Companies are affected by external environments that are constantly changing due to new technologies, regulations and economic conditions. With the speed of these changes, audit committees and management are demanding their internal audit functions to provide increased, faster assurance.
To meet these growing expectations, internal audit groups can no longer afford to dedicate significant resources to routine functions as opposed to focusing on new risks arising from these changing environments. A good way to provide assurance on high-volume, stable processes — including procurement, AP, AR, etc. — while reducing resource requirements, is through continuous auditing.
What is continuous auditing?
Continuous auditing is the routine use of electronic auditing tools and methods. Electronic tools offer advantages over the traditional audit process, such as the ability to effectively and efficiently analyze an entire data set, rather than testing by sampling. They also allow you to automate these processes for repetitive performance, creating the ability to schedule analyses at any time.
How continuous is continuous?
“Continuous” has different meanings depending on the business process audited. For example, you may perform a daily audit of potential duplicate invoices but only search for vendors related to employees once a month. In both situations, the audits are on a routine, continual basis. The key is identifying the risk inherent in the process and determining how quickly you can identify potential problems. That speed is the definition of continuous for that process and is, essentially, the speed of your business.
Continuous auditing versus continuous monitoring
The phrases “continuous auditing” and “continuous monitoring” are commonly used interchangeably, but differentiating between the two is important for organizations looking to implement continuous auditing. While the underlying principles are very similar, process ownership and problem resolution differ significantly. Internal audit owns the continuous auditing process and provides results to process owners, e.g., accounts payable directors, for resolution. Management is responsible for continuous monitoring and resolution of identified problems.
Despite these differences, the two processes are closely related, and many procedures are the same in both. Internal audit groups often provide significant value to their companies by developing, testing and finalizing a continuous auditing process; once the kinks are worked out, they provide management with that process as their continuous monitoring process. Continuous auditing and monitoring processes are inversely related — the more monitoring management performs, the less auditing is needed by internal audit. This is a win-win proposition: Internal audit has just provided value to their company while reducing the resource commitment needed to maintain assurance over that control environment.
A multibillion-dollar manufacturing company’s internal audit department performed many electronic tests on an ad hoc basis, using sampling to accomplish its goals. It decided to implement continuous auditing for related-party testing and duplicate payment testing within accounts payable. After identifying risks and designing the tests accordingly, the company can now analyze its entire vendor and employee population (more than 100,000 vendors and nearly 10,000 employees) for potential relationships. In addition, it can analyze more than 2 million payment records for potential duplicate payments with 100 percent coverage.
To begin implementing continuous auditing in your organization, there are three key items to address. The first is risk. A well-designed continuous audit program focuses on key organizational risks. You also will need to identify an electronic audit tool that meets your organization’s needs. With multiple tools available, it is important to research tools and consider the features in relation to your organization’s risks and areas of personnel expertise. Finally, determine what data are available in your accounting systems. This may include conversations with your information technology staff and process owners. This process is integral in designing your continuous auditing program.
After addressing these areas, you are ready to embark on the journey to continuous auditing — auditing at the speed of your business.
For more information, contact a BKD advisor. To reach Selina Wilbur, mail to email@example.com. To reach Jeremy Clopton, mail to Jclopton@bkd.com.
Article reprinted with permission from BKD, LLP, bkd.com. All rights reserved.