7/30/2019 Continuous Auditing Through Leveraging Technology 1/4
JOURNAL ONLINE
Copyright 2006 ISACA. All rights reserved. www.isaca.org.
Continuous Auditing Through Leveraging Technology
By Srinivas Sarva, CISA
The world we have created today as result of our thinking thus far has problems which cannot be solved by thinking the way we thought when we created them.
Albert Einstein

Use technology to actually audit as opposed to using technology to automate manual auditing procedures.
Comments from Big 4 Audit Partners [1]
With companies' annual reports ceasing to be corporate ambassadors, quarterly reports are increasingly taking centre stage in the evaluation process of best-performing companies. Bowing to time constraints, the benefit of this quarterly information mix being systematically audited (for its data integrity) is conspicuous by its absence. In this scenario, continuous auditing, which leverages technology, offers considerable advantages over traditional auditing, which still adopts tools that are neither applicable nor efficacious. Unfamiliarity with concurrent auditing tools and techniques will delay the audit profession's entry into the online delivery of information system and/or financial statement assurance.
This article is not intended to deplore or discount traditional auditing techniques, but is directed toward analysing perceptions of current and future options for the preparation, delivery and assurance of financial information online. The article attempts to espouse the urgency of a structure within which continuous auditing may be developed: new ways of thinking, new standards, new software products and, above all else, new approaches from the accounting and auditing professions.
For Internet-based, real-time financial information to have value, decision makers need real-time assurances from an independent third party that the information is secure, accurate and reliable. The auditing profession has been slow to adapt to the information needs of online users of financial data. A 1999 research report co-sponsored by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) [2] has brought out a pressing requirement for delivery of practical solutions. This study concluded that, while continuous auditing of financial data is technologically viable, real-time assurance will require significant re-orientation of the auditor's role in a real-time information system. Such issues as security over the audit process and increased flexibility of reporting formats need to be addressed and resolved by the auditing profession. Current auditing standards provide little guidance for information that is presented in non-standard formats or that is updated on a continuous basis.
What Is Continuous Auditing?
Continuous auditing is a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter. [3] A continuous audit relies heavily on information technologies such as broad bandwidth, web application server technology, web scripting solutions and ubiquitous database management systems with standard connectivity.
Open database architecture empowers auditors to monitor a company's systems over the Internet using sensors and digital agents. Incongruities between the records and the rules defined in the digital agents are transmitted via e-mail to the client and the auditor. For example, a digital agent performing analytical procedures on the accounts receivable would e-mail the auditor a huge outstanding beyond the receivable parameters defined in the digital agent. Once an account trigger has occurred, the digital agent would move to the transactional level to verify the authenticity of the sale by seeking an e-mail confirmation of the sale and acceptance of the goods/service by the customer.
The audit routine described above is done electronically and automatically on a real-time basis as a part of continuous monitoring. Continuous audit takes off after this when an auditor, empowered with data, carries out independent confirmation and collects corroborative evidence to arrive at his/her own deductions. In this example, the auditor will re-send the e-mail to the customer to check the correctness of the mail ID and obtain a confirmation from the customer, if the situation demands. He/she will also assess the liquidity status of the customer to honor the debt commitment from publicly available financial statements.
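The two-stage digital agent described above (an account-level analytical procedure, followed by escalation to the transaction level once a trigger fires) can be written as a small rule-driven program. The following Python is an added example, not code from the article or from any vendor product; the ledger, the parameter names (`max_outstanding`, `max_days_overdue`) and the customer addresses are constructed for illustration, and the confirmation requests are returned as data rather than e-mailed so that it runs offline.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Receivable:
    customer: str
    invoice_id: str
    amount: float
    due: date
    customer_email: str


@dataclass
class AgentParameters:
    """The receivable parameters defined in the digital agent (assumed names)."""
    max_outstanding: float   # ceiling on a customer's total open balance
    max_days_overdue: int    # any invoice older than this is a trigger


@dataclass
class Alert:
    customer: str
    reasons: list
    invoices: list
    confirmation_requests: list = field(default_factory=list)


# Constructed sample ledger for the example; not data from the article.
SAMPLE_LEDGER = [
    Receivable("Acme Ltd", "INV-1001", 60000.0, date(2006, 1, 15), "ap@acme.example"),
    Receivable("Acme Ltd", "INV-1002", 55000.0, date(2006, 2, 20), "ap@acme.example"),
    Receivable("Beta Co", "INV-1003", 20000.0, date(2006, 2, 25), "finance@beta.example"),
]
PARAMS = AgentParameters(max_outstanding=100000.0, max_days_overdue=30)
TODAY = date(2006, 3, 1)


def analytical_procedure(ledger, params, today):
    """Account level: compare each customer's open balance and ageing with the
    agent's parameters and return one Alert per customer that breaches them."""
    by_customer = {}
    for r in ledger:
        by_customer.setdefault(r.customer, []).append(r)
    alerts = []
    for customer, items in by_customer.items():
        total = sum(r.amount for r in items)
        overdue = [r for r in items if (today - r.due).days > params.max_days_overdue]
        reasons = []
        if total > params.max_outstanding:
            reasons.append(f"open balance {total:.2f} exceeds {params.max_outstanding:.2f}")
        if overdue:
            reasons.append(f"{len(overdue)} invoice(s) overdue by more than "
                           f"{params.max_days_overdue} days")
        if reasons:
            alerts.append(Alert(customer, reasons, items))
    return alerts


def escalate_to_transaction_level(alert):
    """Once an account trigger has fired, drop to the transaction level: draft one
    confirmation request per open invoice addressed to the customer. The request
    is returned as a dict instead of being sent, so the example runs offline."""
    for r in alert.invoices:
        alert.confirmation_requests.append({
            "to": r.customer_email,
            "subject": f"Please confirm receipt of goods/services for {r.invoice_id}",
            "amount": r.amount,
        })
    return alert


def run_agent(ledger, params, today):
    """Full agent cycle: analytical procedure, then transaction-level escalation."""
    return [escalate_to_transaction_level(a)
            for a in analytical_procedure(ledger, params, today)]


if __name__ == "__main__":
    for alert in run_agent(SAMPLE_LEDGER, PARAMS, TODAY):
        print(alert.customer, "->", "; ".join(alert.reasons))
        for req in alert.confirmation_requests:
            print("   confirmation request:", req["to"], req["subject"])
```

The auditor's independent follow-up (re-sending the confirmation, checking the mail ID, assessing the customer's liquidity) is deliberately left outside the agent: the agent only produces the trigger and the evidence package, which is what keeps the automated monitoring and the auditor's own deductions separate.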
When an organisation tries to implement continuous auditing, the performance limitation is not the client's system's ability to perform multiple audit routines in real time on very high volumes of daily transactions, but the update frequency of the client's records. If a company updates its system on a daily basis, the digital agents will be limited to daily execution. But in a majority of institutions, updating is done on a monthly or weekly basis.
The time has arrived for the accounting firms to move toward some form of continuous auditing to compete. This is especially true for firms auditing public companies, which are actively traded on an exchange.
The Need for Continuous Auditing
Though the 1999 research report from CICA and AICPA advocated the urgency and relevancy of continuous audit, the industry has not facilitated the electronic access to information, and the profession has not vigorously pursued the cause of continuous audit. The spate of financial scandals in highly publicised companies in the recent past has brought in its wake the US Sarbanes-Oxley Act of 2002, whose section 404 compliance warrants implementation of continuous auditing. [4] Management and auditors now have to rely on the IT amenities and tools that facilitate continuous monitoring and continuous auditing. The availability of affordable technology has also resulted in the integration of technology with continuous auditing. Developments on the IT front that made the time right for continuous auditing include:
• Strong processors capable of being partitioned for running parallel activities
• Disk mirroring and RAID systems that provide the ability to capture transactions
• Petabytes (a petabyte is one thousand trillion bytes) of cheap disk storage
• Broadband networks delivering high-speed data transfer
• Strong encryption algorithms to provide a high level of security
Hurdles in Implementing Continuous Auditing
Two of the biggest hurdles, aside from the technical ones, are the clients' buy-in and staff training. Accustomed to annual audits and all they entail, clients will not be favorably disposed to continuous monitoring unless it is unobtrusive. In addition, continuous auditing requires accounting firms to have direct access to information systems. Companies are already uneasy about the level of access that auditing firms have now, so allowing direct access will require high levels of trust and commitment.
To perform a continuous audit, the auditor has to develop utility programs that routinely perform during the normal processing of the enterprise's day-to-day operations. Auditors can also rely on utility software that is used in running the system.
Continuous audit warrants access to exception transactions identified by computer-assisted audit technique (CAAT) programs and not the whole of the database. Control tools in the form of role-based access controls (RBACs) incorporated in the day-to-day programs through transaction objects (programmed data) and task profiles for each of the roles must be thoroughly reviewed by auditors before placing reliance on them. While RBACs are incorporated in the access control policy of the organisation, their reality check is to be confirmed by continuous audit. Continuous auditing facilitates online review of changes either in the assigned membership of a role or a role profile of RBAC. Momentary downgrading of controls and execution of conflicting roles by the same user can be tracked and recorded only by continuous audit. For this, requisite software and technical skills, in addition to knowledge of the subject matter, are to be obtained by the auditors. Further, external auditors have to rely more on the knowledge, expertise and work of internal auditors, which can be used most effectively in setting up a continuous audit process.
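The two RBAC conditions the paragraph says only continuous audit can catch, a user holding conflicting roles at the same time and a momentary downgrade of controls (a role granted and revoked again inside a short window), both fall out of replaying the stream of role-membership changes rather than inspecting a point-in-time access list. The Python below is an added example and not code from the article or any access-control product; the role names, the segregation-of-duties pairs and the event stream are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RoleEvent:
    time: datetime
    user: str
    action: str   # "grant" or "revoke"
    role: str


# Constructed segregation-of-duties rules: role pairs no single user may hold at once.
CONFLICTING_ROLES = [
    frozenset({"vendor_master_maintainer", "payment_approver"}),
    frozenset({"invoice_poster", "payment_approver"}),
]

# Constructed stream of RBAC membership changes (not real data).
EVENTS = [
    RoleEvent(datetime(2006, 3, 1, 9, 0), "alice", "grant", "vendor_master_maintainer"),
    RoleEvent(datetime(2006, 3, 1, 9, 5), "bob", "grant", "invoice_poster"),
    RoleEvent(datetime(2006, 3, 1, 9, 10), "alice", "grant", "payment_approver"),
    RoleEvent(datetime(2006, 3, 1, 9, 20), "alice", "revoke", "payment_approver"),
    RoleEvent(datetime(2006, 3, 2, 10, 0), "bob", "grant", "payment_approver"),
]


def replay_role_changes(events, conflicts, short_window_minutes):
    """Replays grant/revoke events in time order, maintains each user's current
    roles with the time each was granted, and records two kinds of finding:
    'conflict'  - after a grant, the user holds both roles of a conflicting pair;
    'momentary' - a role was revoked within short_window_minutes of being granted,
                  i.e. a control was downgraded only briefly."""
    window = timedelta(minutes=short_window_minutes)
    membership = {}   # user -> {role: time granted}
    findings = []
    for e in sorted(events, key=lambda ev: ev.time):
        held = membership.setdefault(e.user, {})
        if e.action == "grant":
            held[e.role] = e.time
            for pair in conflicts:
                if pair <= set(held):
                    findings.append({"kind": "conflict", "user": e.user,
                                     "roles": sorted(pair), "time": e.time})
        elif e.action == "revoke" and e.role in held:
            granted_at = held.pop(e.role)
            held_for = e.time - granted_at
            if held_for <= window:
                findings.append({"kind": "momentary", "user": e.user,
                                 "roles": [e.role], "time": e.time,
                                 "held_for_seconds": held_for.total_seconds()})
    return findings


def audit_sample(short_window_minutes=60):
    """Runs the replay over the constructed events with a 60-minute window."""
    return replay_role_changes(EVENTS, CONFLICTING_ROLES, short_window_minutes)


if __name__ == "__main__":
    for f in audit_sample():
        print(f["time"], f["kind"], f["user"], ", ".join(f["roles"]))
```

A point-in-time review at the end of 1 March would show alice holding only her maintainer role and miss both the conflict and the ten-minute window in which she also approved payments; only the replay of the change log exposes them.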
Positive fallout from continuous auditing services includes a shorter audit cycle, increased flexibility, customisable reports to clients and third parties, and reduced audit-related costs. Continuous audits are viable when there is a high degree of automation of the processes used to capture, manipulate, store and disseminate data related to the subject matter under audit.
Avenues of Continuous Audit
The continuous audit methodologies can be broken down into three different data levels, which are basic areas of data examination:
• Keystroke level
• Transaction level
• Transaction pattern level
Keystroke Level
To be successful in thorough policing through continuous auditing, the parsing of every keystroke for the operation of database utilities is essential.
Critical relational databases, used for financial statement compilation, can be manipulated through the use of utilities, the most common of which is Structured Query Language (SQL). SQL statements, the standard language for relational database management systems, are used to perform tasks such as updating data on, or retrieving data from, a database. Some common relational database management systems that use SQL are Oracle, Sybase, Microsoft SQL Server, Access and Ingres.
Today's end users are familiar with this utility, and anyone who is determined to commit a fraud and armed with the necessary system authorisation can update a master file in seconds, with no trace whatsoever. For example, standard SQL commands, such as select, join, project, insert, update, delete, create and drop, can be used to accomplish almost everything that one needs to do with a database. The use of such utilities should never be needed in normal times except when the referential integrity of database entities may be lost (such situations require a trained technician, not an application user, to repair).
The utilities must be operated only with the database administrator password. Password control exists just for this reason: to prevent unauthorised access to various areas of the system. But in many real-life situations, the passwords of the superuser are loosely guarded and infrequently changed. To defraud the company using SQL or SQL derivatives, security clearance is needed; the user must be signed on at the highest authority.
The auditor electronically watches the selected SQL commands through continuous monitoring and, upon a system trigger being generated by an audit tool, will compile through electronic data interchange the corroborative evidence to evaluate the impact of the command and take appropriate action online to curtail the impact of the event. The auditor can seek explanations from the auditee groups and form an opinion on real-time compliance of requisite policies and procedures.
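The keystroke-level watch over SQL utilities amounts to parsing each captured statement, classifying its verb and the tables it touches, and raising a graded trigger for the cases the text singles out: data-definition commands and direct writes to master files issued through a utility rather than through the application. The Python below is an added example, not code from the article or from any database vendor's audit facility; the log-line format (`<timestamp> user=… tool=… sql=…`), the channel names, the table inventory and the five sample lines are all constructed for illustration.

```python
import re

# Constructed SQL utility audit log (not real captures). Assumed line format:
#   <timestamp> user=<account> tool=<channel> sql=<statement>
SAMPLE_LOG = """\
2006-03-01T09:12:03 user=report_app tool=application sql=SELECT balance FROM gl_balance WHERE period='2006-02'
2006-03-01T09:14:41 user=sa tool=sqlplus sql=UPDATE supplier_master SET mailing_address='PO Box 9' WHERE supplier_id=42
2006-03-01T09:15:10 user=sa tool=sqlplus sql=SELECT count(*) FROM supplier_master
2006-03-01T10:30:00 user=batch tool=application sql=INSERT INTO ap_invoice (supplier_id, amount) VALUES (42, 25000)
2006-03-01T23:02:55 user=dba tool=sqlplus sql=DROP TABLE audit_trail
"""

# Assumed inventory of tables whose manipulation affects the financial statements.
MASTER_TABLES = {"supplier_master", "customer_master", "gl_balance", "audit_trail"}
DDL = {"CREATE", "DROP", "ALTER", "TRUNCATE"}
DML_WRITES = {"INSERT", "UPDATE", "DELETE"}
# Interactive utility channels the auditor watches; application traffic is left to
# the application's own input validation and access controls.
UTILITY_CHANNELS = {"sqlplus", "isql", "osql"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) tool=(?P<tool>\S+) sql=(?P<sql>.*)$")
# Good enough for the simple statements in the sample; a real monitor would use
# the database's own parsed audit records rather than a regex.
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)",
                      re.IGNORECASE)


def parse_line(line):
    """Splits one audit line into its fields and derives the SQL verb and tables."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["verb"] = rec["sql"].split(None, 1)[0].upper()
    rec["tables"] = {t.lower() for t in TABLE_RE.findall(rec["sql"])}
    return rec


def evaluate(rec):
    """Returns a graded trigger dict, or None when the statement is not of interest.
    Rules: any DDL through a utility is high; a DML write through a utility is high
    when it touches a master table and medium otherwise; reads and statements
    issued through the application channel produce no trigger."""
    if rec["tool"] not in UTILITY_CHANNELS:
        return None
    if rec["verb"] in DDL:
        grade = "high"
    elif rec["verb"] in DML_WRITES:
        grade = "high" if rec["tables"] & MASTER_TABLES else "medium"
    else:
        return None
    return {"time": rec["ts"], "user": rec["user"], "grade": grade,
            "verb": rec["verb"], "tables": sorted(rec["tables"]),
            "evidence": rec["sql"]}


def monitor(log_text):
    """Runs every line of the log through the parser and the rules; the returned
    triggers carry the original statement as corroborative evidence."""
    triggers = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            t = evaluate(rec)
            if t is not None:
                triggers.append(t)
    return triggers


if __name__ == "__main__":
    for t in monitor(SAMPLE_LOG):
        print(t["time"], t["grade"], t["user"], t["verb"], ",".join(t["tables"]))
```

The trigger is only the start of the audit routine the paragraph describes: the evidence field is what the auditor carries into the follow-up with the auditee group, and the grade decides how quickly that follow-up happens.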
Transaction Level
Transactions are generally validated at the time of entry by the application software. Such validations are relatively simple processes, e.g., the date is within range, the field is numeric, or the field is mandatory or non-mandatory. Traditionally, the auditor checks the master file data with a CAAT, which offers batch processing of extracted data and performs powerful investigative examination of transactions.
This review, on many occasions, is too late to prevent fraudulent transactions. This limitation is not because of the generic weakness of the tools, but because of their positioning and timing in the accounting process. If the auditor is able to invoke the tool in real time and position that tool immediately after the update of the master file, the tool will deliver its potential in real time, and the naissance of true continuous auditing will be experienced and felt.
Currently developed IT tools provide safe and secure alerts in the form of e-mail and SMS texts to auditors in real time for further review at their end. These alerts will be triggered not by events but by rules, by which data integrity and completeness can be assured, that are to be endorsed by the auditor. If a particular event does not satisfy a rule, CAAT tools will immediately alert the auditors for their intervention. The skills required by auditors to operate, monitor and maintain these systems dynamically do not reside wholly within the current auditing/accounting communities, but rather in the realms of business information technology experts. To carry out the fiduciary role assigned to them, auditors must acquire such skills.
Transaction Pattern Level
Monitoring keystrokes dynamically and running CAAT software in real time are powerful audit tools, but there is a third level that will facilitate the auditor to attest to and report on management's assessment of internal control under section 404 of the Sarbanes-Oxley Act. This level is the monitoring of data over a period of time using expert systems and rule-based criteria. For example, the update of a vendor master database is a continuous and ongoing process for a growing enterprise. Normally, such updates are in the form of fresh additions to the vendor list or the complete deletion of a vendor. Partial changes to particular fields of a vendor record within a short span of time (say, a few minutes or hours) are an ominous sign that needs to be reviewed (see the example in figure 1).
Figure 1, while simplistic and far-fetched, highlights the fact that fraud may be detected only in groups of transactions, may transpire over considerable time periods and may eventually culminate in fraudulent activities. To decipher such activities, a four-level mechanism has to be in place:
1. Data and transactions originating from various sources are processed in level one, where basic application editing occurs. At this stage, applications continue to run as normal, interacting with the various users.
2. At level two, all transactions and keystrokes are mapped to their requisite XCAL schemas, in real time, and are captured forensically on a daily basis.
3. Level three takes these transactions and keystrokes through real-time CAAT processing, where the full range of checks is carried out. This process runs slightly after the application level, but the delay is measured in nanoseconds. This is the first level where alerts may be sent out to a designated online systems audit centre (OLSAC). OLSAC should include those highly trained and skilled in business processes, information systems and auditing who can monitor alerts and investigate them online. The alerts are delivered through secure virtual private networks (VPNs) and are graded for levels of gravity. Transactions are kept for only one day at this level but pass through immediately to level four, where they are stored for years.
4. Level four is where the expert systems trawl through the stored and newly arrived transactions looking for patterns as defined by the expert rules. These rules are treated similarly to virus definitions and are stored and updated in a central repository by industry type. As new intelligence develops new rule sets, they are automatically delivered and applied to the systems running in level four. This has a similar alert processing system to level three, but these alerts are more likely to be of a complex nature and may be graded differently from others. A further strength of level four is its ability to interface with various agencies to inquire and verify data given in transactions. An instance may be a new commercial order placed by a vendor that causes online inquiries to be made against creditworthiness and business performance in the last three years.
The investigating OLSAC is also equipped with software that allows for forensic, evidential capture of transactions and snapshots of PC hard drives and databases. This software will be capable of running over existing networks whilst processing it live. Capture is authorised by the organisation, but users are unaware when the capture is undertaken. An audit application runs in concert with standard financial application suites, such as those offered by SAP, Oracle and PeopleSoft, monitoring each transaction conducted by the suite and looking out for exception transactions that violate the rules and practices. These rules are programmed in beforehand by the company's auditor. When the application detects a deviation, it issues a warning report or an alert to top management and the auditor. Any corrective action and response by management should be to the satisfaction of the auditor.
Figure 1: Monitoring
Action / Acceptable to System
1. System administrator (SA) signs on remotely. Yes
2. SA goes to master file maintenance routines. Yes
3. SA opens supplier master file, searches for supplier. Yes
4. SA changes mailing address of supplier. Yes
5. SA selects supplier invoice post routines. Yes
6. SA posts invoice for supplier just amended. Yes
7. SA selects payment run and cheques are produced. Yes
8. SA selects mail label run for suppliers with cheques. Yes
9. SA goes back to master file maintenance. Yes
10. SA changes supplier mailing address to original. Yes
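Every row of figure 1 is individually acceptable to the system, which is exactly why the scheme is only visible at the transaction pattern level: the expert rule has to correlate a change to a vendor field, a payment to that vendor, and the reversal of the change, all within a short window and all by the same actor. The Python below is an added example of such a rule, not code from the article or any expert-system product; the event layout, the supplier identifiers and the event stream (which reproduces the figure 1 sequence for supplier S100, plus a routine correction for S200 that is never reverted) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class MasterEvent:
    time: datetime
    actor: str
    action: str        # "change_address", "post_invoice" or "payment_run"
    supplier: str
    old: str = ""      # previous field value (change_address only)
    new: str = ""      # new field value (change_address only)
    amount: float = 0.0


# Constructed level-two capture of vendor master and payment events (not real data).
EVENTS = [
    MasterEvent(datetime(2006, 3, 1, 10, 0), "sa", "change_address", "S100",
                old="1 Main St", new="PO Box 9"),
    MasterEvent(datetime(2006, 3, 1, 10, 3), "sa", "post_invoice", "S100", amount=25000.0),
    MasterEvent(datetime(2006, 3, 1, 10, 5), "sa", "payment_run", "S100", amount=25000.0),
    MasterEvent(datetime(2006, 3, 1, 10, 15), "sa", "change_address", "S100",
                old="PO Box 9", new="1 Main St"),
    MasterEvent(datetime(2006, 3, 1, 14, 0), "ap_clerk", "change_address", "S200",
                old="5 Elm Rd", new="6 Elm Rd"),
]


def detect_change_pay_revert(events, window_minutes):
    """Expert rule: flag a supplier whose address was changed, who was then paid,
    and whose address was changed back to the earlier value within the window.
    Each finding records the amount paid and whether a single actor did it all."""
    window = timedelta(minutes=window_minutes)
    pending = {}   # supplier -> list of [change_event, payments seen since it]
    findings = []
    for e in sorted(events, key=lambda ev: ev.time):
        chain = pending.setdefault(e.supplier, [])
        # Forget changes that have aged out of the window.
        chain[:] = [c for c in chain if e.time - c[0].time <= window]
        if e.action == "payment_run":
            for c in chain:
                c[1].append(e)
        elif e.action == "change_address":
            for prior, payments in chain:
                if e.new == prior.old and payments:
                    actors = {prior.actor, e.actor} | {p.actor for p in payments}
                    findings.append({
                        "supplier": e.supplier,
                        "changed_at": prior.time,
                        "reverted_at": e.time,
                        "paid": sum(p.amount for p in payments),
                        "actors": sorted(actors),
                        "single_actor": len(actors) == 1,
                    })
            chain.append([e, []])
    return findings


def audit_sample(window_minutes=24 * 60):
    """Runs the rule over the constructed events with a one-day window."""
    return detect_change_pay_revert(EVENTS, window_minutes)


if __name__ == "__main__":
    for f in audit_sample():
        print(f["supplier"], f["changed_at"], "->", f["reverted_at"],
              "paid", f["paid"], "actors", ",".join(f["actors"]))
```

Because the rule keys on the sequence rather than on any one action, it produces no finding for S200 and none for a legitimate correction that is never reverted; the `single_actor` flag is what turns the pattern from a curiosity into a segregation-of-duties exception worth grading as serious.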
Conclusion
Though the principles of auditing have not altered for centuries, there have been metamorphous changes in the means of handing over audit deliverables in the past decade. Legacy audit methodology has lost its relevancy in the current age of instant certification of information. It has to give way to continuous audit, which has become a professional imperative. With all the advances in IT, the cost of adopting continuous audit is no more prohibitive. The only forbidding thing in continuous auditing is the development of requisite software. With programming becoming more lucid and user-friendly, auditors need to make a one-time investment in getting programs developed to meet the continuous audit. Auditors have to visualise different scenarios for embedding them in the expert rules. By doing this, the auditor will no longer need to review sample data, but the whole of the transaction population can be viewed through remote monitoring.
If the auditor has the necessary ability, he/she can remotely monitor every transaction that has material implications. IT, in recent times, has come a long way in facilitating the omnipresence of the auditor. In this ongoing development of continuous auditing, it remains to be seen whether the profession is brave enough to seize the opportunities that this new paradigm presents.
Endnotes
1 www.nysscpa.org/cpajournal/2003/0503/dept/d054603.htm
2 Wood, Richard L. (study chair); Grant Thornton, http://csdl2.computer.org/comp/proceedings/hicss/2001/0981/07/09817049.pdf and www.cica.ca/index.cfm/ci_id/987/la_id/1.htm
3 Institute of Internal Auditors, Ottawa Chapter Newsletter, May 2004, www.theiia.org/chapters/pubdocs/94/IIA_May_2004_Newsletter.pdf
4 Interview with Mr. Castellano, chairman of the board of directors for Baker Tilly International, with WebCPA, www.webcpa.com/article.cfm?articleid=14584 and www.aicpa.org/info/sarbanes_oxley_summary.htm
Srinivas Sarva, CISA
is manager of internal audit with Bharat Heavy Electricals Limited, India, a leading power equipment manufacturer. Sarva can be contacted at [email protected]
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISACA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.