Why is the move to continuous auditing so slow?

January 14, 2010

Continuous auditing has been on the agenda for CAEs for quite a few years. Many are dabbling in it, with a process here and there, or have implemented a set of tests around the easy targets of accounts payable, payroll, manual journal entries, etc.

But why have so few moved their audit approach to one that maximizes the use of technology to test the controls and monitor the data for the majority of the risks they audit – on a continuous basis?

Here are my top five reasons for organizations not spending the money (yes, money is needed even though the payback is fast) to acquire and implement the technology.

1. We have no money. Internal auditors typically have no budget, even in good times. These last couple of years, funding has been tighter still. I believe the key is:
a. Build the financial case, showing how a fuller continuous auditing or monitoring deployment (across a large number of risks and related controls) generates savings over time
b. Partner with other departments, outside internal audit, who can use the same technology. The continuous auditing/monitoring technology can be used for SOX, but it can also be used for monitoring or for automating detective controls within business processes
c. Focus less on fraud and more on risk management, controls assurance, and positive ROI

2. I am not sure how to implement it. Vendors are happy to show you the content they deliver with the product (the tests), but not every vendor has a methodology that helps drive a top-down and risk-based program. I refer you to my paper on continuous risk and control assurance: see my shared documents tab for details on how to download the CRCA paper on my LinkedIn profile.

3. How is it different from CAATs? This question goes to the heart of the issue: that many people don’t understand how to implement a continuous auditing program – refer to my paper on CRCA.

4. Monitoring is a management function. Yes, it is, but that doesn’t mean that (a) internal audit can’t help them build a continuous monitoring program that they will then audit, and (b) internal auditing should not move to continuous auditing where management is not using technology. For example, management may rely on supervisors reviewing documents and other work of their subordinates; internal audit may use technology to go deeper and test whether the supervisor’s review is consistent and effective. Certainly, the use of continuous auditing techniques to detect fraud or to detect higher levels of risk is independent of any management use.

5. IT won’t let me buy products from the specialized vendors of continuous auditing technology, and they are reluctant to let me connect them to production systems. These are legitimate concerns, as adding more vendors and technologies to the infrastructure adds complexity, risk, and cost. IT is correct to be protective of the production applications and data. The answer, I submit, is to consider the use of enterprise solutions. If you are an SAP customer, consider the products from SAP for continuous auditing/monitoring (SAP BusinessObjects Process Control), systems access monitoring (SAP BusinessObjects Access Control) and business intelligence (SAP BusinessObjects Explorer and related solutions).

What are your top reasons the adoption of continuous auditing has been so slow?

  1. paul steele
    January 14, 2010 at 2:21 PM

    Norman,
    You have highlighted 5 very common reasons IA depts/companies probably are slow to implement continuous auditing. Our IA department was in a similar situation, with money being the major roadblock. Fortunately we were able to partner with IT and are in the process now of implementing Oracle’s GRC module. Our goal is to maximize the use of this tool, using it to continuously monitor transactions throughout the ERP system. It’s a journey we are just beginning here. Last summer we spoke on this topic and I would like to express my thanks for the insight you provided then.

  2. January 17, 2010 at 10:15 AM

    Adoption has been slow because this is a new discipline for most organizations and there are few models for success. As a vendor in the space, Oversight Systems has worked with many clients as they’ve implemented continuous auditing (CA) and continuous monitoring (CM) programs. One key to success is moving from a retrospective to a real time mentality which gives the CA/CM program an opportunity to gain momentum.

    With the retrospective mentality the CA/CM system is loaded with the exceptions from the past 12 or 18 months of transactions. The net result is a huge backlog of exceptions that overwhelms the CA/CM users.

    In a real time mentality the focus moves to recently created exceptions. The work load is less imposing and the exceptions are easier to correct since you’re dealing with a problem that just happened – you’re nipping the problem in the bud.

    (Certainly there’s nothing wrong with examining the past year’s data. It should just be part of a separate project and not part of the ongoing CA/CM efforts.)

    CA/CM is a new process for most organizations which dictates a gradual ramp up of the capability within the organization. Doing so increases the likelihood of success.

    And with more successes more organizations will start CA/CM initiatives.

  3. Norman Marks
    January 17, 2010 at 1:48 PM

    All:

    One reason I didn’t include in my list: abdication of the topic by operational auditors and CAEs, and domination by IT auditors.

    If the goal of the internal audit program is to assess and test all the controls relied upon to manage the more significant risks, you have to test manual and hybrid (semi-automated) controls as well as automated controls. IT auditors tend to focus on automated controls and IT general controls, and may overlook manual and hybrid business process controls. The latter are more difficult to test using technology (you have to use surveys, management self-assessments, and repeated manual tests), and not every vendor has that functionality.

    To succeed, a continuous auditing program has to be carefully and thoughtfully designed by a team of operational and IT auditors, and recognize:
    1. You need to test all the controls relied upon to manage the more significant risks, and not just the IT controls, and
    2. You probably need more than one product

  4. nmarks
    January 17, 2010 at 1:54 PM

    Please do not advertise. I am open to constructive comment, but not a comment that is pure marketing.

  5. Isaak Estes
    July 8, 2010 at 5:16 AM

    To perform a continuous audit, the auditor has to develop utility programs that routinely perform during the normal processing of the enterprise’s day-to-day operations. Auditors can also rely on utility software that is used in running the system.

    Isaak Estes
    access control systems

  6. Mujeebullah Yoosufani
    April 8, 2011 at 6:47 AM

    Hi Norm,

    What you stated is definitely true. Although we purchased a stand-alone desktop license of ACL, we have set up a full-blown Continuous Auditing program. One reason for that is that when advertising, they promise a lot but when you install the application, it’s hard to know what strategies to use in developing a continuous auditing program. Then they want you to attend countless training courses to get up to speed but still as for knowing what audit programs we should develop, there is little to no guidance on the internet. We find that as the major drawback. Now we have to invest $40,000 – $50,000 for the vendor to come and implement a full-blown program for us. That’s the catch.

    – MY

  7. Mujeebullah Yoosufani
    April 8, 2011 at 6:50 AM

    Hi Norm,

    What you stated is definitely true. Although we purchased a stand-alone desktop license of ACL, we have not set up a full-blown Continuous Auditing program. One reason for that is that when advertising, they promise a lot but when you install the application, it’s hard to know what strategies to use in developing a continuous auditing program. Then they want you to attend countless training courses to get up to speed but still as for knowing what audit programs we should develop, there is little to no guidance on the internet. We find that as the major drawback. Now we have to invest $40,000 – $50,000 for the vendor to come and implement a full-blown program for us. That’s the catch.

    – MY
