Why is the move to continuous auditing so slow?
Continuous auditing has been on the agenda for CAEs for quite a few years. Many are dabbling in it, with a process here and there, or have implemented a set of tests around the easy targets of accounts payable, payroll, manual journal entries, etc.
But why have so few moved their audit approach to one that maximizes the use of technology to test the controls and monitor the data for the majority of the risks they audit – on a continuous basis?
Here are my top five reasons for organizations not spending the money (yes, money is needed even though the payback is fast) to acquire and implement the technology.
1. We have no money. Internal auditors typically have no budget, even in good times. These last couple of years, funding has been tighter still. I believe the key is:
a. Build the financial case, showing how a fuller continuous auditing or monitoring deployment (across a large number of risks and related controls) generates savings over time
b. Partner with other departments, outside internal audit, who can use the same technology. The continuous auditing/monitoring technology can be used for SOX, but it can also be used for monitoring or for automating detective controls within business processes
c. Focus less on fraud and more on risk management, controls assurance, and positive ROI
2. I am not sure how to implement it. Vendors are happy to show you the content they deliver with the product (the tests), but not every vendor has a methodology that helps drive a top-down and risk-based program. I refer you to my paper on continuous risk and control assurance: see the shared documents tab on my LinkedIn profile for details on how to download the CRCA paper.
3. How is it different from CAATs? This question goes to the heart of the issue: that many people don’t understand how to implement a continuous auditing program – refer to my paper on CRCA.
4. Monitoring is a management function. Yes, it is, but that doesn’t mean that (a) internal audit can’t help them build a continuous monitoring program that they will then audit, and (b) internal auditing should not move to continuous auditing where management is not using technology. For example, management may rely on supervisors reviewing documents and other work of their subordinates; internal audit may use technology to go deeper and test whether the supervisor’s review is consistent and effective. Certainly, the use of continuous auditing techniques to detect fraud or to detect higher levels of risk is independent of any management use.
5. IT won’t let me buy products from the specialized vendors of continuous auditing technology, and they are reluctant to let me connect them to production systems. These are legitimate concerns, as adding more vendors and technologies to the infrastructure adds complexity, risk, and cost. IT is correct to be protective of the production applications and data. The answer, I submit, is to consider the use of enterprise solutions. If you are an SAP customer, consider the products from SAP for continuous auditing/monitoring (SAP BusinessObjects Process Control), systems access monitoring (SAP BusinessObjects Access Control) and business intelligence (SAP BusinessObjects Explorer and related solutions).
What are your top reasons why the adoption of continuous auditing has been so slow?