Building continuous auditing capabilities
2 likes1,733 views
The document discusses continuous auditing (CA) as a method for auditors to conduct ongoing audit activities, leveraging computer-assisted audit techniques (CAATs) and data analytics (DA) to improve efficiency and assess risk management. It outlines a systematic data analysis cycle for planning, executing, and reporting audit results, emphasizing the importance of building CA capabilities through skilled personnel, necessary technology, and effective communication. Additionally, it addresses challenges related to data quality, privacy, and required investment in technology for successful CA implementation.
Building continuous auditing capabilities
- 1. CONTINUOUS AUDITING INTERNAL AUDIT TOOLS & TECHNIQUES Building Continuous Auditing (CA) Capabilities
- 2. Definitions Computer Assisted Audit Techniques (CAATs): any automated audit technique that relate to generalized audit software, test data, generators, integrated test facilities, computerized audit programs, and specialized audit and system software utilities. Data Analytics (DA): processes and activities designed to obtain and evaluate data to extract useful information. The results of DA may be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; and influence business decisions. Data Analysis Cycle: systematic approach to obtain data, perform analysis and report results Planning Data Access Integrity Verification Data Analysis Reporting Results
- 3. Internal audit identifies and designs CAATs as part of internal audit projects: 1. Planning: identify data required for the audit tests. 2. Fieldwork: Get access to and extract data from various resources Develop the Data Analytics (DA) using different tools (e.g. MS Excel, Access, SQL Plus, ACL) Perform data analysis using DA 3. Reporting: generate exception reports, document results and report findings. Audit team will identify CAATs used in conjunction with datasets and process steps to generate the exception reports can be used in future audits …. Planning Data Access Verify Integrity Data Analysis Reporting Results Planning Fieldwork Reporting Audit Closing Continuous Auditing Continuous Auditing Audit Project Phases Data Analysis Cycle: CAATs to Continuous Auditing (CA)
- 4. Increasing... Audit quality and consistency % of controls automated % of controls tested Adherence to organization policies Decreasing... Audit and compliance costs Time spent testing controls # of audit findings Continuous Auditing (CA) Continuous Auditing (CA): method used by auditors to perform audit-related activities on a more frequent basis. It changes the audit approach from periodic reviews of sample transactions to ongoing audit testing of 100%. Increase efficiency of audit processes in assessing the effectiveness of risk management and add value to the organization. WORK SMARTER!
- 5. Example CA Opportunities IT Systems Security Controls Automated monitoring of IT internal controls in accordance with IS Policies Detect, remediate, and prevent segregation of duties conflicts and inappropriate access to sensitive transactions Track user activity within and across ERP and legacy systems Conduct “what if” analyses to determine the impact of access control changes Automated access control certification process Banking Review capital ratio adequacy and compliance to Basel II accord Abnormal activities in dormant accounts Overdraft facilities for retail customers Defaulted/blacklisted customers Compliance with anti-money laundering regulations Aviation Monitor percentage of tickets refunds Incentive sales per agents Trend analysis for free tickets usage Employee rostering patterns Monitor wastage in catering
- 6. Example CA Opportunities Inventory Controls Stock-out on shelves High level of inventory Non-moving inventory items Rate/pricelist to invoicing Level of discounts Terms of invoicing Ageing of debtors Sales and receivables Accounts Payable Three way match Changes to payment terms Match payee with bank account details Inventory controls Track payments to different vendor addresses Compare address details and invoice address details Vendor & Contractor Management Compare approved contract spending vs. actual expenditures Track contractor payments vs. submitted expenses Identify duplicate vendors and/or duplicate vendor payments Match vendor information against employee information to ensure policy compliance Monitor changes to vendor or contractor master records that may indicate fraud Compare vendors and contractors against approved contractors list and send alerts to protect against violation Payroll and benefits Compensation and Benefits Structure Financial and Non-financial Compensation to employees Monitor allowances and advances paid to employees
- 7. Building CA CapabilitiesPeople • Management Support • Team with the right skill set • Education and training Process • Establish process to identify and build CA Library • Educate users on the use of the process • Review and refine the CA scripts Technology • Getting the data e.g. connectivity, extraction • Developing scripts and exception reports • Automating scripts • Archiving results and datasets Building Continuous Auditing (CA) is an change management effort. Successful implementation requires:
- 8. Building CA Capabilities - People Management Support – support from business management. Communication between internal audit and business management is necessary to get the data, communicate results and improve control environment. Build Dedicated Team – team should have the right blend of expertise to create and support the daily operations, skill sets required: Technical skills: Data – database, data extraction, data archiving Script writing – writing audit test logic using technical tools or programming languages e.g. ACL scripting, Visual Basic, Excel Macros. Automation – setup the running of the CA scripts on periodic basis, automate the exception report generation Business Knowledge – understanding business processes and transactions. They can help while developing CA scripts, evaluating the results and refining CA for future runs. Basic Users – can write simple CA scripts as part of audit project. Can re-run the created CA scripts to on different datasets (manual). Education and Training – invest in training people, acquiring the right skill-set, understanding new technologies and building a strong business acumen.
- 9. Building CA Capabilities - Process 1. Identify CA Opportunities 2. Develop CA reports 3. Execute CA reports 4. Communicate CA Results 5. Review & improve CA reports Continuous Auditing Repository Objective : Build and maintain a central repository of continuous auditing scripts. 1. Identify CA Opportunities either from audit projects or on ad-hoc basis 2. Develop CA reports – convert the CAAT/DA script to automated script and schedule to run on periodic basis e.g. Quarterly. 3. Execute CA Reports - the script will run automatically and produce exception reports. 4. Communicate CA Results - to business management to investigate and solve the exceptions. 5. Review & Improve – review results and trends of exceptions, use to refine the test scripts or introduce new one.
- 10. Technical Layer (Data connection and extraction e.g. ODBC, SQL scripts, flat files from various systems CA Reporting Engine Data Analysis Projects Report Generation Procedures/Steps Exception Reports Building CA Capabilities - Technology Application 1 Application 2 Application n Objective : Build a technology solution that will support the Continuous Auditing operations. 1.Technical Layer – establish connectivity to different application databases. Create and run data extraction queries, index and archive the data. 2. CA Reporting Engine – schedule the CA reports run on periodic basis e.g. monthly, quarterly. Execution of scripts result in exception reports. Saving exceptions in database to provide trend- analysis.
- 11. 1. Level of Business Process Automation – depends highly on the level of automation for business processes, the availability of data, and the ease of accessing data and extracting it from system(s) especially from off-the-shelve and legacy systems. 2. Data Quality – the quality of data affects the quality/accuracy of test results. Special consideration required when CA script running on data from different systems or legacy systems. 3. Data Volume – increased data volume will increase load on CA automation tools/server and can affect the storage and archiving capacity. Performance might deteriorate in the absence of proper capacity planning. 4. Staff Competency – recruiting the right talent and ensuring they are provided with rewarding career paths. Retaining knowledge in case of staff leaving the organization. 5. Data Privacy Concerns – number of data privacy laws must be considered when developing and running CA scripts. Assessment should be made at planning stage to ensure the data will be handled as appropriate. 6. Technology Costs – CA require investment in technology , establishing processes and training people. Management has to see the benefits in order to invest in CA solutions. CA Implementation Challenges
- 12. References Audit Standards/Guidelines: “G3 Use of CAATs” IT Audit and Assurance Guideline. 2010 ISACA. “G42 continuous assurance”, IT Audit and Assurance Guideline, 2010 ISACA. IPPF - Practice Guide “Data Analysis Technologies “, 2011, The Institute of Internal Auditors . IPPF - Practice Guide “Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment”, 2005, The Institute of Internal Auditors. Journal Articles/White Papers: “Data Analytics – A Practical Approach” ISACA White Paper , August 2011 S. Sarva, "Continuous Auditing Through Leveraging Technology“ ISACA Journal Online, 2006 Online: www.acl.com