Access Accounting, Process Attestation, and Continuous Auditing. NYSSCPA Technology Assurance Committee, January 23, 2003. Bruce H. Nearon, CPA, J.H. Cohn LLP, Roseland, New Jersey, 973-403-6955, bnearon@jhcohn.com
Acknowledgements The ideas expressed in this presentation are substantially based on the following sources: • “The Future of Accounting and Financial Reporting, Part IV: ‘Access’ Accounting.” Steven M. H. Wallman. Accounting Horizons. June 1997. Vol. 11 Issue 2. • “Feasibility and Economics of Continuous Assurance.” Michael G. Alles, Alexander Kogan, and Miklos A. Vasarhelyi. Auditing: A Journal of Practice and Theory. March 2002. Vol. 21 No. 1. • “Twenty-First Century Assurance.” Robert K. Elliott. Auditing: A Journal of Practice and Theory. March 2002. Vol. 21 No. 1. • “Continuous Auditing: Building Automated Capability.” Zabihollah Rezaee, Ahmad Sharbatoghlie, Rick Elam, and Peter L. McMickle. Auditing: A Journal of Practice and Theory. March 2002. Vol. 21 No. 1.
A Thought to Ponder • “Accounting and financial reporting is just information” [2] • “Nothing is changing more quickly than information technology” [2] • For accountants and auditors to remain relevant, accounting and auditing must change with changes in technology. Note 2: “The Future of Accounting and Financial Reporting, Part IV: ‘Access’ Accounting.” Steven M. H. Wallman, Accounting Horizons. June 1997
Definitions • Access accounting – online real-time access by users through the Internet to the financial accounting relational databases that support the financial statements and other relevant information • Process attestation – an independent auditor’s opinion on the reliability, security and integrity of an entity’s financial information reporting system to deliver valid and complete data when needed by users • Continuous auditing – automated financial audit procedures performed concurrently with the initiation, recording, processing, and reporting of a transaction.
Breaking News The CPA Letter, December 2002 • New Business Reporting Model • Five fundamental elements including real-time distribution of information • Online real-time reporting is the only way to meet market demands for financial information • For further info see http://www.aicpa.org/download/ebrm/ebrm-AAnderson08O.pdf
Current Accounting and Reporting Model • Why the present structure emerged • User needs • Technological change • Should the future be different? • Will the legacy audit as we know it survive?
Why bother to change? • Regulation vs. market demand • Value proposition • Tech change is the primary driver of financial reporting change
Purpose of Accounting • Facilitate investment and credit decisions • Resource allocation • Settling up • Stewardship • Monitoring • Governance
Production and Delivery • Compile the information • Standard general purpose report • Consistency • Comparability
The Need for Accounting and Auditing • Large organizations need capital to grow • Separation of ownership and control • Communication from managers to owners
What Financial Information to Communicate? • Two choices • Raw data – with prior tech • no cost effective way to deliver • No way for average user to analyze • Compilation • Physical access easy • High-level of aggregation • Easy to understand
The Current Model – GAAP • Businesses – large amount of resources consumed to aggregate financial information • Users, analysts, and auditors – large amount of resources consumed to disaggregate it • An inefficient process
A New Model – Access Accounting • Provide users with real-time online access to entity financial databases • Requirements: • Data in standardized digital form • Communication channel • Access, Search and analysis tools
Enabling Technology • Digital financial records • Relational databases • Internet • Browsers • Broadband • XBRL • Data visualization techniques
A New Reporting Focus • Focus on the data itself • Importance of sufficient detail • Users choose data which is important to them • Users determine recognition criteria and assumptions • Possible to create legacy financial statements if users desire • Inclusion of data on intangibles
Benefits of Access Accounting • More efficient and faster capital formation • Reduce information overload – users only select what they want when they want it • No need for FASB • No need for disclosure rules • No requirements on companies to disclose anything – just make the required data available in standardized form • No need for international accounting standards • No need for preparation of financial statements or annual audit
What Will Auditors Do Then? • Process Attestation • Creating • Maintaining • Integrity • Delivery • SysTrust/SAS 70 • Combine accounting, auditing, and system theory • Why it will supplant GAAS audits
Benefits of Continuous Auditing • Auditor knowledge and understanding increased: • client’s business and environment • Flow of transactions • Documents, records, and use of information • Controls • Better risk assessment • More effective audit tests • More efficient audit tests with CAAT
A New Audit Focus • Access accounting reports digital evidence of transactions • The validity, competence, and reliability of digital evidence depends on internal control • The audit process moves to a control-risk orientation • The audit is of the adequacy and effectiveness of internal controls • Substantive tests have less importance
Necessity Is the Mother of Invention • User needs and 1890 to 1969 technology led to present-day GAAP and GAAS • User needs and 1970 to ??? technology will lead to real-time access to financial information and require process attestation • It's not a question of if, but rather, when
Impediments • Security – how to control who sees what • Disclosure to competitors • Regulators have to buy in • Access to data with required elements would replace regulatory filings • Process attestation would replace certified audits • Access accounting requires continuous auditing
Auditing and Assurance – What’s the Difference? • Auditing – an audit of financial statements according to GAAS, required by law, rule, regulation, or contract • Assurance – “an independent professional service that improves the quality of information, or its context for decision makers” [1] Note 1: AICPA Special Committee on Assurance Services, www.aicpa.org/assurance/about/comstud/defncom.htm
Continuous Auditing and Continuous Assurance – What’s the Difference? • Continuous auditing means using information technology to monitor financial transactions concurrent with their initiation, recording, and processing and to report unexpected financial events, trends, relationships, or conditions through electronic alerts or writing to an audit log. • Continuous assurance is the same as continuous auditing; however, it is not limited to financial information, and can be applied to any information that is recorded and processed by IT and used by decision makers.
Continuous Assurance (CA) • Gee whiz! Typically look at CA from technology side. • The business architecture required for CA is overshadowed in the razzle-dazzle of high-tech
CA Issues • Some transactions could benefit from CA • Cost of CA could exceed benefit • Who will pay for it? • CA may reduce auditor independence which reduces the value of the CA
CA – How is it done? • Electronic sensors, agents, and daemons embedded in the operating system and application software • Computer audit software to learn, analyze, query, alert, and report
Required Components of CA • Capture transactional information in digital form • Monitor and analyze • Communicate results
Capturing Digital Transactions • Bar code/POS • E-commerce – web browser client to web server • E-business – database to database over the Internet • EDI – legacy to legacy through store and forward mailbox and translation • Smart warehouse w/ RF smart-chip labels
What to Report? • SCM • ABC • Balanced Scorecard • Value Chain Scoreboard • Elements of financial statements • Legacy financial statements
Costs • Continuous opinion = continuous auditor legal liability • Competitive disadvantage • Reduce information asymmetry between insiders and investors • Once implemented hard to draw back
More Issues • Accruals – Will real-time legacy financial statements require continuous allocations, adjustments and allowances? • Who will pay for the CA? • Special cases – e-business partners, banks • The Company • The auditor • Users – per click • Cost • Extremely expensive when built in from start • Prohibitively expensive when tacked on
Independence • Who owns the embedded daemons and software? • If the auditor owns it, then the auditor’s CA system is part of the system they are auditing. • If the client owns and controls the CA system, then the “audit process” is not independent from the client. • With a per-click pay scheme the auditor could be seen as a business partner. • Auditor dismissal – once installed, a divorce is almost impossible. • What happens if the auditor is dismissed and takes the system? • The large sunk costs give the auditor a vested interest in the client. CA systems are customized to clients and when decommissioned are worthless.
Independence (continued) • SEC and Professional Ethics rules – prohibition on designing and implementing IT systems. For integrity of CA auditor must design and implement the CA system • Without independence CA has no value
Implementation Issues • Current business software, even high-end ERP packages, does not have CA capability • The Company’s IT department may refuse to cooperate, whether to provide information on the system, to embed daemons and implement CA software, or to give the auditor access • The CA system will have to audit itself to ensure controls are not tampered with • Companies will need a security system to screen user access
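One way the self-audit requirement above could be met for the CA alert log, as an added example that is not part of the original presentation: each alert is chained to the previous one by hash, and the latest head hash is lodged with a party outside the client's system. The function names, the sample alerts and the idea of an externally held head hash are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "|" + body).encode("utf-8")).hexdigest()

def append_alert(log, event):
    """Append an alert and return the new head hash (to be held off-system)."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]

def first_bad_entry(log, trusted_head=None):
    """Index of the first inconsistent entry; len(log) if the chain is
    self-consistent but its head differs from the trusted copy; -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_hash(prev, entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    if trusted_head is not None and not hmac.compare_digest(prev, trusted_head):
        return len(log)
    return -1

def build_log(events):
    """Build a fresh chained log from a list of events."""
    log = []
    for event in events:
        append_alert(log, event)
    return log

# Constructed sample alerts (hypothetical values).
SAMPLE_ALERTS = [
    {"seq": 1, "rule": "amount_over_limit", "txn": "T-501", "amount": "25000.00"},
    {"seq": 2, "rule": "duplicate_payment", "txn": "T-502", "amount": "980.00"},
    {"seq": 3, "rule": "control_disabled", "txn": "-", "amount": "0.00"},
]

if __name__ == "__main__":
    log = build_log(SAMPLE_ALERTS)
    head = log[-1]["hash"]
    log[1]["event"]["amount"] = "10.00"           # in-place edit of one alert
    print("first bad entry:", first_bad_entry(log, head))
```

An in-place edit breaks the chain at the edited entry, while a truncated or fully recomputed log still looks self-consistent and is caught only by comparing against the externally held head hash.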
Continuous Auditing Across Clients • All transactions occur with another entity. • Embedded audit daemons on the selling company's system can talk to daemons on the purchasing company's system. • If data agree – sale/purchase confirmed – clean opinion; if not, error or fraud alert • Electronic instantaneous 100% confirmation of all transactions • Science fiction – If in 1979 you said • Every company, even the very smallest mom-and-pops, would have a computer….. • Everyone would have cell phones, PDAs, digital cameras…..
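The seller-to-purchaser confirmation described above, as an added example that is not part of the original presentation: it matches the two companies' records by invoice id, confirms the ones that agree, and raises an alert for every disagreement, one-sided record or repeated id. The record layout, field names and sample data are assumptions made for illustration.

```python
from collections import Counter
from decimal import Decimal

FIELDS = ("seller", "buyer", "amount", "currency")

def normalize(rec):
    """Make values comparable so formatting differences do not raise alerts."""
    out = {f: str(rec[f]).strip().upper() for f in FIELDS}
    out["amount"] = Decimal(out["amount"]).quantize(Decimal("0.01"))
    return out

def index(records, side, alerts):
    """Index one side by invoice id; an id recorded twice is itself an alert."""
    counts = Counter(r["invoice"] for r in records)
    for inv in sorted(i for i, n in counts.items() if n > 1):
        alerts.append((inv, f"recorded {counts[inv]} times by {side}"))
    return {r["invoice"]: normalize(r) for r in records}

def confirm(sales, purchases):
    """Return (confirmed invoice ids, alerts) for two sides of the same trades."""
    alerts, confirmed = [], []
    sold = index(sales, "seller", alerts)
    bought = index(purchases, "buyer", alerts)
    flagged = {inv for inv, _ in alerts}  # already alerted, skip matching
    for inv in sorted((sold.keys() | bought.keys()) - flagged):
        if inv not in bought:
            alerts.append((inv, "sale has no matching purchase"))
        elif inv not in sold:
            alerts.append((inv, "purchase has no matching sale"))
        else:
            diff = [f for f in FIELDS if sold[inv][f] != bought[inv][f]]
            if diff:
                alerts.append((inv, "fields differ: " + ", ".join(diff)))
            else:
                confirmed.append(inv)
    return confirmed, alerts

def rec(invoice, amount, seller="Acme Supply", buyer="Bolt Retail", currency="USD"):
    """Build one constructed sample record (hypothetical company names)."""
    return dict(invoice=invoice, amount=amount, seller=seller, buyer=buyer, currency=currency)

# Constructed sample data: the same trades as each company's system recorded them.
SALES = [rec("INV-1001", "1200.50"), rec("INV-1002", "980.00"),
         rec("INV-1003", "415.00"), rec("INV-1004", "77.10"), rec("INV-1004", "77.10")]
PURCHASES = [rec("INV-1001", "1200.5", seller="ACME SUPPLY ", currency="usd"),
             rec("INV-1002", "890.00"), rec("INV-1004", "77.10"), rec("INV-1005", "60.00")]

if __name__ == "__main__":
    ok, alerts = confirm(SALES, PURCHASES)
    print("confirmed:", ok)
    for inv, reason in alerts:
        print("ALERT", inv, reason)
```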
XBRL and Continuous Assurance • XBRL could tag transactions with an audit meta tag • Ex. 1. There is no assurance that the system that produced and reported this information is reliable. • Ex. 2. The system that produced and reported this information has been reviewed by an independent auditor and nothing came to the auditor’s attention to indicate that it is unreliable • Ex. 3. The system that produced this information has been examined and is reasonably reliable according to generally accepted system reliability standards
Feedback Where No Data Has Gone Before • Who really knows what data in financial statements and audit reports users actually use? • With existing Internet technology there is a record of who clicked on what. • We will know which financial data elements users actually use. • If there is an XBRL audit meta tag we will know if users are even interested in data assurance. • Data mining can detect patterns because access will require a profile and common profile elements across users can be cross-tabulated with data elements. • Real-time feedback allows audit effort to be concentrated in the elements that users access
Wrap it up • Access accounting gives decision makers real-time access to the details of transactions as they occur • Process Attestation reports on the reliability of the system that delivers real-time information • Continuous Auditing monitors the accounting for transactions as they occur and allows early detection of errors and fraud • Results • all users have reliable information on transactions as they occur. • Financial reporting, auditing, decision making, and resource allocations are improved. • The cost of capital is reduced
ABOUT THE PRESENTER • Bruce H. Nearon, CPA is the Director of IT Security Audit for The Cohn Consulting Group, a division of J.H. Cohn LLP, Roseland, New Jersey, and is Chair of the NYSSCPA Technology Assurance Committee. He is also a member of the Auditing Standards and Procedures Committee, the Information Systems Audit and Control Association and an associate member, Information Security Committee, Science and Technology section of the American Bar Association. • He received the AICPA Elijah Watt Sells Award for performance with high distinction on the May 1989 CPA exam and holds a Bachelor's degree in Accounting (1986) and a Masters of Accountancy (1988) from the University of Florida. • Mr. Nearon is a frequent speaker at professional auditing and information technology seminars, and has published numerous articles in professional publications on IT auditing and network security. • He can be reached at 973-403-6955 and bnearon@jhcohn.com