Continuous auditing that should NOT be performed by internal audit
I have to admit to being a big fan of continuous auditing in general. One of my more popular papers (available for download here) is on the topic of continuous risk and control assurance. I wrote it to explain why I believe internal auditors should move from providing assurance on an occasional basis to providing assurance when it is needed by the audit committee and top management. In these days of rapidly changing risks, when businesses are moving faster and faster, internal audit needs (IMHO) to be able to provide prompt assurance on the more significant risks. Telling top management that internal audit can provide assurance in a month, after an audit is completed, is clearly sub-optimal (if not unacceptable).
But, I also believe that certain practices, generally described as continuous auditing, are NOT core internal audit practices. At best, they are consulting services; at worst, they are internal controls relied on by management – that should be performed by management.
Let’s start with a statement with which, hopefully, almost everybody will agree: the core internal audit mission is to provide assurance services related to the adequacy of management’s processes for managing risk, the organization’s governance processes, and the related controls. In addition (and to me, this is a clear secondary activity) internal audit provides value-add consulting services. Both the assurance and consulting services are intended to help management improve the effectiveness of their processes. Within that mission, two forms of continuous auditing fit:
- Continuous audit activities that are designed to provide assurance on a more continuous basis, for example by testing controls more frequently.
- Continuous audit activities that are recognized as value-add (rather than assurance) activities and are approved by the audit committee.
Let’s examine a few cases:
- The use of software to identify duplicate payments. To me, management should have controls to prevent, or at least identify promptly, duplicate payments. If reliance is instead placed on internal audit to identify the duplicate payments, internal audit is performing a management function. I would be reluctant to do this unless management could make a convincing case that this was the best use of overall corporate resources, that it did not take resources away from essential assurance activities, and that it was approved by the audit committee.
- The use of software to detect errors, typically the result of internal controls failing to operate effectively: for example, internal audit monitoring transactions to detect errors such as approved (or paid) vendor invoices not matching purchase orders or receiving documents. Some consider this a valid internal audit activity, but again I think that internal audit is stepping in and performing a control – a management function. Now, I am fine with audit providing a consulting function, developing the capability and turning it over to management to run. But, I am reluctant to see internal audit continuing to do it. I would do it if management could make a solid business case, it didn’t detract from essential assurance work, and it was approved by the audit committee.
- Fraud detection is an interesting case. While many internal audit functions have this in their charter, I believe that controls to prevent and detect fraud are a management responsibility – that internal audit can perform as a consulting service, with the approval of the audit committee. It should not divert resources away from essential assurance activities. In an ideal world, fraud detection is performed by management and assessed by internal audit. But, internal audit has independence and skills that may well make a compelling case for their owning fraud detection. Again, it should be approved by the audit committee and included in the internal audit charter.
My preferred continuous audit work consists of tests (that are generally but not always automated) that provide assurance that the controls relied upon to manage the more significant risks are working effectively. Testing data does not provide assurance that controls are working: when the tests identify exceptions, that implies the controls are not working – but the absence of exceptions does not provide evidence that controls are operating and effective.
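To make the distinction concrete, here is an added example (my own illustration, not code from the original post). It contrasts the two kinds of continuous activity discussed above: data-level exception monitoring (duplicate-payment detection and three-way-match exceptions, the management controls from the earlier bullets) and an assurance test that checks whether the matching control itself executed and decided correctly. All invoices, payments, purchase orders and the control log are constructed sample data, and the control-log format is an assumption made for the example.

```python
"""
Constructed example: continuous monitoring (data exceptions) versus
continuous assurance (evidence that the control operated).
Every record below is made up for illustration.
"""
from collections import defaultdict
from decimal import Decimal

# Purchase orders: po_no -> (vendor, ordered amount); receipts: po_no -> received amount
PURCHASE_ORDERS = {
    "PO-100": ("Acme Supplies", Decimal("1200.00")),
    "PO-101": ("Acme Supplies", Decimal("450.00")),
    "PO-102": ("Northwind Parts", Decimal("980.00")),
}
RECEIPTS = {"PO-100": Decimal("1200.00"), "PO-101": Decimal("450.00"), "PO-102": Decimal("980.00")}

# Vendor invoices approved for payment (constructed)
INVOICES = [
    {"inv_no": "INV-7001", "vendor": "Acme Supplies", "po_no": "PO-100", "amount": Decimal("1200.00")},
    {"inv_no": "INV-7002", "vendor": "Acme Supplies", "po_no": "PO-101", "amount": Decimal("450.00")},
    {"inv_no": "INV-7003", "vendor": "Northwind Parts", "po_no": "PO-102", "amount": Decimal("980.00")},
]

# Payments issued (constructed). INV-7001 is paid twice, the second time with
# the invoice number keyed slightly differently, a common duplicate-payment pattern.
PAYMENTS = [
    {"pay_id": "P-1", "vendor": "Acme Supplies", "inv_no": "INV-7001", "amount": Decimal("1200.00")},
    {"pay_id": "P-2", "vendor": "Acme Supplies", "inv_no": "inv 7001", "amount": Decimal("1200.00")},
    {"pay_id": "P-3", "vendor": "Acme Supplies", "inv_no": "INV-7002", "amount": Decimal("450.00")},
    {"pay_id": "P-4", "vendor": "Northwind Parts", "inv_no": "INV-7003", "amount": Decimal("980.00")},
]

# Assumed control log written by the three-way-match control each time it runs.
# INV-7003 has no entry: it was approved through an override path and the
# control never executed, even though its data happens to match.
MATCH_CONTROL_LOG = {
    "INV-7001": {"ran": True, "result": "pass"},
    "INV-7002": {"ran": True, "result": "pass"},
}


def normalize_inv_no(raw: str) -> str:
    """Collapse case, spaces and punctuation so 'inv 7001' and 'INV-7001' compare equal."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def find_duplicate_payments(payments):
    """Continuous monitoring: group payments by (vendor, normalized invoice number, amount)."""
    groups = defaultdict(list)
    for pay in payments:
        key = (pay["vendor"], normalize_inv_no(pay["inv_no"]), pay["amount"])
        groups[key].append(pay["pay_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def three_way_match(inv, purchase_orders, receipts) -> bool:
    """Re-perform the match: invoice vendor and amount must agree with PO and receipt."""
    po = purchase_orders.get(inv["po_no"])
    if po is None:
        return False
    vendor, po_amount = po
    return inv["vendor"] == vendor and inv["amount"] == po_amount == receipts.get(inv["po_no"])


def find_unmatched_invoices(invoices, purchase_orders, receipts):
    """Continuous monitoring: approved invoices whose data does not three-way match."""
    return [inv["inv_no"] for inv in invoices if not three_way_match(inv, purchase_orders, receipts)]


def check_match_control_operated(invoices, control_log, purchase_orders, receipts):
    """Assurance test: for every approved invoice, did the control run, and does its
    recorded decision agree with an independent re-performance of the match?"""
    findings = []
    for inv in invoices:
        entry = control_log.get(inv["inv_no"])
        if entry is None or not entry["ran"]:
            findings.append((inv["inv_no"], "control did not execute"))
            continue
        expected = "pass" if three_way_match(inv, purchase_orders, receipts) else "fail"
        if entry["result"] != expected:
            findings.append((inv["inv_no"], f"control recorded {entry['result']}, re-performance gives {expected}"))
    return findings


if __name__ == "__main__":
    print("duplicate payments:", find_duplicate_payments(PAYMENTS))
    print("unmatched invoices:", find_unmatched_invoices(INVOICES, PURCHASE_ORDERS, RECEIPTS))
    print("control findings:", check_match_control_operated(INVOICES, MATCH_CONTROL_LOG, PURCHASE_ORDERS, RECEIPTS))
```

Run against this data, the duplicate-payment check flags P-1 and P-2, and the three-way-match data test reports no exceptions at all. Only the control test reveals that INV-7003 was never subjected to the matching control. That is the point of the paragraph above: a clean exception report says nothing about whether the control operated, which is why the assurance test re-performs the control and checks for evidence of its execution rather than just scanning the data.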
What do you think? Do you agree that these forms of continuous auditing should be performed by management (and are really continuous monitoring)?