PwC has sound advice on Continuous Auditing

This week, I attended a Chief Audit Executive roundtable in PwC’s new San Jose offices. The first topic was continuous auditing, led by their national director out of Chicago. I was able to find a copy of the slides from a similar presentation at the Kansas City chapter of ISACA earlier this year.

What I like about the PwC presentation includes:

  • The use of continuous auditing techniques to move from annual or periodic to more continuous risk assessment (slide 10). This enables what I refer to as “auditing what the risks are now” rather than what they used to be when the periodic risk assessment was completed. Continuously assessing risks allows internal audit to change direction and address risks as they emerge, providing greater value to the organization.
  • An emphasis on the top-down, risk-based approach to internal audit. I have been advocating this for a long time, and you can see my writing and papers on the topic here. PwC covers this on slide 16. The idea is that internal audit should not change from a risk-based approach when it considers using continuous auditing techniques. Rather, it should go through the same process of identifying the risks to address then ask: (a) is there value in providing assurance on a more continuous basis, rather than as a result of a one-time audit, and (b) what is the best method for providing that assurance? The answer may well be continuous auditing, generally – but not always – using technology. (One common mistake is to think that continuous auditing is only the use of software. If you look at the IIA GTAG, you will see that the term is used to describe any auditing activity that is performed more continuously. So, if you decide to do manual testing of transactions every month, that is continuous auditing as well.) Page 17 is a nice, concise summary.
  • Page 20 includes a key point: don’t select a tool and then try to be busy with it. That results in testing of low-level risks. It is better to decide what you need to do and then select the tools (often a combination of tools) necessary to do the job.

In the presentation, PwC mentioned the opportunity for auditors to use:

  • Tools the company already has in place, such as the business intelligence and data warehouse systems used by financial and operational analysts.
  • Specialized continuous auditing tools from SAP, Oracle, Approva, Oversight and others.
  • More traditional tools for auditors, such as ACL and IDEA.
  • Microsoft products, like Excel and Access.

Each option has advantages and disadvantages.

I am interested in your views, both of the PwC slides and of my paper. Do you agree that the use of continuous auditing should be focused on providing more continuous assurance on the risks that matter today?

  1. July 22, 2011 at 9:11 PM

    From a general business point of view, PwC provided a good reason for getting more money from the clients.
    For what? For letting them use “tools the company already has in place, such as the business intelligence and data warehouse systems used by financial and operational analysts.” and knowing more confidential information on clients’ activity.
    Someone can find this opportunity exciting, not me.

  2. Norman Marks
    July 23, 2011 at 6:45 AM

    Sergey, I am confused by your comment. PwC gets “more money from clients” by acting as a consultant to their implementation of tools. If internal audit decides not to buy a tool but instead to use something the company already owns, how are they making more money?

    I was encouraged by the recognition that often you don’t actually have to buy a tool but can use existing solutions. Why? Because that makes implementation an easier business proposition. You don’t have to get a purchase approved, struggle with getting access to the data, and obtain support from IT.

  3. Norman Marks
    July 23, 2011 at 3:43 PM

    Two other recent posts address the ability to use technology:

    – PwC provides wealth of material on innovation and mobility (https://normanmarks.wordpress.com/2011/07/22/pwc-provides-wealth-of-material-on-innovation-and-mobility/)

    – Facts, risks, and opportunities: The explosion of data about us and our companies (https://normanmarks.wordpress.com/2011/07/18/the-explosion-of-data/)

  4. Paul M. Walker
    July 25, 2011 at 3:24 AM

    Hi Norman: Can you share the slides from the PwC presentation?

  5. Norman Marks
    July 25, 2011 at 6:01 AM

    Paul, please click on the word “slides” in the post. Let me know if that does not work.

  6. Sarah
    July 26, 2011 at 1:33 PM

    In my opinion, anything that brings the internal auditors closer to the real time risk decisions has to be a positive step. Whether you’re analysing data, performing routine challenge sessions to project teams after they’ve brainstormed, or looking at the completeness of risk identification and changes to the risk environment with very short (e.g. monthly) periodicity, you are much more likely to add bottom line value by providing objective and independent assurance that the business is setting itself up for success by looking at the risk management undertaken based on the same information the business has at the time of decision making, than going in 2 years later with 20/20 hindsight and the evidence of what went wrong and criticising them for things they possibly could not and sometimes should not have foreseen. This will force the internal audit profession to “up its game” in terms of professionalism and risk management expertise and move away from the rut of compliance that appears to be becoming endemic post Enron/SOX.

  7. Onwumah L Esumeh
    August 2, 2011 at 11:40 PM

    Although I have not watched the slides, from the trend of discussion and my personal experience in external audit, I agreed strongly to the need for continuous risk assessment. The annual exercise hardly revised the trend of non compliance and risk management. It is absolutely proper to address arising issues now rather than 12 months after.

  8. August 4, 2011 at 1:54 AM

    Interesting data and comments. What puzzles me is what we mean by ‘continuous’. It seems to include ‘real time’, discovering issues at an earlier stage and auditing on a very regular basis. Then the question arises whether this is an internal audit approach or whether this is something we expect to sit within the business as a normal part of their control environment. Should internal audit as an organisation not continue to concentrate on holding the occasional mirror based on a continuous risk assessment rather than sitting on the business chair? What do I miss? I am interested to hear your experiences.

    • August 4, 2011 at 3:49 AM

      Hans,

      I’ll try to answer that. The final stage in this approach for continuous auditing is to eventually hand off ownership of exception reporting to the business owners. By doing this, Internal Audit itself does not become a control but the continuous auditing system is a new element in the control environment (accessible to both IA and BOs). Ideally there would be various levels of exceptions with the lowest risk items being handled day to day by process owners (but documented for reference) and the highest risk items would have an ‘alert’ built in for IA as well. This approach would be coupled with an update to the risk assessment once a year or more (really depending on the business process tested). In reality the continuous auditing model defined here lets everyone focus on the key aspects and audit risks that exist versus having to get caught up in the actual data analysis exercise.

      Let me know if that helps.

      Thanks,
      Mullins

  9. David Boulanger
    August 16, 2011 at 7:11 AM

    Norman –

    Can you share the slides for the presentation? Thanks.

    • Norman Marks
      August 16, 2011 at 7:12 AM

      David, please click on the word ‘slides’ in the post.
