Part of a series on |
Accounting |
---|
Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.
The "continuous" aspect of continuous auditing and reporting refers to the real-time or near real-time capability for financial information to be checked and shared. Not only does it indicate that the integrity of information can be evaluated at any given point of time, it also means that the information is able to be verified constantly for errors, fraud, and inefficiencies. It is the most detailed audit.
Each instance of continuous auditing has its own pulse. The time frame selected for evaluation depends largely on the frequency of updates within the accounting information systems. Analysis of the data may be performed continuously, hourly, daily, weekly, monthly, etc. depending on the nature of the underlying business cycle for a given assertion.
The objective of financial reporting is to provide information that is useful to management and stakeholders for resource allocation decisions. For financial information to be useful, it should be timely and free from material errors, omissions, and fraud. In the real-time economy, timely and reliable financial information is critical for day-to-day business decisions regarding strategic planning, capital acquisition, credit decisions, supplier partnerships, and so forth. Advances in accounting information systems such as the advent of enterprise resource planning (ERP) systems have enabled the generation of real time information. However, the practice of traditional auditing has not kept pace with the real time economy. Traditional manual audit procedures are labor and time intensive, which limits audit frequency to a periodic basis, such as annually.
These time and effort constraints can be alleviated through the use of technology and automation. Continuous auditing enhances the delivery of auditing services by making the audit process more efficient and effective through the use of technology and automation. The increased efficiency and effectiveness of the audit process enables more frequent or real time audits and hence enhances the reliability of the underlying information. [1]
The first application of continuous auditing was developed at AT&T Bell Laboratories in 1989. [2] Known as a continuous process auditing system (CPAS), the system developed by Miklos Vasarhelyi and Halper provided measurement, monitoring, and analysis of the company's billing information. Here key concepts such as metrics, analytics, and alarms pertaining to financial information were also introduced.
Continuous auditing is made up of three main parts: continuous data assurance (CDA), continuous controls monitoring (CCM), and continuous risk monitoring and assessment (CRMA). [3]
Continuous data assurance verifies the integrity of data flowing through the information systems. Continuous data assurance uses software to extract data from IT systems for analysis at the transactional level to provide more detailed assurance. CDA systems provide the ability to design expectation models for analytical procedures at the business-process level, as opposed to the current practice of relying on ratio or trend analysis at higher levels of data aggregation. CDA software can continuously and automatically monitor transactions, comparing their generic characteristics with predetermined benchmarks, thereby identifying anomalous situations. When significant discrepancies occur, alarms are triggered and routed to appropriate stakeholders and auditors.
Continuous controls monitoring consists of a set of procedures used for monitoring the functionality of internal controls. CCM relies on automatic procedures, presuming that both the controls themselves and the monitoring procedures are formal or able to be formalized. CCM can be used for monitoring access control and authorizations, system configurations, and business process settings. CDA and CCM are complementary processes. Neither process is self-sufficient or comprehensive. Even if no data faults are found it cannot be concluded that controls are fail-safe. Further, even if controls are being implemented, data integrity cannot be assumed. When combined, however, these monitoring approaches present a more complete reliance picture.
Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning. CRMA is a real-time integrated risk assessment approach, aggregating data across different functional tasks in organizations to assess risk exposures and provide reasonable assurance on the firms' risk assessments.
In addition to the aforementioned three components, the black box audit log file is also an important part of continuous auditing. This file can be viewed as an extension of the existing practice of documenting audit activities in manual or automated work papers. A black box log file is a read-only, third-party controlled record of the actions of auditors. The objective of black box logging is to protect a continuous auditing system against auditor and management manipulations. [4]
Continuous reporting is the release of financial and non-financial information on a real-time or near real-time basis. The purpose of continuous reporting is to allow external parties access to information as underlying events take place, rather than waiting for end-of-period reports. The adoption of XBRL by companies makes the release of continuous reporting information more feasible. Continuous reporting also benefits users under Regulation Fair Disclosure. Continuous reporting is a point of constant debate. Some parties, including analysts and investors, are interested in knowing how a company is doing at a given point in time. They argue that near real-time information would provide them with the ability to take advantage of important business moves as they happen. However, opponents are skeptical of how the raw information can be useful and fear information overload, or that there would be too much irrelevant information out there. Additionally, some companies are fearful that continuously reported financial information would give away important strategic moves and undermine competitive advantage.
Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. [5] These steps include:
This entails choosing which organizational areas to audit. When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives.
The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process.
Continuous auditing need not be literally continuous. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing.
Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. When defining a CAP, auditors should consider the costs and benefits of error detection as well as audit and management follow-up activities.
Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both ― usually the alarm is sent to the process manager, the manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed, need to be addressed when establishing the continuous audit process.
A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent.
Demand for continuous auditing has come from a variety of sources, primarily user-driven requirements. External disclosure, internal drivers, laws and regulation, and technology all play important roles in pushing up demand.
More frequent disclosure will drive the nature of the audit process. This increase improves the quality of earnings while reducing manager aggressiveness and decreasing stock market volatility. [6]
As companies have become more integrated within their own departments and with other companies, such as suppliers and retailers, a desire for data integrity throughout the electronic data exchange process is also driving demand for continuous auditing. [7] [8]
Laws and regulation require activities and ways a company followed in order to achieve a specific goal to be monitored. Under such laws and regulation company commenced for continuous auditing.
XBRL facilitates the development of continuous auditing modules by providing a way for systems to understand the meaning of tagged data. Proper use of XBRL assures that relevant data gathered from multiple sources is easily comparable and analyzable. XBRL is a derivative of the XML file format, which tags data with contextual and hierarchical information. It is expected that many enterprise resource planning systems will provide data in the XBRL-GL format to facilitate machine readability.
Because of the nature of the information passing through continuous auditing systems, security and privacy issues are also being addressed. Data assurance techniques, as well as access control mechanisms and policies are being implemented into CA systems to prevent unauthorized access and manipulation, and CCM can help test these controls.
For many organizations, there are a number of challenges to implementing a continuous auditing approach. The following are some common challenges with associated recommendations. [9]
Few organizations have a completely homogeneous, seamless system environment. There is typically a mix of ERPs or multiple instances of one ERP, mainframe systems, off-the-shelf applications, and legacy systems—all of which may contain valuable data. Technology is available to access all of this data to gain a complete picture.
Technology may be viewed as a threat to those who perceive that automation might replace jobs. A benefit of continuous auditing is that it performs routine, repetitive tasks and provides the opportunity for the more interesting exploratory work that adds far more value to the organization.
When not properly implemented, continuous auditing can result in hundreds—even thousands—of false positives and wasted effort. Many companies that have experienced success with continuous auditing recommend that you start small. Select which area of the company poses the greatest risk and where its transactions and control systems are most important to the company for your initial foray into continuous auditing. Automate a small number of key initial tests, such as comparing your accounts payable vendor master file with the employee address file, to uncover potential policy violations or fraud. Moving forward, increase the tests and gradually expand into other business processes in stages.
Training is essential for optimum results. A number of institutions, including ACL Services Ltd., offer training on computer-aided audit techniques including continuous auditing through automation. Training can be conducted either on-site or remotely, depending on the need of companies.
Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.
A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.
An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.
An auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit, as an assurance service in order for the user to make decisions based on the results of the audit.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
Computer-assisted audit tool (CAATs) or computer-assisted audit tools and techniques (CAATTs) is a growing field within the IT audit profession. CAATs is the practice of using computers to automate the IT audit processes. CAATs normally include using basic office productivity software such as spreadsheets, word processors and text editing programs and more advanced software packages involving use statistical analysis and business intelligence tools. But also more dedicated specialized software are available.
Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
Audit evidence is evidence obtained by auditors during a financial audit and recorded in the audit working papers.
Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.
XBRL assurance is the auditor's opinion on whether a financial statement or other business report published in XBRL, is relevant, accurate, complete, and fairly presented. An XBRL report is an electronic file and called instance in XBRL terminology.
Entity-level controls are controls that help to ensure that management directives pertaining to the entire entity are carried out. They are the second level of a to understanding the risks of an organization. Generally, entity refers to the entire company.
Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.
The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.
Risk assurance is often associated with accounting practices and is a growing industry whereby internal processes are developed to create a "checks and balances" system. These checks predominantly identify differences between risk appetite and real risk .Business risk refers to factors that can affect the company, both internally and externally. There are various types of business risks: strategic, compliance, financial and operational. Risk assurance aims to mitigate any of these areas. As such, companies can pre-analyse the industry to scout for potential risks or if a risk has already occurred, managers can analyse the problem in an attempt to mitigate the effects.
Audit technology is the use of computer technology to improve an audit. Audit technology is used by accounting firms to improve the efficiency of the external audit procedures they perform.
Artificial intelligence is used by many different businesses and organizations. It is widely used in the financial sector, especially by accounting firms, to help detect fraud.
{{cite web}}
: CS1 maint: archived copy as title (link)