CONTINUOUS AUDITING INTERNAL AUDIT TOOLS & TECHNIQUES Building Continuous Auditing (CA) Capabilities

Building continuous auditing capabilities


CONTINUOUS AUDITING

INTERNAL AUDIT TOOLS & TECHNIQUES

Building Continuous Auditing (CA) Capabilities


Definitions

Computer Assisted Audit Techniques (CAATs): any automated audit technique that relates to generalized audit software, test data generators, integrated test facilities, computerized audit programs, and specialized audit and system software utilities.

Data Analytics (DA): processes and activities designed to obtain and evaluate data to extract useful information. The results of DA may be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; and influence business decisions.

Data Analysis Cycle: a systematic approach to obtain data, perform analysis and report results:

Planning -> Data Access -> Integrity Verification -> Data Analysis -> Reporting Results


CAATs to Continuous Auditing (CA)

Internal audit identifies and designs CAATs as part of internal audit projects:

1. Planning: identify data required for the audit tests.
2. Fieldwork:
   • Get access to and extract data from various resources
   • Develop the Data Analytics (DA) using different tools (e.g. MS Excel, Access, SQL Plus, ACL)
   • Perform data analysis using DA
3. Reporting: generate exception reports, document results and report findings.

The audit team will identify CAATs, used in conjunction with datasets and process steps to generate the exception reports, that can be used in future audits ….

Diagram: Audit Project Phases (Planning, Fieldwork, Reporting, Audit Closing) shown with the Data Analysis Cycle (Planning, Data Access, Verify Integrity, Data Analysis, Reporting Results) and Continuous Auditing labels.


Continuous Auditing (CA)

Continuous Auditing (CA): a method used by auditors to perform audit-related activities on a more frequent basis. It changes the audit approach from periodic reviews of sample transactions to ongoing audit testing of 100% of transactions. It increases the efficiency of audit processes in assessing the effectiveness of risk management and adds value to the organization.

Increasing...
• Audit quality and consistency
• % of controls automated
• % of controls tested
• Adherence to organization policies

Decreasing...
• Audit and compliance costs
• Time spent testing controls
• # of audit findings

WORK SMARTER!


Example CA Opportunities

IT Systems Security Controls
• Automated monitoring of IT internal controls in accordance with IS Policies
• Detect, remediate, and prevent segregation of duties conflicts and inappropriate access to sensitive transactions
• Track user activity within and across ERP and legacy systems
• Conduct “what if” analyses to determine the impact of access control changes
• Automated access control certification process

Banking
• Review capital ratio adequacy and compliance with the Basel II accord
• Abnormal activities in dormant accounts
• Overdraft facilities for retail customers
• Defaulted/blacklisted customers
• Compliance with anti-money laundering regulations

Aviation
• Monitor percentage of ticket refunds
• Incentive sales per agent
• Trend analysis for free ticket usage
• Employee rostering patterns
• Monitor wastage in catering


Example CA Opportunities

Inventory Controls
• Stock-out on shelves
• High level of inventory
• Non-moving inventory items

Sales and receivables
• Rate/pricelist to invoicing
• Level of discounts
• Terms of invoicing
• Ageing of debtors

Accounts Payable
• Three way match
• Changes to payment terms
• Match payee with bank account details
• Inventory controls
• Track payments to different vendor addresses
• Compare address details and invoice address details

Vendor & Contractor Management
• Compare approved contract spending vs. actual expenditures
• Track contractor payments vs. submitted expenses
• Identify duplicate vendors and/or duplicate vendor payments
• Match vendor information against employee information to ensure policy compliance
• Monitor changes to vendor or contractor master records that may indicate fraud
• Compare vendors and contractors against approved contractors list and send alerts to protect against violation

Payroll and benefits
• Compensation and Benefits Structure
• Financial and Non-financial Compensation to employees
• Monitor allowances and advances paid to employees


Building CA Capabilities

Building Continuous Auditing (CA) is a change management effort. Successful implementation requires:

People
• Management Support
• Team with the right skill set
• Education and training

Process
• Establish process to identify and build CA Library
• Educate users on the use of the process
• Review and refine the CA scripts

Technology
• Getting the data, e.g. connectivity, extraction
• Developing scripts and exception reports
• Automating scripts
• Archiving results and datasets


Building CA Capabilities - People

Management Support – support from business management. Communication between internal audit and business management is necessary to get the data, communicate results and improve the control environment.

Build Dedicated Team – the team should have the right blend of expertise to create and support the daily operations. Skill sets required:

• Technical skills:
   • Data – database, data extraction, data archiving
   • Script writing – writing audit test logic using technical tools or programming languages, e.g. ACL scripting, Visual Basic, Excel Macros.
   • Automation – set up the running of the CA scripts on a periodic basis, automate the exception report generation
• Business Knowledge – understanding business processes and transactions. They can help while developing CA scripts, evaluating the results and refining CA for future runs.
• Basic Users – can write simple CA scripts as part of an audit project. Can re-run the created CA scripts on different datasets (manual).

Education and Training – invest in training people, acquiring the right skill set, understanding new technologies and building a strong business acumen.


Building CA Capabilities - Process

Objective: Build and maintain a central repository of continuous auditing scripts.

Diagram: a five-step cycle around the Continuous Auditing Repository: 1. Identify CA Opportunities -> 2. Develop CA reports -> 3. Execute CA reports -> 4. Communicate CA Results -> 5. Review & improve CA reports

1. Identify CA Opportunities – either from audit projects or on an ad-hoc basis.
2. Develop CA Reports – convert the CAAT/DA script to an automated script and schedule it to run on a periodic basis, e.g. quarterly.
3. Execute CA Reports – the script will run automatically and produce exception reports.
4. Communicate CA Results – to business management to investigate and solve the exceptions.
5. Review & Improve – review results and trends of exceptions, and use them to refine the test scripts or introduce new ones.


Building CA Capabilities - Technology

Objective: Build a technology solution that will support the Continuous Auditing operations.

Diagram layers: Application 1, Application 2, Application n; Technical Layer (data connection and extraction, e.g. ODBC, SQL scripts, flat files from various systems); CA Reporting Engine (Data Analysis Projects, Procedures/Steps, Report Generation, Exception Reports).

1. Technical Layer – establish connectivity to different application databases. Create and run data extraction queries, index and archive the data.
2. CA Reporting Engine – schedule the CA reports to run on a periodic basis, e.g. monthly, quarterly. Execution of the scripts results in exception reports. Exceptions are saved in a database to provide trend analysis.
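An added example, not part of the original slides: a minimal CA script in Python that runs a segregation-of-duties test over a full access extract, saves the exceptions to a repository table, and reports the trend across scheduled runs. The role names, conflict rules, table layout and sample extracts are constructed assumptions, and SQLite stands in for the exception database.

```python
import sqlite3

# Assumed conflict rules: role pairs one user must not hold together.
CONFLICTS = [("VENDOR_MAINTAIN", "PAYMENT_APPROVE"),
             ("PAYROLL_ENTRY", "PAYROLL_APPROVE")]

# Constructed sample extracts of (user, role) rows, one per scheduled run.
EXTRACTS = {
    "2024-Q1": [("alice", "VENDOR_MAINTAIN"), ("alice", "PAYMENT_APPROVE"),
                ("bob", "PAYROLL_ENTRY"), ("carol", "PAYMENT_APPROVE")],
    "2024-Q2": [("alice", "VENDOR_MAINTAIN"), ("bob", "PAYROLL_ENTRY"),
                ("bob", "PAYROLL_APPROVE"), ("dave", "VENDOR_MAINTAIN"),
                ("dave", "PAYMENT_APPROVE")],
}

def open_repository(path=":memory:"):
    """Exception store; the primary key makes re-runs of a period idempotent."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS exceptions (run_id, test, username,"
               " detail, PRIMARY KEY (run_id, test, username, detail))")
    return db

def run_sod_test(db, run_id, assignments):
    """Test every assignment (no sampling); store and return the exceptions."""
    roles = {}
    for user, role in assignments:
        roles.setdefault(user, set()).add(role)
    found = [(run_id, "SOD", u, f"{a}+{b}") for u in sorted(roles)
             for a, b in CONFLICTS if {a, b} <= roles[u]]
    db.executemany("INSERT OR IGNORE INTO exceptions VALUES (?,?,?,?)", found)
    db.commit()
    return found

def trend(db, test="SOD"):
    """Exception count per run, oldest first."""
    return db.execute("SELECT run_id, COUNT(*) FROM exceptions WHERE test=?"
                      " GROUP BY run_id ORDER BY run_id", (test,)).fetchall()

def new_since(db, prev_run, cur_run):
    """Users flagged in cur_run that were not flagged in prev_run."""
    rows = db.execute("SELECT DISTINCT username FROM exceptions WHERE run_id=?"
                      " AND username NOT IN (SELECT username FROM exceptions"
                      " WHERE run_id=?) ORDER BY username", (cur_run, prev_run))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = open_repository()
    print([run_sod_test(db, r, EXTRACTS[r]) for r in sorted(EXTRACTS)])
    print(trend(db), new_since(db, "2024-Q1", "2024-Q2"))
```

Passing a file path to `open_repository` keeps the exception history between scheduled runs, which is what makes the trend query meaningful.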


CA Implementation Challenges

1. Level of Business Process Automation – CA depends highly on the level of automation for business processes, the availability of data, and the ease of accessing data and extracting it from system(s), especially from off-the-shelf and legacy systems.
2. Data Quality – the quality of data affects the quality/accuracy of test results. Special consideration is required when a CA script runs on data from different systems or legacy systems.
3. Data Volume – increased data volume will increase load on CA automation tools/server and can affect the storage and archiving capacity. Performance might deteriorate in the absence of proper capacity planning.
4. Staff Competency – recruiting the right talent and ensuring they are provided with rewarding career paths. Retaining knowledge in case of staff leaving the organization.
5. Data Privacy Concerns – a number of data privacy laws must be considered when developing and running CA scripts. An assessment should be made at the planning stage to ensure the data will be handled as appropriate.
6. Technology Costs – CA requires investment in technology, establishing processes and training people. Management has to see the benefits in order to invest in CA solutions.


http://ae.linkedin.com/in/wabusadah/


Wafa’a N. Abu Sa’dah

Thank you!