Principles and Problems of Audit

5 Nov 2013 (4 years and 2 days ago)

Principles and Problems of Audit Automation as a Precursor to Continuous Auditing

Michael Alles

Alexander Kogan

Miklos A. Vasarhelyi

RUTGERS CA/R/Lab


Drivers and Objectives of Audit Automation


- Automation of business processes
- Labor-intensive repetitive audit work
- Cost and availability of qualified audit personnel
- Budgetary pressure on internal audit departments
- Complexity of business transactions and increasing risk exposure
- Scale and scope of audit procedures
- Timeliness of audit results


Continuous Auditing (CA) as Implementation of Automated Audit

- An automated audit system can run continuously
- CA = CCM + CDA
- Continuous Control Monitoring (CCM):
  - Access Control and Authorizations
  - System Configuration
  - Business Process Settings
- Continuous Data Assurance (CDA):
  - Master Data
  - Transactions
  - Key Process Metrics using analytics (including Continuity Equations)


Formalizing the Audit Program


- Automation requires formalization
- Formalized is usually automatable
- Possibility of formalization is often underestimated
- Benefits of formalization:
  - promotes precision and consistency
  - improves confidence in audit results
  - reduces long-run audit costs
- Problems with formalization:
  - Many humans experience difficulties with logical reasoning and formal thinking
  - Formalization can be very laborious and costly
  - Certain complex judgments are not amenable to formalization


Reengineering the Audit Program


- Conventional audit programs are not designed for automation
- Surprisingly large proportion of audit procedures (up to 68% at Siemens) can be formalized and automated
- Formalizable and judgmental procedures are often intermixed
  - redesign is required to separate them out
- Re-engineering objective: maximize the proportion of automatable procedures in the audit program (i.e., reduce reliance on informal judgmental techniques)
- Substitution of high frequency (“continuous”) automated procedures for eliminated manual methods


Automating Audits through Baseline Monitoring


- Traditionally used in configuration management and IT security
- Baseline: a snapshot of system configuration and business process settings
- Deltas from baseline: exceptions
- Critical issues:
  - Definition of baseline (the more static parameters are, the better they are suitable for baselining)
  - Initial verification of baseline values
  - Security of baseline (both definition and current values)
  - Accumulation of deltas: redefinition of baseline
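
The baseline-and-delta check outlined on this slide, as an added Python example that is not part of the original slides: it seals a verified snapshot with a keyed checksum (HMAC-SHA-256, an assumption about how the baseline is secured), reports deltas as exceptions, and folds only reviewed deltas into a new baseline. The setting names, values and key are constructed for illustration.

```python
import hashlib
import hmac
import json

MISSING = "<absent>"  # assumed marker for a setting present on one side only

def _tag(settings, key):
    # Keyed checksum over a canonical encoding, so key order cannot change it.
    body = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(settings, key):
    """Snapshot already-verified settings and attach the checksum."""
    return {"settings": dict(settings), "tag": _tag(settings, key)}

def is_intact(baseline, key):
    """True if neither the stored settings nor the tag were altered."""
    return hmac.compare_digest(_tag(baseline["settings"], key), baseline["tag"])

def deltas(baseline, current, key):
    """Return exceptions as (setting, baseline value, current value)."""
    if not is_intact(baseline, key):
        raise ValueError("baseline failed its integrity check")
    base = baseline["settings"]
    rows = [(n, base.get(n, MISSING), current.get(n, MISSING))
            for n in sorted(set(base) | set(current))]
    return [r for r in rows if r[1] != r[2]]

def rebaseline(baseline, current, approved, key):
    """Fold only the reviewed deltas into a new sealed baseline."""
    merged = dict(baseline["settings"])
    for name, _, new in deltas(baseline, current, key):
        if name in approved and new == MISSING:
            merged.pop(name, None)
        elif name in approved:
            merged[name] = new
    return seal(merged, key)

# Constructed sample data: setting names, values and key are illustrative.
KEY = b"constructed-demo-key"
BASELINE = seal({"password_min_length": 12, "po_approval_limit": 5000,
                 "three_way_match": True}, KEY)
CURRENT = {"password_min_length": 8, "po_approval_limit": 7500,
           "three_way_match": True, "debug_user_enabled": True}

if __name__ == "__main__":
    for exception in deltas(BASELINE, CURRENT, KEY):
        print("EXCEPTION", exception)
```

The key must be held outside the monitored system; a checksum stored next to the settings with no secret protects only against accidental change.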



System Architecture of Automated Audit


- Structure of audit software:
  - integrated software vs. distributed (i.e., multi-agent-based) system
- Access to the enterprise system and data:
  - Direct (either to the database or to the application layer)
  - Intermediated (through a business data warehouse)
- Platform of audit software:
  - Common enterprise platform (EAM: embedded audit modules, or mobile agents)
  - Separate platform (MCL: monitoring and control layer)
- Providers of audit software:
  - Common platform: enterprise software vendors
  - Separate platform: 3rd party vendors and audit firms


Pros and Cons of Common Platform in Automated Audit

- Mobile audit agents are transported to the enterprise platform to run there, as EAMs do
- Benefits of common platform:
  - Protection against network connectivity outages
  - Event-triggered execution of audit procedures: potentially zero latency (not affected by network congestion)
  - More efficient for processing large volumes of enterprise data (on site vs. moving that data over the network)
- Problems with common platform:
  - Protection of enterprise platform against (possibly malicious) agent/EAM
  - Protection of agent against possible manipulation by the platform (malicious host problem)
- Impossibility of protecting the agent/EAM outweighs the benefits!


Software for Audit Automation (Separate Platform)


- Continuous Data Assurance (common data models)
  - ACL
  - CaseWare IDEA
  - Oversight Systems
- Continuous Control Monitoring
  - Approva
- Governance, Risk, and Compliance Solutions:
  - SAP GRC Access Control, Risk Management, Process Control (VIRSA)
  - Oracle Governance, Risk, and Compliance (LogicalApps)
  - IBM Workplace for Business Controls and Reporting
  - Paisley Enterprise GRC
  - OpenPages
  - AXENTIS Enterprise
  - BWise
  - Protiviti Governance Portal


Securing Continuous Auditing


- Location of continuous auditing hardware:
  - client’s premises
  - audit shop
- Physical access security
- Logical access security
- Client’s IT personnel access
- Super-user privileges
- Comprehensive logging of all super-user activities
- Export / import of CA system settings (comparison of cryptographic check-sums)



Audit Automation Change Management


- Auditing processes have a tremendous amount of inertia
- Senior executive champions of the project
- Identification and engagement of stakeholders:
  - Business process owners
  - IT personnel
  - Internal auditors
- Composition of audit automation teams
- Automation of audit procedures
- Duplicate automation is ideal but too expensive
- Verification of automated procedures
- Independent verification by experienced auditors
- Approval of automated audit program


Scalability of Audit Automation


- Automation of highly specific audit procedures for different enterprise units can incur prohibitive costs
- Automation will be scalable across the enterprise only if the repetitive audit procedure automation costs are eliminated
- Strategies for making audit automation scalable:
  - Parameterization of automated audit procedures
  - Hierarchical structuring of automated audit procedures: from the most generic audit procedures applicable across the enterprise to the more specific ones for major units and subunits
  - Hierarchical updates
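
A sketch of parameterization with hierarchical structuring and updates, added here as an example and not taken from the slides: one generic procedure reads its threshold from a hierarchy in which a unit inherits from its parent unless it overrides. Unit names, parameter names, limits and purchase orders are constructed.

```python
# Constructed hierarchy: unit names, parameter names and limits are illustrative.
PARENT = {"enterprise": None, "emea": "enterprise",
          "emea/de": "emea", "apac": "enterprise"}
PARAMS = {
    "enterprise": {"po_approval_limit": 5000, "max_open_days": 30},
    "emea": {"po_approval_limit": 3000},
    "emea/de": {"max_open_days": 14},
}
ORDERS = [  # constructed purchase orders
    {"id": "PO-1", "unit": "apac", "amount": 4500, "approved": False},
    {"id": "PO-2", "unit": "emea/de", "amount": 4500, "approved": False},
    {"id": "PO-3", "unit": "emea/de", "amount": 9000, "approved": True},
    {"id": "PO-4", "unit": "apac", "amount": 6000, "approved": False},
]

def resolve(unit, params=PARAMS, parent=PARENT):
    """Effective parameters for a unit: the nearest level that sets a value wins."""
    chain = []
    while unit is not None:
        chain.append(unit)
        unit = parent[unit]
    effective = {}
    for level in reversed(chain):  # most generic first, most specific last
        effective.update(params.get(level, {}))
    return effective

def unapproved_over_limit(unit, orders, params=PARAMS):
    """One generic procedure; only its parameter differs per unit."""
    limit = resolve(unit, params)["po_approval_limit"]
    return [o["id"] for o in orders
            if o["unit"] == unit and o["amount"] > limit and not o["approved"]]

def update_level(params, level, **changes):
    """Hierarchical update: change one level, leave overrides below it alone."""
    updated = {k: dict(v) for k, v in params.items()}
    updated.setdefault(level, {}).update(changes)
    return updated

if __name__ == "__main__":
    for unit in ("apac", "emea/de"):
        print(unit, resolve(unit), unapproved_over_limit(unit, ORDERS))
```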


Alarm Management in Automated Audit Systems


- Auditing system will be generating alarms caused by anomalies and exceptions and delivering them automatically to auditors and enterprise personnel
- It is essential to have an automated closed loop process for capturing information about corrective actions and assuring problem resolution
- Auditing system should have a built-in mechanism for evaluating identified control failures using the enterprise risk model to associate appropriate risk levels to them
- Various ad hoc solutions and simplifying assumptions can be used to build a continuous auditing dashboard to provide an aggregate view of enterprise control problems in real time



Concluding Comments


- AMR Research projects spending on governance, risk and compliance applications and services will top $32.1 billion in 2008, up 7.4% from 2007. In 2009, growth is projected at 7%.
- Hosted, or on-demand solutions
- Integration of audit automation with audit working papers software
- Transformation of internal audit (the skill sets of internal auditors, the structure and the role of the internal audit departments)
- Structural changes in external audit