Should internal audit perform continuous auditing?
A service provider in Germany recently completed a survey of internal audit heads in that country. He told me that the great majority believe that internal audit should not use continuous auditing techniques because monitoring controls is a management responsibility, and asked my opinion.
I told him that I have some sympathy with that opinion, and expressed my own:
1. The system of internal control is a management responsibility, and management is also responsible for control monitoring. However, the COSO internal control framework recognizes that management may place some reliance on internal audit for controls monitoring (assurance).
2. The way many, if not most, use these techniques is really auditing transactions and not controls. They are detecting errors and possibly fraud. First, testing transactions provides only limited assurance that the controls are in place and operating, so that future activity will be as desired. Second, I believe it is management’s job to test transactions and internal audit’s to test controls.
3. We need to remain mindful that the primary task of internal audit is to provide assurance that the more significant risks to the organization are managed within acceptable limits, and this is achieved by internal controls. Our job in internal audit is to address the controls over the more significant risks, and to provide assurance when it is needed by the organization. For some risks, high risks such as derivative trading, assurance may be needed on a frequent basis. So, we should perform tests of controls that support that more frequent need for assurance.
4. The IIA Global Technology Guide (GTAG) on continuous auditing has some excellent content and advice. I suggested more people should reference it.
5. I believe in continuous risk monitoring and updating of the audit plan, to ensure that audit efforts are focused on what matters now, rather than what mattered at the start of the year. This is a form of continuous auditing. For example, I would use analytics technology to monitor a software company’s credit memos at the beginning of each quarter, as that is an indicator of potential revenue fraud, and support a consumer products company’s internal audit monitoring of trends in product gross margin as an indicator of potential risks.
6. Continuous audit is not always continuous (see the GTAG definition). It simply means performing the audit activity more frequently.
7. Continuous auditing is not another way of talking about audit use of technology. Continuous audit tests may be manual; for example, attending the CFO’s monthly meeting to review the divisional financials, trends, and variances confirms that this important control is operating.
The bottom line is that internal audit should do the work necessary to provide its stakeholders with the assurance they need, when they need it, on the more significant risks. Doing less is an issue. Doing more may mean either inefficient use of resources (unless clearly valuable consulting services) or an encroachment upon management responsibilities.
What do you think?