Continuous Assurance

1
Continuous Assurance

• Sally Wright
• Miklos Vasarhelyi
• Arnie Wright

2
Outline

• I. Introduction the state of the art
• II. Demand for continuous auditing and assurance
• III. Independence of the auditor/assuror
• IV. Continuous auditing/assurance and earnings
  management
• V. Shift in audit focus from reported numbers
  (output) to system reliability (process)
• VI. The new audit methodology
• VII. Conclusions and Research Questions

3
Outline
4
What is Continuous Auditing?

• Continuous auditing is a type of auditing which
  produces audit results simultaneously with, or a
  short period of time after, the occurrence of
  relevant events.
• It would be more accurate to call this type of
  auditing instant rather than continuous.
• Instant is not necessarily frequent.

5
I. Introduction the state of the art
6
Introduction the state of the art

• The Real-time economy
• Early efforts (ATTs CPAS effort, etc)
• Professional studies (AIPCA/CICA)
• Corporate experiences (HCA, Citibank, Fed
  Reserve)
• Advances in vendor packages
• Technical challenges and issues

7
Real Time Economy
8
GEs digital cockpit (dashboard)
1Source GE Annual Report 2001
9
Some form of close-to-the event assurance will
prevail state of the art

• The CPAS efforts at ATT (1986-on)
• The continuous auditing AICPA/CICA committee
  (1999)
• Continuous Systrust CICA/AICPA (2000)
• Center for Continuous Audit (2002)
• European Center for Continuous Audit
• Many corporate efforts
• HCA, Martin Marietta, Federal Reserve of NY, Bank
  Bipop (Italy)
• Increasing synergies with XML / XBRL efforts

10
CPAS concepts

• metrics
• Analytics / continuity equations
• standards
• of operation
• of variance
• others
• alarms
• measurement vs monitoring

11
CPAS OVERVIEW
System
System Operational Reports
Workstation
Operational Report
Operational Report
DF-level 2
Operational Report
DF-level 1
DF-level 1
DF-level 1
Filter
Alarm
DF-level 0
Data Flow Diagrams
Database
Reports
Analytics
Metrics
12
FlowFront - Interactive Flow Diagram Viewer -
ATT Bell Laboratories - Murray Hill, NJ
fe
11/27/89
Date
Set Date
Starting S analysis server, please wait...
RPC
Silver Springs
PE 60
Help
Text
Quit!
Units
Records
4.3 LDS Billing Subfunctions
prod/svc. request
fulfillment
Order
Cus

Input Volumes to Message Validation PE 60
RPC Silver Springs
8 7 6 5 4 3 2 1 0


messages (x100k)













nals CTJ
60 50 40 30 20 10 0


minutes (x100k)













Hierarchy
8.5 8.0 7.5 7.0 6.5 6.0





min / msg










16 17 18 19 20 21 22 23 24 25
26 27 28 29 30 31 1 2 3 4
5 6 7 8 9 10 11 12
paymt arr
Oct 1989
Oct 1989
Oct 1989
Nov 1989


13
Many corporate efforts

• HCA
• Martin Marietta risk management
• Federal Reserve of NY network monitoring
• Bank Bipop (Italy) SAP KPI overlay
• Citibank

14
II. Demand for continuous auditing and assurance
15
II. Demand for continuous auditing and assurance

• Preliminary findings (Hunton, Wright and Wright
  2002 Hunton, Reck and Pinsker 2002)
• User expectations
• Information, agency, and insurance hypotheses
• Information economics
• Effort-accuracy framework (satisficing
  behavior)
• Level of acceptable assurance

16
III- Independence
17
III. Independence of the auditor/assuror

• Who pays?
• Role of the auditor/assuror in the design of
  controls within the system
• Role of the internal auditor
• The Black box Log proposal (Alles, Kogan and
  Vasarhelyi 2002)

18
IV. Continuous auditing/assurance and earnings
management
19
V. Shift in audit focus from reported numbers
(output) to system reliability (process)
20
VI. The new audit methodology
21
IV. Continuous auditing/assurance and earnings
management

• Opportunities and incentives to manage earnings
  with more frequent reporting
• Breadth of services (e.g., auditing, systems
  reliability)
• Voluntary vs. mandatory
• Who pays?
• Information asymmetry

22
V. Shift in audit focus from reported numbers
(output) to system reliability (process)

• Will audit fees be significantly lower (less
  substantive testing
• Economics of the auditing profession

23
VI. The new audit methodology

• A dramatic new model of auditing (Vasarhelyi,
  2002)
• Principles of analytic monitoring (Vasarhelyi,
  Alles and Kogan 2002)
• New technologies for continuous assurance

24
A Dramatic Change in the Audit model

• 1. The continuous assurance model has many
  clients
• 2. The continuous assurance model had different
  Independence considerations
• 3. The continuous assurance model has a different
  justification
• 4. The continuous assurance model is an element
  of the strategic monitoring
• 5. The Continuous assurance model will turn the
  audit process into audit by exception
• 6. A new set of analytics guides strategic
  monitoring
• 7. The continuous assurance model covers a wider
  set of quantitative and qualitative non-financial
  data
• 8. The continuous assurance model has alternative
  materiality considerations
• 9. The continuous assurance opinion has some
  futurity implied in it

25
Principles of Analytic Monitoring

• Miklos A. Vasarhelyi
• Michael Alles
• Alexandr Kogan
• Rutgers Business School

26
Analytic Monitoring
27
The continuous assurance will change

• 1) objectives
• 2) levels and hierarchy
• 3) controls
• 4) timing
• 5) process
• 6) tools
• 7) outcomes

28
Objective changes

• 1) changes in the environment and industry, 2)
  the existence and effectiveness of controls, 3)
  increased human resource risks, 4) process
  continuity and integrity, and 5) coherence
  between endogenous and exogenous factors

29
Effects on Controls

• The existence of the controls,
• That they are operational,
• That their warnings are properly observed and
  distributed,
• That the controls are comprehensive, covering all
  relevant aspect of operational risk.

30
Four levels of CA

• Transaction assurance
• Rule assurance
• Estimate assurance
• Judgment assurance

31
Pensions 4 levels of CA

• Level 1 Flag and extract all transactions that
  pass resources between the company and its
  pension fund, extract all transactions that
  affect pension related ledger accounts and vouch
  for these transactions.
• Level 2 GAAP specifies maximum and minimum
  contributions to pension plans as well as ways to
  account for pension obligations, and other
  pension related items. This level would create a
  logical template evaluating the obedience for the
  rules of ERISA and GAAP.
• Level 3 On a more analytical level, the
  continuous assuror can examine the formally
  disclosed rules relative to pensions that allow
  for the organizations actuarial estimates.
  Accounting standards require the disclosure and
  usage of an interest rate in the assumptions
  about pension estimates such as interest rate,
  employee related obligations vis-à-vis age and
  years of employment, asset returns but the
  standards do not require a relationship between
  the historical returns of the fund and the future
  return assumptions. The future will bring
  corporate measurement rules that link endogenous
  and exogenous data in the measurement of business
  and its assessment.
• Level 4 the auditor could make assertions at a
  strategic level about the appropriateness of
  pension plan funding and the quality of the
  management of the fund

32
Timing issues

• Extensive Front end work
• Monitoring of system changes
• Alarm based intervention
• Evergreen opinion (of different forms)
• Automated interim work
• Continuous confirmation
• Very limited, if any, detail testing

33
(No Transcript)
34
Evidence

• Major change on the nature of relied evidence
• Automated confirmations will take a progressively
  larger role
• Alarm frequency and nature will be evidential
  matter
• Joint systems (with other entities) will become
  prevalent

35
Multiple Outcomes

• Assurance of a wider range of stakeholders
• Front-end work more consulting-like (Sarbanes
  Oxley ???)
• Opinions will be mainly negative assertions of
  the sort no alarms level 5 occurred
• Major cultural changes needed

36
Opinion with futurity

• We have examined the reliability and financial
  reports of ABC corporation and have been engaged
  on a continuous assurance engagement for the
  fiscal year of xxxx. We will monitor the
  organizations operations and strategic
  accomplishments using a wide set of analytics as
  described in http//www.ca.com/analytics and
  other analytics we deem appropriate and will
  report on an audit by exception basis when more
  than xx variance is found in operational and
  strategic standards or when we deem it
  appropriate. This exception report will be issued
  to all customers registered ( paying ) at
  http//www.ca.com/analytics/customers

37
Architecture
38
Current Practice

• HCA Healthcare
• Several monitoring and auditing functions
• Martin Marietta
• Data driven risk model
• Federal Reserve of New York
• Network Monitoring

39
AuditMaster Premier V5.0 Demo
40
(No Transcript)
41
VII. Conclusions and Research Questions
42
Research opportunities 
43
A Program of Research in COA

• Research issues are classified as related to
• Architecture of COA
• Factors affecting the use of COA
• Major consequences of COA.

44
General Architecture

• Architectural decisions are made very early in
  the process of COA development and deployment,
  and are mostly irreversible.
• Research Issue Develop theoretical models of COA
  that relate formal specifications of a COA system
  with various audit objectives.

45
Data Capture

• Standard formats for enterprise data will greatly
  simplify COA data capture problems.
• Research Issue Explore and design standard
  formats for enterprise data to facilitate data
  capture for COA. Explore the possibility of using
  the eXtensible Markup Language (XML) for defining
  such standard formats for presentation of
  accounting information.

46
Scope of Auditing

• COA systems are potentially capable of
  reprocessing or parallel processing the whole
  population of business transactions.
• Research Issue Investigate whether and when the
  complete reprocessing of the entire population of
  business transactions is feasible and desirable.

47
Systems Audit

• Research Issue Determine the tradeoffs between
  system structure auditing and transactions
  auditing. Analyze whether both have to be
  subjected to high frequency auditing.
• Monitoring that the system has not changed can be
  achieved by using cryptographic techniques of
  digital signatures

48
Real-time Analytical Review Procedures

• Auditing system is a parallel systemgt not to be
  relied on for routine control functionsgt
  auditing systems alarms should be truly random,
  i.e. a Poisson-like process.
• Research Issue Develop analytical review
  procedures to take advantage of the capabilities
  of COA systems.

49
Security of COA

• Research Issue Examine the extent to which
  system security issues will slow down the growth
  of COA.
• Research Issue Examine the adequacy of existing
  security arrangements for remote access to a COA
  system (e.g., through virtual private networks
  and/or extranets).

50
Distance Auditing

• Research Issue Design innovative forms of remote
  observation, investigate the use of
  video-monitoring tools, and ascertain their
  reliability.
• Research Issue Explore the extent to which the
  auditor can rely on COA distance auditing
  techniques without compromising the quality of
  the audit.

51
Factors Affecting the Use of COA

• Functional Areas
• Industrial Sectors
• Internal vs. External Use
• Research Issue Investigate whether the use of
  COA is more likely to be initiated by internal
  auditors than external auditors.
• Characteristics of External Auditor

52
COA Effects on Direct Costs

• Research Issue Determine the degree of reduction
  (if any) in direct audit costs induced by COA.
• Research Issue Investigate the extent to which
  the cost of the initial development and
  deployment of online auditing systems can be
  offset by ongoing savings in labor costs
  associated with conventional auditing.

53
COA Effects on Agency Costs-I

• Research Issue Develop and analyze agency models
  to formally show that higher frequency of audits
  makes it possible to more reliably infer the
  average action of the agent from the average
  outcome, and thus, the audit of outcomes is more
  meaningful, and the audit of actions is not as
  important.

54
COA Effects on Agency Costs-II

• Research Issue Analytically investigate whether
  the demand for COA is higher if moral hazard or
  information asymmetry are strong and monitoring
  is cheap.
• Research Issue Determine whether the deployment
  of COA reduces earnings management, since high
  frequency time series of earnings is more
  difficult to manipulate.

55
Effects on Audit Quality

• Timeliness
• Thoroughness
• Reliability
• Auditors Moral Hazard
• COA higher audit quality is likely to manifest
  itself in lower litigation or higher audit fees
  (should be empirically tested).

56
Managerial and Psychological Effects of COA

• Research Issue Investigate whether managers
  exhibit an adverse or dysfunctional reaction to
  continuous auditing (Big Brother effect).
• Research Issue Investigate end users ability to
  comprehend and interpret accounting numbers
  corresponding to very short time intervals
  (information overload effect).

57
COA Effects on Audit Practice

• Research Issue Investigate whether external
  auditors deployment of COA makes it more costly
  to replace the external auditor determine if
  there is a resulting increase in auditors
  independence.
• Research Issue Investigate the degree of impact
  of a COA system on the target system being
  audited.

58
Audit Opinion and Reporting

• Research Issue Analyze the changes in the kind
  of audit opinion that will likely result after
  the deployment of COA. The results of COA can be
  presented in the form of opinions on demand,
  where a client can request an opinion at any time
  on any feature of the client's operation, or
  reports issued at shorter term intervals.

59
Legal and Regulatory Implications

• COA can decrease legal risks by providing higher
  quality, timelier and more comprehensive
  assurance. On the other hand, there may be
  greater litigation exposure if fraudulent
  activity is revealed.
• As COA becomes feasible, it will be more tempting
  for regulators to mandate broader audited
  disclosure.