Key Steps to Implementing Continuous Auditing
Once the issues above are understood by managers and auditors alike, the organization will be in a better position to begin using continuous auditing. Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These steps include:
Establishing priority areas.
Identifying monitoring and continuous audit rules.
Determining the process' frequency.
Configuring continuous audit parameters.
Following up.
Communicating results.
Below is a description of each.
Figure 2. Continuous audit implementation steps
1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integrated as part of the internal audit annual plan and the company's risk management program. Many internal audit departments also integrate and coordinate with other compliance plans and activities, if applicable. (Steps 2-6 below are applicable to all of the priority areas and processes being monitored as part of the continuous audit program.)
Typically, when deciding priority areas to continuously audit, internal auditors and managers should:
Identify the critical business processes that need to be audited by breaking down and rating risk areas.
Understand the availability of continuous audit data for those risk areas.
Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.
Consider the corporate ramifications of continuously auditing the particular area or function.
Choose early applications to audit where rapid demonstration of results might be of great value to the organization. Long extended efforts tend to decrease support for continuous auditing.
Once a demonstration project is successfully completed, negotiate with different auditees and internal audit areas, if needed, so that a longer-term implementation plan is put in place.
When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective control once the audited activity's incidence of compliance failure decreases.
2. Monitoring and Continuous Audit Rules
The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. For example, banks can monitor all checking accounts nightly by extracting files that meet the criterion of having a debt balance that is 20 percent larger than the loan threshold and in which the balance is more than Rs. 1,000. In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process. For instance, how quickly a management response is provided once an activity is flagged may depend on the speed of the clearance process (i.e., the environment) while the activity's overall monitoring approach may depend on the enforceability of legal actions and existing compliance requirements.
3. Determining the Process' Frequency
Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing. For instance, although increased testing frequency has substantial benefits, extracting, processing, and following up on testing results might increase the costs of the continuous audit activity. Therefore, the cost-benefit ratio of continuously auditing a particular area must be considered prior to its monitoring.
Furthermore, other tools used by the manager of the continuous audit function include an audit control panel in which frequency and parameter variations can be activated. Hence, the nature of other continuous audit objectives, such as deterrence or prevention, may determine their frequency and variation.
4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. Hence, rules, initial parameters, and the activity's frequency ― also a special type of parameter ― should be defined before the continuous audit process begins and reconfigured based on the activity's monitoring results.
When defining a CAP, auditors should consider the cost benefits of error detection and audit and management follow-up activities. For instance, in the example of the bank described earlier, the excess threshold of Rs. 1,000 could lead to a number of false negatives (e.g., values that were ignored when the balance was smaller than Rs. 1,000 but were identified as representing a problem) and a number of false positives (e.g., values with balances above Rs. 1,000 that were flagged but were accurate). If the threshold is increased to Rs. 2,000, there will be an increase in false negatives and a decrease in false positives. Because follow-up costs would go up as the number of false positives increases and the presence of false negatives may lead to high operational costs for the organization, internal auditors should regularly reevaluate if error detection and follow-up activities need to be continued, reconfigured, temporarily halted, or used on an ad hoc basis.
Furthermore, the stratification of audited data into sub-groups allows organizations to better monitor the activity and reconfigure any parameters (e.g., auditors will be notified when balances larger than 20 percent of the debt remain that are also larger than Rs. 5,000). However, the more complex the rule and its conditional components, the more parameters that must be examined, monitored, and sometimes reconfigured.
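The threshold trade-off described in steps 2 and 4, worked through as an added Python example that is not part of the original article. The account records, the confirmed-problem labels, and all names are constructed for illustration; the rule is read here as "balance more than 20 percent above the loan threshold and above the minimum balance."

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RuleParams:
    excess_pct: int = 20         # balance must exceed the loan threshold by this percentage
    min_balance: int = 1000      # Rs.; balances at or below this are not flagged
    auditor_stratum: int = 5000  # Rs.; flagged balances above this also notify the auditor

# Constructed sample: (account, balance Rs., loan threshold Rs., confirmed problem on follow-up?)
ACCOUNTS = [
    ("A-01", 900, 600, True),
    ("A-02", 1500, 1000, False),
    ("A-03", 1800, 1400, True),
    ("A-04", 2600, 2000, True),
    ("A-05", 2400, 2100, False),
    ("A-06", 5200, 4000, False),
    ("A-07", 6500, 5000, True),
    ("A-08", 700, 690, False),
]

def is_flagged(balance, threshold, p):
    # Integer arithmetic avoids rounding surprises at the 20 percent boundary.
    over_threshold = balance * 100 > threshold * (100 + p.excess_pct)
    return over_threshold and balance > p.min_balance

def evaluate(accounts, p):
    """Run the rule over one nightly extract and classify each outcome."""
    result = {"alarms": [], "false_pos": [], "false_neg": [], "notify_auditor": []}
    for acct, balance, threshold, problem in accounts:
        if is_flagged(balance, threshold, p):
            result["alarms"].append(acct)
            if not problem:
                result["false_pos"].append(acct)   # flagged, but the account was fine
            if balance > p.auditor_stratum:
                result["notify_auditor"].append(acct)
        elif problem:
            result["false_neg"].append(acct)       # a real problem the rule ignored
    return result

if __name__ == "__main__":
    for floor in (1000, 2000):
        r = evaluate(ACCOUNTS, RuleParams(min_balance=floor))
        print(f"min_balance=Rs. {floor}: alarms={len(r['alarms'])} "
              f"false_pos={r['false_pos']} false_neg={r['false_neg']} "
              f"notify_auditor={r['notify_auditor']}")
```

Re-running the same evaluation whenever a parameter is changed gives the continuous audit manager a before-and-after count of follow-up workload and missed items for that change.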
5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both ― usually the alarm is sent to the process manager, the manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed, need to be addressed when establishing the continuous audit process.
Additional follow-up procedures that should be performed as part of the continuous audit activity include reconciling the alarm prior to following up by looking at alternate sources of data and waiting for similar alarms to occur before following up or performing established escalation guidelines. For instance, the person receiving the alarm might wait to follow up on the issue if the alarm is purely educational (i.e., the alarm verifies compliance but has no adverse economic implications), there are no resources available for evaluation, or the area identified is a low benefit area that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent. For instance, if multiple system alarms are issued and distributed to several auditees, it is crucial that steps 1-5 take place prior to the communication exchange and that detailed guidelines for individual factor considerations exist. In addition, the development and implementation of communication guidelines and follow-up procedures must consider the risk of collusion. Much of the work on fraud indicates that the majority of fraud is collusive and can be performed by an internal or external party. For example, in the case of dormant accounts, both the clerk that moves money and the manager that receives the follow-up money may be in collusion since the manager's key may have to be used for certain transactions.
Besides the six steps described in the previous section, two additional issues that emerge when implementing continuous auditing are the infrastructure needed for the process to work and its impact on the workplace.
Because continuous auditing is a part of the company's audit function, it must be kept independent of management. Therefore, during the planning stages, auditors need to keep in mind the process' independence when designing its structure. For instance, a typical internal audit department is structured so that areas of the department focus on different cycles or business activities. In addition, the department may be divided into financial and IT audit functions.
Sometimes, however, IT audit activities are incorporated as part of existing IT operations. In organizations such as these, the development of continuous auditing is usually delayed because the activity may not get the necessary development priority. Regardless of whether IT audit activities are part of the organization's IT or internal audit department, the organization must maintain the process' independence as well as allocate resources in support of continuous audit activities.
Impact on Personnel
In addition, the audit manager in charge of the continuous audit process should have a more technical understanding of IT as well as extensive experience with the activities being audited. However, hiring, training, and retaining auditors who can implement and monitor continuous audit activities might be challenging due to the scarcity of internal auditors with knowledge in the area. Furthermore, the continuous audit process might create a daily stream of issues that need to be resolved, which might prove stressful given current personnel resources, and might require the continuous audit manager to exert adequate authority in moments of exceptions.
While more organizations are progressively implementing continuous auditing ― and, along the way, improving the quality of the data gathered during each audit ― auditors and managers that are looking to implement a continuous audit approach need to be willing to move beyond their traditional yearly audit activities. Although not a lot of guidance exists today about the best ways to implement a continuous audit process, as with any major change, the evolution toward continuous auditing will take time and substantial attention from senior management.