Consider Solutions: Continuous Audit - Technology Enabled Continuous Assurance
Posted: 12 September 2013 | Author: Dan French, CEO of Consider Solutions | Source: Consider Solutions
Challenging Assumptions With Practical Experience
Continuous Audit and Continuous Monitoring require technology, but they are not technology projects; they are business change programs. This white paper provides insight, experience and best practice, and challenges some assumptions.
‘Continuous Audit’ has been discussed and written about for decades. Conferences are run and books get written on the subject. But to this day, the definition is hard to pin down and there is quite a lot of semantic debate about what it is and is not. This debate is most fierce when exploring the perceived differences between Continuous Audit and Continuous Monitoring, of which more later…
A pretty classic view of Continuous Audit is that it is one of many tools used by Internal Audit to provide reasonable assurance that the controls in the business operational environment are suitably designed, established and operating as intended. The ‘continuous’ element of the label can refer to the frequency of testing throughout the year as opposed to end of year snapshots. Robert Mainardi wrote an interesting book on the subject entitled ‘Harnessing the Power of Continuous Auditing’ (Wiley).
A more contemporary view is that Continuous Audit is the application of automated tools to provide continuous assurance over financial or operational control and to check whether internal controls are functioning to prevent error and fraud. But the world is moving on. Businesses are striving for global standardization, simplification and automation.
We are in an era where the core business processes are undergoing a transformation: the ‘factory processes’ that require no creativity or innovation are being consolidated into Shared Service Centers, or even outsourced, and are supported by a common system and template that is typically implemented in large-scale ERPs.
These transformed processes and support organizations are often set up in geographically separate locations to benefit from labor arbitrage and cost efficiencies and to support global time zones and languages. These centralized service units also require strong control and exception management systems.
The control systems of the past were largely ‘proximity controls’, by which I mean the control implied by co-located process execution and oversight. It is not long since the implied control over expenditure was that the financial controller personally approved all high value purchases, and the person requesting the purchase, and their role, was well known to the controller and usually resided in the same building. These ‘proximity controls’ were rarely written down, but they were effective. They typically break down completely as a result of finance transformation.
The new world requires an approach to audit (and indeed to management) that recognizes the inherent complexity and volume associated with today’s global processes. Major organizations today are looking for a better way to assure their businesses run ‘as advertised’ and to avoid any issues that could cause reputational damage.
Despite the wide disparity between definitions, widespread application of Continuous Audit remains elusive. 32% of organizations recently surveyed by the Institute of Internal Auditors (IIA) reported that they perform continuous auditing. In another recent survey by PricewaterhouseCoopers (PwC), 81% of companies ‘aspired to’ continuous auditing.