Continous auditing vs traditional slide share
Download as PPTX, PDF0 likes997 views
The document discusses a shift from traditional problem-focused audits to a continuous, solution-focused audit approach aimed at control improvement, utilizing data analytics and exception reporting. It outlines the process of implementing continuous audits, which includes prioritizing tasks, documenting processes and risks, and validating control operations to ensure effectiveness. The goal is to enhance control designs iteratively to achieve desired outcomes more efficiently.
Continous auditing vs traditional slide share
- 1. Shifting from a Traditional Problem Based Audit Approach to a Continuous Audit Approach Focused on Control Improvement 2/13/20151 Advantages of
- 2. Key Differences in Outcomes 2/13/20152 Traditional – Problem Focused Continuous – Solution Focused Covera ge 2014 / 2015 – (?) Program and (?) Process projects. (? FTE) Once implemented, all priorities on a continuous basis plus 1 or 2 focused audit projects. (? FTE) Controls Ad-hoc, informal, great variation by auditee. Formal design. Key risks and process elements addressed; consistently performed. Audit Project Mainly non-repetitive requiring significant time to plan (30%) and report (30%). Highly subjective in content and approach. Mainly continuous behind the scenes. Rapid exception reporting based on reasonable criteria established by auditee. Also includes the heavy use of data analytics and algorithms. Auditee High degree of frustration due to auditor subjectivity of criteria, scope, and performance expectations. High involvement in defining design of controls, test criteria. Stake- Audits may not be providing assurance where needed the Provides direct assurance on design and effectiveness of controls that relate
- 3. Traditional Audit Project Time Allocation 2/13/20153 Audit Phase Percentage of Time 1. Planning • Approval, notification, scoping, entrance conference, information request, risk assessment, & procedure design 25% - 30% 2. Fieldwork • Execute plan, status reports as needed, & discuss findings 35% - 50% 3. Reporting • Draft report, exit conference, management response, final report, & issuance. 20% - 30% 4. Closeout / follow-up • Ensure action plans are addressed. 5%
- 4. CORE ACTIVITIES ARE: • A group of tasks that produce output • Specific enough to be actionable Control Input Consumables Output Uncontrollables & Environment •Work products •Measures of Quality •Timeliness •Reporting •Outside Funding •Resource Time •IT Resources & Capacity •Applications •Work Orders •Information System •Executive Oversight •Designed Processes Continuous Approach Seeks to Raise Confidence of Achieving Desired Outcome 2/13/20154 Time through work function
- 5. Continuous Auditing Focus is on Iterative Improvements to the Design of Controls to Reasonably Achieve Prioritized Objectives 2/13/20155 Select Priority Elements Document Processes Define Risks Document Controls Assess Design Validate Operation Report High Effort First Year
- 6. 1. Select Priority Elements 2/13/20156 Prioritize what to do first. Entity wide High Impact / low level of effort / easy wins Consider significance to external reporting / mission Next – prototype a process element. Focus on only a few common controls consistent with most processes. Next – roll-out to key processes.
- 7. Example of Priority Elements 2/13/20157 Key stakeholders consistently receive timely, accurate, complete, and compelling information. The organization satisfies the customer by delivering timely and cost effective services.
- 8. Example Roll Out 2/13/20158 Cumulative Number of Controls / Implementation Status Process Year 1 Year 2 Year 3 Entity level / cross-cutting 10 10 10 First tier process cycles Information Technology 10 25 30 Financial Reporting 5 10 10 Loan Application to Close Start Refine Mature Requisition to Payment Start Refine Mature Second tier process cycles Entity Only Start Refine Third tier process cycles No Activity Start Refine
- 9. 2. Document Processes 2/13/20159 Document transaction flows that affect major elements. e.g. Expense requisition to payment execution Order to cash Key business reporting
- 10. 3. Define Risks 2/13/201510 What are the risks that can impact the achievement of the priority elements?
- 11. 4. Document Controls 2/13/201511 It is better to have a few consistently well performed controls than a number of haphazardly performed controls. Controls need owners. Include a mixture of control types. Preventative, at the source of the risk, preventative (input validations, approvals, sequential doc numbers) Detective, (review, mgmt. reports) Corrective, (action item logs, f/u reviews)
- 12. 5. Assess Control Design 2/13/201512 Is the control robust to address multiple risks? Is the documentation clear with respect to when, where, how, and what is to be executed? Is the execution of the control easily testable by a tester include with what constitutes ineffective performance?
- 13. 6. Validate Operation 2/13/201513 Test control execution on a periodic basis. Frequency and sample size based on: Newness of control Complexity of control Historical errors Risk of the underlying element(s)
- 14. 7. Report 2/13/201514 Live / Real time dashboard reporting Snapshots taken quarterly and distributed to stakeholders. Effectiveness reviews - issues distributed to owners immediately following control tests to be evaluated and / or addressed. Design reviews – performed on an annual basis. Consideration to increase control robustness determined iterative basis.