Key Steps to Implementing Continuous Auditing
Once the issues above are understood by managers and auditors alike, the organization will be in a better position to begin using continuous auditing. Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These steps include:
- Establishing priority areas.
- Identifying monitoring and continuous audit rules.
- Determining the process’ frequency.
- Configuring continuous audit parameters.
- Following up.
- Communicating results.
Below is a description of each.
Continuous audit implementation steps
1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integrated as part of the internal audit annual plan and the company’s risk management program. Many internal audit departments also integrate and coordinate with other compliance plans and activities, if applicable. (Steps 2-6 below are applicable to all of the priority areas and processes being monitored as part of the continuous audit program.)
Typically, when deciding priority areas to continuously audit, internal auditors and managers should:
- Identify the critical business processes that need to be audited by breaking down and rating risk areas.
- Understand the availability of continuous audit data for those risk areas.
- Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.
- Consider the corporate ramifications of continuously auditing the particular area or function.
- Choose early applications to audit where rapid demonstration of results might be of great value to the organization. Long extended efforts tend to decrease support for continuous auditing.
- Once a demonstration project is successfully completed, negotiate with different auditees and internal audit areas, if needed, so that a longer-term implementation plan can be put in place.
When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective control once the audited activity’s incidence of compliance failure decreases.
2. Monitoring and Continuous Audit Rules
The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. For example, banks can monitor all checking accounts nightly by extracting files that meet the criterion of having a debt balance that is 20 percent larger than the loan threshold and in which the balance is more than US $1,000.
In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process. For instance, how quickly a management response is provided once an activity is flagged may depend on the speed of the clearance process (i.e., the environment) while the activity’s overall monitoring approach may depend on the enforceability of legal actions and existing compliance requirements.
3. Determining the Process’ Frequency
Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing. For instance, although increased testing frequency has substantial benefits, extracting, processing, and following up on testing results might increase the costs of the continuous audit activity. Therefore, the cost-benefit ratio of continuously auditing a particular area must be considered prior to its monitoring.
Furthermore, other tools used by the manager of the continuous audit function include an audit control panel in which frequency and parameter variations can be activated. Hence, the nature of other continuous audit objectives, such as deterrence or prevention, may determine their frequency and variation.
4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. Hence, rules, initial parameters, and the activity’s frequency ― also a special type of parameter ― should be defined before the continuous audit process begins and reconfigured based on the activity’s monitoring results.
When defining a CAP, auditors should consider the costs and benefits of error detection and of audit and management follow-up activities. For instance, in the bank example described earlier, the excess threshold of US $1,000 could lead to a number of false negatives (e.g., values that were ignored because the balance was smaller than US $1,000 but that did represent a problem) and a number of false positives (e.g., values with balances above US $1,000 that were flagged but were accurate). If the threshold is increased to US $2,000, there will be an increase in false negatives and a decrease in false positives. Because follow-up costs go up as the number of false positives increases, and the presence of false negatives may lead to high operational costs for the organization, internal auditors should regularly reevaluate whether error detection and follow-up activities need to be continued, reconfigured, temporarily halted, or used on an ad hoc basis.
Furthermore, the stratification of audited data into sub-groups allows organizations to better monitor the activity and reconfigure any parameters (e.g., auditors will be notified when balances larger than 20 percent of the debt remain that are also larger than US $5,000). However, the more complex the rule and its conditional components, the more parameters that must be examined, monitored, and sometimes reconfigured.
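The bank rule from step 2 and the threshold trade-off from step 4, worked through as an added example that is not part of the original article. The account records, the `is_real_problem` label and all names are constructed for illustration, and reading "20 percent larger than the loan threshold" as a balance above 1.2 times the account's loan limit is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    acct_id: str
    debt_balance: float     # USD owed on the checking account
    loan_limit: float       # the account's loan threshold, USD
    is_real_problem: bool   # constructed label: outcome of manual follow-up

@dataclass(frozen=True)
class RuleParams:
    excess_pct: float = 0.20     # balance must exceed the limit by this fraction
    min_balance: float = 1000.0  # and must also be larger than this amount

def is_flagged(acct: Account, p: RuleParams) -> bool:
    over_limit = acct.debt_balance > acct.loan_limit * (1 + p.excess_pct)
    return over_limit and acct.debt_balance > p.min_balance

def evaluate(accounts, p: RuleParams) -> dict:
    """Count alarms, false positives and false negatives for one parameter set."""
    flagged = [a for a in accounts if is_flagged(a, p)]
    missed = [a for a in accounts if a.is_real_problem and not is_flagged(a, p)]
    return {
        "flagged": len(flagged),
        "false_positives": sum(not a.is_real_problem for a in flagged),
        "false_negatives": len(missed),
    }

def sweep(accounts, thresholds):
    """Re-run the same rule at each candidate min_balance value."""
    return {t: evaluate(accounts, RuleParams(min_balance=t)) for t in thresholds}

# Constructed nightly extract (not real data).
ACCOUNTS = [
    Account("A1", 800, 500, True),     # real problem, but below every threshold
    Account("A2", 1500, 1000, False),  # accurate balance, flagged at $1,000
    Account("A3", 1800, 1200, True),   # caught at $1,000, missed at $2,000
    Account("A4", 2600, 2000, True),   # caught at $1,000 and $2,000
    Account("A5", 3000, 2000, False),  # accurate balance, flagged at both
    Account("A6", 1100, 1000, False),  # only 10% over the limit: never flagged
    Account("A7", 5200, 4000, True),   # also falls in the > $5,000 stratum
]

if __name__ == "__main__":
    for threshold, result in sweep(ACCOUNTS, [1000, 2000, 5000]).items():
        print(f"min_balance={threshold}: {result}")
```

Raising `min_balance` from 1,000 to 2,000 drops one false positive and adds one false negative on this sample, which is the trade-off the auditor re-evaluates when reconfiguring the parameter.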
5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both ― usually the alarm is sent to the process manager, the manager’s immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed, need to be addressed when establishing the continuous audit process.
Additional follow-up procedures that should be performed as part of the continuous audit activity include reconciling the alarm prior to following up by looking at alternate sources of data and waiting for similar alarms to occur before following up or performing established escalation guidelines. For instance, the person receiving the alarm might wait to follow up on the issue if the alarm is purely educational (i.e., the alarm verifies compliance but has no adverse economic implications), there are no resources available for evaluation, or the area identified is a low benefit area that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent. For instance, if multiple system alarms are issued and distributed to several auditees, it is crucial that steps 1-5 take place prior to the communication exchange and that detailed guidelines for individual factor considerations exist. In addition, the development and implementation of communication guidelines and follow-up procedures must consider the risk of collusion. Much of the work on fraud indicates that the majority of fraud is collusive and can be performed by an internal or external party. For example, in the case of dormant accounts, both the clerk that moves money and the manager that receives the follow-up money may be in collusion since the manager’s key may have to be used for certain transactions.