CONTINUOUS AUDITING
INTERNAL AUDIT TOOLS & TECHNIQUES
Building Continuous Auditing (CA) Capabilities
Definitions
Computer Assisted Audit Techniques (CAATs): any automated audit technique that relates to generalized audit software, test data generators, integrated test facilities, computerized audit programs, and specialized audit and system software utilities.
Data Analytics (DA): processes and activities designed to obtain and
evaluate data to extract useful information. The results of DA may be
used to identify areas of key risk, fraud, errors or misuse; improve
business efficiencies; verify process effectiveness; and influence business
decisions.
Data Analysis Cycle: systematic approach to obtain data, perform analysis and report results.
[Figure: Data Analysis Cycle: Planning, Data Access, Integrity Verification, Data Analysis, Reporting Results]
Internal audit identifies and designs CAATs as part of internal audit projects:
1. Planning: identify data required for the audit tests.
2. Fieldwork:
• Get access to and extract data from various resources
• Develop the Data Analytics (DA) using different tools (e.g. MS Excel, Access, SQL Plus, ACL)
• Perform data analysis using DA
3. Reporting: generate exception reports, document results and report findings.
The audit team will identify CAATs that, in conjunction with datasets and process steps to generate the exception reports, can be used in future audits ….
CAATs to Continuous Auditing (CA)
[Figure: Audit Project Phases (Planning, Fieldwork, Reporting, Audit Closing) and Data Analysis Cycle (Planning, Data Access, Verify Integrity, Data Analysis, Reporting Results), each shown with Continuous Auditing]
Increasing...
Audit quality and consistency
% of controls automated
% of controls tested
Adherence to organization policies
Decreasing...
Audit and compliance costs
Time spent testing controls
# of audit findings
Continuous Auditing (CA)
Continuous Auditing (CA): method used by auditors to perform audit-related activities on a more frequent basis. It changes the audit approach from periodic reviews of sample transactions to ongoing audit testing of 100% of transactions. It increases the efficiency of audit processes in assessing the effectiveness of risk management and adds value to the organization.
WORK SMARTER!
Example CA Opportunities
IT Systems Security Controls
• Automated monitoring of IT internal controls in accordance with IS Policies
• Detect, remediate, and prevent segregation of duties conflicts and inappropriate access to sensitive transactions
• Track user activity within and across ERP and legacy systems
• Conduct “what if” analyses to determine the impact of access control changes
• Automated access control certification process
Banking
• Review capital ratio adequacy and compliance to Basel II accord
• Abnormal activities in dormant accounts
• Overdraft facilities for retail customers
• Defaulted/blacklisted customers
• Compliance with anti-money laundering regulations
Aviation
• Monitor percentage of tickets refunds
• Incentive sales per agents
• Trend analysis for free tickets usage
• Employee rostering patterns
• Monitor wastage in catering
Inventory Controls
• Stock-out on shelves
• High level of inventory
• Non-moving inventory items
Sales and receivables
• Rate/pricelist to invoicing
• Level of discounts
• Terms of invoicing
• Ageing of debtors
Accounts Payable
• Three way match
• Changes to payment terms
• Match payee with bank account details
• Inventory controls
• Track payments to different vendor addresses
• Compare address details and invoice address details
Vendor & Contractor Management
• Compare approved contract spending vs. actual expenditures
• Track contractor payments vs. submitted expenses
• Identify duplicate vendors and/or duplicate vendor payments
• Match vendor information against employee information to ensure policy compliance
• Monitor changes to vendor or contractor master records that may indicate fraud
• Compare vendors and contractors against approved contractors list and send alerts to protect against violation
Payroll and benefits
• Compensation and Benefits Structure
• Financial and Non-financial Compensation to employees
• Monitor allowances and advances paid to employees
Building CA Capabilities
Building Continuous Auditing (CA) is a change management effort. Successful implementation requires:
People
• Management Support
• Team with the right skill set
• Education and training
Process
• Establish process to identify and build CA Library
• Educate users on the use of the process
• Review and refine the CA scripts
Technology
• Getting the data e.g. connectivity, extraction
• Developing scripts and exception reports
• Automating scripts
• Archiving results and datasets
Building CA Capabilities - People
Management Support – support from business management. Communication between internal audit and business management is necessary to get the data, communicate results and improve the control environment.
Build Dedicated Team – the team should have the right blend of expertise to create and support the daily operations. Skill sets required:
• Technical skills:
  - Data – database, data extraction, data archiving
  - Script writing – writing audit test logic using technical tools or programming languages e.g. ACL scripting, Visual Basic, Excel Macros.
  - Automation – set up the running of the CA scripts on a periodic basis, automate the exception report generation
• Business Knowledge – understanding business processes and transactions. They can help while developing CA scripts, evaluating the results and refining CA for future runs.
• Basic Users – can write simple CA scripts as part of an audit project. Can re-run the created CA scripts on different datasets (manual).
Education and Training – invest in training people, acquiring the right skill-set, understanding new technologies and building a strong business acumen.
Building CA Capabilities - Process
[Diagram: five-step cycle (1. Identify CA Opportunities, 2. Develop CA reports, 3. Execute CA reports, 4. Communicate CA Results, 5. Review & improve CA reports) with the Continuous Auditing Repository]
Objective:
Build and maintain a central repository of continuous auditing scripts.
1. Identify CA Opportunities – either from audit projects or on an ad-hoc basis.
2. Develop CA Reports – convert the CAAT/DA script to an automated script and schedule it to run on a periodic basis e.g. quarterly.
3. Execute CA Reports – the script will run automatically and produce exception reports.
4. Communicate CA Results – to business management to investigate and solve the exceptions.
5. Review & Improve – review results and trends of exceptions, use them to refine the test scripts or introduce new ones.
Building CA Capabilities - Technology
Objective:
Build a technology solution that will support the Continuous Auditing operations.
[Diagram: Application 1, Application 2, ... Application n feed the Technical Layer (data connection and extraction e.g. ODBC, SQL scripts, flat files from various systems), which feeds the CA Reporting Engine (Data Analysis Projects, Report Generation Procedures/Steps, Exception Reports)]
1. Technical Layer – establish connectivity to different application databases. Create and run data extraction queries, index and archive the data.
2. CA Reporting Engine – schedule the CA reports to run on a periodic basis e.g. monthly, quarterly. Execution of scripts results in exception reports. Saving exceptions in a database provides trend analysis.
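The execute-and-archive loop described in the Process and Technology slides, as an added example that is not part of the original presentation: two CA tests taken from the Accounts Payable and Vendor Management opportunities run over a staged extract, and the exceptions are stored per run period for trend analysis. The table names, test names, sample records and the use of SQLite in place of the application databases are all assumptions made for illustration.

```python
import sqlite3
# Constructed sample extracts (not real data) standing in for the technical layer.
PAYMENTS = [  # (payment_id, vendor_id, invoice_no, amount)
    (1, "V01", "INV-100", 1200.00),
    (2, "V01", "INV-100", 1200.00),  # same invoice paid twice
    (3, "V02", "INV-207", 560.50), (4, "V03", "INV-311", 980.00),
]
VENDORS = [("V01", "AE0001"), ("V02", "AE0002"), ("V03", "AE0777")]  # (id, bank account)
EMPLOYEES = [("E10", "AE0777"), ("E11", "AE0900")]                    # (id, bank account)

# Each CA test is a query whose result rows (record_key, detail) are the exceptions.
CA_TESTS = {
    "duplicate_vendor_payment": """
        SELECT vendor_id || '/' || invoice_no, 'paid ' || COUNT(*) || ' times'
        FROM payments GROUP BY vendor_id, invoice_no, amount HAVING COUNT(*) > 1""",
    "vendor_matches_employee": """
        SELECT v.vendor_id, 'shares bank account with employee ' || e.emp_id
        FROM vendors v JOIN employees e ON e.bank_account = v.bank_account""",
}

def load_extract(db):
    # Stage the extracted data and create the archive table for exceptions.
    db.executescript("""
        CREATE TABLE payments(payment_id, vendor_id, invoice_no, amount);
        CREATE TABLE vendors(vendor_id, bank_account);
        CREATE TABLE employees(emp_id, bank_account);
        CREATE TABLE ca_exceptions(run_period, test, record_key, detail);""")
    db.executemany("INSERT INTO payments VALUES (?,?,?,?)", PAYMENTS)
    db.executemany("INSERT INTO vendors VALUES (?,?)", VENDORS)
    db.executemany("INSERT INTO employees VALUES (?,?)", EMPLOYEES)

def run_ca_tests(db, run_period):
    # Execute every test, archive its exceptions under run_period, return the report.
    report = [(run_period, test, key, detail)
              for test, sql in CA_TESTS.items()
              for key, detail in db.execute(sql).fetchall()]
    db.executemany("INSERT INTO ca_exceptions VALUES (?,?,?,?)", report)
    db.commit()
    return report

def exception_trend(db):
    # Exception counts per period and test, read back from the archive.
    return db.execute("""SELECT run_period, test, COUNT(*) FROM ca_exceptions
                         GROUP BY run_period, test ORDER BY run_period, test""").fetchall()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    load_extract(db)
    print(*run_ca_tests(db, "2024-Q1"), sep="\n")
```

In a scheduled deployment the same `run_ca_tests` call would be made once per period against a fresh extract, and `exception_trend` gives the per-test counts that step 5 (Review & Improve) works from.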
CA Implementation Challenges
1. Level of Business Process Automation – CA depends highly on the level of automation of business processes, the availability of data, and the ease of accessing data and extracting it from system(s), especially from off-the-shelf and legacy systems.
2. Data Quality – the quality of data affects the quality/accuracy of test results. Special consideration is required when a CA script runs on data from different systems or legacy systems.
3. Data Volume – increased data volume will increase load on CA automation tools/server and can affect the storage and archiving capacity. Performance might deteriorate in the absence of proper capacity planning.
4. Staff Competency – recruiting the right talent and ensuring they are provided with rewarding career paths. Retaining knowledge in case of staff leaving the organization.
5. Data Privacy Concerns – a number of data privacy laws must be considered when developing and running CA scripts. An assessment should be made at the planning stage to ensure the data will be handled as appropriate.
6. Technology Costs – CA requires investment in technology, establishing processes and training people. Management has to see the benefits in order to invest in CA solutions.
http://ae.linkedin.com/in/wabusadah/
Wafa’a N. Abu Sa’dah
Thank you!