2011 UWCISA Symposium
Toronto, Canada

Discussion Paper: The Acceptance and Adoption of Continuous Auditing by Internal Auditors: A Micro Analysis

Discussant: Denease Prinold, KPMG

Motivation

“By identifying the drivers and barriers that affect the adoption of continuous auditing and continuous control monitoring in organizations, we hope we provide a better understanding of the stage of development and usage of the methodology.”

Worthy Topic? Yes.
• Brings to light differences in interpretation of the subject matter
• Addresses differences of opinion regarding its state of adoption
• Provides insight into the state of an evolving area that may not be as widely adopted as one may expect given environment conditions

© 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Theory

“…the macro-level nature of the surveys does not allow a full understanding of how precisely the survey subjects are implementing CA ...”

“…continuous auditing is a concept rather than a well defined technological tool or practice and hence it is not clear what the responding firms actually mean…”

The quote from the PwC survey used as a basis for this paper is subject to interpretation:

“Eighty-one percent of 392 companies responding to questions about continuous auditing reported that they either had a continuous auditing or monitoring process in place or were planning to develop one.”

“From 2005 to 2006, the percentage of survey respondents saying they have some form of continuous auditing or monitoring process within their internal audit functions increased from 35% to 50%—a significant gain.”

• What % is CA and what % is CM?
• How advanced was the planning stage? Taking steps to adopt it, or just in an investigation stage?
• What is meant by “some form”? This doesn’t necessarily imply the adoption is to any great extent. Would a single application of it qualify? It also doesn’t speak to the level of maturity of the application.

Theory (cont’d)

The quote from a survey jointly undertaken by ACL and the Institute of Internal Auditors:

“…36% of responding firms stating that they have adopted a continuous auditing approach across all of their business processes or within select areas, and with another 39% planning to do so in the near future.”

• How many implementations are “across all of their business processes” vs “within select areas”?
• Is the reference to “continuous auditing” accurate or are they also including “continuous monitoring”?
• Are they performing qualitative CA procedures or quantitative?

Justified to perform additional analysis to determine the extent and nature of adoption and if the results are impacted by respondent bias or interpretation of the subject matter.

Results

“…although they have certain level of CA/CM, they are just in the initiation phase... This result is strikingly contrasted with the PwC survey, which stated that a large number of companies had continuous auditing in place.”

Did not focus on technicalities of the methods used by the presenters to support their study (more of an academic subject matter). But instead compared the results against what is generally seen in practice.
There is less room for different interpretations of the results because:
• The benchmark used to analyze the results is clearly communicated through an Audit Maturity Model that classifies the audit evolution into four progressive stages culminating in full CA.
• The data used in the analysis was obtained through interviews, which would provide more insight into the adoption of CA and/or CM than a survey. The questions used in the interviews and examples of comments obtained provide insight into specific examples of what has been implemented.

Interpretation of CA

Varied interpretations:
• Often interpreted as something that falls far short of the mature or full continuous auditing stage described in the Audit Maturity Model (e.g. full automation, audit by exception, immediate response).
• “Continuous” doesn’t always seem to be interpreted as non-stop, real-time, but rather on a frequent basis throughout a period of time. This may be the result of matching the frequency of CA to that of the normal business cycle (e.g., sales more frequent than manual journal entries)
Definitions and Characteristics of Continuous Auditing & Continuous Monitoring

Activity: Continuous Auditing (CA), Continuous Monitoring (CM)
Definition, Unique Characteristics, Common Characteristics

Collection of audit evidence and indicators by an auditor on information technology (IT) systems, processes, transactions, and controls on a frequent or continuous basis, throughout a given period
• Third Line of Defense
• Process can also be used for Continuous Risk Assessment for dynamic audit planning purposes
• Analytic capabilities include:
• Efficient ETL (Extract, Transform, Load) processes
• Flexible types of analytics
• Scalable and extendable
• Frequency can be modified

Feedback mechanism (monitoring method) used by management to ensure that controls operate as designed and transactions process as prescribed
• First and second lines of defense
• Dynamic reporting with actionable output
• Responsibility of management
• Workflow management capability
• Important component of the internal control structure
• Integration with a process
• Not intended to become part of the internal control environment
• Wide variety of organizational Data
• Technology-enabled process
• Can provide automated controls and processes

Definitions taken from KPMG LLP’s Continuous Auditing and Continuous Monitoring: Transforming Internal Audit and Management Monitoring to Create Value, 2008

Dimensions of CA/CM

Macro-Analytic Dimension: Macro-Level Analysis for trends, patterns, results (e.g., DSO, No. of POs/week)
Controls Dimension: Changed or deleted configurable application controls, SOD, etc.
Risk / Performance
Transactions Dimension: Transaction-based exception analysis and business rule management

Risk and Performance Monitoring is optimized when all three dimensions are implemented

Analysis

Variation in the balance of the performance of CM between management and IA.

The application of full CA, per the Audit Maturity Model, is not a significant part of the IA function.

The IA function is still substantially traditional, including:
• Periodic or interim/year-end testing, as opposed to “continuous”
• Periodic reporting on the state of the control environment

Analysis (cont’d)

However, we are seeing an increase in the frequency of audit procedures and a more frequent involvement of IA (not always through technology-based methods)

Performance of sample testing on a more frequent basis than once or twice a year

Inclusion of IA in project team meetings for new implementations

Inclusion of IA on distribution lists of periodic monitoring reports, such as:
• KPI reports used by management, including information on security incidents, availability, etc.
• system change reports

Periodic meetings between IA and management

Many of these activities support IA’s continuous risk assessment process and include both qualitative and quantitative aspects.
Suggestions

“Currently, an internal audit department of each company is responsible for control monitoring, including monitoring exceptional reports and alarms from the system. If there is any irregular or critical alarm, management will be notified.”

“The company monitors over 5 million customer accounts on a daily basis, and the system sends out about 6 thousand alerts a month. Internal auditors analyze the alarm and inform management.”

Highlight the difference between CA and CM

Consider the following:

Responsibilities of management and IA
• Management responsibility for developing and monitoring controls (CM)
• IA responsibility for assessing risk and controls implemented to mitigate those risks, including management’s monitoring process (CA)

Independence of IA
• Is there impact on independence if IA performs a monitoring role (on behalf of management)?

Risk of redundancy/inefficiency in the analysis of information
• Information available to IA in a full continuous audit scenario is the same as would be available to management, and is available at the same time

Conclusion

“…although they have certain level of CA/CM, they are just in the initiation phase... This result is strikingly contrasted with the PwC survey, which stated that a large number of companies had continuous auditing in place.”

Not seeing a mature implementation of CA in practice.

It’s not clear what definitions for CA and for CM were used in the external surveys used as a basis for this paper. They are also not clear on the maturity or pervasiveness of the implementation.

Agree with the paper that, overall, IA departments are in an early stage of CA, based on the Audit Maturity Model presented.
Contact details:
Denease Prinold
KPMG LLP
(416) 777-8773
dprinold@kpmg.ca
www.kpmg.com