29
Continuous Auditing Tianli Xie July 3 rd , 2011 Section 1
Continuous Auditing
Tianli Xie
July 3rd, 2011
Section 1
What is Continuous Auditing (CA)?
ISACA: “the collection of audit evidence, by an auditor, on systems and transactions, on a continuous basis through a period”
External Auditors: electronic audit evidence gathering process to render an opinion on fair presentation of financial statements (Rezaee et al)
Internal Auditors: process to evaluate business processes and assess management’s monitoring process of the control and disclosure environment (Rezaee et al)
Continuous Monitoring (CM)
A tool for management
Automatic and continuous monitoring of:
◦ compliance of business processes and transactions against company rules, policies and objectives
◦ effectiveness of internal controls
Some techniques/procedures are similar
CA and CM complement each other
CA’s advantages over traditional external auditing
CCM
• continuous control monitoring
• monitors the internal control effectiveness
• verifies the programming code of the controls retrieved in read-only format against appropriate benchmark to see whether it is actually achieving its purpose
CDA
• continuous data assurance
• attests information system data integrity
• 1st level filter: transaction verification • 2nd level filter: analytical procedures on transactional level
CRMA
• continuous risk monitoring and assessment • assesses risks to provide input for audit planning• collects real time inputs relating to change in environment to
generate a new risk profile• change the CCM and CDA software and techniques and the
audit plan accordingly
Traditional
Purchase Listing
Item A $5,000
Item B $5,000 DL
Programming code:
@IF( SERV_YEARS >= 5 .AND. DAYS_ABSENT_ACTUAL <= 30, 0.2* MON_SAL_DOLLAR )
CA
CCM
• continuous control monitoring
• monitors the internal control effectiveness
• verifies the programming code of the controls retrieved in read-only format against appropriate benchmark to see whether it is actually achieving its purpose
CDA
• continuous data assurance
• attests information system data integrity
• 1st level filter: transaction verification • 2nd level filter: analytical procedures on transactional level
CRMA
• continuous risk monitoring and assessment • assesses risks to provide input for audit planning• collects real time inputs relating to change in environment to
generate a new risk profile• change the CCM and CDA software and techniques and the
audit plan accordingly
Traditional audit
Manual procedures
Annual audit
Annual option
trend, regression and ratio analytics
Sample testing
Continuous Audit
Automated procedures
Frequent to real time audit
Evergreen/on demand opinion
regression, classification, association and clustering analytics
100% population
Cost reduction
Traditional audit
Manual procedures
Annual audit
Annual option
trend, regression and ratio analytics
Sample testing
Continuous Audit
Automated procedures
Frequent to real time audit
Evergreen/on demand opinion
regression, classification, association and clustering analytics
100% population
Cost reduction
Traditional audit
Manual procedures
Annual audit
Annual option
trend, regression and ratio analytics
Sample testing
Continuous Audit
Automated procedures
Frequent to real time audit
Evergreen/on demand opinion
regression, classification, association and clustering analytics
100% population
Cost reduction
Traditional audit
Manual procedures
Annual audit
Annual option
trend, regression and ratio analytics
Sample testing
Continuous Audit
Automated procedures
Frequent to real time audit
Evergreen/on demand opinion
regression, classification, association and clustering analytics
100% population
Cost reduction
Traditional audit
Manual procedures
Annual audit
Annual option
trend, regression and ratio analytics
Sample testing
Continuous Audit
Automated procedures
Frequent to real time audit
Evergreen/on demand opinion
regression, classification, association and clustering analytics
100% population
Cost reduction
Traditional audit
Manual procedures
Annual audit
Annual option
trend, regression and ratio analytics
Sample testing
Continuous Audit
Automated procedures
Frequent to real time audit
Evergreen/on demand opinion
regression, classification, association and clustering analytics
100% population
Cost reduction
Demand for CA
SOX
Growing complexity of business transactions
Trend towards continuous reporting (ie. MD&A, XBRL)
Wide adoption of ERP systems and data warehouses
More responsibilities for fraud detection
Demand for CA
CA Implementation
1. Business case
cost benefit analysis
Hard to justify using ROI alone
Recommended to develop specific cases where CA is value adding and cost saving
2. Client Pre-requisite
Good control environment
Good data integrity
Understanding of company system and controls in place
Senior executive and BOD support
3. Adoption Strategy prioritize the risk areas under each
business process◦ ROI, degree of risk and costs and benefits
start with a less complex, high return and low cost project
quick realization of benefits gain support
4. Planning scope and objectives resources and timeline roles and responsibilities
5. Design and implementation
establish the business rules, controls and analytical procedure benchmarks
frequency of testing
follow up procedures
6. Monitoring and communication
results and benefits reported to stakeholders
CA software
Barriers to CA
Barriers to CA
Cost constraint
Hard to demonstrate benefits using ROI
Lack of system integration (decentralized)
Lack of data integrity and control environment
Staff resistance
Current CA adoption and future outlook
