Should internal audit perform continuous auditing?
A service provider in Germany recently completed a survey of internal audit heads in that country. He told me that the great majority believe that internal audit should not use continuous auditing techniques because monitoring controls is a management responsibility, and asked my opinion.
I told him that I have some sympathy with that opinion, and expressed my own:
1. The system of internal control is a management responsibility, and management is also responsible for control monitoring. However, the COSO internal control framework recognizes that management may place some reliance on internal audit for controls monitoring (assurance).
2. The way many, if not most, use these techniques is really auditing transactions and not controls. They are detecting errors and possibly fraud. First, testing transactions provides only limited assurance that the controls are in place and operating, so that future activity will be as desired. Second, I believe it is management’s job to test transactions and internal audit’s to test controls.
3. We need to remain mindful that the primary task of internal audit is to provide assurance that the more significant risks to the organization are managed within acceptable limits, and this is achieved by internal controls. Our job in internal audit is to address the controls over the more significant risks, and to provide assurance when it is needed by the organization. For some risks, high risks such as derivative trading, assurance may be needed on a frequent basis. So, we should perform tests of controls that support that more frequent need for assurance.
4. The IIA Global Technology Guide (GTAG) on continuous auditing has some excellent content and advice. I suggested more people should reference it.
5. I believe in continuous risk monitoring and updating of the audit plan, to ensure that audit efforts are focused on what matters now, rather what mattered at the start of the year. This is a form of continuous auditing. For example, I would use analytics technology to monitor a software company’s credit memos at the beginning if each quarter as that is an indicator of potential revenue fraud, and support a consumer products company’s internal audit monitoring of trends in product gross margin as an indicator of potential risks.
6. Continuous audit is not always continuous (see the GTAG definition). It simply means performing the audit activity more frequently.
7. Continuous auditing is not another way of talking about audit use of technology. Continuous audit tests may be manual, for example attending the CFO’s monthly meeting to review the divisional financials, trends, and variances confirms that this important control is operating.
The bottom line is that internal audit should do the work necessary to provide its stakeholders with the assurance they need, when they need it, on the more significant risks. Doing less is an issue. Doing more may mean either inefficient use of resources (unless clearly valuable consulting services) or an encroachment upon management responsibilities.
What do you think?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
I agree with you. I would treat the service provider opinion as cutting the responsibility too finely.
Internal Audit’s job is to provide assurance. Based on volume, value, risk etc IA can decide to take any approach which can be best utilisation of resources.
With the increase use of technology, operations would be relying more and more on computers. As an Internal auditor, I would put controls in this environment and generate exception reports on an ongoing basis.
As far as continuous auditing through manual means are concerned, IA need to decide on which activities is absolutely must. After all meetings are generally waste of time.
Manoj, some meetings are certainly a waste of time. But a review meeting conducted by senior management can be a powerful control.
Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP
Norman
Asking this question in our automated business world gives me some concern, however I am not sure of what is going on in IA in Germany. IA should definately use automated continuous auditing/monitoring, as it independently assesses and tests the system of internal control. Management too should use automated CM to build the system of IC. I believe SAP, large German software vendor you know well, has endorsed CM and Oversight Systems as an endorsed SAP CM extension. See my papers at http://www.canco.us
Michael
Michael, SAP absolutely has technology for continuous auditing. I have implemented continuous auditing techniques (both manual and automated) as CAE and derived great value. But, as I say in the blog and in comments there, I only believe in doing it where it contributes to the overall assurance mission. I don’t do it just because I can and management likes it.
Norman
Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP
Good post Norman.
I am tempted to ask what auditing techniques the respondents advocate if ‘continuous’ ones are inappropriate! If monitoring controls is not desirable, is a purely subjective assessment preferable?
However, you state that the term ‘continuous’ is subjective and a relative concept. A little more surprising is that even the terms ‘auditing’ and ‘monitoring’ mean different things to different people, in my experience!
This survey and your post does trigger a related (or maybe the root) issue I see repeatedly in Germany. The ‘M’ word . . . .
Monitoring is a delicate term in German business culture, primarily due to the powerful Workers Councils and the perception of ‘monitoring’ as an oppressive ‘big brother’ activity which employers should not get involved with. It is not permitted, for example, to monitor employee activity or performance without VERY specific reasons, and this is often extended to include the execution of control activities. Since one would only determine the specific reason having performed the monitoring, it becomes a time consuming and circuitous route to follow this reasoning . . .
Successful CM and CA initiatives in Germany do not use the ‘M’ word and typically are focussed at ‘reporting process exceptions’ . . . .
A subtle subterfuge perhaps, but that’s certainly the reality that I see!
Dan
Lidl Accused of Spying on Workers
A report by German magazine Stern triggers a government probe into the supermarket chain’s alleged high-tech monitoring of employees
http://www.businessweek.com/globalbiz/content/mar2008/gb20080326_558865.htm
I think you have it right here Norman. The key point is that if continuous assurance is needed then continuous auditing would be a route to provide this. I would counter, however, that most organisations have a tiny audit team compared to management team. Thus, if the board could accept a less independent form of management assurance with periodic, more independent, internal audit assurance, that would represent better value for money. Hence, as a rule, I would suggest continuous auditing is not a generally required.
Norman, I’m not sure if I completely agree with you here. When only considering the highly automated parts of continues auditing, e.g. scanning all transactions, I don’t see why the IA team should not be allowed to view and investigate red flags produced by these systems. As you say, management is responsible for the system of internal controls, but don’t you think the IA team, with their special set of mind, is the better fraud finder? Consequently, management and IA could share responsibility: Management could handle all non-severe cases related to their area, whereas IA could view management’s decisions on flags and investigate severe fraud flags and therefrom derive a holistic view.
Speaking of efficiency: I guess most firms let their internal auditors scan through transaction data to find irregularities, so why not let systems to the dirty work? Securing the independency of IA work in a highly automated setup and ensuring that IA doesn’t only rely on IT system may then be new uprising challenges.
Is a collaborative approach with management and IA using the same system to prevent fraud from slightly different perspectives that bad? Is it really necessary to introduce a really strict line between management and IA?
In my experience, NO. IA can help setup criteria and validate results, but not perform this function. Also, the ROI of continuous monitoring never pays off.
Controls are necessary to run a business.
Given the scale and speed at which businesses are run these days, controls are more important than ever.
Continuous auditing is a methodology or technique to monitor risks/control.
Whether it’s done by management or auditors, it would require resources.
If there is a positive ROI, I am sure that it won’t matter who owns it because it generates a positive return to the business.
I think what’s more important is how IA works with management. Management should own the detection of business issues ’cause they can take credit for finding them. If IA takes all the credit for finding business issues via continuous auditing, then continuous auditing will not be sustainable. Management will choose to ignore the expansion or do things to lessen the impact of continuous auditing.
Is there Segregation of Duties conflict in this case?
Can the same person / business area create a transaction and perform assessment of the continuous monitoring?
See my comments for each numbered item mentioned:
1) I agree that establishing and maintaining a system of internal control is management’s responsibility but isn’t Internal Audit’s responsibility to provide assurance as to whether the control environment is effective, and not just from a financial perspective either? If as a part of your audit, you see that management is not deploying continuous monitoring techniques, would you not recommend such to improve overall efficiency of the control process? Remember, there is also an inverse relationship between continuous monitoring and continuous auditing. The more that management monitors, the less that Internal Audit needs to continuously audit; they can rely on / audit the monitoring process rather than performing the continuous audit steps themselves. Oftentimes though, management’s control (although effective) may not be efficient. Therefore, Internal Audit departments that deploy continuous auditing practices are simply being more efficient in their audit process, and based on the type of continuous audit process in place, reduce sampling risk. Also remember that Internal Audit’s risk appetite is more than likely more conservative the management (at least mine is) and if management does not want greater assurance that all is ok, which is their prerogative, but that will not stop me from providing a higher level of assurance –> and one way to achieve that is through continuous monitoring / continuous auditing solutions.
2) I don’t necessarily agree. Continuous auditing can be used for both controls and transactions. For example, if your system is set up to block shipments over a specified credit limit for customers (a good system control), continuous monitoring / auditing could be used to identify if the configuration was changed to allow shipments to customers over their credit limit. This could potentially cause revenue recognition issues. But if you deploy some software to monitor it, you then can audit the change as soon as it occurs and perform additional procedures if necessary to determine of the appropriateness of the revenue recorded. The other thing missing here I believe is combining test of transactions with control testing (dual purpose testing). If you identify transactions that you want to audit via continuous auditing techniques, you also test the control attributes around that transaction as well.
3) Agree and well said. But also remember, that Internal Audit must also be prepared to cover any “black swan” events. And if the company is utilizing continuous monitor / continuous auditing methodologies, they should be able to re-direct resources to address such items without affecting previously committed to deliverables, as well as minimize the impact on the risk profile of the organization, which oftentimes does NOT happen as audits are dropped as an example, due to allocation of resources to address the event(s).
4) Particularly GTAG #3. This is very informative document. If organizations deploy both continuous monitoring / continuous auditing practices, there is simply a greater level of assurance being provided to the Exec. Team, the Board and to the shareholders. As mentioned in #3 above, we hope that management is focusing / managing the higher risks of an organization, which by nature, one could assume those risks should be monitored more frequently. Deploying continuous monitoring / continuous auditing solutions provides such assurance.
5) The terminology (continuous monitoring / continuous auditing) suggests that risks are being continuously monitored / updated based on the continuous audits being performed. We all know why we audit –1 ) To verify reliability and integrity of financial and operational information 2) To improve effectiveness and efficiency of operations, 3) to ensure compliance with laws, regulations, and contracts and 4) to simply safeguard company assets; all of which relates to risks within the organization.
6) I don’t necessarily agree with this statement. Simply changing monitoring / auditing of transactions / controls from an annual to quarterly frequency or quarterly to monthly frequency is really not continuous monitoring / continuous auditing. Continuous by definition suggests marked by uninterrupted time or sequence. Performing a manual control on a quarterly or monthly basis is NOT continuous. Yes, you are shrinking the gap between the two periods and it probably provides a higher level of assurance than doing it only quarterly, but without the use of technology, it is not continuous monitoring / continuous auditing. You’re still simply deploying a traditional audit methodology.
7) Again, I don’t necessarily agree. The example you provided is really not continuous monitoring / continuous auditing. It is simply an observation (type of audit procedure) of a manual, monthly control. There is nothing continuous about this. The data included in the meeting discussion, i.e., financials, trends and variances lends itself to being continuously monitored / continuously audited, but not the monthly meeting itself.
Without technology, it is virtually impossible for auditors to deploy continuous auditing, or continuous monitoring for that matter. Yes, you’re correct that the audit tests performed once an exception has been identified, or sample selection determined is manual, but that will always be the case.
Technology provides organizations with the ability, if they choose to do so, to get the information as close to “real-time” as possible and allow the users of the information to act much more quickly than ever before, thus providing an unprecedented level of assurance to the Exec. Team, the Board and to the shareholders. This is the “Value” of continuous monitoring / continuous auditing and risk management solutions!!!
Excel may be slow if you run the calculationg process every time you whant a calcuation, but what you need to do is to estimate the maximum variation you variables have and frome that data you can do a faster estimation with the excel.
You need to considere what you are willing to do when you are not willing to pay for a development or a system that has valuation “just in time”.