Continuous Auditing Is Here To Stay

hqkhope

Now that the need for transactional efficiencies, fraud prevention and real-time financial reporting is acute, mainstream finance is finally jumping on the bandwagon.
Continuous auditing's surprisingly long gestational period is nearing a conclusion. For software vendors, academics, consultants and a handful of practitioners at early-adopter companies, the primary question is: Why has it taken so long for corporations to embrace it? The delay can't be justified by claims of high cost. A $200,000 to $300,000 investment in a continuous auditing (CA) software application that sniffs out errors in masses of A/P, travel and entertainment (T&E), or general-ledger transactions is routinely recouped in less than a year. And that saving is based solely on the dollar amount of the errors that the application identifies. Further, more focused, downloadable CA applications are available for well below six figures.
Whatever the reasons companies have advanced for inaction, regulatory demands, the push for real-time financial reporting and resource-sapping manual audits are propelling them toward adoption of continuous auditing. Ultimately, though, larger forces will provide the biggest boost for change. "How do you maximize value and how do you manage and mitigate risk? ... My personal view is that continuous monitoring and continuous auditing can help to make progress towards both," said David M. Walker, comptroller general of the United States and chair of the Center for Continuous Auditing (CCA) at Rutgers University in New Jersey, in his keynote presentation at Penton Media's BPM Summit in November of last year. "I think this concept of both continuous monitoring within the organization by management, as well as continuous auditing by either internal and/or external auditors who are going to be dealing with test and assurance issues, is going to become much more important."
Finance executives (see Slowly but Surely below) and internal auditors seem to agree. Rod Brennan, director of IT audit for Siemens Corp. in Iselin, N.J., completed his Ph.D. thesis on continuous auditing. Brennan, an MBA who has worked as both a controller and a finance IT manager, says that his research showed him that the decision about whether to adopt continuous auditing "is kind of a no-brainer" due to the cost recovery, efficiency and fraud-prevention benefits the capability provides.


"I think the only way you will effectively address fraud at all levels is by using automation," he says. But continuous auditing's most valuable benefit may be its enablement and support of real-time financial reporting, Brennan adds. "That probably will be a larger impetus for adoption than auditing controls or something else."
Defining 'Continuous'
Hatched in Bell Labs 25 years ago and nurtured today in the Continuous Assurance and Reporting Laboratory and the Center for Continuous Auditing at Rutgers University in New Jersey, technology-assisted continuous auditing automates much of the work usually performed manually by internal audit departments. It takes two forms. The first mode enables companies to accomplish much more transaction oversight than an army of internal auditors can perform manually, thanks to applications that rip through tens of thousands of billing, purchasing, expense and general-ledger transactions and pounce on discrepancies. The Sarbanes-Oxley Act's Section 302, which requires CEOs and CFOs of public companies to certify their quarterly financial statements, nudged many enterprises to increase the frequency of these auditing activities. "In a way, it's good that everybody is complaining about the cost of Sarbanes-Oxley because companies are seeking out ways to be more efficient in reducing that cost," notes Robert Hirth, managing director, internal audit services, at Protiviti Inc., an independent internal audit and risk consulting firm headquartered in Menlo Park, Calif.
Another form of continuous auditing -- one whose importance was magnified by the Sarbanes-Oxley Act -- monitors the controls surrounding financial information systems. The goal of continuous monitoring is to ensure that all of the appropriate "switches" in ERP systems and other accounting applications are operating appropriately throughout the company as business needs and regulatory demands change. This kind of auditing would seem to be effortless. After all, it's easy to click an application box that instructs an alert to appear automatically in the appropriate finance manager's inbox whenever the program encounters an invoice greater than, say, $5,000. However, financial system controls have proven to be a confusing and challenging facet of Section 404 compliance among U.S. public companies.
The different kinds of continuous auditing and the labels associated with them can bewilder companies that are moving toward adoption. J. Donald Warren Jr., director, Center for Continuous Auditing, and professor of accounting at the Rutgers Business School, pointed out during a panel discussion at the 2005 BPM Summit that the terms "continuous auditing," "continuous assurance" and "continuous monitoring" are often used interchangeably. "There is no consensus on the definition," he said.
Nor are there standards for the terms -- yet. But some helpful clarifications seem to be taking root. The Institute of Internal Auditors (IIA), for example, has recognized and promoted the importance of CA. Two IIA papers on continuous auditing appeared last year: the hefty, extremely detailed "Continuous Auditing: An Operational Model for Internal Auditors" and "Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment." The second report, also called the Global Technology Audit Guide (GTAG), is a more accessible introduction for CA newcomers. GTAG clarifies continuous auditing by inserting independence and ownership into its definitions: Continuous auditing is conducted by internal auditors; continuous monitoring is conducted by management.
For his part, Brennan divides continuous auditing approaches into detective activities, which apply new technology that monitors massive amounts of transactions as they occur, and preventative activities, which focus on ensuring that the proper controls are in place within and around ERP systems and other finance and accounting applications.
Control monitoring alone is not infallible, however, and some industry insiders think it should not be the only form of continuous auditing a company uses. A control in an ERP system may be properly set up, or "switched on," yet users can still find ways to work around the control, either because doing so is more convenient or for more nefarious purposes. "The truth," says John Verver, vice president of professional services at Vancouver, British Columbia-based ACL Services Ltd., "is in the transactions."
Cultural and Technological Obstacles
Getting to that truth also requires workarounds. Companies should establish ownership of continuous auditing processes and technology first and then address internal-audit adjustments and technological problems. Early adopters, vendors and other experts tend to agree on ownership.
"It is not internal audit's job to look at every transaction or every anomaly," says Verver. "They would be snowed under if that's all they did all the time." Rather, management can use continuous auditing tools and processes to gauge the effectiveness of their transactional processes. They can also spot and respond to problem controls and transactions when they arise. "And then audit's job is to force that visibility into this process and see over periods of time the nature of the control problems that have been identified," says Verver.
Brennan agrees. "The feeling that we've come around to, and the feeling that the research bears out, is that these tools should be owned by the business and used by auditors," he explains. At Siemens, "our vision is that the businesses will invest in a continuous auditing product, and we'll come in and use it to audit independently. We'll have a secure ID, and we'll use the data to make sure that they're in compliance on a continuous basis."
Brennan also says that Siemens' external auditors may be able to use the same data to aid their analyses in the future. Although the extent to which external auditors can participate in continuous auditing projects remains unclear, their potential involvement is not an obstacle to companies' adoption of continuous auditing.
Independence problems may prevent external auditors from helping auditing clients develop CA applications, but they will not prevent external auditors from using the data that the applications produce. However, the degree to which they feel they can rely on that data is unknown. Even so, public accounting firms and software vendors are currently designing tools that external auditors can plug into financial systems to increase the depth and breadth of their auditing work.
Internal auditors also face challenges. They must learn new tools and, as Brennan notes, their traditional way of operating may also change. "I think you're going to have to find auditors who are much more technologically enabled than they have been in the past," says Warren. That already seems to be happening, as larger companies such as Siemens have created IT audit units within their internal audit functions.
Continuous auditing applications, such as the tools from ACL Services and Approva that Siemens uses, are easy to master. But Brennan and his colleagues at Siemens have discovered that continuous auditing does create a need to rethink how internal audit conducts its work. On a simplistic level, that translates to less traveling and more time in front of the computer screen analyzing transactions that have been identified as exceptions and mining other data.
"We're probably our own worst enemy as internal auditors because [continuous auditing] scares us from a standpoint of job security, new skills and technical activities," Brennan notes. "I don't think in this day and age that's really a valid argument, although it's understandable. ... I don't believe we will ever fully automate auditing. You're not going to get the right tone at the top, or ensure that it exists, through a fully automated approach. You have to go out and meet people and figure out their commitment. I do think it frees up auditors to spend more time on that important relationship element of the work."
An organization's existing technology environment represents a likely final hurdle to the adoption of continuous auditing. Siemens is fortunate on that count; it has a highly homogenized SAP environment. But Brennan points out that many SAP systems in various areas of his company still run differently. "To really automate auditing, or to automate the controls, you need harmonization of ERP systems. And very few companies have truly harmonized ERP systems," he says.
Siemens launched its foray into continuous auditing about three years ago. It established detective monitoring of transactions and preventative monitoring of ERP controls. The preventative project has shown the company that it needs to redefine its internal audit plan. Rather than taking the manual internal audit plan and adding automation to it, Siemens is overhauling its ERP-auditing process to make it as automated as possible. The company is identifying time-consuming, costly and potentially less reliable manual activities, such as interviewing process owners and asking them whether the appropriate controls in the part of the ERP system they use are turned on. Then it is replacing those activities with automation.
The initiative has also shown the company that the exception alerts produced by the continuous monitoring of controls require manual oversight. "Automated alerting is very important and useful," Brennan says. But, "if I have a continuous auditing project that looks at SAP preventative controls every day or even every hour, and someone has a control that has changed, the tool could start sending e-mail alerts out to that person every day or every hour. It has to be carefully managed."
The detective initiatives have borne fruit as well. Siemens has implemented software to scrutinize transactions in its purchase-to-pay cycle as well as in T&E. "We are just about a year into it, and we have seen significant savings," says Brennan.
The company is also working with continuous auditing experts from Rutgers to develop statistical analyses that can identify patterns by scrutinizing the exceptions that the tools produce. Many exceptions turn out to be false positives. On the other hand, the data, if properly sliced and diced, can alert internal auditors to potential problem areas in certain functions or processes that otherwise would have taken longer to spot.
The depth of Siemens' continuous auditing work might intimidate finance executives at smaller companies that do not have 450 internal auditors at their disposal. Fortunately, getting started with continuous auditing is not rocket science. "There are several ways to start small," says Hirth. "And even though you start small, you can still have a big impact." As a beginning, Hirth recommends the following:
? Reflect on risk. Start by identifying which areas of the company, its transactions and control systems are really important to the company and warrant continual monitoring.
?Deal with the cards in your hand. Now, identify automated capabilities that your organization already has in place. "Many companies can benefit by more fully using the functionality -- the configurable controls -- within an ERP system," says Hirth. "It exists, why don't you use it? Doing so can help reduce compliance workloads and increase confidence levels."
?Dip your toe in the water. "Try something simple," Hirth advises. Give continuous auditing an initial test by downloading the accounts payable vendor master file and comparing it with the employee address file. "If none of the addresses match, hallelujah," Hirth says. "But what if you have three vendor addresses that are the homes of three employees?" You can also monitor overtime. Take a payroll file and sort in descending order of overtime hours. Hirth also speaks highly of ACL Services' data interrogation tools; they are highly focused and much less expensive than a complete continuous auditing application, he says.
As recently as a year ago, the slogan "continuous auditing is coming" was voiced primarily by a select group of academics and vendors and an occasional practitioner. Today, more internal auditors and corporate finance executives have joined the chorus because they have learned firsthand that continuous auditing is a smart move. Now that the need for transactional efficiencies, fraud prevention and real-time financial reporting is acute, mainstream finance is finally jumping on the bandwagon.
Continuous auditing's surprisingly long gestational period is nearing a conclusion. For software vendors, academics, consultants and a handful of practitioners at early-adopter companies, the primary question is: Why has it taken so long for corporations to embrace it? The delay can't be justified by claims of high cost. A $200,000 to $300,000 investment in a continuous auditing (CA) software application that sniffs out errors in masses of A/P, travel and entertainment (T&E), or general-ledger transactions is routinely recouped in less than a year. And that saving is based solely on the dollar amount of the errors that the application identifies. Further, more focused, downloadable CA applications are available for well below six figures.
Whatever the reasons companies have advanced for inaction, regulatory demands, the push for real-time financial reporting and resource-sapping manual audits are propelling them toward adoption of continuous auditing. Ultimately, though, larger forces will provide the biggest boost for change. "How do you maximize value and how do you manage and mitigate risk? ... My personal view is that continuous monitoring and continuous auditing can help to make progress towards both," said David M. Walker, comptroller general of the United States and chair of the Center for Continuous Auditing (CCA) at Rutgers University in New Jersey, in his keynote presentation at Penton Media's BPM Summit in November of last year. "I think this concept of both continuous monitoring within the organization by management, as well as continuous auditing by either internal and/or external auditors who are going to be dealing with test and assurance issues, is going to become much more important."
Finance executives (see Slowly but Surely below) and internal auditors seem to agree. Rod Brennan, director of IT audit for Siemens Corp. in Iselin, N.J., completed his Ph.D. thesis on continuous auditing. Brennan, an MBA who has worked as both a controller and a finance IT manager, says that his research showed him that the decision about whether to adopt continuous auditing "is kind of a no-brainer" due to the cost recovery, efficiency and fraud-prevention benefits the capability provides.


"I think the only way you will effectively address fraud at all levels is by using automation," he says. But continuous auditing's most valuable benefit may be its enablement and support of real-time financial reporting, Brennan adds. "That probably will be a larger impetus for adoption than auditing controls or something else."
Defining 'Continuous'
Hatched in Bell Labs 25 years ago and nurtured today in the Continuous Assurance and Reporting Laboratory and the Center for Continuous Auditing at Rutgers University in New Jersey, technology-assisted continuous auditing automates much of the work usually performed manually by internal audit departments. It takes two forms. The first mode enables companies to accomplish much more transaction oversight than an army of internal auditors can perform manually, thanks to applications that rip through tens of thousands of billing, purchasing, expense and general-ledger transactions and pounce on discrepancies. The Sarbanes-Oxley Act's Section 302, which requires CEOs and CFOs of public companies to certify their quarterly financial statements, nudged many enterprises to increase the frequency of these auditing activities. "In a way, it's good that everybody is complaining about the cost of Sarbanes-Oxley because companies are seeking out ways to be more efficient in reducing that cost," notes Robert Hirth, managing director, internal audit services, at Protiviti Inc., an independent internal audit and risk consulting firm headquartered in Menlo Park, Calif.
Another form of continuous auditing -- one whose importance was magnified by the Sarbanes-Oxley Act -- monitors the controls surrounding financial information systems. The goal of continuous monitoring is to ensure that all of the appropriate "switches" in ERP systems and other accounting applications are operating appropriately throughout the company as business needs and regulatory demands change. This kind of auditing would seem to be effortless. After all, it's easy to click an application box that instructs an alert to appear automatically in the appropriate finance manager's inbox whenever the program encounters an invoice greater than, say, $5,000. However, financial system controls have proven to be a confusing and challenging facet of Section 404 compliance among U.S. public companies.
The different kinds of continuous auditing and the labels associated with them can bewilder companies that are moving toward adoption. J. Donald Warren Jr., director, Center for Continuous Auditing, and professor of accounting at the Rutgers Business School, pointed out during a panel discussion at the 2005 BPM Summit that the terms "continuous auditing," "continuous assurance" and "continuous monitoring" are often used interchangeably. "There is no consensus on the definition," he said.
Nor are there standards for the terms -- yet. But some helpful clarifications seem to be taking root. The Institute of Internal Auditors (IIA), for example, has recognized and promoted the importance of CA. Two IIA papers on continuous auditing appeared last year: the hefty, extremely detailed "Continuous Auditing: An Operational Model for Internal Auditors" and "Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment." The second report, also called the Global Technology Audit Guide (GTAG), is a more accessible introduction for CA newcomers. GTAG clarifies continuous auditing by inserting independence and ownership into its definitions: Continuous auditing is conducted by internal auditors; continuous monitoring is conducted by management.
For his part, Brennan divides continuous auditing approaches into detective activities, which apply new technology that monitors massive amounts of transactions as they occur, and preventative activities, which focus on ensuring that the proper controls are in place within and around ERP systems and other finance and accounting applications.
Control monitoring alone is not infallible, however, and some industry insiders think it should not be the only form of continuous auditing a company uses. A control in an ERP system may be properly set up, or "switched on," yet users can still find ways to work around the control, either because doing so is more convenient or for more nefarious purposes. "The truth," says John Verver, vice president of professional services at Vancouver, British Columbia-based ACL Services Ltd., "is in the transactions."
Cultural and Technological Obstacles
Getting to that truth also requires workarounds. Companies should establish ownership of continuous auditing processes and technology first and then address internal-audit adjustments and technological problems. Early adopters, vendors and other experts tend to agree on ownership.
"It is not internal audit's job to look at every transaction or every anomaly," says Verver. "They would be snowed under if that's all they did all the time." Rather, management can use continuous auditing tools and processes to gauge the effectiveness of their transactional processes. They can also spot and respond to problem controls and transactions when they arise. "And then audit's job is to force that visibility into this process and see over periods of time the nature of the control problems that have been identified," says Verver.
Brennan agrees. "The feeling that we've come around to, and the feeling that the research bears out, is that these tools should be owned by the business and used by auditors," he explains. At Siemens, "our vision is that the businesses will invest in a continuous auditing product, and we'll come in and use it to audit independently. We'll have a secure ID, and we'll use the data to make sure that they're in compliance on a continuous basis."
Brennan also says that Siemens' external auditors may be able to use the same data to aid their analyses in the future. Although the extent to which external auditors can participate in continuous auditing projects remains unclear, their potential involvement is not an obstacle to companies' adoption of continuous auditing.
Independence problems may prevent external auditors from helping auditing clients develop CA applications, but they will not prevent external auditors from using the data that the applications produce. However, the degree to which they feel they can rely on that data is unknown. Even so, public accounting firms and software vendors are currently designing tools that external auditors can plug into financial systems to increase the depth and breadth of their auditing work.
Internal auditors also face challenges. They must learn new tools and, as Brennan notes, their traditional way of operating may also change. "I think you're going to have to find auditors who are much more technologically enabled than they have been in the past," says Warren. That already seems to be happening, as larger companies such as Siemens have created IT audit units within their internal audit functions.
Continuous auditing applications, such as the tools from ACL Services and Approva that Siemens uses, are easy to master. But Brennan and his colleagues at Siemens have discovered that continuous auditing does create a need to rethink how internal audit conducts its work. On a simplistic level, that translates to less traveling and more time in front of the computer screen analyzing transactions that have been identified as exceptions and mining other data.
"We're probably our own worst enemy as internal auditors because [continuous auditing] scares us from a standpoint of job security, new skills and technical activities," Brennan notes. "I don't think in this day and age that's really a valid argument, although it's understandable. ... I don't believe we will ever fully automate auditing. You're not going to get the right tone at the top, or ensure that it exists, through a fully automated approach. You have to go out and meet people and figure out their commitment. I do think it frees up auditors to spend more time on that important relationship element of the work."
An organization's existing technology environment represents a likely final hurdle to the adoption of continuous auditing. Siemens is fortunate on that count; it has a highly homogenized SAP environment. But Brennan points out that many SAP systems in various areas of his company still run differently. "To really automate auditing, or to automate the controls, you need harmonization of ERP systems. And very few companies have truly harmonized ERP systems," he says.
Siemens launched its foray into continuous auditing about three years ago. It established detective monitoring of transactions and preventative monitoring of ERP controls. The preventative project has shown the company that it needs to redefine its internal audit plan. Rather than taking the manual internal audit plan and adding automation to it, Siemens is overhauling its ERP-auditing process to make it as automated as possible. The company is identifying time-consuming, costly and potentially less reliable manual activities, such as interviewing process owners and asking them whether the appropriate controls in the part of the ERP system they use are turned on. Then it is replacing those activities with automation.
The initiative has also shown the company that the exception alerts produced by the continuous monitoring of controls require manual oversight. "Automated alerting is very important and useful," Brennan says. But, "if I have a continuous auditing project that looks at SAP preventative controls every day or even every hour, and someone has a control that has changed, the tool could start sending e-mail alerts out to that person every day or every hour. It has to be carefully managed."
The detective initiatives have borne fruit as well. Siemens has implemented software to scrutinize transactions in its purchase-to-pay cycle as well as in T&E. "We are just about a year into it, and we have seen significant savings," says Brennan.
The company is also working with continuous auditing experts from Rutgers to develop statistical analyses that can identify patterns by scrutinizing the exceptions that the tools produce. Many exceptions turn out to be false positives. On the other hand, the data, if properly sliced and diced, can alert internal auditors to potential problem areas in certain functions or processes that otherwise would have taken longer to spot.
The depth of Siemens' continuous auditing work might intimidate finance executives at smaller companies that do not have 450 internal auditors at their disposal. Fortunately, getting started with continuous auditing is not rocket science. "There are several ways to start small," says Hirth. "And even though you start small, you can still have a big impact." As a beginning, Hirth recommends the following:
? Reflect on risk. Start by identifying which areas of the company, its transactions and control systems are really important to the company and warrant continual monitoring.
?Deal with the cards in your hand. Now, identify automated capabilities that your organization already has in place. "Many companies can benefit by more fully using the functionality -- the configurable controls -- within an ERP system," says Hirth. "It exists, why don't you use it? Doing so can help reduce compliance workloads and increase confidence levels."
?Dip your toe in the water. "Try something simple," Hirth advises. Give continuous auditing an initial test by downloading the accounts payable vendor master file and comparing it with the employee address file. "If none of the addresses match, hallelujah," Hirth says. "But what if you have three vendor addresses that are the homes of three employees?" You can also monitor overtime. Take a payroll file and sort in descending order of overtime hours. Hirth also speaks highly of ACL Services' data interrogation tools; they are highly focused and much less expensive than a complete continuous auditing application, he says.
As recently as a year ago, the slogan "continuous auditing is coming" was voiced primarily by a select group of academics and vendors and an occasional practitioner. Today, more internal auditors and corporate finance executives have joined the chorus because they have learned firsthand that continuous auditing is a smart move.