AN EFFECTIVE FRAMEWORK FOR CONTINUOUS AUDITS


Page 1: Effective Framework for Continuous Auditing

AN EFFECTIVE FRAMEWORK FOR CONTINUOUS AUDITS

Page 2: Effective Framework for Continuous Auditing

DEFINITIONS

Continuous Auditing Definitions:

• Automated and frequent analysis of data through the use of computer-assisted audit tools and other audit techniques.
• The ability to perform control and risk assessment in real time or as close to real-time as possible.

Source: IIA State of Continuous Auditing Executive Summary Report July 2010

Page 3: Effective Framework for Continuous Auditing

PERIODIC AUDITS

[Figure: Controls' Effectiveness over Time, showing Actual and Expected Effectiveness, with Audit 1, Audit 2 and Audit 3 marked along the time axis.]

Source: Continuous Auditing From a Practical Perspective, Kevin Handscombe

Page 4: Effective Framework for Continuous Auditing

CONTINUOUS AUDITS

[Figure: Controls' Effectiveness over Time, showing Actual and Expected Effectiveness, with frequent points labelled CA marked along the time axis.]

Source: Continuous Auditing From a Practical Perspective, Kevin Handscombe

Page 5: Effective Framework for Continuous Auditing

CASE STUDY:

• A Cashier was acting as a Supervisor last week
• She had access to discount, change prices, etc.
• This week, IT reassigned the Cashier role to her, but the Supervisor role was not removed
• She can now do both Cashier and Supervisor functions
• Normal discounts are below 5% and amounts are below $100
• She enters and approves excessive discounts at the point of sale for friends and family
• In 5 days the company loses US$7,300

Page 6: Effective Framework for Continuous Auditing

TIMELINE – DAY 0

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role

Page 7: Effective Framework for Continuous Auditing

TIMELINE – DAY 1

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0

Page 8: Effective Framework for Continuous Auditing

TIMELINE – DAY 2

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0

Page 9: Effective Framework for Continuous Auditing

TIMELINE – DAY 3

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800

Page 10: Effective Framework for Continuous Auditing

TIMELINE – DAY 4

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400

Page 11: Effective Framework for Continuous Auditing

TIMELINE – DAY 5

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 12: Effective Framework for Continuous Auditing

CONTINUOUS AUDITING – ALERT 1

• Alert # 1: Segregation of Duties violated.

Assigned to: Store Manager
Escalated to: Audit Department

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 13: Effective Framework for Continuous Auditing

CONTINUOUS AUDITING – ALERT 2

• Alert # 1: Segregation of Duties violated.
• Alert # 2: System Abuse – same user creating, approving discounts

Assigned to: Store Manager
Escalated to: Audit Department

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 14: Effective Framework for Continuous Auditing

CONTINUOUS AUDITING - ALERT

• Alert # 2: System Abuse. Repeating alert.

Assigned to: Store Manager
Escalated to: Audit Department

Alerts already raised:

• Alert # 1: Segregation of Duties violated.
• Alert # 2: System Abuse – same user creating, approving discounts

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 15: Effective Framework for Continuous Auditing

CONTINUOUS AUDITING – ALERT 3

• Alert # 3: Discount percentage exceeds tolerance

Assigned to: Store Manager
Escalated to: Audit Department

Alerts already raised:

• Alert # 1: Segregation of Duties violated.
• Alert # 2: System Abuse – same user creating, approving discounts
• Alert # 2: System Abuse. Repeating alert.

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 16: Effective Framework for Continuous Auditing

CONTINUOUS AUDITING – ALERT 3

• Alert # 3: Discount percentage exceeds tolerance. Repeating Alert.

Assigned to: Store Manager
Escalated to: Audit Department

Alerts already raised:

• Alert # 1: Segregation of Duties violated.
• Alert # 2: System Abuse – same user creating, approving discounts
• Alert # 2: System Abuse. Repeating alert.
• Alert # 3: Discount percentage exceeds tolerance

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 17: Effective Framework for Continuous Auditing

CONTINUOUS AUDITING – ALERT 4

• Alert # 4: Discount amount exceeds tolerance.

Assigned to: Store Manager
Escalated to: Audit Department

Alerts already raised:

• Alert # 1: Segregation of Duties violated.
• Alert # 2: System Abuse – same user creating, approving discounts
• Alert # 2: System Abuse. Repeating alert.
• Alert # 3: Discount percentage exceeds tolerance
• Alert # 3: Discount percentage exceeds tolerance. Repeating Alert.

[Timeline, Day 0 to Day 5]

• Day 0: IT reassigns Cashier role
• Day 1: She realises she can approve discounts; Lost $0
• Day 2: Continues to approve small legitimate discounts (2-5%); Lost $0
• Day 3: Approves a 40% discount for a friend; Lost $800
• Day 4: Approves a 50% discount for her brother; Lost $2,400
• Day 5: Approves a 70% discount for her brother; Lost $7,300

Page 18: Effective Framework for Continuous Auditing

WHY NOT DETECTED?

• There is nothing suspicious about her physical activities
• A security guard at the door cannot check prices
• She is abusing 1 in 2,000 of her transactions and 1 in 400,000 transactions across all stores
• Cashier’s till reconciles at the end of day

Page 19: Effective Framework for Continuous Auditing

TOO LITTLE, TOO LATE…

It takes an average of 342 days to detect a fraud, at which point 89% of all proceeds are unrecoverable.

KPMG Forensics Fraud Survey

Page 20: Effective Framework for Continuous Auditing

SAMPLE HEAT MAP

[Heat map: items 1 to 10 below plotted on Likelihood and Significance axes]

1. Intentionally recording sales prematurely
2. FCPA violations
3. Creating fictitious sales
4. Fraudulent claims by retail customers
5. Intentional overcharges by vendors
6. Intentional overstatement of assets used to secure finance
7. Unauthorized trades in financial markets
8. Unsupported product performance statements
9. False T&E expense claims
10. Employee embezzlement

Source: Corporate Resiliency, Toby J.F. Bishop & Frank E. Hydoski

Page 21: Effective Framework for Continuous Auditing

WORTHWHILE TARGETS

• Quantifiable impact
• Good knowledge of business processes
• Data available and understood
• Used CAAT to perform audit before
• Tests can be scripted

Page 22: Effective Framework for Continuous Auditing

CONTINUOUS AUDIT COMPONENTS

• Repeatable, consistent data access
• Testing the controls
• Scripting
• Scheduling and frequency
• Exception management
• Support of business process owners
• Learn and improve

Page 23: Effective Framework for Continuous Auditing

DATA ACCESS

Sources
• Data dumps
• Report files
• ODBC

Tools
• ERPs
• CAATs
• ETL tools

Types
• Transaction vs. master data
• New data or pulling everything

Page 24: Effective Framework for Continuous Auditing

SCRIPTING

• Some tools are better than others but use what you have to get going
• Dump exceptions into a central repository
• Scripts should use source data and exceptions repository to determine recurrence and eliminate duplicates
• Use parameters/variables to determine how the logic works to prevent changing the script each time
• Some of the simplest scripts yield the greatest business value
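The scripting points above applied to the case study's four alert rules, as an added example that is not part of the original deck. The record layout, rule names, user IDs and sample transactions are constructed; the 5% and $100 tolerances are the case study's figures.

```python
from dataclasses import dataclass

# Parameters sit outside the test logic, so tolerances change without editing the script.
PARAMS = {"max_pct": 5.0, "max_amount": 100.0, "conflict": {"Cashier", "Supervisor"}}

@dataclass(frozen=True)
class Discount:  # constructed record layout, not a real POS schema
    txn_id: str
    entered_by: str
    approved_by: str
    list_price: float
    pct: float

def run_tests(roles, discounts, p):
    """Yield (rule, entity, record_id) for each control exception in the source data."""
    for user, assigned in roles.items():
        if p["conflict"] <= assigned:  # user holds every conflicting role
            yield "SOD_VIOLATION", user, user
    for d in discounts:
        if d.entered_by == d.approved_by:
            yield "SAME_USER_ENTER_APPROVE", d.entered_by, d.txn_id
        if d.pct > p["max_pct"]:
            yield "DISCOUNT_PCT_OVER_TOLERANCE", d.entered_by, d.txn_id
        if d.list_price * d.pct / 100 > p["max_amount"]:
            yield "DISCOUNT_AMOUNT_OVER_TOLERANCE", d.entered_by, d.txn_id

def audit_run(repo, roles, discounts, p=PARAMS):
    """Store unseen exceptions in repo; return sorted (rule, entity, status) alerts."""
    alerts = {}
    for rule, entity, record_id in run_tests(roles, discounts, p):
        seen = repo.setdefault((rule, entity), set())
        if record_id in seen:
            continue  # duplicate: record already reported by an earlier run
        alerts.setdefault((rule, entity), "repeating" if seen else "new")
        seen.add(record_id)
    return sorted((r, e, s) for (r, e), s in alerts.items())

# Constructed sample data: a full extract is re-read on every scheduled run.
ROLES = {"cashier_17": {"Cashier", "Supervisor"}, "cashier_08": {"Cashier"}}
EXTRACT = [
    Discount("t1", "cashier_17", "cashier_17", 200.0, 5.0),
    Discount("t2", "cashier_08", "sup_02", 300.0, 3.0),
    Discount("t3", "cashier_17", "cashier_17", 2000.0, 40.0),
]

if __name__ == "__main__":
    repo = {}  # stands in for the central exceptions repository
    for cutoff in (1, 2, 3, 3):  # the last run re-reads unchanged data
        print(cutoff, audit_run(repo, ROLES, EXTRACT[:cutoff]))
```

Because each run re-reads the whole extract, the repository is what turns a re-read record into a suppressed duplicate and a fresh record under an already-open rule into a repeating alert.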

Page 25: Effective Framework for Continuous Auditing

SCHEDULING

Maximum window (A)

Timeline between control breakdown and impact (B)

Time to resolve the exception (C)

A = B + C

Page 26: Effective Framework for Continuous Auditing

SUSTAINABLE REMEDIATION

[Cycle diagram; labels: Detect, Exceptions, Distribute, Resolve, Learn, Refine]

Page 27: Effective Framework for Continuous Auditing

MANAGEMENT SUPPORT CHECKLIST

• Cost recovery savings from identifying areas of revenue leakage and process inefficiencies
• Identify issues closer to the point of a control failure and resolve them faster, thereby improving recovery rates
• Efficiencies gained from automated exception management
• Save IT time and money acquiring and preparing data that audit can now access directly

Page 28: Effective Framework for Continuous Auditing

STARTING CONTINUOUS AUDITING

• Select a business process that you have audited several times before
• Ensure that data is available and understood
• Develop simple logic to test control or reuse existing ones
• Determine frequency
• Measure impact

Page 29: Effective Framework for Continuous Auditing

AN EFFECTIVE FRAMEWORK FOR CONTINUOUS AUDITS

Visit casewareanalytics.com