Theory to practice: continuous auditing gains.In the wake of Sarbanes-Oxley, chief audit executives (CAEs) are rethinking their strategies for internal audit. Among the challenges they face is the need for much more timely identification of risk and control issues. In today's environment of constant change, coupled with increased expectations on control and governance Governance makes decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems. , CAEs find the traditional annual audit process insufficient. Waiting for an annual audit to identify a control weakness may be too little, too late.
The need for more timely and reliable risk and control assurance has encouraged internal auditors Internal auditor
An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. to revisit re·vis·it
tr.v. re·vis·it·ed, re·vis·it·ing, re·vis·its
To visit again.
A second or repeated visit.
re the theory and practice of continuous auditing. The theory is not new. As a concept, continuous auditing has been explored in internal audit circles since the 1970s. Conceptually, the approach revolves around a process focused on the monitoring and/or and/or
Used to indicate that either or both of the items connected by it are involved.
Usage Note: And/or is widely used in legal and business writing. auditing of key risks and controls on a real-time 1. real-time - Describes an application which requires a program to respond to stimuli within some small upper limit of response time (typically milli- or microseconds). Process control at a chemical plant is the classic example. basis. This process may involve the use of technology. While there have been many attempts to implement the concept of continuous auditing, few organizations have realized its full vision and potential.
To learn more about how internal audit departments are addressing the need for more timely risk and control assurance, PricewaterhouseCoopers conducted its second annual "2006 State of the Internal Audit Profession Study." The study, which included input from over 400 internal audit executives, found that CAEs are actively pursuing strategies designed to shorten (audio, compression) Shorten - A form of lossless audio compression. audit cycle times and provide more timely risk and control assurance. This quest is prompting renewed interest in the practice of continuous auditing.
As the 2006 study confirms, the term "continuous" is more a concept than a practice today. Practices vary and may involve a combination of both computer-assisted audit programs and manual procedures. This monitoring or auditing is "continuous" in relatively few cases--and, in those rare instances, usually involves repetition REPETITION, construction of wills. A repetition takes place when the same testator, by the same testamentary instrument, gives to the same legatee legacies of equal amount and of the same kind; in such case the latter is considered a repetition of the former, and the legatee is entitled of both automated au·to·mate
v. au·to·mat·ed, au·to·mat·ing, au·to·mates
1. To convert to automatic operation: automate a factory.
2. and manual audit procedures. However, there is a clear trend in the majority of departments surveyed towards the implementation of the continuous auditing concept.
Other findings of the PwC study include:
* More than 80 percent of the nearly 400 companies responding to questions about continuous auditing said they either had a continuous auditing or monitoring process in place or were planning on developing one.
* Half of the 2006 survey respondents In the context of marketing research, a representative sample drawn from a larger population of people from whom information is collected and used to develop or confirm marketing strategy. have some form of continuous auditing or monitoring process within their internal audit functions, a significant jump from 35 percent in 2005.
* Both automated and manual processes figure prominently, with 56 percent of respondents saying their continuous auditing processes include both manual and automated elements; 41 percent indicating that their processes are entirely manual; and a scant scant
adj. scant·er, scant·est
1. Barely sufficient: paid scant attention to the lecture.
2. Falling short of a specific measure: a scant cup of sugar. 3 percent reporting that they have fully automated processes.
* So-called "continuous auditing" is continuous in name only: the most common continuous auditing "cycle" is quarterly, with 57 percent of respondents falling into this category. Another 34 percent focus on monthly monitoring activities, while only 9 percent focus on daily applications of their continuous auditing processes.
Implications for Internal Auditors
The evolution towards truly continuous auditing will place new demands on internal audit groups, which often serve as their organizations' internal control "experts." The traditional internal audit cycle is linear, with reports only being issued after a properly conducted internal audit. As a result, audit projects would, at best, take weeks from the initiation of the audit to issuance of the report. Furthermore, audits are typically planned on an annual cycle, following an annual risk assessment. The ability to react to changes in mid-cycle depends on the auditor's capability to identify changes in risk or control performance proactively.
The practical development of continuous auditing will demand a mastery of applying technology to the entire internal audit process. Leading practices in this area involve the use of technology to identify and report changes in risk or control indicators in real time. Changes in risk and control indicators may be reportable events themselves, the catalyst for an audit or identify the need for a refinement to the existing risk assessment. In this way, the traditional linear audit cycle of assessing risk, planning, auditing and reporting is replaced by a more complex yet more responsive and real-time set of audit-related activities.
Implications for Financial Executives
In some organizations, the change of the internal audit process--from a linear, annual cycle to a more dynamic process--may meet with resistance. Internal audit's constituents, in particular the finance function, may be accustomed to a relatively methodical me·thod·i·cal also me·thod·ic
1. Arranged or proceeding in regular, systematic order.
2. Characterized by ordered and systematic habits or behavior. See Synonyms at orderly. and linear audit approach. Internal audit's ability to report control deteriorations more rapidly, even without going through the formalities for·mal·i·ty
n. pl. for·mal·i·ties
1. The quality or condition of being formal.
2. Rigorous or ceremonious adherence to established forms, rules, or customs.
3. of an audit, can change the relationship between the auditor auditor n. an accountant who conducts an audit to verify the accuracy of the financial records and accounting practices of a business or government. A proper audit will point out deficiencies in accounting and other financial operations. and management. Technology-enabled continuous auditing is a more dynamic approach that places internal audit in a much more proactive role.
The CFO See Chief Financial Officer. can take a leadership role in supporting the migration of internal audit to a more continuous audit approach. It's essential that financial executives across the organization recognize that when implemented with care, continuous auditing is about improving the quality and timeliness of communication between auditor and management, providing management more timely input on the state of controls and risks and keeping the auditor better informed.
--Contributed by Anthony O'Reilly (firstname.lastname@example.org), a Partner in PricewaterhouseCooper's Internal Audit Services practice in Boston.