2011 UWCISA Symposium
Toronto, Canada
Discussion Paper:
The Acceptance and Adoption of Continuous
Auditing by Internal Auditors: A Micro Analysis
Discussant: Denease Prinold, KPMG
Motivation
“By identifying the drivers and barriers that affect the adoption of continuous
auditing and continuous control monitoring in organizations, we hope we
provide a better understanding of the stage of development and usage of
the methodology.”
Worthy Topic? Yes.
Brings to light differences in interpretation of the subject matter
Addresses differences of opinion regarding its state of adoption
Provides insight into the state of an evolving area that may not be as widely
adopted as one may expect given environment conditions
© 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Theory
“…the macro-level nature of the surveys does not allow a full understanding of how
precisely the survey subjects are implementing CA ...”
“…continuous auditing is a concept rather than a well defined technological tool or
practice and hence it is not clear what the responding firms actually mean…”
The quote from the PwC survey used as a basis for this paper is subject to
interpretation:
“Eighty-one percent of 392 companies responding to questions about continuous auditing
reported that they either had a continuous auditing or monitoring process in place or were
planning to develop one.”
“From 2005 to 2006, the percentage of survey respondents saying they have some form of
continuous auditing or monitoring process within their internal audit functions increased from
35% to 50%—a significant gain.”
• What % is CA and what % is CM?
• How advanced was the planning stage? Taking steps to adopt it, or just in an
investigation stage?
• What is meant by “some form”? This doesn’t necessarily imply the adoption is to any
great extent. Would a single application of it qualify? It also doesn’t speak to the level of
maturity of the application.
Theory (cont’d)
The quote from a survey jointly undertaken by ACL and the Institute of
Internal Auditors:
“…36% of responding firms stating that they have adopted a continuous auditing
approach across all of their business processes or within select areas, and with
another 39% planning to do so in the near future.”
• How many implementations are “across all of their business processes” vs
“within select areas”?
• Is the reference to “continuous auditing” accurate or are they also including
“continuous monitoring”?
• Are they performing qualitative CA procedures or quantitative?
Justified to perform additional analysis to determine the extent and nature
of adoption and if the results are impacted by respondent bias or
interpretation of the subject matter.
Results
“…although they have certain level of CA/CM, they are just in the initiation
phase... This result is strikingly contrasted with the PwC survey, which
stated that a large number of companies had continuous auditing in
place.”
Did not focus on the technicalities of the methods used by the presenters to support
their study (more of an academic subject matter), but instead compared the
results against what is generally seen in practice.
There is less room for different interpretations of the results because:
• The benchmark used to analyze the results is clearly communicated through an
Audit Maturity Model that classifies the audit evolution into four progressive stages
culminating in full CA.
• The data used in the analysis was obtained through interviews, which would provide
more insight into the adoption of CA and/or CM than a survey. The questions used
in the interviews and examples of comments obtained provide insight into specific
examples of what has been implemented.
Interpretation of CA
Varied interpretations:
Often interpreted as something that falls far short of the mature or full continuous
auditing stage described in the Audit Maturity Model (e.g. full automation, audit by
exception, immediate response).
“Continuous” doesn’t always seem to be interpreted as non-stop, real-time, but rather
on a frequent basis throughout a period of time. This may be the result of matching
the frequency of CA to that of the normal business cycle (e.g., sales more frequent
than manual journal entries)
Definitions and Characteristics of Continuous Auditing &
Continuous Monitoring
Continuous Auditing (CA)
Definition: Collection of audit evidence and indicators by an auditor on
information technology (IT) systems, processes, transactions, and controls
on a frequent or continuous basis, throughout a given period
Unique Characteristics:
• Third Line of Defense
• Process can also be used for Continuous Risk Assessment for dynamic audit
planning purposes
• Not intended to become part of the internal control environment
Continuous Monitoring (CM)
Definition: Feedback mechanism (monitoring method) used by management to
ensure that controls operate as designed and transactions process as prescribed
Unique Characteristics:
• First and second lines of defense
• Responsibility of management
• Important component of the internal control structure
Common Characteristics (CA and CM)
• Analytic capabilities include:
  • Efficient ETL (Extract, Transform, Load) processes
  • Flexible types of analytics
  • Scalable and extendable
  • Frequency can be modified
• Dynamic reporting with actionable output
• Workflow management capability
• Integration with a process
• Wide variety of organizational data
• Technology-enabled process
• Can provide automated controls and processes
Definitions taken from KPMG LLP’s Continuous Auditing and Continuous Monitoring: Transforming Internal Audit and
Management Monitoring to Create Value, 2008
Dimensions of CA/CM
[Diagram: three dimensions surrounding "Risk / Performance"]
• Macro-Analytic Dimension: Macro-level analysis for trends, patterns, results
(e.g., DSO, No. of POs/week)
• Controls Dimension: Changed or deleted configurable application controls,
SOD, etc.
• Transactions Dimension: Transaction-based exception analysis and business
rule management
Risk and Performance Monitoring is optimized when all three dimensions are implemented
Analysis
Variation in the balance of the performance of CM between management and IA.
The application of full CA, per the Audit Maturity Model, is not a significant part
of the IA function.
The IA function is still substantially traditional, including:
• Periodic or interim/year-end testing, as opposed to “continuous”
• Periodic reporting on the state of the control environment
Analysis (cont’d)
However, we are seeing an increase in the frequency of audit procedures and a
more frequent involvement of IA (not always through technology-based
methods)
Performance of sample testing on a more frequent basis than once or twice a year
Inclusion of IA in project team meetings for new implementations
Inclusion of IA on distribution lists of periodic monitoring reports, such as:
• KPI reports used by management, including information on security incidents,
availability, etc.
• system change reports
Periodic meetings between IA and management
Many of these activities support IA’s continuous risk assessment process and include
both qualitative and quantitative aspects.
Suggestions
“Currently, an internal audit department of each company is responsible for control
monitoring, including monitoring exceptional reports and alarms from the system. If there is
any irregular or critical alarm, management will be notified.”
“The company monitors over 5 million customer accounts on a daily basis, and the system
sends out about 6 thousand alerts a month. Internal auditors analyze the alarm and inform
management.”
Highlight the difference between CA and CM
Consider the following:
Responsibilities of management and IA
• Management responsibility for developing and monitoring controls (CM)
• IA responsibility for assessing risk and controls implemented to mitigate those risks,
including management’s monitoring process (CA)
Independence of IA
• Is there an impact on independence if IA performs a monitoring role (on behalf of management)?
Risk of redundancy/inefficiency in the analysis of information
• Information available to IA in a full continuous audit scenario is the same as would be
available to management, and is available at the same time
Conclusion
“…although they have certain level of CA/CM, they are just in the initiation
phase... This result is strikingly contrasted with the PwC survey, which
stated that a large number of companies had continuous auditing in place.”
Not seeing a mature implementation of CA in practice.
It’s not clear what definitions for CA and for CM were used in the external surveys
used as a basis for this paper. They are also not clear on the maturity or
pervasiveness of the implementation.
Agree with the paper that, overall, IA departments are in an early stage of CA,
based on the Audit Maturity Model presented.
Contact details:
Denease Prinold
KPMG LLP
(416) 777-8773
dprinold@kpmg.ca
www.kpmg.com