Both continuous auditing and continuous monitoring can be cornerstones in helping internal audit respond effectively to the increased expectations that are placed upon them. They can also help organizations operate more efficiently and more profitably. In part one of this two-part series, John Verver, from ACL Services Ltd., poses the question: Are these two separate concepts or merely variations of a theme? In part two, John closes his discussion by focusing on the benefits of continuous auditing and monitoring, and related best practices.
Continuous Monitoring and Auditing: What is the difference? – Part 1
Call them the twin peaks of continuity – “continuous auditing” and “continuous monitoring.” There are certainly similarities between them, but they are not quite the same processes. Both can be cornerstones in helping internal audit respond effectively to the increased expectations that are placed upon them. They can also help organizations operate more efficiently and more profitably.
The concept of continuous auditing is fairly straightforward: Audit performs auditing activities on a frequent repeated basis to provide ongoing assurance and more timely insight into risk and control issues.
Continuous monitoring is also straightforward: It is essentially a process that falls under management’s responsibility, in which key business process transactions and controls are constantly assessed. This permits ongoing insight into the effectiveness of controls and the integrity of transactions running within them.
Are these two separate concepts or merely variations of a theme?
There is indeed a primary difference, which is related to ownership of the process. Though both processes are similar and tend to produce similar outcomes, continuous auditing – as its name implies – is owned by the audit function and can include any audit process that is repeated regularly; whereas continuous monitoring is a process owned by management. Management is responsible for maintaining effective controls systems, so it follows that they should have the primary responsibility for monitoring the effectiveness of controls. They also have the most to benefit from obtaining timely insight into transactions that are the result of fraud, error or abuse.
The confusion is understandable. The term “continuous auditing” has existed for some 20 years, and has laid a solid basis for familiarity with the “continuous” concept. Audit has regularly seen “continuous monitoring” applied to its own stable of activities, including continuous control monitoring technologies. Auditors often refer to “continuous monitoring” in the context of technology, specifically around testing controls and transactions. It is not surprising, then, that the two terms often are used interchangeably. Only in recent years has the auditing profession realized the need to address the ambiguity and to distinguish the two based on ownership. In many respects this remains an ongoing educational effort.
The concepts have evolved in other ways as well. Often, change has occurred in tandem with technological developments. Look back at the past 20 plus years, and it is easy to see constant progression in the use of computers to support internal and external audit processes by means of analyzing and testing data. It has been clear for many of those years that it would be advantageous to use computer technology in this fashion on an ongoing basis – continuously. In practice, however, the technologies for this were specialized, and the accompanying process and people issues related to implementing continuous auditing were sometimes challenging.
The evolution has been one in which technology has increasingly enabled both continuous auditing and monitoring, at the same time as the audit profession has increasingly recognized the differences between the two processes.
Why These Processes Matter
There are good reasons for organizations to consider performing continuous auditing and continuous monitoring. On the auditing side, the trend has been for internal audit to move to a more risk-based approach to auditing and to become more actively involved in risk management and assessment. Because of these trends, internal audit must provide more timely insights to management in areas related to risk, controls and operational issues. To do this, technology is critical; internal audit will find it difficult if not impossible to do its evolving job without it. Indeed, recent surveys of chief audit executives (CAE) suggest that continuous auditing and continuous monitoring technologies are expected to be among the areas that have the greatest impact on audit going forward.
One approach is to use continuous auditing to perform the bulk of regular testing activities. This frees up the audit team to focus on the more critical business risks that may impact the organization. Continuous auditing technologies also give audit an indication of risks in the common business process areas. For example, when the volume of control exceptions in the purchase-to-payment cycle is increasing, audit can then respond in a timely fashion.
As far as continuous monitoring is concerned, the trend to involve management started with the requirements imposed by Sarbanes-Oxley. Another trend emerged when it became clear that going through the control assessment process benefited businesses beyond satisfying regulations: by monitoring business process systems and focusing on controls and transactions, businesses could detect errors, fraud, abuse and system inefficiencies on a timely basis.
Ultimately, continuous auditing can make the audit process more efficient and more effective while improving quality. The benefits of continuous monitoring include the support of compliance with regulatory requirements (Sarbanes-Oxley and beyond); better business efficiencies to produce improvements to the bottom line; and insight to management regarding risk.
What are the main commonalities between continuous auditing and monitoring?
Both use technologies to test transactions close to the time at which they occur, to ensure they are in compliance with the controls that should be in place and to identify any transactions that appear to be in error or fraudulent. Typically this entails use of a suite of analytics that test all transactions against a comprehensive range of control rules. They also perform statistical and profiling analysis, looking for indications of risk and control problems that may not be addressed through existing controls. This could involve a trend analysis around payroll, identifying when pay rates in one department become unusually high, for example, or when payments are being made to employees who are terminated.
The two approaches also complement each other. In fact, there is often an inverse relationship between the extent of continuous monitoring performed by management and the need for continuous auditing. For example, if management is actively monitoring transactions and controls across a range of business systems and processes, this usually means that internal audit does not have to perform the same continuous auditing activities. As long as internal audit is able to assess the reliability and effectiveness of management’s continuous monitoring, it can rely on those activities and reduce the extent of audit testing. Internal audit can then focus on extending continuous auditing techniques to those areas that are not monitored by management. As illustrated in The IIA’s GTAG #3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, the combination of effective integrated continuous auditing and monitoring results in continuous assurance.
What about the challenges to implementing continuous auditing and monitoring?
The benefits are now becoming widely understood and accepted – so why has there not been more rapid progress in implementing both approaches? A number of issues are often cited: lack of appropriate software and implementation expertise, staff turnover, assigning responsibility for managing and responding to exceptions, as well as dealing with false positives. However, the most significant issue is usually that of leadership. The topic has traditionally been considered to be a technical area, left to specialists to pursue. Yet, the organizations that have had the greatest success in continuous auditing and monitoring are those in which the CAE has embraced the approach and provided leadership to ensure that the approach is fully integrated into the overall audit strategy. When the CAE provides the compelling vision to the organization – whether it be to the audit committee, business process and financial managers or the internal audit team – the likelihood of achieving full benefits from continuous auditing and monitoring is greatly increased.
Continuous Monitoring and Auditing: What is the difference? – Part 2
There are a number of practical issues that must be addressed in order to maximize the benefit from continuous auditing and monitoring. Many of these are also the same issues that need to be addressed for the effective application of any data analytics in support of audit.
The most significant issue is getting access to the right data and ensuring that the data remains secure, controlled and well managed. Another key issue is quality and control of the testing and analysis processes themselves. Can they be relied upon to provide the appropriate level of assurance? Finally, continuous auditing and monitoring, as with any audit analytic processes, need to be efficient, productive and sustainable – processes that are not reliant upon one individual.
How to best address these issues
A good place to start is by selecting the most effective technology. Although it is possible to perform continuous auditing and monitoring with various types of general purpose analysis software, there are many advantages to using audit data analysis software that is designed for the purpose. Specialized software, for example, should provide a secure, controlled repository for the data, for the analytic procedures and for results. All activities should be logged. It should be easy and flexible to configure tests and to vary parameters. Workflow and reporting of results and exceptions should be straightforward. Interactive analysis capabilities are also critical for ensuring that additional analysis can be performed where additional analysis is required.
Of course, technology is only part of the solution. It is essential to consider and plan for the people and process issues that must be addressed in order to realize the full potential benefits of continuous auditing and monitoring. Assigning appropriate roles to appropriate individuals is central to success. For example, a non-technical auditor should not be expected to deal with the issues of data access or designing a complex analytic. On the other hand, technical specialists should not necessarily be tasked with designing the tests if they are not familiar with the specific audit and control objectives.
The role of the technical specialist is important for working with IT to access data and to populate the audit data repository that maintains the data required for testing and monitoring as well as any interactive analysis. The specialist role should include confirming that the data in the repository is the right data, that it is well controlled and that it is reconciled to ensure that it is a complete and valid population. In many cases the specialist will need to work closely with a non-technical auditor to confirm the validity of the design and running of specific tests – that they achieve the right audit and control objectives.
Once continuous auditing or monitoring tests are implemented, a common issue to address is assigning responsibility for follow up on the results of the auditing and monitoring process. This involves regularly reviewing the output and proceeding with remediation efforts – both to reverse problem transactions and to fix the control deficiencies that allow the problems to occur in the first place.
Other closely related issues are those of dealing with false positives and managing the volume of exceptions generated. It is not unusual, particularly in the early stages of implementing continuous auditing and monitoring, to generate a large number of false positives – or, at least, exceptions that are not significant enough to warrant a lot of investigation. Too many exceptions create an information overload that can get in the way of an effective and efficient response.
These issues should be expected and addressed during the implementation process. False positives are addressed by means of modifications to the analytic tests in order to exclude them in the future. Large volumes of low impact exceptions can be addressed by setting up reports so that they are quantified in total, but exceptions below a certain dollar threshold are not subject to specific remediation and workflow.
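The control tests described in Part 1 (payments to terminated employees, duplicate payments) and the exception handling described above can be sketched as follows. This is an added example, not code from the article or from any audit product; the sample payments, the `recurring_ok` exclusion list and the 500.00 threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for illustration; none of it comes from the article.
TERMINATED = {"E102": date(2024, 3, 31)}  # employee id -> termination date
ROWS = [  # (payment id, payee, reference, amount, payment date)
    ("P1", "V-17", "INV-880", 12500.00, date(2024, 4, 2)),
    ("P2", "V-17", "INV-880", 12500.00, date(2024, 4, 9)),
    ("P3", "E102", "PAY-0415", 3100.00, date(2024, 4, 15)),
    ("P4", "V-22", "INV-031", 40.00, date(2024, 4, 16)),
    ("P5", "V-22", "INV-031", 40.00, date(2024, 4, 18)),
    ("P6", "V-30", "LEASE-A", 2000.00, date(2024, 4, 1)),
    ("P7", "V-30", "LEASE-A", 2000.00, date(2024, 5, 1)),
]
PAYMENTS = [dict(zip(("id", "payee", "ref", "amount", "date"), r)) for r in ROWS]

def run_control_tests(payments, terminated, recurring_ok=frozenset()):
    """Test every payment against each control rule and return the exceptions.

    recurring_ok holds (payee, ref) pairs confirmed as legitimate repeats; it is
    the tuning knob that removes known false positives from the duplicate test.
    """
    exceptions, first_seen = [], {}
    for p in payments:
        ended = terminated.get(p["payee"])
        if ended is not None and p["date"] > ended:
            exceptions.append({"rule": "paid_after_termination", "id": p["id"], "amount": p["amount"]})
        key = (p["payee"], p["ref"], p["amount"])
        if key in first_seen and (p["payee"], p["ref"]) not in recurring_ok:
            exceptions.append({"rule": "duplicate_payment", "id": p["id"], "amount": p["amount"]})
        first_seen.setdefault(key, p["id"])
    return exceptions

def triage(exceptions, threshold):
    """Send exceptions at or above threshold to workflow; only total the rest."""
    workflow = [e for e in exceptions if e["amount"] >= threshold]
    low_value = defaultdict(lambda: {"count": 0, "total": 0.0})
    for e in exceptions:
        if e["amount"] < threshold:
            low_value[e["rule"]]["count"] += 1
            low_value[e["rule"]]["total"] += e["amount"]
    return workflow, dict(low_value)

if __name__ == "__main__":
    tuned = run_control_tests(PAYMENTS, TERMINATED, recurring_ok={("V-30", "LEASE-A")})
    workflow, low_value = triage(tuned, threshold=500.00)
    print("workflow:", [(e["rule"], e["id"]) for e in workflow])
    print("reported in total only:", low_value)
```

Without the exclusion, the recurring lease payment P7 is raised as a duplicate; with it, only P2 and P3 reach the remediation workflow and the 40.00 duplicate is counted in the totals.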
Benefits of Continuous Auditing and Monitoring
We have established that continuous monitoring is the responsibility of management and that audit’s primary role is to assess the effectiveness of management’s procedures. However, internal audit is often in a position to help management establish continuous monitoring – as long as this guidance does not result in a lack of objectivity and independence.
Business process managers tend to be focused primarily on day to day operational issues. Most do not have a professional background that helps them to fully understand the impact of controls and control deficiencies and to know how to move ahead with continuous monitoring.
Internal audit clearly has expertise in internal controls and testing. Therefore, it is in a unique position to not only provide guidance to management on how to test transactions and controls, but also to point out the bottom-line impact and operational benefits of these approaches.
In times of economic uncertainty, the benefits to business process owners can be particularly significant and the risks of fraud and error often increase. By implementing continuous monitoring there can be proven quantifiable reductions in error rates (duplicate payments, for example), as well as revenue leakages and occurrences of fraud.
What can internal audit expect as benefits?
One significant benefit can be a new working relationship between audit and management. Management can begin to see internal audit in a new light if the discussions around controls monitoring and testing are able to clearly identify the operational benefits that can accrue from this effort. The process can also provide both audit and management with a better understanding of their respective priorities on risk and control issues.
Continuous auditing can provide a range of benefits directly to internal audit. We have already mentioned the automation of routine audit procedures so as to free up audit teams to focus on immediate risk areas. There are many cases in which audit procedures that typically took many weeks to perform can be reduced to a small fraction of the time. The requirement to travel for audits can be substantially reduced. In a case study, one audit organization reported a combined savings of $21M in one year through the use of audit analytics and continuous monitoring. Another reported annual savings of approximately $1M from a reduction in incorrect billings alone.
A Broad-Based Task Force
Setting up continuous auditing and continuous monitoring processes requires involvement of a cross-section of the organization: auditors, business process owners, and those responsible for the actual operational procedures and controls in a given process area. It is often helpful to include representatives from financial management and compliance. Finally, IT needs to be involved as well, particularly in terms of getting access to data.
There is no denying that establishing comprehensive continuous auditing and continuous monitoring processes is a step that should not be taken lightly, as it involves significant time, personnel and resources. However, when done properly, the benefits more than justify the investment. The benefits should resonate with a broad audience, from the audit committee, the CEO and CFO, to internal audit, external audit and business process managers. As with any initiative that involves doing things differently, there also needs to be a champion – and who better to drive such an initiative than internal audit leadership?