This article seeks to explain some of the key concepts of Continuous Auditing, some important benefits as well as do’s and don’ts, so as to get you to start thinking about introducing Continuous Auditing initiatives in your organizations.
For several years now, management experts have been emphasizing the following key attributes of organizations of the future, in order to strengthen Corporate Governance and enhance Corporate Performance through changes in culture, structures and processes:
- Flat organizations with few hierarchical arrangements;
- Open, flexible, nimble, but nevertheless resilient environments; and
- Distributed rather than centralized decision-making structures
The foundations of both Corporate Performance and Corporate Governance are built on the following FOUR PILLARS:
- Measuring and Managing Information Integrity Risk
- Achieving Operational Efficiency
- Striving for Business Process Optimization
- Leveraging Business Intelligence for Strategic Decision Making
If it is true that organizations today, whether proactively or reactively, are looking to strengthen the four pillars supporting Corporate Performance and Corporate Governance, it means Internal Audit departments needs to evolve in order to achieve their core mission. The Core mission of any Internal Audit department, large or small (as explained by the IIA) is – the provision of independent, objective assurance and consulting services that (a) add value (b) improve operations and (c) help the organization achieve its objectives, by bringing a systematic, disciplined approach to evaluating the adequacy and improving the effectiveness of its governance, risk management and control (GRC) processes.
Stated differently, the aim of IA is NOT to audit GRC processes for their own sake, but to audit them to help the organization achieve its objectives!
In order to achieve this core mission, it is obvious that an audit framework that is reactive, backward-looking, based substantially on labor-intensive, manual verification of a small, statistically correct, representative sample of records will not help internal audit departments much in adding value to the organizations of the (near?) future, nor help those organizations achieve their objectives. Instead, what Internal Audit departments need is a risk-based audit framework that, while forming part of an overall risk-based Internal Audit plan, provides a complete, consistent and continuous method, wherever possible, of providing assurance to the board of directors or equivalent.
According to Norman Marks, prolific thought leader and an authority on Internal Audit, in these days of rapidly changing risks, when businesses are moving faster and faster, IA needs to be able to “audit at the Speed of Business”!
Throughout the next decade, the value of the controls-focused approach that has dominated internal audit is expected to diminish. Internal audit will provide its customers – the board of directors and executive management – with ongoing assurance that those risks which impact the achievement of its objectives, are subject to appropriate and effective governance, risk management and control processes. This ongoing assurance will be enabled primarily through continuous risk and controls assurance, with a much reduced set of traditional audit projects and more reliance on continuous auditing methods.
Continuous Auditing or Continuous Assurance – let’s call it CA, is defined very simply by the IIA as “any method used by auditors to perform audit-related activities on a more continuous or continual basis”.
While there is a specific, detailed methodology for planning and executing CA, the objective of the remainder of this article is not to detail the methodology, but to explain the core concepts of CA, the key business benefits, and some key implementation perspectives.
CA comprises the following two broad components:
- Continuous Risk Assurance (let’s call it CRA) – which provides ongoing assurance that the organization is addressing all its current and emerging key risks, including Fraud Risks, and their risk levels.
- Continuous Controls Assurance (let’s call it CCA) – which provides ongoing assurance that all controls that respond to current and emerging key risks (“key controls”), including controls that respond to Fraud Risks, are suitably designed, established and operating as intended.
One of the key terms in these definitions is “ongoing” – which does not mean 24 x 7 x 365, but rather a more continual process for identifying and assessing key risks to the achievement of objectives, monitoring changes in their levels, a more frequent testing of key controls that respond to those risks, and just as importantly, more continual reporting of findings. Another key term is “current and emerging”. What is the use of monitoring risks that no longer impact the achievement of the enterprise’s objectives, but are listed in a legacy Risk Register? And, what is the use of testing controls that are listed in a legacy Controls matrix, but which do not address an existing or emerging risk to an enterprise objective?
A concept related to Continuous Risk and Controls Assurance is the review / monitoring of (i) data that acts as an indicator of the level of risk i.e. risk drivers, and (ii) transactions that have already been subjected to a control. Ongoing review or monitoring of data relating to key risk drivers is the means by which Internal Audit provides Continuous Risk Assurance. And ongoing review or monitoring of transactions that have been subjected to a key control(s), is an additional line of defense, which not only provides a more comprehensive level of Continuous Controls Assurance, but also significantly increases the probability that if any out of control processes or fraudulent transactions did slip through the “control net”, they will be detected on a timely basis.
Technology may or may not be used in Continuous Assurance – in fact it would be a mistake to think that Continuous Assurance can be provided only through the use of technology. For instance, monthly physical attendance by Internal Audit at a stock count to ensure that it is performed in accordance with predefined company policies and procedures, is an equally valid example of Continuous Assurance. Technology is a great enabler of Continuous Assurance, no doubt, and should be used as such – i.e. as a means to an end, and not as an end in itself, by purchasing, for instance, an off-the-shelf GRC software just because it seems the in-thing nowadays, or because a competitor bought it! So, follow the methodology, understand if and where IT (ie. CA software) would add most value, check for availability of in-house solutions, and then go out into the market to check what IT solution, if any, best fits your enterprise’s specific IT environment and CA requirements.
Let’s consider a couple of examples of CA….
A global company sells its products to, among others, customers in a country currently experiencing turmoil owing to international sanctions and a plunging currency, thus exposing the company to reputational and credit risk. One of the “drivers” of that risk will be the pipeline of sales orders to customers in that country. As that pipeline grows, so does the risk. Technology is used by the Internal Audit function to continuously review /monitor the level of sales orders by country and send an alert to the pre-defined recipients/decision makers if sales to that country exceed a predefined level.
Another example….In order to test the quality of authorization controls over Corporate Credit Card expenditures in a more efficient and effective manner, internal auditors develop a series of continuous, data analytic tests to identify corporate credit card policy violations, such as personal expenses (travel,. jewelry, alcohol, clothes, home furniture, etc.), use by unauthorized cardholders, split purchases to avoid authorization limits, transactions involving prohibited merchants, etc. The above data analysis tests are turned over to the Corporate Credit card manager who runs them on a monthly basis, as a control over credit card usage. Internal Audit verifies on a monthly basis that the manager has run this control (i.e. these analytic tests).
The Business Case for CA is built around several benefits, the most important among them being:
- Comprehensive validation of the efficiency and effectiveness of the current internal control system, with prompt notification of control breakdowns, process deficiencies, data errors, missed SLAs with clients, IT security violations, Segregation of Duties violations, non-compliance with internal policies & procedures – which allows management to respond promptly with corrective action that prevents or minimizes losses.
- More effective and efficient risk assurance, focusing on key risks, both current and emerging, for business operations, reporting and compliance
- Prompt identification of non-compliance with external laws & regulations across diverse systems, geographies, summarizing them into an enterprise view of regulatory compliance, and enabling the organization to reduce the costs of compliance (penalties, etc), over time
- Deterrent against fraud owing to real-time, or near real-time audit activity
- Greater risk & controls coverage by Internal Audit within budget constraints
Finally, a few key implementation perspectives, Do’s and Don’ts….
- Whether you are monitoring a risk or testing a control, and whether you do it sitting at your computer, or by physically visiting a location, it must be remembered that under CA, you are providing a much deeper level of assurance, since the monitoring, testing and reporting is ongoing / repeated as per a pre-defined schedule, throughout the audit cycle. As a result of this ongoing / repeated testing, it is vital within a CA framework, to diligently follow the pre-defined continuous audit plan, to validate all potential findings with process owners, to summarize repeat audit findings into common trends, and to perform root cause analysis for each finding.
- It should also be noted that there are certain types of controls that are suitable for continuous controls testing – for instance, controls over high volume transaction processing, and certain others that are not suitable for continuous testing – for instance authorization controls over judgmental areas.
- Get Board sponsorship – this is not an IT project – it is a Business Improvement Program – position it, and treat it as such
- The Head of Internal Audit / CAE provides the vision, and a “CA Champion” is needed to provide the push and the glue that keeps different stakeholders moving towards the common goal of program success
- Start small, with “low-hanging fruit”, build confidence, then gradually expand areas covered by CA
- When CA is first implemented, you will likely find a lot of exceptions. The exceptions were there yesterday, but no-one knew. Encourage recognition of the fact you have moved the inspection ‘microscope’ from 1x to 1000x magnification
- Report continually – No surprises
CA is the way forward, and while it may be at the “cutting-edge” of developments in the internal audit profession today, it is soon expected to become one of THE MOST IMPORTANT ways in which the Internal Audit profession remains relevant to organizations of the future!
PORUS PAVRI, CRMA, CIA, CA is a partner at Logos Consultants in Dubai.
To comment: firstname.lastname@example.org