GTAG 3 - Implications for Assurance, Monitoring and Risk Assessment

The need for timely and ongoing assurance over the effectiveness of risk management and control systems is critical. Organizations are continually exposed to significant errors, frauds or inefficiencies that can lead to financial loss and increased levels of risk. An evolving regulatory environment, increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are creating the need for more timely and ongoing assurance that controls are working effectively and risk is being mitigated.
These demands have put increased pressure on chief audit executives (CAEs) and their staff. Internal audit departments have been extensively involved in a wide range of compliance efforts, particularly due to legislation, such as Section 404 of the U.S. Sarbanes-Oxley Act of 2002, raising concerns not only about mounting expectations, but also about internal auditors’ ability to maintain independence and objectivity when evaluating the effectiveness of controls, risk management, and governance processes.
Today, internal auditors face challenges in a range of areas:
• Regulatory Compliance and Controls: Evaluation and identification of issues and processes, sustainability, resources, defining materiality, priorities, and financial reporting risks.
• Internal Audit Value and Independence: The high expectations of internal auditing, growing internal controls issues, confusion around the role of internal auditing liability and responsibility, and compromised objectivity and independence.
• Fraud: Detection and control, identity theft, fraud management responsibility, and increased incidence and cost of fraud.
• Availability of Skilled Resources: Lack of competency and appropriate skill sets, shortage of auditors, retention, and lack of understanding of risks and controls.
• Technology: Appropriate solutions to support compliance, technology business model, information security, competing information technology (IT) priorities, and outsourcing.
It is evident that a new approach, one that provides a sustainable, productive, and cost-effective means to address these issues, is essential.

Continuous Auditing
Traditionally, internal auditing’s testing of controls has been performed on a retrospective and cyclical basis, often many months after business activities have occurred. The testing procedures have often been based on a sampling approach and included activities such as reviews of policies, procedures, approvals, and reconciliations. Today, however, it is recognized that this approach only affords internal auditors a narrow scope of evaluation, and is often too late to be of real value to business performance or regulatory compliance.
Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis. Technology is key to enabling such an approach. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions. It becomes an integral part of modern auditing at many levels. It also should be closely tied to management activities such as performance monitoring, balanced scorecard, and enterprise risk management (ERM).
A continuous audit approach allows internal auditors to fully understand critical control points, rules, and exceptions. With automated, frequent analyses of data, they are able to perform control and risk assessments in real time or near real time. They can analyze key business systems for both anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging risk. Finally, with continuous auditing, the analysis results are integrated into all aspects of the audit process, from the development and maintenance of the enterprise audit plan to the conduct and follow-up of specific audits.

The Need for Continuous Auditing/Continuous Monitoring: An Integrated Approach

In light of CAEs’ concerns regarding the burden of compliance efforts, the scarcity of resources, and the need to maintain audit independence, a combined strategy of continuous auditing and continuous monitoring is ideal.
Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. It addresses management’s responsibility to assess the adequacy and effectiveness of controls. This involves identifying the control objectives and assurance assertions and establishing automated tests to highlight activities and transactions that fail to comply. Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by internal auditors.
Management’s use of continuous monitoring procedures, in conjunction with continuous auditing performed by internal auditors, will satisfy the demands for assurance that control procedures are effective and that the information produced for decision-making is both relevant and reliable.
An important additional benefit to the organization is that instances of error and fraud are typically significantly reduced, operational efficiency is increased, and bottom-line results are improved through a combination of cost savings and a reduction in overpayments and revenue leakage.
Organizations that introduce a continuous auditing and controls monitoring approach often find that they achieve a rapid return on investment.
The business and regulatory environment and emerging audit standards are driving auditors and management to make more effective use of information and data analysis technologies as a fundamental enabler of continuous auditing and continuous monitoring.

The Roles of Internal Auditing and Management
Management has the primary responsibility for assessing risk and for the design, implementation, and ongoing maintenance of controls within an organization. The internal audit activity is responsible for identifying and evaluating the effectiveness of the organization’s risk management system and controls as implemented by management. Auditors conduct the evaluation to provide assurance to the audit committee and senior management as to the state of risk and control systems and, in the case of legislation such as the Sarbanes-Oxley Act, the reliability of management’s representation concerning the state of controls. Ideally, internal auditing is not part of the controls monitoring process and does not design or maintain the controls, thereby retaining its independence.
Although the monitoring of internal controls is a management responsibility, the internal audit activity can use and leverage continuous auditing to strengthen the overall monitoring and review environment in an organization.
The level of proactive monitoring performed by management will directly affect how auditors approach continuous auditing.
In cases where the continuous monitoring of controls is being performed by management, the same level of detailed transaction testing may not be required under continuous auditing. Instead, auditors can focus on procedures to determine the effectiveness of management’s monitoring process and, depending on the outcome of such tests, adjust the scope, number, and frequency of audit testing.

The Power of Continuous Auditing
The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation. By changing their overall approach in this way, auditors will develop a better understanding of the business environment and the risks to the company to support compliance and drive business performance.


Implementation Issues

The CAE must be cognizant of the fact that continuous auditing will change the audit paradigm, including the nature of evidence, timing, procedures, and level of effort required by internal auditors. This will place demands on the audit department.
In particular, it will have to:
• Obtain and nurture audit committee and senior management support for the concept and implementation of continuous auditing.
• Develop and maintain the technical competencies and enabling technology necessary to access, manipulate, and analyze the data contained in disparate information systems.
• Use (or implement) data analysis techniques to support audit projects, including the use of appropriate analytic software tools and development and maintenance of data analysis techniques and expertise within the audit team.
• Sponsor, promote, and encourage the adoption and support of continuous monitoring by management.
• Ensure that continuous auditing is adopted as part of an integrated, consistent approach to risk-oriented audit planning.
• Manage and respond to the results of continuous auditing, determining appropriate use, follow-up, and reporting mechanisms. The CAE will have to ensure that appropriate action is taken on the audit findings reported to management and that the results of continuous auditing are considered by management when assessing activities, such as the monitoring of controls, performance measurement, and enterprise risk management.
This IIA Global Technology Audit Guide (GTAG) identifies what must be done to make effective use of technology in support of continuous auditing and highlights areas that require further attention. By reading and following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments — while contributing to compliance with the regulatory requirements impacting their organization and to its overall health and competitiveness.

For more details and to join, visit www.theiia.org
