Conference Workshop Continuous Auditing An Approach for Today

Conference Workshop Continuous Auditing: An Approach for Today Univ. of Salford, 3/16/2018 Presented by Anton Bouwer www. acl. com

AGENDA Ø The “Phrase” Ø The “Distinction” Ø Approach for Today’s Requirements Ø Summary

Definition of Continuous Auditing Ø CONTINUOUS Ø Never ends Ø When cycle ends, next starts Ø AUDITING. Ø Access information Ø Know business Ø Verify info Ø Express/Report

Definition of Continuous Auditing Ø Can CA be possible without human interface? Ø Are we disrespecting the auditor? Ø Square peg, round hole? Ø Diluting the concept “audit”? Ø Legal issues? Ignore at own peril!

The Distinction MONITOR/REPORT ØMonitoring & Reporting checks every transaction ØOne record at a time ØType = Control ØImplemented FOR management AUDIT ØAuditing is looking for & verifying exceptions ØIndependently ØComparing each record against expected norms ØAudit efficiency: more than 1 record at a time ØType = Audit compliance or substantive

What is the PROBLEM? The only way to get CA to the masses (auditors): Ø Build bridge from today’s audit program to the Sci. Fi CA system. Don’t start in 2010, start in 2002. Ø Ask auditors what they want & verify result (Majority rules). Remember budget! Ø Messing with age old principles Ø Lets learn from the E-Bubble & Y 2 K & Euro conversion!!! How big a part did we play in this? How much did we cost commerce?

Approach to CA Development Ø NOT Complex Ø NOT Technical Ø Audit approach & result (NOT contol) Ø Obtain top level buy-in & top level sponsor Ø One application at a time Ø Get specialist assistance

Implementing Continuous Auditing Ø Setting up the project Ø Perform detailed risk analysis Ø Link to risk measurement Ø Anticipate exceptions & develop specifications Ø Plan access to data Ø Plan the audit frequency and audit response

Implementing Continuous Auditing Ø Develop and implement the continuous auditing application Ø Test & Acceptance Ø Maintenance and redesign Ø Post Implementation Review Ø Regular auditing of the continuous auditing application

Pitfalls Ø What to measure? Exceptions Ø Trends on statistics & ratios Ø Ø Difficult to get data access Auto update of audit database Ø Top-level sponsor Ø Ø Slow death

Pitfalls Ø Audit independence DO DONT w Test compliance w Control w Substantiate accuracy w Monitor w Substantiate completeness w Prevent w Report on trends w Detect

Case Study Background ØBanking & finance entity ØStrategic risk analysis identified reputational risk as very high due to impact ØManagement expect auditor to review risk on more regular basis

Case Study Solution ØMeasure (audit) risk ØReport on risk measurement ØAutomate process ØSchedule future audits and reporting frequency

Risk Measurement Risk Type = Reputation Abuse of customer funds trough internal theft or fraud Control Audit Procedure Staff are not allowed to transfer customer funds to their own accounts. Such transfers in excess of $ 1000 must be done by another employee. Access data containing information on: w. User ID w. Employee account w. To account w. From account Identify control exceptions

Develop Specifications Objective Search transactions to find: w Transfer of funds w To employee account w Captured by employee who owns account w Amount bigger than $1000 Method Analyse each transaction and identify instances where the TO account equals the account number of the employee who captured the transaction Data Info needed can be found in two files w. Employee master w. Transaction master Both files contain the field Emp. ID which is the employee’s unique ID number in the company.

Technical Specifications Analysis 1. Access both files 2. Join files on Emp. ID and (Emp_Accnt to To_Accnt) 3. Join type MATCHED 4. Extract matches 5. Compute statistics on exceptions 6. Automate analysis Notification 1. Determine if there are exceptions 2. NOTIFY auditor of exceptions 3. Attach exceptions 4. Automate notification Reporting 1. Extract statistical data to permanent file 2. Present file with results as trend analysis to management 3. Automate reporting

Efficient Data Access

Develop Application

Schedule Application

Real-time Notification

Audit Verification

Continuous Reporting

Automated data download Automated audit Report Continuous Audit Cycle Audit Verification Automated scheduling

Summary ØStart ØDo at Risk Analysis not forget 80: 20 ØProve benefits (£££) ØInternal audit implement, external audit share benefits (Consulting opportunities - £££) ØWonderful ØTechnical ØRisk trends!!! barriers are smallest problem can not be measured, managed?

Thank You www. acl. com anton_bouwer@acl. com