Implementing Continuous Auditing in a Global
Real Time Economy
Miklos A. Vasarhelyi
KPMG Professor of AIS Rutgers University
Technology Consultant AT&T Laboratories
Continuous Audit and Reporting Laboratory
Outline
•
•
•
•
•
•
The real time economy
Going Global
Measuring Business
Assurance in the Global Real Time Economy
Implementing Continuous Audit
Opportunities and Challenges
2
The Real Time Economy
Continuous Audit and Reporting Laboratory
The real time economy
• The objective
– Reduction of latency
• Inter-Process 7 Intra-Process Latency
• The facilitators
–
–
–
–
–
Sensors – measuring transactions automatically
ERPs
Process Automation
Dashboards
Reengineering, Outsourcing, System Integration
4
Continuous Audit and Reporting Laboratory
RTE
• Processes that are supported by real-time systems
• Processes which are monitored on a close to continuous
basis
• Processes that are highly time dependent
• Processes where timely decisions give competitive advantage
5
Continuous Audit and Reporting Laboratory
6
1Source: GE
Annual Report 2001
Going global
Continuous Audit and Reporting Laboratory
Going global - Preamble
• Over the last 50 years technology has enabled major motion
towards a global economy.
• Consequently it has set into motion social change, economic
rebalancing, and an unprecedented degree of across-country
cooperation.
• However this phenomenon of ubiquitous consequence has
created a wave of challenges to the socio-technical structure of
business and corporate policy making.
8
Continuous Audit and Reporting Laboratory
Going Global - Friedman
• 11/09/1989 (Berlin Wall)
• 08/09/95 (Netscape went Public)
• Three billion new people joining the
fray
• Work flow software
• Open sourcing
• Outsourcing, offshoring, In-forming
• Hardware & software multifuctionality
• Tools of cooperation
9
Measuring Business
Continuous Audit and Reporting Laboratory
•Sales ledgers
•Sales
•Accounts receivable
•Obligations to Collect
•Accounts payable
•Obligations to pay
•Accruals (# of pending orders)
•Obligation to perform services
•Business Relationships
•(# of orders or inventory items
to ship?)
ERS
(Empirical Relational
System)
NRS
(Numerical Relational
System)
Mapping
Represents the “real” set
of relationships in the economic
system
Represents the set
of relationships that exist
In the measurement system:
numerical, semantic,
representational and relational
11
Continuous Audit and Reporting Laboratory
RTEBIS
• Very rapid business cycles
• Instant need of resolution of certain business needs (for example
monthly billing may not be acceptable)
• Service agreements that specify certain degree of data reliability
• Rapid change in the terms of agreements contingent on dynamic
parameters
• Utilization of Service Oriented Architectures that allow for dynamic
servicing of clients and dynamic acquisition of suppliers and service
providers
12
Continuous Audit and Reporting Laboratory
ERS
L0
L1
Environmental
conditionants
Business
Plans
L2
Lead
actions
L3
L5
Business
activities
consequent
events
L5
ERP
NRS
L6
Monitoring
And
L7
Control
13
Assurance in the Global Real Time
Economy
Continuous Audit and Reporting Laboratory
What is Continuous Auditing?
o No consensus on what constitutes a continuous
audit
o Enhanced auditor skill set
o Differences from traditional audit
o New audit risk model
o Continuous reporting and impact on auditor’s
report
o Senior management support
15
Continuous Audit and Reporting Laboratory
A Distinction between Continuous
Auditing and Continuous Monitoring
Continuous auditing does not necessarily have to
generate a report; it is a process that tests transactions
based upon prescribed criteria, identifies anomalies, and
is the responsibility of the auditor.
Continuous
monitoring, on the other hand, is the responsibility of
management, best defined in terms of the COSO Study
control framework. Continuous monitoring, when
employed by auditors, focuses on the control
environment and not transactions.
16
Continuous Audit and Reporting Laboratory
An evolving continuous audit
framework
•Automation
•Sensoring
•ERP
Continuous
Data
Audit
Continuous
Control
Monitoring
•E-Commerce
Continuous
CA = CCM+ C(D)A
CA -> Continuous Audit
CCM -> Continuous Control Monitoring
C(D)A -> Continuous Data Assurance
Audit
17
Continuous Audit and Reporting Laboratory
Unibanco – Advances to Clients Monitoring
18
Continuous Audit and Reporting Laboratory
Some Key Issues
• Two recent surveys (ACL and PWC) show that a large
number of key companies are attempting to perform
continuous audit like functions
• An industry of software is evolving with ACL, IDEA,
APPROVA, and others growing rapidly
• Control Monitoring and Continuous Data Assurance are the
main approaches
• The first recorded application was AT&T Bell Laboratories
CPAS effort in the 1986-1991 period
• The Rutgers CarLab is working in leading applications
19
Overview of CaR-Lab examples
Continuous Audit and Reporting Laboratory
CAR-Lab Experiences
• Control monitoring at Siemens
• Transaction monitoring at Unibanco
• Continuous (data) assurance at HCA
• Other
– Conceptual developments
– Simulating Liberty
– EBR work
– KPMG projects
21
Continuous Audit and Reporting Laboratory
Siemens' – Project Value Proposition
Operational Audit
Why CA at Siemens?
Value Proposition
• Improve Governance (Fraud Detection,
SOX Compliance, Monitoring, etc)
• Reduce Compliance Costs
• Improve skill level and quality of work life
for auditing and compliance Associates
• Move closer to real time reporting
capabilities
• ETC….
“Value = Quality + Cost”
Operational Audit
COST:
•
Consider a large multinational corporation with 400 auditors
(internal & external), each with a fully absorbed (sal./fee,
benefits, travel, etc.) $200,000/yr cost for a total annual
compliance cost of $80 million dollars. Assume further that
the proposed continuous auditing model cost $1 million
dollars to develop and implement and only reduced manual
compliance effort by 25% in the firm. The annual net
estimated savings or cost avoidance of this project for the
firm defined above would be:
$19 Million dollars
(Or nearly $100 million dollars over 5 years)!
Expanded Audit Coverage
Significant Cost Savings
Note: Leverage the model further by increasing the percentage
of impact or in support of other assurance or monitoring
functions and the value proposition grows.
Automated Business Process Controls Monitoring Project
22
Continuous Audit and Reporting Laboratory
Siemens' – Project Features
• Formalize & automate internal audit procedures used for
business process controls monitoring
• Conduct “man vs. model” assessments
• Calibrate “exception rules” to optimize model performance
• Scale up to all SAP instances
• Increase frequency of model application, where feasible
• Transition to Approva application and extend the model where
optimal
23
Implementing Continuous Audit
Continuous Audit and Reporting Laboratory
• Background
– While technologies of continuous audit have
been extensively discussed and are
progressively emerging the more mundane
issues of their implementation in a sociotechnical environment have been neglected
– http://www.theiia.org/itaudit/features/in-depthfeatures-2-10-08/feature-2/
25
Continuous Audit and Reporting Laboratory
1. Priority
Areas
6. Action and
Reaction
2. Rule
Audit Control Panel
5. Follow-up
3. Frequency
4. Parameterization
Six steps of process implementation
26
Opportunities and Challenges
Continuous Audit and Reporting Laboratory
Opportunities for business and research (1)
• Control system measurement
– We are in a pre-paradigmatic stage of control documentation and
measurement
– We do not know how to monitor controls in large ERPs
– We do not know how to provide a really supportable opinion on controls
– We do not know how to rate combinations of controls
• Business Process Monitoring and Alarming
– Auditors have to carve a position on the new monitoring and control
environment
– Auditors can collect exception “alarms” as trusted parties and
incorporate these into evidentiary matter
– Auditors can be “trusted”
28
Continuous Audit and Reporting Laboratory
Opportunities (2)
• Automatic Confirmation Tools
– Confirmations will have an increased evidentiary role with eventual
elimination of population and integrity worries
– Intelligent confirmatory tags can do much
– Database to database hand-shaking will be medium
– Business opportunity for auditors
• Audit bots (agents)
– Many of the basic audit functions can be emulated by software
– These must be eventually developed by the profession to work hand-inhand with human auditors in the new audit world
– These agents will work on all areas including: 1) audit planning, 2)
analytical reviews, 4) confirmations, and )5 evergreen opinions
29
Continuous Audit and Reporting Laboratory
Opportunities (3)
• Collecting forensic trails
– Auditor “black” box
• Publishing real-time authenticated reports for different
compliance masters
• Publishing FD independent compliance reports
30
Continuous Audit and Reporting Laboratory
Challenges
• Standards are needed for CA
– Audit monitoring needs to be defined
– Types of evidence are to change and must be reconsidered
– Independence needs to be re-defined
• The billing model has to be restructured to bill on function not
hours
• Audit firms must put improved knowledge collection and
management processes to feed their audit analytic toolkit
• Audit firms have to engage in auditor automation and pro-actively
promote corporate data collection during-the-process
• Value added must be justified in terms of data quality
31
Continuous Audit and Reporting Laboratory
• Conclusions
– Attention must be paid to the organizational
processes that implement continuous audit
– There are 6 key steps to progressively
implement a CA program module by module
– The CA process is dynamic and CA
management will change schedule and
parameters of each process
– The organization of the audit process must be
evolved progressively
32
Issues
Continuous Audit and Reporting Laboratory
34