Continuous Auditing Through Leveraging Technology

7/30/2019 Continuous Auditing Through Leveraging Technology


JOURNAL ONLINE

    Copyright 2006 ISACA. All rights reserved. www.isaca.org.

Continuous Auditing Through Leveraging Technology

    By Srinivas Sarva, CISA

"The world we have created today as a result of our thinking thus far has problems which cannot be solved by thinking the way we thought when we created them."

Albert Einstein

"Use technology to actually audit as opposed to using technology to automate manual auditing procedures."

Comments from Big 4 audit partners [1]

With companies' annual reports ceasing to be corporate ambassadors, quarterly reports are increasingly taking centre stage in the evaluation of best-performing companies. Bowing to time constraints, the benefit of this quarterly information mix being systematically audited for its data integrity is conspicuous by its absence. In this scenario, continuous auditing, which leverages technology, offers considerable advantages over traditional auditing, which still adopts tools that are neither applicable nor efficacious. Unfamiliarity with concurrent auditing tools and techniques will delay the audit profession's entry into the online delivery of information system and/or financial statement assurance.

This article is not intended to deplore or discount traditional auditing techniques, but is directed toward analysing perceptions of current and future options for the preparation, delivery and assurance of financial information online. It attempts to convey the urgency of a structure within which continuous auditing may be developed: new ways of thinking, new standards, new software products and, above all else, new approaches from the accounting and auditing professions.

For Internet-based, real-time financial information to have value, decision makers need real-time assurance from an independent third party that the information is secure, accurate and reliable. The auditing profession has been slow to adapt to the information needs of online users of financial data. A 1999 research report co-sponsored by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) [2] brought out a pressing requirement for the delivery of practical solutions. The study concluded that, while continuous auditing of financial data is technologically viable, real-time assurance will require a significant re-orientation of the auditor's role in a real-time information system. Issues such as security over the audit process and increased flexibility of reporting formats need to be addressed and resolved by the auditing profession. Current auditing standards provide little guidance for information that is presented in non-standard formats or that is updated on a continuous basis.

What Is Continuous Auditing?

Continuous auditing is a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter. [3] A continuous audit relies heavily on information technologies such as broad bandwidth, web application server technology, web scripting solutions and ubiquitous database management systems with standard connectivity.

Open database architecture empowers auditors to monitor a company's systems over the Internet using sensors and digital agents. Incongruities between the records and the rules defined in the digital agents are transmitted via e-mail to the client and the auditor. For example, a digital agent performing analytical procedures on accounts receivable would e-mail the auditor about a large outstanding balance that exceeds the receivable parameters defined in the agent. Once such an account trigger has occurred, the agent would move to the transactional level to verify the authenticity of the sale by seeking e-mail confirmation from the customer that the sale took place and that the goods or service were accepted.

The audit routine described above runs electronically and automatically, in real time, as part of continuous monitoring. The continuous audit proper begins when the auditor, armed with that data, carries out independent confirmation and collects corroborative evidence to reach his or her own conclusions. In this example, the auditor would first verify that the customer's e-mail address is correct before relying on any confirmation sent to it (a fictitious sale is easily paired with a fictitious contact address in the same master file), re-send the request and obtain confirmation from the customer directly if the situation demands, and assess from publicly available financial statements whether the customer is liquid enough to honour the debt.
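The two stages just described, as an added example that is not part of the article: a small Python "digital agent" for accounts receivable. Stage one is the monitoring rule that produces the exception for auditor and client; stage two prepares the transaction-level confirmation request to the customer. The customer names, credit parameters and invoices are constructed sample data, and the e-mails are returned as records rather than sent, so the auditor can check the contact address independently of the client's master file before anything goes out.

```python
# Added example (not from the article): a rule-based "digital agent" for
# accounts receivable, in the two stages the text describes. Customer names,
# parameters and invoices are constructed sample data.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Invoice:
    customer: str
    number: str
    amount: float
    issued: date
    contact_email: str  # address held in the client's customer master file


# Receivable parameters the auditor programs into the agent (assumed values).
CREDIT_TERMS_DAYS = {"Acme Ltd": 30, "Birch & Co": 45}
CREDIT_LIMIT = {"Acme Ltd": 50_000.0, "Birch & Co": 20_000.0}
DEFAULT_TERMS_DAYS = 30
DEFAULT_LIMIT = 10_000.0

AS_OF = date(2004, 6, 30)
SAMPLE_INVOICES = [  # constructed open-item ledger
    Invoice("Acme Ltd", "A-101", 20_000.0, date(2004, 3, 1), "ap@acme.example"),
    Invoice("Acme Ltd", "A-102", 15_000.0, date(2004, 6, 10), "ap@acme.example"),
    Invoice("Birch & Co", "B-201", 18_000.0, date(2004, 6, 15), "pay@birch.example"),
    Invoice("Birch & Co", "B-202", 5_000.0, date(2004, 6, 20), "pay@birch.example"),
    Invoice("Cedar plc", "C-301", 4_000.0, date(2004, 6, 1), "ar@cedar.example"),
]


def find_exceptions(open_invoices, as_of):
    """Stage one: flag customers whose exposure or ageing breaks the parameters.

    Returns one exception record per customer, carrying the reasons so the
    e-mail to auditor and client says exactly which rule fired.
    """
    by_customer = {}
    for inv in open_invoices:
        by_customer.setdefault(inv.customer, []).append(inv)

    exceptions = []
    for customer, invs in sorted(by_customer.items()):
        terms = CREDIT_TERMS_DAYS.get(customer, DEFAULT_TERMS_DAYS)
        limit = CREDIT_LIMIT.get(customer, DEFAULT_LIMIT)
        outstanding = sum(i.amount for i in invs)
        overdue = [i for i in invs if (as_of - i.issued).days > terms]
        reasons = []
        if outstanding > limit:
            reasons.append(f"outstanding {outstanding:,.2f} exceeds limit {limit:,.2f}")
        if overdue:
            oldest = max((as_of - i.issued).days for i in overdue)
            reasons.append(f"{len(overdue)} invoice(s) beyond {terms}-day terms, oldest {oldest} days")
        if reasons:
            exceptions.append({"customer": customer, "outstanding": outstanding,
                               "overdue": overdue, "all_open": invs, "reasons": reasons})
    return exceptions


def confirmation_requests(exceptions):
    """Stage two: for each triggered account, draft the customer confirmation.

    Overdue invoices are confirmed individually; if the trigger was the credit
    limit alone, every open invoice on the account is put to the customer.
    Messages are returned, not sent: the auditor verifies the address first.
    """
    requests = []
    for exc in exceptions:
        to_confirm = exc["overdue"] or exc["all_open"]
        for inv in to_confirm:
            requests.append({
                "to": inv.contact_email,
                "customer": exc["customer"],
                "invoice": inv.number,
                "subject": f"Confirmation of invoice {inv.number}",
                "body": (f"Please confirm receipt and acceptance of goods/services for "
                         f"invoice {inv.number} dated {inv.issued.isoformat()} "
                         f"for {inv.amount:,.2f}, and the balance outstanding."),
            })
    return requests


if __name__ == "__main__":
    found = find_exceptions(SAMPLE_INVOICES, AS_OF)
    for exc in found:
        print(exc["customer"], "->", "; ".join(exc["reasons"]))
    for req in confirmation_requests(found):
        print("confirm", req["invoice"], "with", req["to"])
```

On the sample data, Acme Ltd triggers on ageing (one invoice 121 days old against 30-day terms) and Birch & Co on exposure (23,000 against a 20,000 limit); Cedar plc stays within both parameters and produces nothing, which is the "unobtrusive" behaviour a client expects from continuous monitoring.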

When an organisation tries to implement continuous auditing, the performance limitation is not the client system's ability to perform multiple audit routines in real time on very high volumes of daily transactions, but the update frequency of the client's records. If a company updates its system on a daily basis, the digital agents are limited to daily execution; in a majority of institutions, updating is still done on a weekly or monthly basis.

The time has arrived for accounting firms to move toward some form of continuous auditing in order to compete. This is especially true for firms auditing public companies that are actively traded on an exchange.

The Need for Continuous Auditing

Though the 1999 research report from CICA and AICPA advocated the urgency and relevance of continuous audit, industry has not facilitated electronic access to information, and the profession has not vigorously pursued the cause. The spate of financial scandals at highly publicised companies in the recent past brought in its wake the US Sarbanes-Oxley Act of 2002, whose section 404 compliance warrants the implementation of continuous auditing. [4] Management and auditors now have to rely on the IT facilities and tools that enable continuous monitoring and continuous auditing. The availability of affordable technology has also resulted in the integration of technology with continuous auditing. Developments on the IT front that have made the time right for continuous auditing include:

- Strong processors capable of being partitioned to run parallel activities
- Disk mirroring and RAID systems that provide the ability to capture transactions
- Petabytes (a petabyte is one thousand trillion bytes) of cheap disk storage
- Broadband networks delivering high-speed data transfer
- Strong encryption algorithms to provide a high level of security

Hurdles in Implementing Continuous Auditing

Two of the biggest hurdles, aside from the technical ones, are the client's buy-in and staff training. Accustomed to annual audits and all they entail, clients will not be favourably disposed to continuous monitoring unless it is unobtrusive. In addition, continuous auditing requires accounting firms to have direct access to information systems. Companies are already uneasy about the level of access auditing firms have now, so allowing direct access will require high levels of trust and commitment.

To perform a continuous audit, the auditor has to develop utility programs that run routinely during the normal processing of the enterprise's day-to-day operations. Auditors can also rely on the utility software that is used in running the system.

Continuous audit warrants access to the exception transactions identified by computer-assisted audit technique (CAAT) programs, not to the whole of the database. Control tools in the form of role-based access controls (RBAC), incorporated into the day-to-day programs through transaction objects (programmed data) and task profiles for each role, must be thoroughly reviewed by auditors before reliance is placed on them. While RBAC is written into the organisation's access control policy, its reality check has to come from continuous audit. Continuous auditing facilitates online review of every change either to the assigned membership of a role or to a role's profile. Momentary downgrading of controls and the execution of conflicting roles by the same user can be tracked and recorded only by continuous audit: a role granted and revoked again between two periodic access reviews leaves nothing for a point-in-time review to find, and only a record of the grant and revoke events themselves exposes it. For this, auditors have to obtain the requisite software and technical skills in addition to knowledge of the subject matter. Further, external auditors have to rely more on the knowledge, expertise and work of internal auditors, which can be used most effectively in setting up a continuous audit process.
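An added example, not from the article, of the role-membership review described above, in Python: it replays an access-control event log in time order, records every change to role membership for online review, raises an alert when a user exercises one role while holding a conflicting one, and raises another when a grant is revoked again so quickly that a periodic review would never have seen it. The log format, role names, conflict pairs and the one-hour "transient grant" window are assumptions made for the example.

```python
# Added example (not from the article): continuous review of RBAC changes.
# Role names, the conflict matrix, the window and the log lines are constructed.
from datetime import datetime, timedelta

# Pairs of roles that must never be held together (assumed segregation-of-duties matrix).
CONFLICTING_ROLES = {
    frozenset({"VENDOR_MASTER_MAINT", "PAYMENT_RUN"}),
    frozenset({"INVOICE_POST", "PAYMENT_RUN"}),
}
# A grant that lives shorter than this is treated as a momentary downgrade of controls.
TRANSIENT_GRANT_WINDOW = timedelta(hours=1)

# Constructed log: "<timestamp> <GRANT|REVOKE|ACTION> <user> <role> [<action> <object>]"
SAMPLE_LOG = """\
2004-06-01T08:00:00 GRANT  mlee   PAYMENT_RUN
2004-06-01T08:55:00 GRANT  jsmith VENDOR_MASTER_MAINT
2004-06-01T09:00:00 ACTION jsmith VENDOR_MASTER_MAINT change_vendor_address V-117
2004-06-01T09:05:00 GRANT  jsmith PAYMENT_RUN
2004-06-01T09:07:00 ACTION jsmith PAYMENT_RUN run_payments BATCH-42
2004-06-01T09:12:00 REVOKE jsmith PAYMENT_RUN
2004-06-01T10:00:00 ACTION mlee   PAYMENT_RUN run_payments BATCH-43
"""


def parse(log_text):
    """Yield (time, kind, user, role, extra_fields) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, kind, user, role = fields[:4]
        yield datetime.fromisoformat(ts), kind, user, role, fields[4:]


def review(log_text):
    """Replay the log; return (membership_changes, alerts).

    membership_changes is the full trail of grants and revokes for online
    review; alerts are the conditions the text says only continuous audit
    can catch: a conflicting-role action and a transient grant.
    """
    held = {}            # user -> {role: time granted}
    changes, alerts = [], []
    for when, kind, user, role, rest in sorted(parse(log_text), key=lambda e: e[0]):
        roles = held.setdefault(user, {})
        if kind == "GRANT":
            roles[role] = when
            changes.append((when, "GRANT", user, role))
        elif kind == "REVOKE":
            granted = roles.pop(role, None)
            changes.append((when, "REVOKE", user, role))
            if granted is not None and when - granted < TRANSIENT_GRANT_WINDOW:
                alerts.append(("transient_grant", user,
                               f"{role} held only {(when - granted).seconds // 60} min"))
        elif kind == "ACTION":
            if role not in roles:
                alerts.append(("action_without_role", user, f"{role}: {' '.join(rest)}"))
                continue
            for other in roles:
                if frozenset({role, other}) in CONFLICTING_ROLES:
                    alerts.append(("conflicting_roles", user,
                                   f"exercised {role} while holding {other}: {' '.join(rest)}"))
    return changes, alerts


if __name__ == "__main__":
    trail, found = review(SAMPLE_LOG)
    for change in trail:
        print("change:", *change)
    for alert in found:
        print("ALERT:", *alert)
```

In the sample, jsmith is granted PAYMENT_RUN at 09:05 while already holding VENDOR_MASTER_MAINT, runs a payment batch two minutes later, and loses the role again at 09:12. A monthly review of role membership would show nothing unusual; the event stream shows both the conflicting action and the seven-minute grant.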

Positive fallout from continuous auditing services includes a shorter audit cycle, increased flexibility, customisable reports to clients and third parties, and reduced audit-related costs. Continuous audits are viable when there is a high degree of automation in the processes used to capture, manipulate, store and disseminate the data related to the subject matter under audit.

Avenues of Continuous Audit

Continuous audit methodologies can be broken down into three data levels, which are the basic areas of data examination:

- Keystroke level
- Transaction level
- Transaction pattern level

Keystroke Level

To be successful in thorough policing through continuous auditing, the parsing of every keystroke used to operate database utilities is essential.

Critical relational databases, used for financial statement compilation, can be manipulated through the use of utilities, the most common of which is Structured Query Language (SQL). SQL statements, the standard language for relational database management systems, are used to perform tasks such as updating data in, or retrieving data from, a database. Some common relational database management systems that use SQL are Oracle, Sybase, Microsoft SQL Server, Access and Ingres.

Today's end users are familiar with this utility, and anyone who is determined to commit a fraud and armed with the necessary system authorisation can update a master file in seconds, leaving no trace in the application's own audit trail, because a direct SQL statement bypasses the application's validation and logging entirely. Standard SQL statements such as SELECT (with its joins and projections), INSERT, UPDATE, DELETE, CREATE and DROP can be used to accomplish almost everything one needs to do with a database. Such utilities should never be needed in normal operation, except when the referential integrity of database entities has been lost; such situations call for a trained technician, not an application user, to repair them.

The utilities must be operated only with the database administrator password. Password control exists for just this reason: to prevent unauthorised access to the various areas of the system. But in many real-life situations the superuser's password is loosely guarded and its rotation poorly controlled. To defraud the company using SQL or its derivatives, security clearance is needed; the user must be signed on with the highest authority. That is precisely why each use of that authority, and not merely possession of the password, has to be watched.

The auditor electronically watches the selected SQL commands through continuous monitoring and, when a system trigger is generated by an audit tool, compiles through electronic data interchange the corroborative evidence needed to evaluate the impact of the command, then takes appropriate action online to curtail the impact of the event. The auditor can seek explanations from the auditee groups and form an opinion on real-time compliance with the requisite policies and procedures.
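As an added example (not the article's code), the following Python monitor reads a constructed database audit log of the kind the keystroke level depends on, classifies each SQL statement by verb and target table, and grades the writes that bypass the application: any INSERT/UPDATE/DELETE or DDL issued from an interactive utility is reported, with higher severity when it touches a master file or changes the schema, and the use of a privileged account is noted on the alert. Table names, account names, client program names and the statement grammar are assumptions; the regexes cover common statement shapes, not full SQL.

```python
# Added example (not from the article): keystroke-level monitoring of SQL
# statements taken from a database audit log. Names and log lines are constructed.
import re

MASTER_TABLES = {"supplier_master", "customer_master", "chart_of_accounts"}
PRIVILEGED_ACCOUNTS = {"sa", "dba", "sys"}
APPLICATION_PROGRAMS = {"erp_server"}   # writes from here pass through application controls
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}
DDL_VERBS = {"DROP", "CREATE", "ALTER", "TRUNCATE", "GRANT", "REVOKE"}

# Where the target table sits for each verb (assumed simplified grammar).
_TARGET = {
    "UPDATE": re.compile(r"^UPDATE\s+([\w.]+)", re.I),
    "DELETE": re.compile(r"^DELETE\s+FROM\s+([\w.]+)", re.I),
    "INSERT": re.compile(r"^INSERT\s+INTO\s+([\w.]+)", re.I),
    "MERGE": re.compile(r"^MERGE\s+INTO\s+([\w.]+)", re.I),
    "DROP": re.compile(r"^DROP\s+TABLE\s+([\w.]+)", re.I),
    "ALTER": re.compile(r"^ALTER\s+TABLE\s+([\w.]+)", re.I),
    "TRUNCATE": re.compile(r"^TRUNCATE\s+TABLE\s+([\w.]+)", re.I),
    "SELECT": re.compile(r"\bFROM\s+([\w.]+)", re.I),
}

# Constructed audit-log lines: "<timestamp>|<db user>|<client program>|<statement>"
SAMPLE_LOG = """\
2004-06-01T09:01:12|appsvc|erp_server|UPDATE supplier_master SET status='A' WHERE supplier_id=117
2004-06-01T21:14:03|sa|sqlplus|update supplier_master set mailing_addr='PO Box 991' where supplier_id=117
2004-06-01T21:30:45|sa|sqlplus|SELECT * FROM supplier_master WHERE supplier_id = 117
2004-06-02T02:05:00|dba|isql|/* rebuild */ ALTER TABLE gl_journal ADD CONSTRAINT gl_pk PRIMARY KEY (id)
2004-06-02T09:00:00|jsmith|sqlplus|DELETE FROM gl_journal WHERE posted = 'N' -- cleanup
"""


def normalise(sql):
    """Strip comments and collapse whitespace so the verb and target can be read."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return " ".join(sql.split())


def classify(sql):
    """Return (VERB, target_table or None) for one statement."""
    stmt = normalise(sql)
    verb = stmt.split(" ", 1)[0].upper() if stmt else ""
    pattern = _TARGET.get(verb)
    match = pattern.search(stmt) if pattern else None
    return verb, (match.group(1).lower() if match else None)


def evaluate(user, program, sql):
    """Grade one statement: None if acceptable, else (severity, reasons)."""
    verb, target = classify(sql)
    if verb not in WRITE_VERBS and verb not in DDL_VERBS:
        return None                       # reads are watched but do not trigger
    if program in APPLICATION_PROGRAMS:
        return None                       # application-mediated change, covered by its own controls
    reasons = [f"{verb} issued from interactive utility {program}"]
    severity = "medium"
    if verb in DDL_VERBS:
        reasons.append("schema-level change outside the application")
        severity = "high"
    if target in MASTER_TABLES:
        reasons.append(f"direct change to master file {target}")
        severity = "high"
    if user in PRIVILEGED_ACCOUNTS:
        reasons.append(f"executed under privileged account {user}")
    return severity, reasons


def monitor(log_text):
    """Run every log line through evaluate(); return the alerts to send to the auditor."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, program, sql = line.split("|", 3)
        verdict = evaluate(user, program, sql)
        if verdict:
            severity, reasons = verdict
            alerts.append({"time": ts, "user": user, "severity": severity,
                           "statement": normalise(sql), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert["time"], alert["severity"], alert["user"], "|", "; ".join(alert["reasons"]))
```

The second line of the sample is the figure 1 scenario in SQL form: an address change on the supplier master at 21:14 by the sa account from an interactive client, which the application's own log would never have seen. The first line is the same change made through the application and is deliberately not reported, since that path has its own controls.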

Transaction Level

Transactions are generally validated at the time of entry by the application software. Such validations are relatively simple processes, e.g., the date is within range, the field is numeric, or the field is mandatory or optional. Traditionally, the auditor checks the master file data with a CAAT, which offers batch processing of extracted data and performs powerful investigative examination of transactions.

This review, on many occasions, comes too late to prevent fraudulent transactions. The limitation is not a generic weakness of the tools, but their positioning and timing in the accounting process. If the auditor is able to invoke the tool in real time and position it immediately after the update of the master file, the tool will deliver its potential in real time, and true continuous auditing will be born.

Currently available IT tools deliver alerts in the form of e-mail and SMS text messages to auditors in real time for further review at their end; such a channel is only as safe as its separation from the people whose transactions it reports on, so the alerting path has to lie outside their control. These alerts are triggered not by events as such but by rules, endorsed by the auditor, through which data integrity and completeness can be assured. If a particular event does not satisfy a rule, the CAAT tools immediately alert the auditors for their intervention. The skills required to operate, monitor and maintain these systems dynamically do not reside wholly within the current auditing/accounting communities, but rather in the realm of business information technology experts. To carry out the fiduciary role assigned to them, auditors must acquire such skills.

Transaction Pattern Level

Monitoring keystrokes dynamically and running CAAT software in real time are powerful audit tools, but there is a third level that will enable the auditor to attest to and report on management's assessment of internal control under section 404 of the Sarbanes-Oxley Act. This level is the monitoring of data over a period of time using expert systems and rule-based criteria. For example, the update of a vendor master database is a continuous and ongoing process for a growing enterprise. Normally, such updates take the form of fresh additions to the vendor list or the complete deletion of a vendor. Partial changes to particular fields of a vendor record within a short span of time (say, a few minutes or hours) are an ominous sign that needs to be reviewed (see the example in figure 1).

Figure 1, while simplistic and far-fetched, highlights the fact that fraud may be detectable only in groups of transactions, may transpire over considerable periods of time and may only eventually culminate in a fraudulent act; no single step in the figure is rejected by the system, because each is a legitimate operation for the administrator's role. To decipher such activities, a four-level mechanism has to be in place:

1. Data and transactions originating from various sources are processed in level one, where basic application editing occurs. At this stage, applications continue to run as normal, interacting with the various users.

2. At level two, all transactions and keystrokes are mapped to their requisite XCAL schemas, in real time, and are captured forensically on a daily basis.

3. Level three takes these transactions and keystrokes through real-time CAAT processing, where the full range of checks is carried out. This process runs slightly behind the application level, but the delay is negligible compared with the transaction cycle. This is the first level where alerts may be sent out to a designated online systems audit centre (OLSAC). OLSAC should be staffed by people highly trained and skilled in business processes, information systems and auditing, who can monitor alerts and investigate them online. The alerts are delivered through secure virtual private networks (VPNs) and are graded for levels of gravity. Transactions are kept for only one day at this level but pass through immediately to level four, where they are stored for years.

4. Level four is where the expert systems trawl through the stored and newly arrived transactions looking for patterns as defined by the expert rules. These rules are treated similarly to virus definitions: they are stored and updated in a central repository by industry type, and as new intelligence produces new rule sets, these are automatically delivered and applied to the systems running in level four. Level four has an alert-processing system similar to that of level three, but its alerts are more likely to be of a complex nature and may be graded differently. A further strength of level four is its ability to interface with various agencies to inquire about and verify data given in transactions. An instance may be a new commercial order placed with a vendor that causes online inquiries to be made about its creditworthiness and business performance over the last three years.

The investigating OLSAC is also equipped with software that allows for forensic, evidential capture of transactions and snapshots of PC hard drives and databases. This software runs over existing networks while the systems are processing live. Capture is authorised by the organisation, but users are unaware when it is undertaken; for the evidence to stand, the capture tooling and its authorisation records must themselves sit outside the control of the administrators whose activity it may be used to examine. An audit application runs in concert with standard financial application suites, such as those offered by SAP, Oracle and PeopleSoft, monitoring each transaction conducted by the suite and looking out for exception transactions that violate the rules and practices. These rules are programmed in beforehand by the company's auditor. When the application detects a deviation, it issues a warning report or an alert to top management and the auditor. Any corrective action and response by management should be to the satisfaction of the auditor.

Figure 1: Monitoring

    Action                                                     Acceptable to system
 1. System administrator (SA) signs on remotely.               Yes
 2. SA goes to master file maintenance routines.               Yes
 3. SA opens supplier master file, searches for supplier.      Yes
 4. SA changes mailing address of supplier.                    Yes
 5. SA selects supplier invoice post routines.                 Yes
 6. SA posts invoice for supplier just amended.                Yes
 7. SA selects payment run and cheques are produced.           Yes
 8. SA selects mail label run for suppliers with cheques.      Yes
 9. SA goes back to master file maintenance.                   Yes
10. SA changes supplier mailing address to original.           Yes
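An added example, not part of the article, of the level-four pattern matching applied to the scenario in figure 1, in Python. Every step in the figure is individually acceptable to the system; the detector below replays the transaction stream and raises an alert only when the whole sequence (address changed, invoice posted, cheque produced, address put back) completes for one vendor, by one user, inside a window. Event names, the two-hour window and the sample events are constructed; the rule is written as an ordered list of step predicates so that other multi-step patterns can be expressed the same way.

```python
# Added example (not from the article): a small sequence-pattern detector of
# the kind a level-four expert system runs over stored transactions. The rule
# encodes figure 1. Event names, window and sample events are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    kind: str
    vendor: str
    data: dict = field(default_factory=dict)


# Each step is a predicate over (event, events matched so far in this chain).
def address_changed(ev, chain):
    return ev.kind == "vendor.address.change"

def invoice_posted(ev, chain):
    return ev.kind == "invoice.post"

def cheque_produced(ev, chain):
    return ev.kind == "payment.cheque"

def address_reverted(ev, chain):
    # A change whose new value equals the value the chain's first change overwrote.
    return ev.kind == "vendor.address.change" and ev.data.get("new") == chain[0].data.get("old")


ADDRESS_FLIP_RULE = {
    "name": "vendor address changed, paid, reverted",
    "steps": [address_changed, invoice_posted, cheque_produced, address_reverted],
    "window": timedelta(hours=2),
    "same_user": True,
}


def detect(events, rule):
    """Replay events in time order; return one alert per completed chain.

    A chain is keyed on the vendor and starts at any event matching step one;
    it advances only on the next expected step and is dropped once it is
    older than the rule's window, so an address change that is never reverted
    (the normal case) quietly expires.
    """
    steps, window = rule["steps"], rule["window"]
    open_chains = {}        # vendor -> list of partial chains (each a list of events)
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        chains = [c for c in open_chains.get(ev.vendor, []) if ev.time - c[0].time <= window]
        advanced = []
        for chain in chains:
            if rule["same_user"] and ev.user != chain[0].user:
                advanced.append(chain)
                continue
            if steps[len(chain)](ev, chain):
                chain = chain + [ev]
                if len(chain) == len(steps):
                    alerts.append({"rule": rule["name"], "vendor": ev.vendor,
                                   "user": ev.user, "events": chain})
                    continue        # completed: do not keep it open
            advanced.append(chain)
        if steps[0](ev, []):
            advanced.append([ev])   # every step-one match may begin a new chain
        open_chains[ev.vendor] = advanced
    return alerts


T = datetime(2004, 6, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed: figure 1 on vendor V-117, then ordinary activity on V-220
    Event(T, "sysadmin", "vendor.address.change", "V-117", {"old": "12 Mill Road", "new": "PO Box 991"}),
    Event(T + timedelta(minutes=3), "sysadmin", "invoice.post", "V-117", {"invoice": "INV-7781", "amount": 48000.0}),
    Event(T + timedelta(minutes=10), "sysadmin", "payment.cheque", "V-117", {"cheque": "CHQ-5520"}),
    Event(T + timedelta(minutes=15), "sysadmin", "vendor.address.change", "V-117", {"old": "PO Box 991", "new": "12 Mill Road"}),
    Event(T + timedelta(hours=1), "clerk1", "vendor.address.change", "V-220", {"old": "4 High St", "new": "9 High St"}),
    Event(T + timedelta(hours=1, minutes=20), "clerk1", "invoice.post", "V-220", {"invoice": "INV-7790", "amount": 1200.0}),
    Event(T + timedelta(hours=2), "clerk1", "payment.cheque", "V-220", {"cheque": "CHQ-5531"}),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ADDRESS_FLIP_RULE):
        print(alert["rule"], "-", alert["vendor"], "by", alert["user"])
        for ev in alert["events"]:
            print("   ", ev.time.time(), ev.kind, ev.data)
```

A payment run is modelled here as one payment.cheque event per vendor so that the chain can be keyed on the vendor. The V-220 events are the legitimate case (an address corrected once and left alone) and never complete the chain; the V-117 events reproduce the figure and produce a single alert carrying all four steps as evidence.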


Conclusion

Though the principles of auditing have not altered for centuries, there have been profound changes in the means of delivering audit results in the past decade. Legacy audit methodology has lost its relevance in the current age of instant certification of information, and has to give way to continuous audit, which has become a professional imperative. With all the advances in IT, the cost of adopting continuous audit is no longer prohibitive. The one forbidding element of continuous auditing is the development of the requisite software. With programming becoming more lucid and user-friendly, auditors need to make a one-time investment in getting programs developed to meet the needs of continuous audit, and they have to visualise the different scenarios to be embedded in the expert rules. By doing this, the auditor will no longer need to review sample data; the whole of the transaction population can be viewed through remote monitoring.

If the auditor has the necessary ability, he or she can remotely monitor every transaction that has material implications. IT, in recent times, has come a long way in facilitating the omnipresence of the auditor. In this ongoing development of continuous auditing, it remains to be seen whether the profession is brave enough to seize the opportunities that this new paradigm presents.

Endnotes

[1] www.nysscpa.org/cpajournal/2003/0503/dept/d054603.htm
[2] Wood, Richard L. (study chair); Grant Thornton, http://csdl2.computer.org/comp/proceedings/hicss/2001/0981/07/09817049.pdf and www.cica.ca/index.cfm/ci_id/987/la_id/1.htm
[3] Institute of Internal Auditors, Ottawa Chapter Newsletter, May 2004, www.theiia.org/chapters/pubdocs/94/IIA_May_2004_Newsletter.pdf
[4] Interview with Mr. Castellano, chairman of the board of directors for Baker Tilly International, with WebCPA, www.webcpa.com/article.cfm?articleid=14584 and www.aicpa.org/info/sarbanes_oxley_summary.htm

Srinivas Sarva, CISA, is manager of internal audit with Bharat Heavy Electricals Limited, India, a leading power equipment manufacturer. Sarva can be contacted at [email protected]

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 cents per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org