The Sirens of Continuous Auditing
As a youth, I loved Greek mythology and the story of the sirens is one that captured my attention. Here we have three beautiful women whose enchanting music and voices lured sailors on passing ships to draw closer to the shore so they could see and hear them better. The sailors became distracted by the seductresses and didn’t pay sufficient attention to the dangerous shores they were approaching – and their ships subsequently were destroyed.
Now don’t get me wrong, I believe in the use of continuous auditing techniques. But, not it’s blind use. Just as the sirens blinded passing sailors to the dangers of the rocky shore, so continuous auditing can blind internal auditors to their primary mission.
The primary mission of the internal auditing function (per the IIA’s Standards) is to provide its stakeholders with assurance on the adequacy of governance, risk management, and related internal controls. The mission is not to perform audits – they are just one of the ways we can obtain and share assurance on governance, risk management, and related internal controls.
Continuous auditing is a great technique that can be part of how internal audit provides assurance. You can download my paper on this topic (Continuous Risk and Control Assurance, CRCA) from my LinkedIn profile, at http://www.linkedin.com/in/normanmarks.
But it can also be a siren, luring us to dangerous waters. For example:
- When you acquire a vendor’s continuous auditing solution, it typically comes with the vendor’s sales pitch on the merits of (say) testing 100% of accounts payable transactions, payroll activities, and manual journal entries; and, delivered content that includes these tests. It is so easy to fall prey to the seductresses and implement these tests – consuming precious internal audit resources – when these are not the high risk areas for the company that merit internal audit attention. When you implement continuous auditing, it should be on higher ranking risks and related controls.
- The sirens may call you to buy the snazziest continuous auditing tool, perhaps the one that received high ratings in an analyst’s assessment or other market survey. Perhaps it is the solution from a trusted software vendor that has served internal audit needs well in the past. But is it the right tool for the job? As explained in my paper, a combination of controls is generally relied on to manage a business risk. These controls may include manual controls, automated controls, and IT general controls. If you want to provide assurance on a business risk, all the related controls have to be addressed – and not every tool will help you do that. For example, you may want to use surveys or management self-assessment to confirm individuals have read the code of ethics. You may also want to monitor access by database administrators to confirm there were no inappropriate changes to sensitive data. The snazziest tool may not contain all the features you need, and you may need more than one tool. The answer is to understand what you need to test, and how, before you answer the sirens’ call and buy a tool. You should also, and I believe this is very important, understand and assess the software already in place. If this is sufficient to the task, why purchase a separate continuous auditing tool?
- Moving to continuous auditing without appropriate pre-planning and coordination with operating management can lead you onto the rocks. The primary risk is that you will overwhelm management with a flood of potential exceptions that only they can investigate. If you do that, they are likely to push back and stop supporting the project. An initial false step may bring to an end any executive support as well. Secondarily, you need to consider how continuous auditing will affect the balance of projects on the audit plan, and how you will report the results of continuous auditing to management and the audit committee.
At SAP, we recognize these sirens for what they are and offer solutions to meet most continuous auditing needs.
- The SAP BusinessObjects Risk Management solution not only enables the assessment, monitoring, and management of risks, but the user can also identify the controls relied upon to manage those risks.
- SAP BusinessObjects Process Control, which is integrated with Risk Management, takes those risks and controls and manages the testing of the controls. Process Control has functionality for the near-real time examination of transactions against defined rules, enabling the continuous testing of controls and verification of data integrity. It can also identify transactions for manual review, for example identifying all changes to the configuration of key automated controls so they can be reviewed and verified as appropriate. The product supports surveys and management-self assessment, and it can also be used to automate the scheduling and workflow of manual control tests. In other words, SAP BusinessObjects Process Control is a very effective solution for continuous auditing.
- SAP BusinessObjects Access Control provides continuous monitoring of access control risks, including excess access and segregation of duties exposures.
- SAP BusinessObjects Business Intelligence is the premier business intelligence solution. Internal auditors can use it for data analytics as a supplement to the near-real time testing capabilities of Process Control. For example complex continuous auditing routines, or routines requiring the analysis of very large volumes of data (such as gross margin trends for the last year for every product group and geography), that may not be suitable for near-real time analysis.
SAP has a vast ecosystem of partners whose products augment ours and complete our customers’ needs.
We recommend (as discussed in the CRCA paper) that every customer understand its needs, including which risks and controls will be the subject of the continuous auditing program, before tools. We believe that in most cases, customers will need a combination of tools to test all the controls relied upon to manage the more significant risks to the enterprise.
We also believe that our range of tools will place us at the top of the list of potential suppliers of solutions to our customers’ continuous auditing needs.