Communicating Continuous Auditing and Monitoring to the Audit and Controls Professions

1
Communicating Continuous Auditing and Monitoring
to the Audit and Controls Professions
  • Progress on the IIA's GTAG

9th World Continuous Auditing and Reporting Symposium, Malta, May 2005
John Verver, CA, CISA, CMC
Vice-President, Professional Services Group
ACL Services Ltd.
2
Professional Institute Publications on Continuous
Auditing
  • Continuous Auditing
      • Research Report published by the Canadian
        Institute of Chartered Accountants (CICA) and the
        American Institute of Certified Public
        Accountants (AICPA) in 1999
  • Continuous Auditing: Potential for Internal
    Auditors (Don Warren and Xenia Parker)
      • Published by Institute of Internal Auditors
        Research Foundation in 2003
  • ...and
  • Continuous Auditing, Monitoring and Assurance
      • IIA General Technology Audit Guide planned for
        2005 publication

3
IIA General Technology Audit Guides (GTAGs)
  • Intent is to provide internal auditors,
    particularly non-technical audit management, with
    guidance on technology audit issues
  • 8 guides currently planned by Institute of
    Internal Auditors
      • 1 - Information Technology Controls, released 2005
          • Included whitepaper on Building and Implementing
            a Continuous Controls Monitoring and Auditing
            Framework
      • 2 - Change and Patch Management
      • 3? Continuous Auditing, Monitoring and
        Assurance

4
IIA GTAG on Continuous Auditing, Monitoring and
Assurance
  • Process
      • Project Lead: IIA Advanced Technology Committee
        member
      • Author: David Coderre, Manager, Continual
        Auditing, RCMP, Canada
  • Input
      • Center for Continuous Auditing
      • Auditors in Industry
      • Auditors in Public Practice
  • Review
      • IIA Advanced Technology Committee
      • IIA selected reviewers
  • Final editorial control: IIA

5
IIA GTAG on Continuous Auditing, Monitoring and
Assurance
  • Structure of Draft
      • Introduction
      • Summary
      • Historical and current role/relevance
      • Definition of terms and conceptual model
      • Scope and applicability of Continuous Auditing
        and Monitoring
      • Implementation Approach
      • Practical challenges
      • Discussion guides
      • References
      • Glossary

6
GTAG Questionnaire
  • Definitions of:
      • Continuous Assurance
      • Continuous Monitoring
      • Continuous Auditing
  • What is the relationship/difference between the
    three terms?
  • What do you feel is involved in CA/CM (high-level
    overview)?
  • What are the pre-conditions for performing CA/CM?
  • What are applications/uses for CA/CM?
  • Are there specific areas (types of audits) where
    CA/CM is applicable?
  • Please describe your approach to the development
    and implementation of CA/CM?

7
GTAG Questionnaire
  • Has your organization implemented CA/CM? (Y/N)
  • If No, do you plan to in the next year? (Y/N)
  • If Yes, what challenges had to be overcome, and
    what benefits were accrued?
  • How often are CA/CM tests run and how is the
    frequency of these tests determined?
  • To whom are the results of CA/CM tests reported
    and how?
  • What should a CAE know when they think about
    implementing CA/CM?
  • Other Comments

8
Model for Continuous Controls Monitoring and
Auditing
[Diagram; labels recovered from the slide, in order:]
  • Data
  • Access transactional data from disparate sources
  • Transactional Data
  • Test transactional data against established
    internal control parameters and transactional
    profiles
  • Controls Compliance Rules
  • Significant Control Breaches
  • Alerts
  • Immediate notification of critical exposures
  • Historical and statistical transactional profiling
  • Financial, Business Unit Managers, Audit
  • Findings
  • Suspect Transactions
  • Transactions summarized for further analysis
  • Management and Audit Action
  • Investigations, recoveries, and improved controls
    and procedures

9
ACL Continuous Control Monitoring Products for
Core Business Processes
  • Existing
  • Purchase-to-Pay
  • Travel and Entertainment
  • Procurement Card
  • Payroll
  • Order to Cash
  • Under Development
  • Segregation of Duties
  • General Ledger
  • Inventory
  • Bank Treasury
  • Fixed Assets

10
The Roles of Management and Internal Audit in
Continuous Monitoring: A Question of
Responsibility
  • Auditor's responsibility: to determine whether
    management is doing its job
  • Management's responsibility: to implement and
    maintain effective controls
  • Continuous Controls Monitoring Framework
  • Controls Infrastructure
  • Management and audit are both stakeholders in
    Continuous Controls Monitoring.

11
Continuous Auditing, Monitoring and Assurance
Conceptual Model
[Diagram; labels recovered from the slide, in order:]
  • Continuous Assurance
  • Audit
  • Results of CA and CM process
  • Continuous Auditing (CA)
  • Audit Testing of CM (ATCM)
  • Continuous Monitoring (CM)
  • Management
  • Activities, Transactions and Events
  • Systems and Processes

12
Scope and Applicability of Continuous Monitoring
and Auditing
  • Any controls area for which data is available and
    for which a control rule can be established
  • Examination of data as evidence of controls
    effectiveness
  • Business process transactions
      • Financial, operational and regulatory controls
        within transactional process areas
      • Use COSO control objectives and audit assertions
        to determine rules to be tested
  • System controls
      • Access and authorisation tables (SOD)
      • Access and security logs
      • System configuration settings
      • Use CobIT control objectives

13
Implementation Issues
  • Data access and processing
      • Independence
      • Disparate systems
      • Impact on operational performance
      • Timing of automated processes
  • Type of analysis/software
      • Analytical review/profiling
      • System controls testing
      • Rules-based analysis
      • Statistical analysis
      • Predictive modelling
      • AI

14
Implementation Issues
  • Managing the CA/CM process
      • Executive sponsorship
      • Managing notifications and results
      • Varying parameters and thresholds
      • Ranking and quantification of findings
      • Response to findings / case management
  • Auditing the Continuous Monitoring process /
    Control of the Continuous Auditing process
      • Change controls
      • Totals reconciliations
      • Audit trails

15
GTAG on Continuous Auditing, Monitoring and
Assurance
  • Input still needed and welcomed
  • Expected to be made available to all IIA members
  • Great opportunity to spread the word!
