
Nov 5, 2013 (3 years and 5 months ago)


Principles and Problems of Audit Automation as a Precursor to Continuous Auditing

Michael Alles
Alexander Kogan
Miklos A. Vasarhelyi

RUTGERS CA/R/Lab



Drivers and Objectives of Audit Automation

- Automation of business processes
- Labor-intensive repetitive audit work
- Cost and availability of qualified audit personnel
- Budgetary pressure on internal audit departments
- Complexity of business transactions and increasing risk exposure
- Scale and scope of audit procedures
- Timeliness of audit results




Continuous Auditing (CA) as Implementation of Automated Audit

- An automated audit system can run continuously
- CA = CCM + CDA
- Continuous Control Monitoring (CCM):
  - Access Control and Authorizations
  - System Configuration
  - Business Process Settings
- Continuous Data Assurance (CDA):
  - Master Data
  - Transactions
  - Key Process Metrics using analytics (including Continuity Equations)



Ways of Verifying Existence, Correctness and Functioning of Business Process (BP) Controls

- Verifying that the observations of a BP agree with the existence, correctness and functioning of a control; benefit - can be applied even if controls are not directly accessible by the auditor; problem - the observed behavior of the BP may not completely cover the whole range of control functions.
- Verifying by executing a prohibited BP behavior that it either cannot happen or is detected and compensated for; problem - auditor has read-only access to the production system and cannot run “penetration testing”.
- Verifying that retrieved control settings stored in the enterprise system match the benchmark; problem - relies on the assumption that the programming code of the control in the production system is correct (? customized controls ?).



Continuous Monitoring of BP Control Settings

- Online access to automated BP control settings (available in ERP systems) from the continuous assurance system.
- Enterprise-dependent benchmarks of acceptable control settings.
- Frequent (e.g., daily, hourly) comparison of actual settings with the benchmarks.
- Automatic generation of alarms in case of critical deviations, such as individual accounts without passwords, aggregation of weaknesses in certain control areas (e.g., segregation of duties).
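
The comparison and alarm steps above, as an added example that is not part of the original slides. The setting names, the benchmark tests and the per-area threshold are all assumptions made for illustration; a real benchmark is enterprise-dependent.

```python
from collections import Counter

# Constructed, enterprise-dependent benchmark (all names are hypothetical):
# setting -> (control area, critical?, test that an actual value must pass)
BENCHMARK = {
    "min_password_length":         ("access_control", False, lambda v: v >= 8),
    "accounts_without_password":   ("access_control", True, lambda v: not v),
    "users_create_and_approve_po": ("segregation_of_duties", False, lambda v: not v),
    "users_create_vendor_and_pay": ("segregation_of_duties", False, lambda v: not v),
    "invoice_tolerance_pct":       ("process_settings", False, lambda v: v <= 2.0),
}
AREA_THRESHOLD = 2  # assumed: weaknesses per control area that trigger an aggregate alarm

def deviations(actual):
    """Compare retrieved settings with the benchmark; a missing setting is a deviation."""
    found = []
    for name, (area, critical, acceptable) in BENCHMARK.items():
        value = actual.get(name, "<not retrieved>")
        if name not in actual or not acceptable(value):
            found.append((name, area, critical, value))
    return found

def alarms(found):
    """One alarm per critical deviation, plus one per control area with clustered weaknesses."""
    out = [f"CRITICAL {name}: {value!r}" for name, _, critical, value in found if critical]
    per_area = Counter(area for _, area, _, _ in found)
    out += [f"AGGREGATE {area}: {n} deviations"
            for area, n in sorted(per_area.items()) if n >= AREA_THRESHOLD]
    return out

# Constructed snapshot of actual settings, as one scheduled run might retrieve them.
SNAPSHOT = {
    "min_password_length": 10,
    "accounts_without_password": ["SVC_BATCH"],
    "users_create_and_approve_po": ["jdoe"],
    "users_create_vendor_and_pay": ["jdoe", "asmith"],
    "invoice_tolerance_pct": 1.5,
}

if __name__ == "__main__":
    for line in alarms(deviations(SNAPSHOT)):
        print(line)
```

Neither segregation-of-duties deviation is critical on its own; the alarm comes from their accumulation in one control area.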



Continuous Data Assurance

- Automation of Transaction Testing:
  - Formalization of business process rules as transaction integrity and validity constraints.
  - Verification of transaction integrity and validity - detection of exceptions - generation of alarms.
- Automation of Analytical Procedures:
  - Selection of critical business process metrics and development of stable business flow (continuity) equations.
  - Monitoring of continuity equation residuals - detection of anomalies - generation of alarms.




Enterprise System Landscape

[Diagram. Labels: Ordering; Accounts Payable; Materials Management; Sales; Accounts Receivable; Human Resources; Business Data Warehouse; Automatic Transaction Verification; Exception Alarms; Automatic Analytical Monitoring: Continuity Equations; Anomaly Alarms; Continuous Data Assurance System; Responsible Enterprise Personnel]



Analytical Procedures In CA

- Analytical procedures are used in the planning, substantive testing, and reviewing stages of an audit. We focus on substantive testing.
- In conventional auditing, analytical procedures are applied first to identify potential problems. Then, detailed transaction testing is focused on the identified problem areas.
- In CDA the sequence is reversed:
  1. Automated general transaction tests are applied to all the transactions and identified exceptions are filtered out for resolution.
  2. Automated analytical procedures are then applied to the filtered transaction stream to identify unforeseen problems.
  3. Humans are then alerted to investigate anomalies.
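
The reversed CDA sequence, covering both the transaction testing and the continuity-equation monitoring described on the Continuous Data Assurance slide, as an added example that is not from the original slides. The integrity rules, the record layout and the one-day-lag proportional model received[d] = beta * ordered[d-1] are assumptions chosen for illustration, and the training window is assumed to be non-empty.

```python
from statistics import pstdev

RULES = {  # formalized integrity constraints (illustrative)
    "non-positive quantity": lambda t: t["qty"] <= 0,
    "order without approver": lambda t: t["kind"] == "order" and not t["approver"],
}

def split_exceptions(txns):
    """Step 1: test every transaction; exceptions leave the stream for resolution."""
    clean, exceptions = [], []
    for t in txns:
        broken = [name for name, violated in RULES.items() if violated(t)]
        if broken:
            exceptions.append((t["id"], broken))
        else:
            clean.append(t)
    return clean, exceptions

def daily_qty(txns, kind):
    totals = {}
    for t in txns:
        if t["kind"] == kind:
            totals[t["day"]] = totals.get(t["day"], 0) + t["qty"]
    return totals

def residual_anomalies(txns, last_train_day, k=3.0):
    """Step 2: fit received[d] = beta * ordered[d-1] on the training days, then
    flag later days whose residual exceeds k training standard deviations."""
    ordered, received = daily_qty(txns, "order"), daily_qty(txns, "receipt")
    pairs = {d: (ordered[d - 1], received[d]) for d in received if d - 1 in ordered}
    train = [xy for d, xy in pairs.items() if d <= last_train_day]
    beta = sum(x * y for x, y in train) / sum(x * x for x, _ in train)
    sigma = pstdev([y - beta * x for x, y in train])
    return sorted(d for d, (x, y) in pairs.items()
                  if d > last_train_day and abs(y - beta * x) > k * sigma)

# Constructed data: one order per day 0..8, its receipt a day later, two bad records.
ORDERED = [100, 120, 90, 110, 105, 95, 115, 100, 108]
RECEIVED = [98, 117, 89, 107, 104, 93, 112, 60, 106]
TXNS = [{"id": f"PO{d}", "kind": "order", "day": d, "qty": q, "approver": "mgr1"}
        for d, q in enumerate(ORDERED)]
TXNS += [{"id": f"GR{d}", "kind": "receipt", "day": d, "qty": q, "approver": None}
         for d, q in enumerate(RECEIVED, start=1)]
TXNS += [{"id": "PO-X1", "kind": "order", "day": 8, "qty": 40, "approver": None},
         {"id": "GR-X2", "kind": "receipt", "day": 5, "qty": -10, "approver": None}]

def run(txns, last_train_day=6):
    clean, exceptions = split_exceptions(txns)
    return exceptions, residual_anomalies(clean, last_train_day)  # step 3: alert humans
```

On the filtered stream only day 8 (a short receipt) is flagged. Run on the unfiltered stream, the same model also flags day 9, because the unapproved order inflates that day's expected receipts.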



Formalizing the Audit Program

- Automation requires formalization
- Formalized is usually automatable
- Possibility of formalization is often underestimated
- Benefits of formalization:
  - promotes precision and consistency
  - improves confidence in audit results
  - reduces long-run audit costs
- Problems with formalization:
  - Many humans experience difficulties with logical reasoning and formal thinking
  - Formalization can be very laborious and costly
  - Certain complex judgments are not amenable to formalization



Reengineering the Audit Program

- Conventional audit programs are not designed for automation
- Surprisingly large proportion of audit procedures (up to 68% at Siemens) can be formalized and automated
- Formalizable and judgmental procedures are often intermixed - redesign is required to separate them out
- Re-engineering objective: maximize the proportion of automatable procedures in the audit program (i.e., reduce reliance on informal judgmental techniques)
- Substitution of high frequency (“continuous”) automated procedures for eliminated manual methods



Automating Audits through Baseline Monitoring

- Traditionally used in configuration management and IT security
- Baseline - a snapshot of system configuration and business process settings
- Deltas from baseline - exceptions
- Critical issues:
  - Definition of baseline (the more static parameters are, the better they are suitable for baselining)
  - Initial verification of baseline values
  - Security of baseline (both definition and current values)
  - Accumulation of deltas - redefinition of baseline




System Architecture of Automated Audit

- Structure of audit software:
  - integrated software vs. distributed (i.e., multi-agent-based) system
- Access to the enterprise system and data:
  - Direct (either to the database or to the application layer)
  - Intermediated (through a business data warehouse)
- Platform of audit software:
  - Common enterprise platform (EAM - embedded audit modules, or mobile agents)
  - Separate platform (MCL - monitoring and control layer)
- Providers of audit software:
  - Common platform - enterprise software vendors
  - Separate platform - 3rd party vendors and audit firms



Pros and Cons of Common Platform in Automated Audit

- Mobile audit agents are transported to the enterprise platform to run there, as EAMs do
- Benefits of common platform:
  - Protection against network connectivity outages
  - Event-triggered execution of audit procedures - potentially zero latency (not affected by network congestion)
  - More efficient for processing large volumes of enterprise data (on site vs. moving that data over the network)
- Problems with common platform:
  - Protection of enterprise platform against (possibly malicious) agent/EAM
  - Protection of agent against possible manipulation by the platform (malicious host problem)
- Impossibility of protecting the agent/EAM outweighs the benefits!



Software for Audit Automation (Separate Platform)

- Continuous Data Assurance (common data models)
  - ACL
  - CaseWare IDEA
  - Oversight Systems
- Continuous Control Monitoring
  - Approva
- Governance, Risk, and Compliance Solutions:
  - SAP GRC Access Control, Risk Management, Process Control (VIRSA)
  - Oracle Governance, Risk, and Compliance (LogicalApps)
  - IBM Workplace for Business Controls and Reporting
  - Paisley Enterprise GRC
  - OpenPages
  - AXENTIS Enterprise
  - BWise
  - Protiviti Governance Portal



Securing Continuous Auditing

- Location of continuous auditing hardware:
  - client’s premises
  - audit shop
- Physical access security
- Logical access security
- Client’s IT personnel access
- Super-user privileges
- Comprehensive logging of all super-user activities
- Export / import of CA system settings (comparison of cryptographic check-sums)
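
The checksum comparison on export and import of CA system settings, which also bears on the "Security of baseline" issue from the baseline monitoring slide, as an added example that is not from the original slides. SHA-256 over canonical JSON is an assumed choice of checksum, and the settings shown are hypothetical.

```python
import hashlib
import hmac
import json

def checksum(settings):
    """SHA-256 over a canonical encoding, so key order and whitespace do not matter."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def export_settings(settings):
    """Return (blob, digest). The digest is recorded by the auditor, away from the blob."""
    return json.dumps(settings, indent=2), checksum(settings)

def import_settings(blob, recorded_digest):
    """Load settings only if they still match the digest recorded at export time."""
    settings = json.loads(blob)
    if not hmac.compare_digest(checksum(settings), recorded_digest):
        raise ValueError("CA settings do not match the recorded checksum")
    return settings

# Constructed CA system settings (hypothetical names and values).
CA_SETTINGS = {
    "schedule": {"control_monitoring": "hourly", "transaction_tests": "daily"},
    "alarm_recipients": ["internal.audit@example.com"],
    "baseline": {"min_password_length": 8, "invoice_tolerance_pct": 2.0},
}

if __name__ == "__main__":
    blob, digest = export_settings(CA_SETTINGS)
    print("export digest:", digest)
    print("import ok:", import_settings(blob, digest) == CA_SETTINGS)
```

A bare checksum detects changes only if the recorded digest is kept where someone able to edit the exported file cannot also replace the digest.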




Audit Automation Change Management

- Auditing processes have a tremendous amount of inertia
- Senior executive champions of the project
- Identification and engagement of stakeholders:
  - Business process owners
  - IT personnel
  - Internal auditors
- Composition of audit automation teams
- Automation of audit procedures
- Duplicate automation is ideal but too expensive
- Verification of automated procedures
- Independent verification by experienced auditors
- Approval of automated audit program



Scalability of Audit Automation

- Automation of highly specific audit procedures for different enterprise units can incur prohibitive costs
- Automation will be scalable across the enterprise only if the repetitive audit procedure automation costs are eliminated
- Strategies for making audit automation scalable:
  - Parameterization of automated audit procedures
  - Hierarchical structuring of automated audit procedures - from the most generic audit procedures applicable across the enterprise to the more specific ones for major units and subunits
  - Hierarchical updates



Alarm Management in Automated Audit Systems

- Auditing system will be generating alarms caused by anomalies and exceptions and delivering them automatically to auditors and enterprise personnel
- It is essential to have an automated closed loop process for capturing information about corrective actions and assuring problem resolution
- Auditing system should have a built-in mechanism for evaluating identified control failures using the enterprise risk model to associate appropriate risk levels to them
- Various ad hoc solutions and simplifying assumptions can be used to build a continuous auditing dashboard to provide an aggregate view of enterprise control problems in real time




Concluding Comments

- CA can be defined as a process that continually tests controls based upon criteria prescribed by the auditor and identifies exceptions and anomalies for the auditor to perform additional procedures
- When CA software matures, it may be more cost efficient for the audit procedures to change to match the software rather than customizing the software to each firm’s individual audit process
- Hosted, or on-demand solutions
- Integration of audit automation with audit working papers software
- Transformation of internal audit (the skill sets of internal auditors, the structure and the role of the internal audit departments)