340 likes | 598 Views
Implementing Continuous Auditing in a Global Real Time Economy. Miklos A. Vasarhelyi KPMG Professor of AIS Rutgers University Technology Consultant AT&T Laboratories. Outline. The real time economy Going Global Measuring Business Assurance in the Global Real Time Economy
E N D
Implementing Continuous Auditing in a Global Real Time Economy Miklos A. Vasarhelyi KPMG Professor of AIS Rutgers University Technology Consultant AT&T Laboratories
Outline • The real time economy • Going Global • Measuring Business • Assurance in the Global Real Time Economy • Implementing Continuous Audit • Opportunities and Challenges
The real time economy • The objective • Reduction of latency • Inter-Process 7 Intra-Process Latency • The facilitators • Sensors – measuring transactions automatically • ERPs • Process Automation • Dashboards • Reengineering, Outsourcing, System Integration
RTE • Processes that are supported by real-time systems • Processes which are monitored on a close to continuous basis • Processes that are highly time dependent • Processes where timely decisions give competitive advantage
Going global - Preamble • Over the last 50 years technology has enabled major motion towards a global economy. • Consequently it has set into motion social change, economic rebalancing, and an unprecedented degree of across-country cooperation. • However this phenomenon of ubiquitous consequence has created a wave of challenges to the socio-technical structure of business and corporate policy making.
Going Global - Friedman • 11/09/1989 (Berlin Wall) • 08/09/95 (Netscape went Public) • Three billion new people joining the fray • Work flow software • Open sourcing • Outsourcing, offshoring, In-forming • Hardware & software multifuctionality • Tools of cooperation
RTEBIS • Very rapid business cycles • Instant need of resolution of certain business needs (for example monthly billing may not be acceptable) • Service agreements that specify certain degree of data reliability • Rapid change in the terms of agreements contingent on dynamic parameters • Utilization of Service Oriented Architectures that allow for dynamic servicing of clients and dynamic acquisition of suppliers and service providers
What is Continuous Auditing? • No consensus on what constitutes a continuous • audit • Enhanced auditor skill set • Differences from traditional audit • New audit risk model • Continuous reporting and impact on auditor’s • report • Senior management support
A Distinction between Continuous Auditing and Continuous Monitoring Continuous auditing does not necessarily have to generate a report; it is a process that tests transactions based upon prescribed criteria, identifies anomalies, and is the responsibility of the auditor. Continuous monitoring, on the other hand, is the responsibility of management, best defined in terms of the COSO Study control framework. Continuous monitoring, when employed by auditors, focuses on the control environment and not transactions.
An evolving continuous auditframework Continuous Audit Continuous Audit Continuous Control Monitoring • Automation • Sensoring • ERP • E-Commerce Data CA = CCM+ C(D)A CA -> Continuous Audit CCM -> Continuous Control Monitoring C(D)A -> Continuous Data Assurance
Some Key Issues • Two recent surveys (ACL and PWC) show that a large number of key companies are attempting to perform continuous audit like functions • An industry of software is evolving with ACL, IDEA, APPROVA, and others growing rapidly • Control Monitoring and Continuous Data Assurance are the main approaches • The first recorded application was AT&T Bell Laboratories CPAS effort in the 1986-1991 period • The Rutgers CarLab is working in leading applications
CAR-Lab Experiences • Control monitoring at Siemens • Transaction monitoring at Unibanco • Continuous (data) assurance at HCA • Other • Conceptual developments • Simulating Liberty • EBR work • KPMG projects
Expanded Audit Coverage Significant Cost Savings Siemens' – Project Value Proposition Automated Business Process Controls Monitoring Project
Siemens' – Project Features • Formalize & automate internal audit procedures used for business process controls monitoring • Conduct “man vs. model” assessments • Calibrate “exception rules” to optimize model performance • Scale up to all SAP instances • Increase frequency of model application, where feasible • Transition to Approva application and extend the model where optimal
Background • While technologies of continuous audit have been extensively discussed and are progressively emerging the more mundane issues of their implementation in a socio-technical environment have been neglected • http://www.theiia.org/itaudit/features/in-depth-features-2-10-08/feature-2/
Priority • Areas 2. Rule 6. Action and Reaction 3. Frequency Audit Control Panel 5. Follow-up 4. Parameterization Six steps of process implementation
Opportunities for business and research (1) • Control system measurement • We are in a pre-paradigmatic stage of control documentation and measurement • We do not know how to monitor controls in large ERPs • We do not know how to provide a really supportable opinion on controls • We do not know how to rate combinations of controls • Business Process Monitoring and Alarming • Auditors have to carve a position on the new monitoring and control environment • Auditors can collect exception “alarms” as trusted parties and incorporate these into evidentiary matter • Auditors can be “trusted”
Opportunities (2) • Automatic Confirmation Tools • Confirmations will have an increased evidentiary role with eventual elimination of population and integrity worries • Intelligent confirmatory tags can do much • Database to database hand-shaking will be medium • Business opportunity for auditors • Audit bots (agents) • Many of the basic audit functions can be emulated by software • These must be eventually developed by the profession to work hand-in-hand with human auditors in the new audit world • These agents will work on all areas including: 1) audit planning, 2) analytical reviews, 4) confirmations, and )5 evergreen opinions
Opportunities (3) • Collecting forensic trails • Auditor “black” box • Publishing real-time authenticated reports for different compliance masters • Publishing FD independent compliance reports
Challenges • Standards are needed for CA • Audit monitoring needs to be defined • Types of evidence are to change and must be reconsidered • Independence needs to be re-defined • The billing model has to be restructured to bill on function not hours • Audit firms must put improved knowledge collection and management processes to feed their audit analytic toolkit • Audit firms have to engage in auditor automation and pro-actively promote corporate data collection during-the-process • Value added must be justified in terms of data quality
Conclusions • Attention must be paid to the organizational processes that implement continuous audit • There are 6 key steps to progressively implement a CA program module by module • The CA process is dynamic and CA management will change schedule and parameters of each process • The organization of the audit process must be evolved progressively