Principles and Problems of Audit Automation as a Precursor to Continuous Auditing
Michael Alles, Alexander Kogan, Miklos A. Vasarhelyi

Drivers and Objectives of Audit Automation
• Automation of business processes
• Labor-intensive repetitive audit work
• Cost and availability of qualified audit personnel
• Budgetary pressure on internal audit departments
• Complexity of business transactions and increasing risk exposure
• Scale and scope of audit procedures
• Timeliness of audit results

Continuous Auditing (CA) as Implementation of Automated Audit
• An automated audit system can run continuously
• CA = CCM + CDA
• Continuous Control Monitoring (CCM):
  • Access Control and Authorizations
  • System Configuration
  • Business Process Settings
• Continuous Data Assurance (CDA):
  • Master Data
  • Transactions
  • Key Process Metrics using analytics (including Continuity Equations)

Formalizing the Audit Program
• Automation requires formalization
• Formalized is usually automatable
• Possibility of formalization is often underestimated
• Benefits of formalization:
  • Promotes precision and consistency
  • Improves confidence in audit results
  • Reduces long-run audit costs
• Problems with formalization:
  • Many humans experience difficulties with logical reasoning and formal thinking
  • Formalization can be very laborious and costly
  • Certain complex judgments are not amenable to formalization

Reengineering the Audit Program
• Conventional audit programs are not designed for automation
• Surprisingly large proportion of audit procedures (up to 68% at Siemens) can be formalized and automated
• Formalizable and judgmental procedures are often intermixed – redesign is required to separate them out
• Re-engineering objective: maximize the proportion of automatable procedures in the audit program (i.e., reduce reliance on informal judgmental techniques)
• Substitution of high frequency (“continuous”) automated procedures for eliminated manual methods

Automating Audits through Baseline Monitoring
• Traditionally used in configuration management and IT security
• Baseline – a snapshot of system configuration and business process settings
• Deltas from baseline → exceptions
• Critical issues:
  • Definition of baseline (the more static the parameters are, the better suited they are to baselining)
  • Initial verification of baseline values
  • Security of baseline (both definition and current values)
  • Accumulation of deltas → redefinition of baseline

System Architecture of Automated Audit
• Structure of audit software:
  • Integrated software, vs.
  • Distributed (i.e., multi-agent-based) system
• Access to the enterprise system and data:
  • Direct (either to the database or to the application layer)
  • Intermediated (through a business data warehouse)
• Platform of audit software:
  • Common enterprise platform (EAM – embedded audit modules, or mobile agents)
  • Separate platform (MCL – monitoring and control layer)
• Providers of audit software:
  • Common platform – enterprise software vendors
  • Separate platform – 3rd party vendors and audit firms

Pros and Cons of Common Platform in Automated Audit
• Mobile audit agents are transported to the enterprise platform to run there, as EAMs do
• Benefits of common platform:
  • Protection against network connectivity outages
  • Event-triggered execution of audit procedures → potentially zero latency (not affected by network congestion)
  • More efficient for processing large volumes of enterprise data (on site, vs. moving that data over the network)
• Problems with common platform:
  • Protection of enterprise platform against (possibly malicious) agent/EAM
  • Protection of agent against possible manipulation by the platform (malicious host problem)
• Impossibility of protecting the agent/EAM outweighs the benefits!

Software for Audit Automation (Separate Platform)
• Continuous Data Assurance (common data models):
  • ACL
  • CaseWare IDEA
  • Oversight Systems
• Continuous Control Monitoring:
  • Approva
• Governance, Risk, and Compliance Solutions:
  • SAP GRC Access Control, Risk Management, Process Control (VIRSA)
  • Oracle Governance, Risk, and Compliance (LogicalApps)
  • IBM Workplace for Business Controls and Reporting
  • Paisley Enterprise GRC
  • OpenPages
  • AXENTIS Enterprise
  • BWise
  • Protiviti Governance Portal

Securing Continuous Auditing
• Location of continuous auditing hardware:
  • Client’s premises
  • Audit shop
• Physical access security
• Logical access security
• Client’s IT personnel access
• Super-user privileges
• Comprehensive logging of all super-user activities
• Export / import of CA system settings (comparison of cryptographic check-sums)

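Added example (not from the slides): the baseline-monitoring slide and the check-sum comparison above combined in one check, so that deltas are only reported against a baseline whose checksum still verifies. It assumes a keyed checksum (HMAC-SHA-256) with the key held by the auditor rather than the client's IT staff; the function names, parameter names and sample settings are constructed for illustration.

```python
import hashlib
import hmac
import json

def canonical(settings: dict) -> bytes:
    """Serialize settings deterministically so equal settings give equal bytes."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()

def seal(settings: dict, key: bytes) -> str:
    """Keyed checksum over the baseline; the key is assumed to stay with the auditor."""
    return hmac.new(key, canonical(settings), hashlib.sha256).hexdigest()

def verify(settings: dict, key: bytes, checksum: str) -> bool:
    """Constant-time comparison of the recomputed checksum with the stored one."""
    return hmac.compare_digest(seal(settings, key), checksum)

def deltas(baseline: dict, current: dict) -> dict:
    """Return {parameter: (baseline_value, current_value)} for every deviation."""
    missing = "<absent>"
    keys = sorted(set(baseline) | set(current))
    return {k: (baseline.get(k, missing), current.get(k, missing))
            for k in keys
            if baseline.get(k, missing) != current.get(k, missing)}

def audit(baseline: dict, checksum: str, current: dict, key: bytes) -> dict:
    """Refuse to compare against a baseline whose checksum does not verify."""
    if not verify(baseline, key, checksum):
        return {"status": "baseline_tampered", "exceptions": {}}
    found = deltas(baseline, current)
    return {"status": "exceptions" if found else "clean", "exceptions": found}

# Constructed sample data: a verified baseline and a later system snapshot.
KEY = b"auditor-held-demo-key"
BASELINE = {"password_min_length": 12, "three_way_match": True,
            "po_approval_limit": 5000}
CHECKSUM = seal(BASELINE, KEY)
CURRENT = {"password_min_length": 12, "three_way_match": False,
           "po_approval_limit": 5000, "debug_user_enabled": True}

if __name__ == "__main__":
    print(audit(BASELINE, CHECKSUM, CURRENT, KEY))
    # A baseline edited after sealing must not be trusted for comparison.
    weakened = dict(BASELINE, po_approval_limit=500000)
    print(audit(weakened, CHECKSUM, CURRENT, KEY))
```

Redefining the baseline after deltas accumulate means resealing it, which is why the key and the resealing step belong outside the reach of the monitored system's super-users.
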
Audit Automation Change Management
• Auditing processes have a tremendous amount of inertia
• Senior executive champions of the project
• Identification and engagement of stakeholders:
  • Business process owners
  • IT personnel
  • Internal auditors
• Composition of audit automation teams
• Automation of audit procedures
• Duplicate automation is ideal but too expensive
• Verification of automated procedures
• Independent verification by experienced auditors
• Approval of automated audit program

Scalability of Audit Automation
• Automation of highly specific audit procedures for different enterprise units can incur prohibitive costs
• Automation will be scalable across the enterprise only if the repetitive audit procedure automation costs are eliminated
• Strategies for making audit automation scalable:
  • Parameterization of automated audit procedures
  • Hierarchical structuring of automated audit procedures – from the most generic audit procedures applicable across the enterprise to the more specific ones for major units and subunits
  • Hierarchical updates

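Added example (not from the slides): one parameterized audit procedure reused for every unit, with parameters resolved from the enterprise level down to the subunit so that an update at a higher level reaches all units that do not override it. The unit names, parameter names, thresholds and payments are constructed for illustration.

```python
# Parameter sets from most generic to most specific (constructed values).
PARAMS = {
    "enterprise": {"approval_limit": 10000, "max_days_to_post": 5},
    "enterprise/emea": {"approval_limit": 8000},
    "enterprise/emea/plant-07": {"max_days_to_post": 2},
}

# Constructed sample transactions.
PAYMENTS = [
    {"id": "P1", "amount": 9000, "second_approver": None, "days_to_post": 1},
    {"id": "P2", "amount": 12000, "second_approver": "u17", "days_to_post": 3},
    {"id": "P3", "amount": 500, "second_approver": None, "days_to_post": 6},
]

def resolve(unit: str, params: dict = PARAMS) -> dict:
    """Merge parameters along the path root -> unit; the more specific level wins."""
    merged, path = {}, ""
    for part in unit.split("/"):
        path = f"{path}/{part}" if path else part
        merged.update(params.get(path, {}))
    return merged

def check_payments(unit: str, payments: list, params: dict = PARAMS) -> list:
    """Single procedure for all units; only the resolved parameters differ."""
    p = resolve(unit, params)
    alarms = []
    for pay in payments:
        if pay["amount"] > p["approval_limit"] and not pay["second_approver"]:
            alarms.append((pay["id"], "missing second approval"))
        if pay["days_to_post"] > p["max_days_to_post"]:
            alarms.append((pay["id"], "late posting"))
    return alarms

if __name__ == "__main__":
    for unit in PARAMS:
        print(unit, resolve(unit), check_payments(unit, PAYMENTS))
    # Hierarchical update: tightening the enterprise-level posting window
    # changes the result for EMEA, which does not override that parameter.
    tightened = {**PARAMS, "enterprise": {"approval_limit": 10000,
                                          "max_days_to_post": 2}}
    print(check_payments("enterprise/emea", PAYMENTS, tightened))
```
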
Alarm Management in Automated Audit Systems
• Auditing system will be generating alarms caused by anomalies and exceptions and delivering them automatically to auditors and enterprise personnel
• It is essential to have an automated closed loop process for capturing information about corrective actions and assuring problem resolution
• Auditing system should have a built-in mechanism for evaluating identified control failures using the enterprise risk model to associate appropriate risk levels to them
• Various ad hoc solutions and simplifying assumptions can be used to build a continuous auditing dashboard to provide an aggregate view of enterprise control problems in real time

Concluding Comments
• AMR Research projects spending on governance, risk and compliance applications and services will top $32.1 billion in 2008, up 7.4% from 2007. In 2009, growth is projected at 7%.
• Hosted, or on-demand solutions
• Integration of audit automation with audit working papers software
• Transformation of internal audit (the skill sets of internal auditors, the structure and the role of the internal audit departments)
• Structural changes in external audit