What price continuous auditing?

Continuous auditing is nothing new.  It’s tried and tested – proved its worth and here to stay.  Now used by around half of all US companies, the adoption of continuous auditing is nevertheless proving to be a slow burn.

There are many definitions of continuous auditing but it can be neatly summed up as a process that facilitates an in-depth, ongoing review and analysis of financial and business information on a real-time basis.  It’s a process that is invaluable on many levels and one with far-reaching, tangible benefits, providing reassurance that the information produced for decision-making is both accurate and reliable and that the control procedures in place are effective.

The core premise is that both internal and external auditors are able to analyse systems continuously, performing control and risk assessments in real-time or near real-time.  The overriding advantage of continuous auditing is that every single transaction and control is checked – rather than simply a sample as is the case with traditional auditing techniques.  Any failure or anomaly is reported instantly, allowing immediate corrective action to be taken.  There’s no waiting for quarterly, annual or random audits before making checks for possible failures – and this reporting speed cuts out delays that could potentially result in irreversible loss or risk.

Continuous auditing can be viewed as the collection of methods used by various audit ‘owners’ in performing their activity on a more continual basis.  This does not have to be in real time, unless required, but at a frequency appropriate for the particular requirements arising from a specific activity.  For example, a segregation of duties control might be monitored at one-minute intervals, a financial control may be monitored daily or a key performance indicator monitored weekly.  Tests can be implemented over a period of time and prioritised so that ‘hot spots’ that regularly cause compliance failure due to their lack of ‘hard wired’ control can be monitored first.

The concept of continuous auditing can be embraced by any number of areas within a business, including risk management, compliance and operations.  Indeed, strengthening risk management – whether in the area of technology, fraud, inefficiencies or unwitting errors – is a proving to be a critical factor in the adoption of this technology.

Today’s fast-moving business environment demands such high-quality information from across the whole operation as much as, if not more than reliable historical financial statements. 

And there’s more …

Continuous testing is only half the story, of course – it’s what happens next that really makes the difference.  And the auditing process doesn’t disappoint, since it monitors controls and notes changes as they happen – any control failure is detected and fixed almost immediately, thus minimising the period of ineffectiveness.  Adaptability is a key feature of continuous auditing software – new controls can be identified and tested as they arise, modifying the audit approach to changed circumstances when required.

Audit tests can be configured to cover a vast range of options including, for example:

1. Key performance indicators (monthly extraction of general ledger balance, stock wastage comparison by depot, calculated ratios)
2. Standing data monitoring (changes to standard cost or standard price master files, accounts payable standing data changes – bank details, system setting changes – controls disabled, credit limit changes)
3. Exception reporting (credit limit breaches, branch banking variations, large, round sum or out-of-hours adjusting journal)
4. Security monitoring (out-of-hours log-ins, log-in failures, segregation of duties failure, unusual changes to access rights, new super-user created)

This leading edge audit process eliminates the need to download data since the approach is self-supporting and can extract data if required for analysis.  Exception reports – at a specified level of granularity – are produced automatically, with email notification of any aspect that needs attention.  This allows issues to be dealt with while they are fresh so that control failures can be fixed immediately rather than waiting until they are reported after a review of historical data.

Real-time auditing on the functioning of controls and financial transactions can significantly enhance management's ability to make effective key business decisions.  No less important is compliance across the whole corporate governance area, including Sarbanes-Oxley.

Indeed, continuous auditing holds together and supports a broad range of disciplines and activities within the organisation.  It can assist with a risk-based approach to deciding the overall audit plan as well as with specific individual audit objectives.  It also supports the automation of follow-up reports on the audit function's recommendations. This means that audit can track specific data-driven measures of performance to see if they have been implemented by management and if they have been successful.  The audit committee is similarly empowered and is able to exert greater control.

More bang for your buck

Who wouldn’t want to incorporate a tool that lightens the workload AND is more effective into the bargain?  Automated testing takes a fraction of the time compared with manual testing – and is impervious to human error. 

Although the initial effort involved in setting up and implementing the rules for automated testing is greater than for manual testing, the time savings soon kick in.  Typically, a system with 500 controls may take 3750 hours to test manually.  Automated testing will save around 2250 hours in the first year and from year two onwards the saving is the total manual testing time of 3750 hours.

Since controls as well as transactions are tested, there is no need to repeatedly check that a control is working since an alert will be triggered should this occur.

So, more bang for your buck as continuous auditing gives a greater depth of audit for the same cost, thanks to its ability to audit larger amounts of a population down to a greater level of detail, including preventative controls.

The value to the business is also enhanced by the ability to take a proactive approach to solving problems as they occur.

The effect on human resources is positive, too.  The audit workload can be spread more evenly throughout the year, reducing peaks and troughs and enabling more effective staff scheduling.  Furthermore, remote auditing can help reduce travel costs (and lost time).

There are long-term resource benefits.  Assuming that the current audit team is working at full capacity, then as the business grows the percentage of systems they are able to check will be smaller.  Alternatively, more employees will have to be hired if the same percentage is to be checked.  Introducing continuous auditing technology means a substantial improvement can be achieved year-on-year from the amount of information audited – and all without increasing resources.

External auditors can capitalise on the ease of integration using secure, standard technologies to enable communication to their remote offices.  Data need never leave the client site – it is audited in situ and only exceptions are extracted and reported.

So what’s the problem? 
Why are businesses seemingly reluctant to embrace such a positive tool?  There is no downside to continuous auditing so the reasons why companies are surprisingly slow to adopt a technology that can save them money, make their operations more efficient and help protect them from risk are something of a mystery.

Could cost be the stumbling block?  It’s possible that some managers might baulk at forking out a five-figure sum for the software especially if they mistakenly believe its usefulness is limited to financial auditing.  Yet in most cases the investment is likely to be recouped within 12 months.  Every single business transaction has the potential for error so the benefits of applying continuous auditing technology are real, relevant and often very rapid. 

A stronger internal control environment results in cost savings and not only does the system highlight transactional errors – the scale of which comes as something of a shock to most new users – but it also flags up opportunities for early payment discounts and reductions in late payment charges. 

Duplicate payments provide a simple example.  What might be perceived as an easily avoidable problem is actually estimated to cost the average company 0.1% of its spend.  This is because the people who authorise invoices for payment are not necessarily those who actually sign them off.  So this is human error at a cumulatively high cost – it’s not hard to calculate the financial benefits of being able to automatically identify, alert to and halt such duplicates.  What’s more, company officers can be held  responsible for problems with duplicate supplier payments, courtesy of the Sarbanes Oxley Act.  They may be deemed to have committed a criminal offence by failing to investigate and disclose the issue – even if they are unaware of its existence.

So, error and fraud are reduced, as are overpayments and revenue leakage.  However you do the maths, the financial case for using continuous auditing is irrefutable.

Perhaps fear of change is behind the slow take-up?  It’s understandable that internal auditors, worried about the impact on their jobs, might be wary of new, automated systems.   

However, in practice what the continuous auditing software does is enable them to use their skills in a more fulfilling way to better effect.  It frees up the resource in the audit department to focus on building better controls and investigating flagged issues rather than spending time on routine data sampling, looking for issues.  This can result in more focused individual audits since it becomes straightforward to target potential problem areas and risks, whether these are in specific departments or particular processes. 

Categoric’s technology typically resides within the client environment and has mandatory non-invasive connectivity into information sources – in other words, no software is loaded on to the client’s system.  The tool stays on the audit PC and databases are queried with read only access.  Information can be aggregated from multiple sources in order to create complex control or KPI monitoring conditions and these silos of information can generally be accessed across multiple geographical sites.

And, just as the best suppliers will configure the software to integrate with existing systems, they will also ensure that relevant staff are fully trained.

Suck it and see

Whatever it is that is holding people back – and in most cases it is perhaps a combination of factors – those who do take the plunge very soon realise the considerable benefits that accrue from continuous auditing.  Not least of these is the competitive edge they gain, while also being able to transfer resources to other services.

My advice to any company toying with the idea of continuous auditing is to start small.  Identify those areas of operations that are most important from an auditing perspective – these might be production, sales or wastage – and put it to the test.  Those operating areas that are easily defined and measured are the most appropriate to choose for this purpose.  Introducing continuous auditing across the whole spectrum of operations in one hit can work for some organisations but many will find it more satisfactory to ease themselves in bit by bit.

There is little doubt in my mind that continuous auditing is an indispensable tool without which many businesses will find it difficult to thrive.  For the onus on managers to protect their organisations and their stakeholders while remaining competitive in their market place puts them under increasing pressure to ensure that all operations are functioning at optimum efficiency. 

The role of audit is moving towards a more fluid business function and this is provoking a shift in the focus of some audit activities.  Businesses need reassurance that the information produced for decision-making is both accurate and reliable and that the control procedures in place are effective.  Continuous auditing is their greatest ally in this quest.