Written to help auditors jump start their organization's near-real-time financial data monitoring and sharing capabilities, Harnessing the Power of Continuous Auditing provides step-by-step instruction on how to build, market, implement, and manage a successful continuous auditing program. Taking concept to reality, author and internal audit expert Robert L. Mainardi presents auditors, company executives, business unit managers, practitioners, and consultants with a complete road map to continuous auditing, from start to finish. Beginning with a thorough definition of the subject, Mainardi debunks the various myths surrounding the process, including the most common misperception that the internal audit department must have the corresponding automated technology to support it, and includes numerous documented proven techniques and instructions for more effective SOX work. A vital tool to enhance the auditor's skills and abilities, Harnessing the Power of Continuous Auditing's exhaustive coverage includes:
* The definition of continuous auditing
* Where to begin
* Methodology development
* Preparing for continuous auditing
* Root cause analysis
* Action plans
* Problem-solving tools
* Lessons learned
* Selling continuous auditing
* Conditions and challenges
This all-in-one handbook of practical execution provides much-needed, accessible guidance on everything business professionals need to know to conduct and implement a successful continuous audit in their organizations.
Page count: 471
Year of publication: 2011
Contents
Cover
Title Page
Copyright
Dedication
Preface
Acknowledgments
Chapter 1: Defining Continuous Auditing
The Real Definition
Differentiating Continuous Auditing
Segregating Continuous Auditing and Control Testing
Continuous Auditing Objectives
Dispelling the Continuous Auditing Myths
Summary
Chapter 2: Where to Begin
Recognize the Need
Potential Need/Fit Considerations
Client Relationship Score
Summary
Chapter 3: Continuous Auditing Methodology Development
Continuous Auditing Methodology
Methodology Requirements
Summary
Chapter 4: Preparing for a Continuous Audit
Building the Business Knowledge
Developing Business Knowledge
Understanding the Rules
Identifying Technology
Summary
Chapter 5: Continuous Auditing: Foundation Phase
Target Area
Testing Objectives
Frequency
Testing Technique
Summary
Chapter 6: Continuous Auditing: Approach Phase
Approach Phase
Scope
Volumes
Sampling
Testing Criteria and Attributes
Technology
Summary
Chapter 7: Continuous Auditing: Execution Phase
Execution Phase
Performance
Exception Identification
Summarizing Results
Summary
Chapter 8: Root Cause Analysis
Root Cause
Root Cause Defined
Team Understanding
Do I Need to Find Root Cause?
Root Cause “Why” Approach
Root Cause Keys
Summary
Chapter 9: Continuous Auditing Reporting and Next Steps
Reporting and Next Steps
Reporting Options
Advantages and Disadvantages of Report Type
Reporting Options Summary
Five-Component Approach
Next Steps
Summary
Chapter 10: Action Plans
Action Plans
Addressing Root Cause
Creating the Perfect Action
Components of a Real Action Plan
Action Plan Tracking
Summary
Chapter 11: Continuous Auditing Conditions
Conditions
Business Unit Management Conditions
Internal Audit Conditions
Technology Conditions
Summary
Chapter 12: Selling Continuous Auditing
Selling
Business Unit Management
Audit Team
External Clients
Summary
Chapter 13: Continuous Auditing Challenges
Challenges
Internal Audit Department
Client
Summary
Chapter 14: Continuous Auditing Uses and Users
Uses and Users
Uses
Users
Summary
Chapter 15: Continuous Auditing Lessons Learned
Lessons Learned
Developing Technique
Effective Concept
Lessons Learned Template
Summary
Appendix: Continuous Auditing Guidance
Audit Observations
Internal Audit Department: Status of Action Items
Continuous Auditing Methodology Template
Internal Audit Department: Lessons Learned (Suggested Questions)
Continuous Auditing Program Example: Account Reconciliations
About the Author
Index
Copyright © 2011 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Mainardi, Robert L., 1964—
Harnessing the power of continuous auditing : developing and implementing a practical methodology / Robert L. Mainardi.
p. cm. – (Wiley corporate F&A series)
Includes index.
ISBN 978-0-470-63769-2 (hardback); ISBN 978-1-1180-0700-6 (ebk); ISBN 978-1-1180-0701-3 (ebk); ISBN 978-1-1180-0702-0 (ebk)
1. Auditing, Internal. I. Title.
HF5668.25.M35 2011
657'.458–dc22
2010037965
To my father, Angelo Michael Mainardi, who continues to inspire me as he
watches over me, and to my mother, Lucy, who impresses me more every day.
Preface
Continuous auditing has been around for quite some time, but there has always been an active discussion regarding its true definition and how to effectively incorporate the targeted testing methodology into an existing audit department. The other challenge that internal audit departments face is to differentiate continuous monitoring from continuous auditing. Although there does not appear to be a significant difference between the two, the one thing that remains constant is that a monitoring approach will not provide any control validation.
There is always a risk that audit departments, in an effort to implement a more streamlined testing approach, will rush through critical development and implementation phases of the continuous auditing methodology. It is critically important that each department takes the necessary time to understand the objectives of the approach, adequately plan and document its own methodology, and facilitate the communication of the methodology to its own team and business partners. The development of the continuous auditing methodology is time consuming and requires adequate planning and resources. However, this up-front investment will pay off significantly as the methodology is implemented.
This book addresses many misconceptions about continuous auditing; none is more significant than the belief that in order to implement continuous auditing successfully, the internal audit department must be supported by an automated technology. This could not be further from the truth. Continuous auditing programs are being executed daily without any technology at all. The true key to a successful continuous auditing implementation is not the type of technology solution used but the detailed, documented continuous auditing methodology that you have developed to support your existing risk-based audit approach.
This book defines the continuous auditing methodology and provides a practical, step-by-step guide on how to define, develop, communicate, implement, manage, and maintain the approach. The objective of the book is to ensure that any reader—whether auditor, company executive, business unit manager, practitioner, consultant, or any other business professional interested in a target approach to evaluating the effectiveness of critical controls—can clearly understand and successfully create and implement his or her own continuous auditing methodology.
Chapter 1 provides a clear definition of continuous auditing that is used as a foundation for the rest of the book.
Chapter 2 helps you identify how continuous auditing can be integrated into your existing methodology with a need and fit questionnaire encompassing five specific questions to ensure that a benefit will be realized once the continuous auditing methodology is developed and implemented.
Chapter 3 discusses the requirements of the critical fields that are required and should be included in the formal continuous auditing methodology document and provides a suggested format.
Chapter 4 outlines the specifics of preparing to perform a continuous auditing program. This is accomplished by detailing the requirements of developing the business knowledge, understanding the specific business process rules, and identifying the technology. Each one of these topics is required to execute the corresponding work program successfully.
Chapters 5, 6, and 7 provide the individual continuous auditing methodology requirements for the three phases: (1) foundation, (2) approach, and (3) execution. Each chapter defines each phase and its purpose and specifies the particular deliverables needed to document the continuous auditing methodology properly.
Chapters 8, 9, and 10 address the continuous auditing methodology reporting requirements. They encompass the critical need for root cause analysis (Chapter 8), the suggested report format and documentation requirements (Chapter 9), and the definition of real action (Chapter 10) that must be obtained to address the opportunities for improvement identified during the execution phase of the continuous auditing methodology.
Chapter 11 focuses on the business unit management, internal audit, and technology conditions that provide guidance and assistance during the development, implementation, and management of the continuous auditing methodology.
Chapter 12 discusses the selling of the continuous auditing methodology to the business unit client and to the internal audit department staff. Although the method is not the same as a full-scope audit, it is necessary for internal audit to understand and be able to appropriately articulate the continuous auditing methodology to all parties involved.
Chapters 13 and 14 provide guidance in recognizing the challenges of implementing the custom methodology and its specific potential uses.
Chapter 15 provides a tool that can be utilized to evaluate and record the successes and opportunities for improvements in planning, testing, executing, and reporting on the continuous auditing methodology.
The Appendix provides a detailed example of a successful continuous auditing methodology as well as all the templates mentioned throughout the book.
Acknowledgments
Throughout the book development and writing process, I had tremendous support from many people. I want to say thank you to everyone who waited patiently and tolerated my unavailability from the concept phase up to and including the final revisions.
First, I owe special thanks to my son, Robert, and my daughter, Gabrielle, for all of their sacrifices during the creation of this book. Because of their understanding, I was able to focus and dedicate all of my time and effort to writing. You are both amazing, and I could not be any more proud to say that I am your father.
Thanks to Marilyn for taking care of everything while I worked on developing this book. You provided the support that made it possible for me to concentrate solely on writing during each free moment. I appreciate everything that you did and singlehandedly addressed over this long process.
Thanks to my brothers Jerry, Michael, and Stephen: Jerry for being my own personal technology help desk; Michael for being my constant supporter and motivator; and Stephen for always making me laugh when I needed it. You guys are the best brothers on the planet.
Thanks to Barumbi for the inspiration and support during this creation. I look forward to working with you long into the future. Your unique insight and skills should be shared. I look forward to seeing you often.
Thanks to my best friend, Lieutenant Colonel Henry “Pat” Campbell. You have been by my side since Penn State, and I know that I can always count on you and Laura for support or anything I could ever need. Always remember Filet, Tom Z, Kevin “Ice” Anderson, and laughing until it hurts. I want to also say thank you again for your 21 years of service in the U.S. Air Force. You are a true hero, and I want you to know how much I appreciate all you have done and that you inspire not only me but also everyone you meet.
Thanks to my two financial gurus, John “Sma Sma Smitty” Smith and Donna Whiteley. I appreciate everything that you do for me on a daily basis. Your efforts do not go unnoticed.
Thanks to two of the best people I ever hired, Stephanie Jones and Victoria Robinson. I appreciate your effort, team dedication, and willingness to follow me on new adventures at different companies. We created great work environments, produced valuable audits, and built great relationships. Your creativeness and ingenuity regarding the audit process have helped shape the initial creation of this continuous auditing methodology.
Thanks to Ken Frantzen for helping me get through all of those painful Monday morning staff meetings. Our five years together were such an adventure. I appreciate your patience and willingness to always listen. Ken, I finally made it to the “big boy” table.
Thanks to Dino and Scott Borghi at Borghi's Restaurant for always taking care of me, my clients, family, and friends. Your food, dedication to excellence, superior service, and making everyone (especially me) feel like family are just a few reasons for your success.
Thanks to my business partners over the years. Although I may have forgotten some, this list includes: Suzanne Barron, Jill Benson, Lina Borrelli, Tom Cassidy, Kristi Coombs, Arnaldo Diaz, Ken Ebbage, Cynthia Fetterman, Todd Freeman, Jorge Green, John Hall, Denise Johnson, Susan Panzer, Jimmy Parker, Vinit Rajpara, Bruce Rice, Cyndi Summers, and John Wisz.
Thanks to all my former audit team members over the years. I am sure I have forgotten a few names, but the list includes: William Baugh, Robin Benns, Bob Campbell, Lisa Chadwick, Andrew Cooper, Jayne Cravens, Jeff “Hefe” Croasmun, Lou DiGiovine, Cari DeRose, Sam “Pooh Bear” Dungee, Mike Eyre, James Huff, Denise Joyce, Alton Knight, Eric Kramer, Ola Laniya, Tomeka Lee, Cara McWilliams, Ed Merenda, Jim Mullin, Christopher Nace, Jason Pandolfo, Eric Pettis, Jack Rockenbach, Frank Satterthwaite, Deborah Sullivan, Crystal Tucker, Jennifer Valentine, and Dwayne Weldon.
Thanks to Erin and Cathy at Catarinas for always fitting me in and taking care of me; and to Maria Martin at Unique Images for taking a great picture.
Chapter 1
Defining Continuous Auditing
The Real Definition
One of the significant challenges facing internal audit, control specialists, enterprise risk management teams, and business managers all over the world is being able to understand what continuous auditing is and how the approach can be used effectively. As you read through this book, keep in mind that continuous auditing has been around for decades. As I travel and speak around the world on this topic, I have found each individual team, department, or company has its own definition of what it believes the approach represents and how to maximize its value. So let us start off this educational process by establishing a clear-cut definition of continuous auditing and understanding the characteristics that make it a unique tool. The definition will be broken down into two distinct parts: (1) the formal “book” definition for personnel familiar with the audit profession and (2) the “nonaudit” definition for clients to clearly understand the objective of the approach.
Continuous auditing is one of the many tools used within the internal audit profession to provide reasonable assurance that the control structure surrounding the operational environment is:
Suitably designed
Established
Operating as intended
Before discussing these three components, it is important to immediately identify a clarification regarding the definition. The assurance regarding the support structure of the operational environment is provided only for the specific controls selected during the development of the continuous audit. This is a critical distinction that must be understood by both the group using this approach and the client who is partnering in the effort. The continuous audit is not concluding on the total control environment for the process selected but only for the selected controls being reviewed. Time and time again, I have witnessed clients who receive results of a continuous audit (which was appropriately focused on a specific control) and then extrapolate the results of the control testing across the entire operation or control environment. It is not possible to use the results of a continuous audit to provide validation of an entire operation. Let's discuss the three critical components of the definition.
Suitably Designed
Auditors and control experts use the term “suitably designed” constantly when discussing control testing, but does everyone using the term truly understand what it means? When considering whether a process or control is suitably designed, you must be able to examine the supporting process documentation or clearly written policies and procedures. In the examination of the information, you should be able to identify the process flow, checkpoints, and required reviews necessary to ensure the process flows along its desired path. “Suitably designed” also implies there are documented policies and procedures detailing this process flow. These procedures should be examined to determine a sufficient level of documentation. In making this determination, a reasonableness test is applied that basically asks whether a reasonable person, without intimate knowledge of the area, would be able to follow the process and execute the tasks required. As anyone does when looking for sufficient evidence, examine the procedures and consider if there is enough detail included to perform the work. One of the difficult aspects of reviewing policies and procedures is that well over 50 percent of the time the documentation is out of date. In this situation, the reviewer will be required to perform additional steps to determine if the process is suitably designed. Those steps could include facilitating meetings with key process personnel to gain an understanding or creating detailed process maps or flowcharts. In the end, the goal is to be able to make a conclusion, based on examined information, that the process has been suitably designed.
Another component to consider when discussing design is the application and use of controls. In the review of the process documentation, there should be evidence of specific control activity. In other words, can you identify control points in the process where information is validated, reviewed, and/or approved before moving to the next critical step in the process? Control identification is critical in continuous auditing because, as you will learn in Chapters 5, 6, and 7, the “key” controls are going to be the ones selected to test using the continuous methodology. To simplify the key control concept, this type of control holds the process together tightly in an effort to ensure that the desired outcome is achieved as long as the process does not deviate from the established design. To further the explanation, consider that if this type of control fails, one of two things will happen: Either the process will come to a complete stop or the process's final result will be incorrect. Controls govern the flow of information and provide assurances to protect the outcome.
Additionally, a truly suitably designed process will include parameter requirements, established reporting, and a timely deliverable. Parameter requirements establish an upper and lower control limit. Every single control in every business process has control limits. Control limits provide the minimum (lower) and maximum (upper) range of acceptable performance. These limits communicate the range in which the business unit team must perform their assigned responsibilities. Without specific limits, there would be no way to determine whether the process was operating efficiently and effectively. As an example, when the accounts payable manager says that all expense reports submitted will be processed and submitted for payment within one to three days of being received, he is providing the control limits for expense report processing. That range of one to three days provides the control limits or standard for receiving, reviewing, and approving an expense report for payment. Each suitably designed process will have these control limits to provide accountability and guidance for the team. Without control limits, there would be no accountability for performance, which would make it almost impossible to audit with a standard for comparison.
Once the limits have been identified, examine the design of the process to determine if there are any reports generated to measure the process against the standard. In a suitably designed process, reports will be created that detail the effectiveness of the control environment to meet the standard created in the policies and procedures. These reports will also help in developing a focus for potential continuous auditing tests. The timely component mentioned earlier ties to both the reporting and the delivery of the end product. Having reporting as part of the process design is a must, but it won't help the business quickly identify potential problems or create solutions if it is not timely. If the process being considered processes items multiple times a day, every day, receiving performance reports on a monthly basis will not be very valuable. The same can be said about a daily process that just cannot meet the daily demand. If a process does not have timely reporting or cannot deliver a timely product, usually the design is flawed, not the personnel supporting the effort. You have to consider all of these factors when identifying a target area that would be suitable for a continuous audit.
Established
The next consideration after determining whether something is suitably designed is determining whether the controlled process is established. This verification may seem simple but it is mission critical in the preparation stage of developing a value-added continuous audit process. When trying to identify if a control structure is established, you need to verify that the process described in the policies and procedures or documented in the work flow is the actual process in place today. Too often a business unit has detailed policies and procedures that are not representative of the day-to-day operational process. The documentation of the current process is considered a low priority for the business unit due to their daily responsibilities taking precedence over the scripting of their activities. If the controlled process does not agree with the documented process requirements, identifying the control points that should be tested as part of a continuous audit is very difficult.
When presented with the scenario of the actual business process not agreeing with the policies and procedures, it will be necessary to understand and document the current process flow before attempting to develop an approach for continuous auditing. It is not that you would be unable to create a continuous audit without knowing the process was established; why would you want to test or verify a process control that is no longer critical or even applicable to the actual business process being executed on a daily basis? For the continuous audit tool to be effective and deliver the expected value, it must be based on the current control process in place and operating today. So when you are examining a department's policies and procedures, ensure that the documented process agrees with what the staff currently is executing. Once that step has been completed, it will be easier to identify and select the critical controls that govern the process to producing its results.
Another point to consider regarding an established process is the communication of the process requirements. With the speed of business and the demands of customers increasing at an almost daily rate, it is critical to understand how business units communicate changes in the process requirements and/or control limits. Very often, processes change without a formal communication plan. Without a plan to verify that all parties are aware of the change, it is not possible to ensure compliance. Communication within a business unit impacts the processing team's ability to deliver repeatable, reliable results. Ensure that you verify how process rule changes are communicated within a team before selecting it for a continuous audit. This advance knowledge will reduce the amount of potential rework as well as the number of false positives.
Operating as Intended
The last component of the definition probably seems to be the easiest one to verify. Pretty simple question: Is the process operating as intended? What this question really is asking is, is the process creating a result? It is a yes-or-no question. It is straightforward and doesn't really require any interpretation. You must consider one simple nuance before rushing to answer what appears to be the simplest of questions. First consider this: Everyone will agree that each process, business activity, or task will produce a result. However, what the question is really asking is this: Is the process producing the expected result? After all of the activities have been completed, the question to be asked is this: Did the proper, expected deliverable occur? When a continuous audit is created according to the methodology, it will provide the data and supporting evidence to conclude on the effectiveness and efficiency of the specific controls selected for review. It will confirm or deny that the established process is producing the expected results.
It is important to have a clear understanding of the definition of continuous auditing before racing out to make your first selection. Not only is it required prior to creating your continuous auditing methodology, but it is also necessary for you and your team to have a standard definition that can be clearly explained to your clients when asked.
Differentiating Continuous Auditing
The next step in understanding continuous auditing is differentiating continuous auditing from continuous monitoring. Many business units, internal audit teams, and risk professionals believe they are performing continuous auditing when in actuality they are not. By definition, they have implemented continuous monitoring. For example, consider a business unit that has created some form of continuous monitoring mechanism that provides activity reports detailing the business process activity that the business unit owns or is trying to evaluate. The business unit begins by selecting its main process and obtaining the applicable process volumes, dollars, or man-hours. Once these figures have been compiled, they are compared to the target range or benchmark to determine whether the total number fits within an acceptable range of performance. The process of matching totals to their target or benchmark is not continuous auditing. Without performing any validation testing of the compiled data, it would not be possible to ensure that the key control or controls surrounding the process are working effectively to deliver the expected outcome. To conclude on control effectiveness confidently, testing must be performed.
Let's continue this example and turn the monitoring process described into a continuous audit process. The same report that summarized the volumes, dollars, or man-hours would be a quick reference point from which to select the area for testing. Even if all of the data indicated the process appeared to be working effectively (because all information obtained fell within the target area of acceptable performance), testing would have to be performed to validate that the data, which appears effective or efficient, belongs within the acceptable range as the report indicates. It is not possible to conclude, from a continuous audit perspective, that a process control is operating effectively without performing detailed testing on the control environment for a period of time. That is the only way the process can be proven to produce repeatable, reliable results.
Table 1.1 further illustrates the differences between continuous auditing and continuous monitoring.
Table 1.1 Continuous Auditing versus Continuous Monitoring.
| | Continuous Auditing | Continuous Monitoring |
|---|---|---|
| Responsibility | Internal audit | Business unit management |
| Definition | Methodology used by auditors to perform control validation on a recurring basis | Management process that assists in meeting its fiduciary responsibilities |
| Focus | Process that tests selected transactions or key control points based on predetermined criteria; part of the assurance process of internal audit responsibilities | Process that verifies acceptable performance based on department or industry standards; part of the ownership responsibilities of management |

Table 1.1 first identifies the process owner. It is important for all parties involved to understand and agree that management owns monitoring. Management has a responsibility to provide oversight of the process it owns. This oversight should be able to provide a status of the key process deliverables on demand. What that means is that management has the ability to produce status updates of its process at any time during the day, week, or month in which it is requested. If the information is not readily available, how does management run the operation and adjust to changes in demand, availability, or client needs when appropriate? It would seem difficult, if not impossible, to effectively manage an operation without a formal reporting process in place to support the business. If a person encounters an area without management reporting, consider whether this area is ready and willing to commit to a continuous audit. The reason for the skepticism is that without standard monitoring reports, the business owner may struggle when trying to discuss the critical controls and convey the established control limits supporting the process potentially under review. Be cautious in this situation, and be sure to communicate client expectations and the objective of the continuous audit.
Just by name alone, it would appear that internal audit owns continuous auditing. Although that is true initially, many times established continuous auditing tests are developed and executed by internal audit and then handed over to the business unit to use as part of its self-assessment process. Although it may be common for continuous auditing tests to be given over to the business unit for its use, it is very rare for the business to give internal audit one of its monitoring procedures. Any business unit can execute the continuous audit work as a proactive measure to identifying potential opportunities for improvement and trends in the workload.
Next, review the definition of continuous auditing and monitoring in Table 1.1. Monitoring is management's primary tool to meet its fiduciary responsibility for oversight of the operation. As the owner, management must maintain the quality of the process and institute checks and balances to ensure that the process is as efficient and effective as possible while meeting business, regulatory, and client demands. Management will not be successful in this endeavor without a monitoring process. One word of caution regarding business unit monitoring: For the monitoring to be effective, it must be formal. Business owners who say things like “I trust my people” or “That will never happen to me” are managing by feel and experience. That approach is dangerous and has been proven to work only for so long before something negative impacts the business. The best way to manage and monitor any process is by obtaining data and analyzing it to verify that it is complying with the process standards.
We have discussed the continuous auditing definition, but here is another summary definition, written more from a nonaudit perspective. This is the type of definition that could be provided to a potential client to explain the concept more easily:
Continuous auditing is another method to verify that the critical controls in a business unit process are working effectively.
Segregating Continuous Auditing and Control Testing
Now that we have established the definition of continuous auditing, let's further clarify the methodology by comparing it to a full-scope audit or control testing. A full-scope audit is a very foundational approach. It begins with an understanding of the area to be reviewed. From that information, a detailed process map is created. From the process map, a risk control matrix is developed to identify the process objectives, inherent and residual risks, and their corresponding likelihood and significance ratings. Control identification and effectiveness are also scored on the matrix. Once the matrix has been completed and validated with the client, internal audit will build the detailed audit program to test the control environment effectiveness. In its most basic form, the detailed steps from information gathering to execution of testing are the major components of executing a full-scope control testing review. This type of audit or review evaluates the implemented process from start to finish.
Although continuous auditing requires business knowledge, just as a full-scope audit does, it does not require any of the other major document deliverables listed above. This alternate approach does not focus on all of the controls needed to execute the process from start to finish but strategically identifies the critical controls that anchor the process. Once the key controls have been identified, they will be selected and tested to ensure that they are operating as designed. This is a streamlined approach to validate the performance of the critical controls.
The key difference between these two types of audits is that continuous auditing is a results-focused methodology that has been created to determine proper performance of a selected control. The methodology is not concerned with the ancillary controls in the process from start to finish but only with the controls identified as critical during the planning. Because it is focused on the delivery and execution of an individual control, continuous auditing is a drastically different mind-set from traditional auditing. The same selected control will be tested on a recurring basis to ensure that it produces repeatable, reliable results. The frequency of control testing is discussed in Chapter 5 as part of the foundation phase of the continuous auditing methodology.
Remember, a full-scope audit evaluates all of the control points from start to finish in a process; a continuous audit evaluates the selected controls on a recurring basis for a specified period of time. Figure 1.1 provides an illustration of this point.
Figure 1.1 Definition: Continuous Auditing versus Control Testing
Continuous Auditing Objectives
One of the most difficult tasks is to clearly articulate the objective of a process, tool, or approach. However, if you want to be successful in your efforts to develop, implement, and manage this continuous auditing methodology, you must be able to identify the objectives. Before discussing the specific objectives of this approach, let's clarify what an objective represents. An objective must depict the purpose or reason for doing whatever it is you are planning to accomplish. The reason that the continuous auditing objective is so important is simple: If the objective is not known, no one will be able to grasp the concept of why the work is being performed. The lack of a fully developed continuous auditing objective can and will cause confusion for the individuals performing the work and any clients involved. Now that we have clarified the definition, let's discuss the objectives.
First and foremost, the objective of continuous auditing is to conclude on the efficiency and effectiveness of selected controls through targeted testing performed on a recurring basis for a specified time period. In simpler terms, continuous auditing is a strategic testing approach to verify that selected controls are working. From an audit perspective, it provides additional objectives. For one, the application of continuous auditing allows audit departments to expand coverage and depth of critical areas that would not have been covered under the traditional audit approach. Additionally, when developed and used correctly, continuous auditing saves time by streamlining control verification testing.
Another objective is that continuous auditing verifies the implementation and operation of newly created action items. Because audit teams are concerned with the timing and quality of significant management actions in response to audit reports, audit departments have implemented continuous auditing to authenticate action plan completion. It is difficult for audit departments to perform detailed follow-up or field visits to areas with significant action plans due to the time, cost, and resource commitment such an effort would require. As an alternative solution, continuous auditing can be used to verify that the action has been addressed and is operating as intended. To ensure reliable results, this type of continuous audit should be executed after the business unit action has been in place for at least 90 days.
An additional objective for continuous auditing is to expand audit universe coverage. In this day and age, audit departments are being asked to take on additional work, participate on company-wide projects, partner with external auditors, and own Sarbanes-Oxley work, just to name a few areas. It is difficult, if not impossible, for some audit departments to take on these new requests on top of the existing workload and commitments to the audit committee and senior management. Continuous auditing can provide the flexibility to increase audit coverage without sacrificing quality, dedicating new resources, or demanding overtime.
Imagine being able to complete your existing audit plan, verify newly implemented action items surrounding critical risks, increase audit coverage, and drill down deeper in higher-risk areas without adding staff or altering required work hours. All this is attainable when you plan properly and incorporate continuous auditing into your department.
Dispelling the Continuous Auditing Myths
Even though continuous auditing has been around for a long time, there are still misconceptions about what it is and how it should be used effectively. Here are a few of the myths along with the corresponding truths.
Myth: Continuous auditing has to be automated.
Truth: Continuous auditing can be either automated or manual.
Automation is definitely not a requirement. Continuous auditing is about performing testing on a recurring basis to ensure viability of control effectiveness. Whether the testing is automated or not, the testing still can be completed. Remember, manual testing is not being completed for a full-scope audit but only for selected controls. There is a misconception that if it is not automated, it cannot be done. That is simply not true.
Myth: Continuous auditing requires internal audit to be in the business unit too often, and it will cause a disruption.
Truth: Continuous auditing, when implemented correctly, will be less intrusive than a regular audit.
A regular audit requires a significant investment in time for both the audit team and the client. In addition, one to four consecutive weeks are spent in the client's business unit meeting with key personnel, performing detailed testing, and soliciting feedback and explanation for all testing throughout the fieldwork. With a continuous audit, clients commit minimal time up front to understand the methodology and then have to meet with internal audit only if a discrepancy is noted with the recurring testing performed. In actuality, clients will see internal audit much less during a continuous audit than during a regular audit.
Myth: Continuous auditing is too time consuming and difficult to implement.
Truth: Continuous auditing is not difficult to implement if the objectives of how the methodology is to be used are clear and communicated to the audit team.
Continuous auditing is incorporated into an audit department's existing methodology to complement its current risk-based approach. The most challenging part of creating the continuous audit methodology is getting the audit team to understand that this is a totally different method to test and conclude on the efficiency and effectiveness of an internal control environment. Because the continuous auditing methodology has phases similar to those of risk-based auditing, the transition between the two is not a huge hurdle. From the continuous audit perspective, the testing and reporting are very similar to a regular audit; the biggest difference is the targeted scope and control selection. A continuous auditing methodology can be drafted, formatted, and implemented in three months. Although there are teams that have implemented a continuous auditing methodology in 30 days, usually the documentation of the methodology and approach, along with a marketing and communication plan, is not completed in advance of such a rollout.
Summary
Clearly understanding the definition of “continuous auditing” is a critical first step in the adoption and implementation of the methodology into your audit department or business unit. First and foremost, establish the objective for your team and communicate that same objective to the team throughout the development process. In order to successfully integrate continuous auditing into your current operation, you must understand the approach, document the process, and recognize the opportunities to use the methodology effectively. In Chapter 2, you will learn to recognize those opportunities and review your current methodology to determine how to expand the services you offer at this time.
Chapter 2
Where to Begin
Recognize the Need
It does not matter if you are in an audit department, an enterprise risk management group, a compliance department, or a business unit. It does not matter if you are a team of one or work with a team of over 50 individuals. There never seems to be a sufficient amount of time or resources to accomplish all of the department goals that were set at the beginning of the year. Why that happens should not be a mystery to anyone who has worked in a business unit for more than a year. Each year begins with optimism and excitement and the belief that, as a team, we can accomplish more than the previous year because of experience.
The reality is that it is very difficult, if not impossible, to take on more than the previous year, even with an experienced team. Why? Because a high-functioning, successful team, especially an audit department, will be looked to as a resource in subsequent years. As resources, departments that have met or exceeded their goals will be asked to partner on company-wide projects, expand their breadth of coverage, or guide and direct other business units on how to be successful. So with all of these potential additional activities, how will an audit team handle its new popularity? Keep in mind that while accepting the invitations to partner is an excellent marketing opportunity for internal audit and a significant morale boost for the audit team, it does not alleviate the existing commitments to the audit committee and senior management. Internal audit will still be required to complete the audit plan, partner with external auditors, and work closely with regulatory agencies. Please remember the goals and objectives of your department before accepting every invitation to partner on projects and initiatives of other departments.
Regardless of whether your team is being asked to participate on large projects or assist other departments with specific initiatives, continuous auditing still may be able to provide assistance with the execution of work and generation of control effectiveness conclusions. The question becomes: Is there a way to become more efficient and effective as a team without sacrificing quality or increasing the size of your staff? I do not believe there is an audit department or business unit out there today that does not want to be able to operate with a more efficient and effective team, especially without increasing department size. In the current environment, business units and companies are trying to find ways to reduce expenses. So asking for more staff for any department would be a futile effort.
However, it would be worthwhile to consider a methodology that could provide a reasonable assurance over critical or key controls without increasing the size of the team instead of begging for additional headcount or passing up on an opportunity to become more efficient. Before deciding whether a continuous auditing methodology would be the right fit for your department, consider the next questions to assist in identifying your opportunity for maximizing the benefits from this approach.
Potential Need/Fit Considerations
Believe it or not, fit is critical when considering incorporating continuous auditing into an existing operation. The methodology has a drastically different approach from traditional auditing and requires discipline in its development, execution, and maintenance. As defined in Chapter 1, continuous auditing is focused on validating the performance of a critical control and not on the examination of the process from start to finish. This key distinction sounds simple in explanation but is difficult for auditors to maintain in real-life performance. The reason is that internal audit traditionally has reviewed business processes from start to finish, verifying that all controls are in place and operating as intended. Also, the traditional audit will occur once every 12 to 18 months for a higher-risk area.
Continuous auditing is going to require an auditor to examine a process, consider all controls in place from start to finish, select the critical control(s), and test the specific performance of the selected control on a recurring basis. Supporting or ancillary controls involved in the process are ignored. This is the most difficult concept for auditors to accept since they are accustomed to testing all controls in a process as part of a regular, or full-scope, audit. To determine whether continuous auditing is a methodology that could help your team, review the next five questions. Each question includes a brief explanation to ensure a clear understanding prior to answering.
1. Do you have a comprehensive annual risk assessment in place?
This question is trying to determine if your audit methodology contains a formal risk assessment process of all auditable entities in your audit universe. A formal risk assessment would include a risk profile (documented background of the area's processes, systems used, staff size, production volume numbers and dollars, etc.) of the auditable entity, area objectives, inherent and residual risk, existing controls, and quantifiable questions detailing the overall risk level assigned. The risk level assigned should be based on the likelihood and significance of the inherent and residual risks with consideration given to the controls currently in place.
2. Do you have adequate coverage of all higher-rated risk areas?
This question is focused directly on your annual audit plan to determine how comfortable you are with the audit activity of the high-risk areas of your audit universe. Sufficient coverage would mean every high-risk area is reviewed in a 12- to 18-month period. Most audit groups are unable to perform work in every one of these areas and rely heavily on their risk assessment process to triage or risk-rank the highest areas of the company. In the ranking process, ensure that there is consistency of application of the risk scores given and that subjectivity is kept to a minimum. These coverage decisions should be based on quantifiable data, previous audit activity, external reports, and outstanding action items.
3. Do you complete your annual audit plan every year?
This question requires more thought than may be apparent on the surface. In determining whether the audit plan gets done, think about the effort and dedication needed to complete every assignment as well as how many audits got postponed or reassessed to a subsequent year. Look for indications that the department was too optimistic about what could get completed during the audit cycle. In addition, determine how much time was diverted from the plan to address special requests from clients, senior management, and committees.
4. How much of your audit plan includes activity in areas in which the audit team has an intimate business knowledge and previous audit experience?
The more business knowledge an audit team has of its target areas, the more effective members will be at identifying the critical controls that support the process. Couple the business knowledge with previous audit experience of the area, and the audit team is not only versed in the operation but also has an established working relationship with the business unit team. There is no skill more valuable to an internal auditor than business knowledge. The efficiency with which the continuous auditing approach can be applied and used effectively depends on the audit team's ability to identify the true key controls in the business process.
5. Do you have the right team makeup to adapt to a methodology enhancement?
This question requires each team leader to examine the background, experience, and flexibility of members of the audit team. Before incorporating continuous auditing into your audit group, consider the background of the staff. Do staff members have sufficient business knowledge of the industry and company to understand the business process from start to finish? As discussed in question 4, intimate business knowledge is a prerequisite to implementing continuous auditing successfully. When considering experience, the team needs to have, at a minimum, two individuals with significant audit experience. For almost every audit department, it will be no problem to have two members with this level of experience. However, there is always a qualifying statement. Experienced auditors must be willing to share their knowledge and have the necessary communication skill set to instruct other auditors on how to identify and verify key controls in a process. Team leadership and direction by example are core competencies for all auditors in charge and managers but have to be assessed honestly when considering a methodology diversification from the standard risk-based approach. The leadership team has to have solid communication skills, lead by example, and be able to listen, clarify, and address questions throughout the development process. Flexibility is the final consideration regarding the audit team profile. For this purpose, the term “flexibility” has a dual meaning. From an audit team perspective, it represents the ability to adjust to new situations, environments, and client styles while at the same time being able to differentiate and execute two distinct audit approaches. Auditors are continually placed in challenging scenarios; nowhere is this more evident than when an auditor is trying to launch a different audit methodology with an existing client. 
After navigating the challenging launch, auditors must apply their audit and business knowledge to the revised approach and maintain the discipline to execute the methodology without reverting back to a full-scope, risk-based audit.
As previously discussed, the success of any audit activity relies on the client partnering and working with the audit team to provide business process details, activity data, and explanations regarding deviations from the business processing standard. To understand the current state of the audit/client relationship more effectively, the next section discusses how to identify the audit department's client relationship score and provides suggestions on how to strengthen existing relationships and foster new ones.
Client Relationship Score
Every auditor knows the value of a strong relationship with business partners. Even though it is impossible to measure specifically the importance of the auditor/client relationship to the success of an audit, the client relationship still remains the number-one priority of all audit teams. Why? Because all audit activity requires the client to provide:
- Information about the process to be reviewed
- Documentation and data evidencing the current business process
- Time and resources to work with the audit team
- Agreement and acceptance of issues noted
- Action plans to address the opportunities for improvement

An auditor, even one with no experience, knows the client is not going to just open up and share business information without feeling confident about the auditor and having a clear understanding of how the information is going to be used in the examination of the business process.
To assist in quantifying the audit/client relationship, complete the Client Relationship Scorecard in Table 2.1. To determine the client relationship score, read each statement and then place a checkmark under the number that best describes your current work environment. After reading and scoring all 14 statements in Table 2.1, calculate the total number of points accumulated across all answers and average the total by dividing by 14. An average score above 3.5 indicates that your audit department recognizes the importance of establishing relationships with your clients and is on the way to fostering positive partnerships on every audit. If your average score is between 3.0 and 3.5, you have begun to develop relationships but still need to focus on the core competencies (communication throughout the process, validation of issues, and timely delivery of the audit product) that are critical to a partnership's success. Any average score below 3.0 requires the audit department to analyze each statement and determine which ones represent the biggest opportunity for improvement. The analysis should include a ranking of the relationship statements from most to least critical. When performing this ranking, consider the objectives of the audit department and the steps needed to meet them on a consistent basis. Once the ranking is completed, develop specific action plans with the business process owner to address each opportunity for improvement.
Table 2.1 Client Relationship Score.
Each statement in Table 2.1 is explained in detail in the numbered list. In scoring, 1 indicates Strongly Disagree; 2 means Disagree; 3 is Neutral; 4 means Agree; and 5 means Strongly Agree. The acronym IAD represents Internal Audit Department.
1. IAD has a specific marketing plan. Every internal audit department should have a marketing plan that details the services performed by the group and provides an overview of the audit process itself. Also, the marketing plan should include an organizational chart to provide clients with an understanding of how the group is structured and the reporting hierarchy. Other marketing plan examples may include:
- A projected timeline of a risk-based audit
- The deliverables for each audit phase
- The report opinion ratings along with their corresponding definitions

Having a marketing plan for the audit department better prepares the audit team for the introductory meeting with the client and demystifies the audit process (especially for a first-time client).
2. IAD creates a relationship on every assignment. Traditionally, internal auditors always looked at audits as an assignment. The assignment was given to an audit leader and supporting staff to execute, and that team was to perform the work as efficiently as possible and move on to the next area to be reviewed. Audits should never be looked at as an assignment. Auditors need to adjust their thinking and consider every opportunity with a client as another chance to create, build, and maintain a relationship. Always remember that a strong relationship takes time to establish and is based on trust. Obviously, it is much simpler to perform an audit as an assignment because building a relationship requires dedication. However, in order to complete an audit, the audit team is going to rely on the client to work closely with the auditors and provide the detailed information to be tested. If the audit is executed as just an assignment, there will be challenges throughout the audit that will prolong the delivery of the final audit product. Building a strong relationship is about partnering on every project. Keep in mind that a partnership requires two parties to work together to achieve the same goal.
3. IAD is knowledgeable of the company operations. Every auditor should be able to agree that there is no greater asset to an auditor than knowledge of the company. More and more audit departments are recruiting individuals who possess business line experience. The “company experienced” individuals are being brought into internal audit to provide the detailed business process knowledge perspective. No matter how experienced auditors are, they will never have the understanding of the business process nuances that business line employees have acquired over their tenure of working in the day-to-day operations. To try to compensate for the lack of actual operational experience, auditors must constantly build on their business process knowledge. Auditors can accomplish this through independent research and learning about company policies and procedures, industry standards, and audit experience.
4. IAD is technically proficient. Like any other profession, auditors must work diligently to become technically proficient. Drilling down into that concept, auditors first must clearly understand the audit methodology that has been developed and implemented within their team. The methodology should detail the guidelines and explain the steps necessary in the three main phases of an audit: planning, fieldwork, and reporting/wrap-up. The audit team is responsible not only for understanding the phase requirements but also for the expected performance and deliverables of each phase of the audit. Technical proficiency is acquired over time by reviewing the established methodology, asking questions in times of uncertainty (the most underused skill), completing all required/assigned steps, and learning from the audit team leaders.
5. IAD communicates constantly throughout the audit. Constant communication throughout the audit means that the audit team communicates consistently:
- Beginning with the kickoff meeting
- Through the planning regarding the approach and scope of the audit
- During fieldwork by keeping the client up to date on the testing and validating all potential issues prior to concluding on the adequacy of the control environment
- In the reporting phase by delivering a clear, concise message in a timely manner

A high-functioning audit team communicates consistently through the entire audit process. At no point during an audit should a client be wondering how the audit is going. Communication should be the cornerstone of the audit department and a core competency for every auditor on the team.
6. IAD validates all issues before the exit meeting or draft report. One of the most common mistakes auditors make is to rush to a conclusion without examining all of the information. That is not to say that auditors will conclude on testing without finishing the sample. What it means is that a conclusion will be made without first validating the testing results with the process owner or subject matter expert. Statement 3 said that auditors, no matter how experienced, will never know the process in as much detail as the operational processing personnel. So why would any auditor finalize an opinion without validating the testing results first? Take a simple three-step approach to conclude on testing confidently:
1. Double check the results
2. Validate the results with the process expert
3. Develop the testing conclusion based on the data
If an auditor follows this simple three-step approach to validation, there will be much less debate about the testing results and much less confusion regarding the overall audit opinion.
7. IAD consistently applies ratings. Truly one of the biggest challenges facing audit departments today is applying ratings (individual testing and overall audit) consistently from one audit to another. No matter what the assigned area, testing technique, or type of audit, the ratings must be applied consistently based on risk. Risk is determined by the likelihood of the risk being realized and its impact once it has occurred. Regardless of the area being reviewed, if the same risk exists for department A and department B, they must both be given the same rating. Who works in the department, the tenure of the team, friendliness of the managers, or physical location should have absolutely no impact on the assigned rating. Remember, ratings are based on the risk identified in testing the data. Always base the audit conclusions on the process and supporting data.
8. IAD issues reports in a timely manner.
