Title: Implementing Continuous Auditing in a Global Real Time Economy
1Implementing Continuous Auditing in a Global Real
Time Economy
- Miklos A. Vasarhelyi
- KPMG Professor of AIS Rutgers University
- Technology Consultant ATT Laboratories
2Outline
- The real time economy
- Going Global
- Measuring Business
- Assurance in the Global Real Time Economy
- Implementing Continuous Audit
- Opportunities and Challenges
3The Real Time Economy
4The real time economy
- The objective
- Reduction of latency
- Inter-Process 7 Intra-Process Latency
- The facilitators
- Sensors measuring transactions automatically
- ERPs
- Process Automation
- Dashboards
- Reengineering, Outsourcing, System Integration
5RTE
- Processes that are supported by real-time systems
- Processes which are monitored on a close to
continuous basis - Processes that are highly time dependent
- Processes where timely decisions give competitive
advantage
6(No Transcript)
7Going global
8Going global - Preamble
- Over the last 50 years technology has enabled
major motion towards a global economy. - Consequently it has set into motion social
change, economic rebalancing, and an
unprecedented degree of across-country
cooperation. - However this phenomenon of ubiquitous consequence
has created a wave of challenges to the
socio-technical structure of business and
corporate policy making.
9Going Global - Friedman
- 11/09/1989 (Berlin Wall)
- 08/09/95 (Netscape went Public)
- Three billion new people joining the fray
- Work flow software
- Open sourcing
- Outsourcing, offshoring, In-forming
- Hardware software multifuctionality
- Tools of cooperation
10Measuring Business
11(No Transcript)
12RTEBIS
- Very rapid business cycles
- Instant need of resolution of certain business
needs (for example monthly billing may not be
acceptable) - Service agreements that specify certain degree of
data reliability - Rapid change in the terms of agreements
contingent on dynamic parameters - Utilization of Service Oriented Architectures
that allow for dynamic servicing of clients and
dynamic acquisition of suppliers and service
providers
13(No Transcript)
14Assurance in the Global Real Time Economy
15What is Continuous Auditing?
- No consensus on what constitutes a continuous
- audit
- Enhanced auditor skill set
- Differences from traditional audit
- New audit risk model
- Continuous reporting and impact on auditors
- report
- Senior management support
16A Distinction between Continuous Auditing and
Continuous Monitoring
Continuous auditing does not necessarily have to
generate a report it is a process that tests
transactions based upon prescribed criteria,
identifies anomalies, and is the responsibility
of the auditor. Continuous monitoring, on the
other hand, is the responsibility of management,
best defined in terms of the COSO Study control
framework. Continuous monitoring, when employed
by auditors, focuses on the control environment
and not transactions.
17An evolving continuous auditframework
Continuous Audit
Continuous Audit
Continuous Control Monitoring
- Automation
- Sensoring
- ERP
- E-Commerce
Data
CA CCM C(D)A CA -gt Continuous Audit CCM -gt
Continuous Control Monitoring C(D)A -gt Continuous
Data Assurance
18Unibanco Advances to Clients Monitoring
19Some Key Issues
- Two recent surveys (ACL and PWC) show that a
large number of key companies are attempting to
perform continuous audit like functions - An industry of software is evolving with ACL,
IDEA, APPROVA, and others growing rapidly - Control Monitoring and Continuous Data Assurance
are the main approaches - The first recorded application was ATT Bell
Laboratories CPAS effort in the 1986-1991 period - The Rutgers CarLab is working in leading
applications
20Overview of CaR-Lab examples
21CAR-Lab Experiences
- Control monitoring at Siemens
- Transaction monitoring at Unibanco
- Continuous (data) assurance at HCA
- Other
- Conceptual developments
- Simulating Liberty
- EBR work
- KPMG projects
22Siemens' Project Value Proposition
Automated Business Process Controls Monitoring
Project
23Siemens' Project Features
- Formalize automate internal audit procedures
used for business process controls monitoring - Conduct man vs. model assessments
- Calibrate exception rules to optimize model
performance - Scale up to all SAP instances
- Increase frequency of model application, where
feasible - Transition to Approva application and extend the
model where optimal
24Implementing Continuous Audit
25- Background
- While technologies of continuous audit have been
extensively discussed and are progressively
emerging the more mundane issues of their
implementation in a socio-technical environment
have been neglected - http//www.theiia.org/itaudit/features/in-depth-fe
atures-2-10-08/feature-2/
262. Rule
6. Action and Reaction
3. Frequency
Audit Control Panel
5. Follow-up
4. Parameterization
Six steps of process implementation
27Opportunities and Challenges
28Opportunities for business and research (1)
- Control system measurement
- We are in a pre-paradigmatic stage of control
documentation and measurement - We do not know how to monitor controls in large
ERPs - We do not know how to provide a really
supportable opinion on controls - We do not know how to rate combinations of
controls - Business Process Monitoring and Alarming
- Auditors have to carve a position on the new
monitoring and control environment - Auditors can collect exception alarms as
trusted parties and incorporate these into
evidentiary matter - Auditors can be trusted
29Opportunities (2)
- Automatic Confirmation Tools
- Confirmations will have an increased evidentiary
role with eventual elimination of population and
integrity worries - Intelligent confirmatory tags can do much
- Database to database hand-shaking will be medium
- Business opportunity for auditors
- Audit bots (agents)
- Many of the basic audit functions can be emulated
by software - These must be eventually developed by the
profession to work hand-in-hand with human
auditors in the new audit world - These agents will work on all areas including 1)
audit planning, 2) analytical reviews, 4)
confirmations, and )5 evergreen opinions
30Opportunities (3)
- Collecting forensic trails
- Auditor black box
- Publishing real-time authenticated reports for
different compliance masters - Publishing FD independent compliance reports
31Challenges
- Standards are needed for CA
- Audit monitoring needs to be defined
- Types of evidence are to change and must be
reconsidered - Independence needs to be re-defined
- The billing model has to be restructured to bill
on function not hours - Audit firms must put improved knowledge
collection and management processes to feed their
audit analytic toolkit - Audit firms have to engage in auditor automation
and pro-actively promote corporate data
collection during-the-process - Value added must be justified in terms of data
quality
32- Conclusions
- Attention must be paid to the organizational
processes that implement continuous audit - There are 6 key steps to progressively implement
a CA program module by module - The CA process is dynamic and CA management will
change schedule and parameters of each process - The organization of the audit process must be
evolved progressively
33Issues
34(No Transcript)