Getting Started with Continuous Auditing and Continuous Monitoring
Prepared for Detroit IIA Chapter February 8, 2011
Session Objectives
Reviewing the “what and why” of Data Analysis and Continuous Auditing
IIA Guidance (Global Technology Audit Guide #3)
Internal Audit Utopia – what might it look like? How far away is it? Why?
Maturity Model approach. People, Process, Governance, and Technology
Visual Risk IQ’s QuickStart Methodology – ways to get started
Exercises / Examples
Q&A
Visual Risk IQ – GRC thought leadership, practically applied © 2011 Visual Risk IQ, LLC, All Rights Reserved
How do today’s economic conditions affect the auditing profession?
Lowering Earnings Guidance
Continued SG&A expense control initiatives
Staff reductions
Hiring (salary, travel) freezes in the Company
Bigger audit staffs / bigger audit budgets?
• Think about the Fraud Triangle
• Financial Pressure, and even Rationalization, are increasing
• What is the Audit Profession doing about Opportunity?
Headlines / Fraud in the News
Review of IIA Guidance
Continuous Auditing: Method used to perform audit-related activities on a continuous basis. Includes control and risk assessment activities performed by the Internal Audit function.
Continuous Monitoring: Process to ensure policies / processes are operating effectively and to assess adequacy of controls. Performed by Operational / Financial Management; audit independently evaluates the
Continuous Assurance: Combination of Continuous Auditing and Audit Oversight of Continuous Monitoring Activities.
CAATs (Computer Assisted Audit Techniques): Using data analysis in executing audit programs.
Relationship between Continuous Auditing and Continuous Monitoring
The role of continuous auditing depends on Management's role in continuous monitoring: there is an inverse relationship between management and audit activities.
True continuous assurance depends on effective monitoring of internal controls by management, and on Audit's independent assessment of that function.
Where is your management team?
How is Internal Audit helping?
Evolution from CAATs to CA to CM
CAATs (owned by Internal Audit)
• Greater coverage than sampling
• Deep coverage from automated testing
• Core competency of internal audit
• Created on demand; reuse is considered
Continuous Auditing (owned by Internal Audit)
• Repetitive / on-going; frequent intervals
• Not based on audit project timeline
• More in-depth automated testing
• Centralized process requires cross-audit-program focus
Continuous Monitoring (owned by the Business)
• Monitoring controls are the responsibility of business process owners
• Periodically reviewed by IA
• Includes both transaction and controls monitoring
Continuous Auditing has been a hot topic for 5++ years. But what is continuous, really?
Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation matches business requirements. What frequency is right for your revenue transactions? Supply chain?
[Chart: continuous auditing / continuous monitoring programs, and today's continuous auditing frequency. Source: 2009 State of the Internal Auditing Profession, Copyright PricewaterhouseCoopers LLP 2009]
What might Audit "Utopia" look like? How far away are we?
[Diagram: Corporate Data feeding Enterprise Audit Projects, each running Risk Assessment, Planning & Scoping, Execution and Reporting]
Implementing continuous auditing across your audit methodology is not about technology
[Diagram: Risk Assessment, Audit Plan, Stakeholder Reporting and Enterprise Audit Projects (project plan, project execution, project reporting), with Technology shown as the only supporting layer]
…it’s about a model that acknowledges the impact of People, Audit Process, and Governance
[Diagram: the same audit cycle (Risk Assessment, Audit Plan, Stakeholder Reporting, Enterprise Audit Projects) supported by four layers: People, Technology, Governance and Audit process]
We advocate that risk assessment should be the centerpiece of the audit process
[Diagram: Enterprise Audit Projects with Risk Assessment at the center, surrounded by Planning & Scoping, Execution and Reporting]
Our Continuous Auditing Maturity Model was published in 2009 in WG&L’s Internal Auditing
Maturity levels: Basic practices, Repeatable CAATs, Frequent CAATs, Continuous auditing

People
  Basic practices: Staff has some basic data literacy. Knows how to ask IT for digital information.
  Repeatable CAATs: Some IT- and data-specific specialists are accessible, either in-house or as consultants.
  Frequent CAATs: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people.
  Continuous auditing: No need for ad hoc data acquisition; CA and CCM systems are well-integrated into finance, operations, and Enterprise Risk Management (ERM).

Technology
  Basic practices: Basic data capture and analysis using MS-Office or ERP query tools. Heavy reliance on Corporate IT.
  Repeatable CAATs: Some re-usable scripts exist and are used on demand for relevant audit projects. Prevalent use of CAAT tools like IDEA and/or ACL.
  Frequent CAATs: ACL and IDEA scripts are stored, scheduled, and run at appropriate intervals in support of audit projects.
  Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps at project and department level.

Governance
  Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
  Repeatable CAATs: Audit department can and does access enterprise data directly at the source.
  Frequent CAATs: IT consults with IA prior to making system changes that are known to affect IA.
  Continuous auditing: Data-driven early warning / risk alerts include both business and controls / audit implications.

Audit methodology
  Basic practices: Risk assessments are conducted annually.
  Repeatable CAATs: Updates to risk assessments are conducted more frequently than annually.
  Frequent CAATs: Risk assessments are scheduled at regular intervals and updated based on internal and external data points.
  Continuous auditing: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted.
Moving up the Maturity Curve is best accomplished in simple, deliberate steps
Questions and Dinner Break
QuickStart(SM) Methodology: Brainstorming
Brainstorm
• Review Audit Objectives
• Explore Internal Data Sources
• Compare vs. External Data Sources
• Consider with other Audit Tests
• Use Trending and Exception Queries
[Process flow: Brainstorm, Acquire and Map Data, Write Queries, Analyze and Report, Refine and Sustain]
Brainstorming Exercise: P-Card Audit
Assumptions:
Data acquisition is easy and free. Any interesting data file, whether internal or external, can easily be made available on our audit department server (PC, USB drive, etc.).
Programming resources are plentiful and affordable. Almost any query that the team brainstorms can be developed at a reasonable cost.
There is sufficient time in the audit between planning and fieldwork, such that the queries can be developed, tested, and executed.
So... what data sources would you like to have for an audit of Purchasing Cards?
What audit objectives do you have?
And what interesting queries would you want to write?
QuickStart(SM) Methodology: Acquire and Map Data
Acquire and Map Data
• Identify specific sources
• Explore direct vs. flat file access
• Submit written data request, including control totals
• Tie out record counts and control totals
• Trace control totals back to ledger or other source systems
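As an added example (not code from the Visual Risk IQ deck), the tie-out step above and the "trending and exception queries" item from the Brainstorm slide, applied to a constructed purchasing-card extract. The column names, the stated control totals and the 500.00 single-transaction limit are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample P-Card extract (not real data); in practice this is the
# flat file delivered in response to the written data request.
EXTRACT = """card_id,txn_date,merchant,amount
C100,2011-01-03,Office Depot,499.00
C100,2011-01-03,Office Depot,499.00
C100,2011-01-03,Office Depot,450.00
C200,2011-01-05,Delta Air,612.40
C300,2011-01-08,Home Depot,1200.00
"""

# Control totals as stated by the data owner in the written data request (assumed values).
STATED_COUNT = 5
STATED_TOTAL = Decimal("3260.40")

def load_extract(text):
    """Parse the delivered flat file into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def tie_out(rows, stated_count, stated_total):
    """Tie out record count and amount control total against the stated figures.
    A mismatch means the extract is incomplete or altered and must be re-requested
    before any exception query is trusted."""
    count = len(rows)
    total = sum(Decimal(r["amount"]) for r in rows)
    return {"count": count, "total": total,
            "count_ok": count == stated_count, "total_ok": total == stated_total}

def exact_duplicates(rows):
    """Exception query: same card, date, merchant and amount appearing more than once."""
    seen = defaultdict(int)
    for r in rows:
        seen[(r["card_id"], r["txn_date"], r["merchant"], r["amount"])] += 1
    return [key for key, n in seen.items() if n > 1]

def split_purchases(rows, limit):
    """Exception query: one card's same-day spend at one merchant exceeds the
    single-transaction limit while every individual transaction stays within it,
    the pattern of a purchase split to stay under an approval threshold."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["card_id"], r["txn_date"], r["merchant"])].append(Decimal(r["amount"]))
    return [key for key, amts in groups.items()
            if sum(amts) > limit and all(a <= limit for a in amts)]
```

Once the tie-out passes, the same queries can be scheduled against each new extract, which is the "Refine and Sustain" step of re-using queries for follow-up tests.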
QuickStart(SM) Methodology: Refine and Sustain
Refine and Sustain
• After-Action Review
• Re-use Queries for Follow-up Tests
• Re-use Queries for Risk Assessment
• Transition Queries to Management
Refine and Sustain Examples
After-Action Review
• Consider timing of key audit tasks: What should we do earlier? What could we do later?
• Who else should we involve? Why?
• Start / Stop / Continue
Wrap-up Thoughts
Assess where your audit team is on the Maturity Curve. Where do you want to be? Find a small win opportunity and get started.
Begin with more frequent risk assessment. What questions should we ask each quarter to tell us whether our risk assessment is still on target?
Identify an audit where you can be data-driven in your analysis. What questions do you want to answer? How does management know?
Identify management reports that audit can use to validate financial or operational performance. Would accessing the data sources directly answer other questions?
Challenge your teams to be the R&D lab for innovation in continuous monitoring and data analysis
For Additional Information
“And will you succeed?
Yes! You will, indeed!
98 and 3/4% guaranteed**”
So Follow, Friend, Connect with us at:
www.twitter.com/VisualRiskIQ
http://ContinuousAuditing.BlogSpot.com
www.Linkedin.com/in/JoeOringel
704-353-7000 (office)
704-752-6403 (mobile)