveness of internal controls, reduce fraud and meet regulatory requirements. © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 5
  • 6. Continuous Auditing (CA) & Continuous Controls Monitoring (CCM) – What is the difference? • There is much debate on the semantics ! • No, not all risks can be effectively monitored using automation • Monitoring data and transactions does not necessarily prove that the control is working » But it helps! • Emerging Continuous Monitoring definitions » Application configuration (CCM-AC) – ‘Do our systems allow anyone to . . .?’ » User access (CCM-SOD) – ‘Can anyone . . . . ?‘ » Master data (CCM-MD) – ‘Is the critical static data correct and controlled? ‘ » Transactions (CCM-T) – ‘Did anyone . . . ? What was the impact?‘ • Consistent, Continuous, Complete © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 6
  • 7. Audit & Internal Controls courtesy BMW AG © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 8. An Audit Committee Perspective • The pace of business change continues to increase • The demands for more rapid and robust reporting will increase • Technology risk will continue to increase • The patience of the public, investors and regulators to accept fraud risks will continue to grow thin • The demand for independent, rapid assurance will continue to grow • We are entering a new Age – We need constant, not periodic, visibility 8 © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 9. Drivers for Change • Maintenance of continuous state of audit requires: » Provide immediate insight into control violations » Increase audit scope and frequency while reducing costs » From manual to fully automated control testing with integrated view on risks » Reduce recurrent testing/review cost significantly, while focusing on more added value areas • Enterprise risk and controls coverage across all processes and applications • Increasing complexity and integration of systems requires new control methods and tools 9 © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 10. Vision Current approach New approach Periodic, mainly manual reviews and Continuous testing via predefined rules and audits of systems and processes tools Broader and deeper scope of testing Sample based manual and computer Exception based automated monitoring aided testing Multiple controls and tools to cover one Optimisation of controls and testing in control objective or risk integrated tool set Inconsistent, decentralized tools and Local controls and testing derived from testing common consistent global rules Mainly focused on regulatory control Extension to other risk areas (operational risks, objectives extend fraud detection, other compliance risks) Further business improvement opportunities Global centralized, standardized and integrated controls management and testing that helps: • Realize efficiency gains through automated and continuous control monitoring • Increase coverage and scope of controls to areas not sufficiently covered today • Embed controls in business processes 10 © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 11. Over the Last 5 Years Risk Management Has Jumped to the Top of the CFO’s Agenda… Which of These Company-Wide Initiatives Are ‘Very Important’ or ‘Critically Important’ to CFOs? 93% increase 2010 2005 Measuring/ Providing inputs Driving enterprise Supporting/ Driving integration monitoring into enterprise cost reduction managing/ of information business strategy mitigating across the performance enterprise risk enterprise Source: IBM CFO Survey, 2010 11 © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 12. …But CFOs Say a Significant Gap Remains Between the Effectiveness & Importance of Internal Controls How Would You Rate the Importance vs. the Effectiveness of These Cross-Enterprise Activities? 28% Gap 16% Gap 23% Gap Importance Effectiveness Executing continuous Strengthening Driving Finance cost Supporting/ managing finance process compliance programs reduction / mitigating enterprise improvements & internal controls risk Source: IBM CFO Survey, 2010 © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 12
  • 13. The Vast Majority of Organizations Rely on Manual Methods to Validate The Effectiveness of Their Controls What Methods Do You Use to Provide Management Assurance of Your Controls? Mostly real-time automated Others/not sure checks & dashboards Mix of real-time, manual & automated Mostly periodic checks manual checks/ standard reports Mix of regular manual & automated checks Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010 © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 13
  • 14. The Controls Challenge for Management & Audit Processes are ignored Processes are ignored Policies cannot be cost- Policies cannot be cost- or circumvented or circumvented effectively enforced effectively enforced What is supposed to happen? Processes What actually does happen? Multiple Risks, Multiple Data Sources © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 14
  • 15. The myth of standardisation & control in systems CFOs have invested tens of millions in ERP / Finance Systems to drive: » Process and control standardisation » Business efficiency » Economies of scale However, only some of the value has been released . . . » Many businesses have implemented ERP and achieved; • A standard data input process and control BUT NOT • A standard business process or control © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 16. Example standard business process ERP is configured to only allow GR if PO exists, however… 1. Truck drops off shipment, but 3. Purchasing creates PO for no PO exists Shipment 2. Warehouse worker calls up purchasing to create a PO 4. GR is created against PO “The myth of automated business controls in ERP” © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 17. Fixing the myth of standardisation & control in systems • Neither management nor audit can rely on system configured controls (automated business controls) alone; • For key controls of high risk or high impact, we need; » Monitoring and Prevention of high risk Segregation of Duties issues » Monitoring of configured control, where it exists » Monitoring of related master data for specific changes » Monitoring of specific business activities/transactions outside accepted or expected boundaries • This gives 360 degree business control visibility for management and audit – Consistent, Continuous, Complete © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 17
  • 18. Consistent, Continuous, Complete Testing • Continuous monitoring catches things that just don’t typically get found in entirety including; » Changes to Bank Account details » Change in payment terms or prices on specific orders » Approvals to key changes (such as terms and prices) » SoD checks at the individual level e.g., POs created and released by same person, GR created by same person as approved the PO. » Deliveries with no reference to a Sales Order » Over deliveries » Sales Orders for Customers over Credit Limit » Duplicate payments » ‘Unusual’ GL postings » Multiple PO’s to avoid signoff limits » Nominal value PR’s to ‘make the process work’ © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 18
  • 19. CA/CCM Landscape is Confusing “GRC” Components & Related Services Governance Layer Corporate Reporting Align Performance With Documentation / Alignment / Rationalization Corporate Objectives Issue & Enterprise Audit Resolution E-Discovery Risk/Compliance Layer Risk Management Management. Establish The Rules For Business Operations Continuous Control Monitoring (CCM), Testing & Enforcement Policy, procedure & control definition Business/Performance Layer Supply Manuf. ERP Finance HR Sales LOB Assure That Operations Follow Chain Ops. Set Policies and Expectations Health- Transp- Manuf- Financial Pharma Retail Energy care ortation acturing Services SOX Basel II HIPPA FCPA J-SOX PCI Others. Continuous Monitoring Layer Automated testing Provide Insight & Perform Application User Access Master Data Transactions Configuration Specialized Functions (CCM-AC) (CCM-SOD) (CCM-MD) (CCM-T) IT Infrastructure Layer IT Control Monitoring, Testing & Enforcement Assure That Information Is Networks Web E-mail Servers Storage Properly Controlled © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. 19
  • 20. Continuous Auditing in Practice © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 21. © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 22. © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 23. User Access Exceptions © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 24. Business Process Exceptions © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 25. Process Exceptions – drilldown into specific issues © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 26. Process Exceptions – drilldown – duplicate vendor © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 27. Continuous Monitoring helps Risk Assessment Value of Returned Goods by Location © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 28. . . . and helps drive Business Improvement Open Sales Orders Not Shipped © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
  • 29. Case Study: Continuous Auditing Approach Approach • Systematically examine each Audit Action Sheet, the audit approach, and 75% Automation of Audit Tests the audit objectives • Design an automation and continuous monitoring method, 25% Automated by achieving the same audit objectives Re-Engineering Audit Plan while leveraging CCM/CA Controls • Identify and validate automation 25% Automated by opportunities in 4 key areas: Configuring New CCM/CA Rules 25% Automated With 1. CCM/CA out-of-the-box rules Out-of-the-Box Rules 2. Configure new rules 3. Re-engineer manual AAS tests 25% Not Possible to Automate 4. Not possible to automate 2 © 2009 Approva Corporation. All rights reserved.
  • 30. Continuous Auditing / Continuous Controls Monitoring • Can target up to 60-70% of key controls • But, it can be complex » Many Moving Parts, including . . . • Technology • Potentially broad controls and data scope • Multiple systems and processes • Geography, Lines of Business, Organisations & Plants • Managing Stakeholders & Expectations • Reporting and actioning exceptions and issues • Human impact of continuous monitoring » Invariably involves change! © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. © 2008 Approva Corporation. All rights 30 reserved
  • 31. Some Specific Recommendations (1) • Be clear and get agreement on ownership and sponsorship • Start simple, narrow risk focussed scope with quantifiable value • Prioritise based on business risk and suitability for automation ... HIGH / HIGHs are the sweet spot • Develop a plan for iterative refinement of entire process. Deploy ... use ... learn ... review ... refine ... extend. Increase breadth in controlled stages. • Review current beliefs and practices in light of each iteration. Is there a better way to test this control or manage this risk? • Deeply engage the business / control owners as part of the assessment / development / testing processes • Be aware that continuous monitoring WILL find more exceptions than periodic sampling. Communicate well and often. © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. © 2006 Approva Corporation. All rights 31 reserved
  • 32. Some Specific Recommendations (2) • Implement a robust rule configuration methodology involving required skills. Structured but iterative approach works well. • Define a robust rule testing strategy which closely involves the business / control owners. • Define and agree business deployment strategy before rolling out. e.g. practical information dissemination and alerting strategy that makes it easy for the stakeholders. Work out how the stakeholders will use the output, confirm priority of exceptions, and agree types of actions needed. • Reporting: Ensure the content is filtered appropriately for the target community so they only see relevant information. Ensure report output is appropriate for the target community. © 2010 Approva Corporation and Consider Solutions Limited. All rights reserved. © 2006 Approva Corporation. All rights 32 reserved
  • 33. Work Streams to consider when Planning • CCM/CA Project » Vision & objectives setting and stakeholder buy-in » Narrow Path Pilot to develop and test full cycle controls testing from control confirmation to business action and remediation » Extend to next LOB, geography, control set » Iterate • Don’t invest in technology until you have proven the value in a Narrow Path Pilot . . .
  • 34. Implementation Considerations • Controls Definition & Optimization • IT Planning & Operability • Information Dissemination & Exception Action Planning • Planning & Pilot on Narrow Path Scope • “Business As Usual” Management • Roll-Out & Follow-On Planning
  • 35. The Business Case • The vision and rationale » Enable a comprehensive controls testing environment for optimised risk coverage, visibility of control effectiveness, elimination of fraud and waste and process (& system) simplification and standardisation • Tangible benefits of Continuous Audit » Cost savings OR Cost avoidance • Internal Audit Effort • External Audit Effort • Finance Effort • IT Effort • Other External effort » Both centrally and locally (often disguised in other activities) • Improved risk profile – 100% control testing • Efficiencies and cost savings in core business processes • Operational intelligence for business exceptions • Driving process standardisation and economies of scale
  • 36. Companies Expect to See Significant Benefits From Their Deployment of CCM Applications • [Chart: In What Areas Do You Expect to See the Most Significant Benefits With CCM Applications?] • Source: AMR Research, 2009
  • 37. Stakeholder views on CCM/CA • CFO / Finance: Increased business efficiency; Reduced risk of adverse audit findings & fraud • Internal Audit: Reduced testing time for routine controls; Improved internal auditor utilization • CIO / IT: Reduced time to support audits; Reduced IT cost of ownership • Compliance / Risk: Improved visibility into key risks; Reduced time and cost for monitoring controls
  • 38. Continuous Auditing & Continuous Monitoring • [Figure: Complementary Business Goals of Continuous Auditing & Continuous Monitoring, with goals grouped under Operational Benefits (continuous monitoring) and Audit Benefits (continuous auditing)]
  • 39. More than 50% of Organizations Are Considering or Piloting Continuous Auditing & Monitoring Tools • [Chart: How Widespread Is the Use of Technology to Support Continuous Auditing & Continuous Monitoring?] • Chart categories: Widespread use of dedicated auditing & monitoring tools; Not at all or don’t know; Limited/pilot use of dedicated auditing & monitoring tools; Considering the use of dedicated auditing & monitoring tools; Use standard reporting (e.g. from ERP system) • Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010
  • 40. The Value of Effective, Assured Controls • Better risk identification, mitigation and management • Knowledge that the business runs ‘as advertised’ • Revenue is solid, cash is collected, expenses are valid, tax position is correct, accrual values are fair, waste & fraud is eliminated • Stakeholders (internal and external) have greater confidence in results, operations, controls and management So the question remains; ‘is continuous, automated testing more cost effective?’
  • 41. In God we trust . . . . Everyone else gets (continuously) audited!
  • 42. Questions? • Contact Details: dfrench@consider.biz • www.iloveagoodaudit.com
  • 43. IACON 2010 Taking the Internal Audit Profession Forward • Continuous Auditing: Technology Enabled Continuous Assurance • Dan French - Consider Solutions • Consider Solutions are the European distribution operation for Approva