Continuous Controls Monitoring and Continuous Auditing – an integrated technology approach

John Verver CA, CISA, CMC
VP Professional Services
ACL Services Ltd

Topics
- Continuous Controls Monitoring and Continuous Auditing
- Definitions, Distinctions, Relationships
- An integrated approach for CCM and CA
- Management role and activities
- Audit’s role and activities
- Technology requirements
- Examples

Continuous Auditing
- Shift from traditional approach of periodic cyclical audit processes
- Method used to automatically perform audit procedures on an ongoing basis
- Allows audit to provide ongoing risk and control assessments
- Technology is key

Continuous Controls Monitoring
- Process performed by management to determine whether policies and controls are operating effectively
- Establishes control objectives and assurance assertions – and uses automated tests to identify activities and transactions that fail to comply with controls
- Allows management to fix control problems on a timely basis – improves controls and improves operational performance
- Technology is key

CA and CCM – an integrated approach
- Many of the techniques used in CA and CCM are similar
- How can both approaches be integrated and how does this affect roles and responsibilities of audit and management?

CA and CCM – an integrated approach
- Effective use of automated continuous auditing and controls monitoring techniques can substantially reduce the time required for ERM activities and controls testing
- Helps to make it clear to management that they – and not audit – are primarily responsible for determining effectiveness of controls
- Audit (internal and external) needs to be able to rely upon the integrity of the Continuous Controls Monitoring process

Audit reliance on Continuous Controls Monitoring
- Validation of control monitoring tests
  - Design
  - Processing
- Security over access to the CCM system
- Security over changes to tests and test parameters
- Processing audit trail
- Follow up procedures – response to control deficiencies detected

Technology requirements for Integrated Approach
- Comprehensive range of standard control tests
- Configurability of additional tests
- Ad hoc analysis to support CCM and CA process
- Ability to access and monitor data, transactions and activities from across the enterprise
- Security and control over CCM process
- Auditability of CCM process
- Integration with ERM software

ACL Experience
- Increasing recognition by internal audit and operational management that CCM process should be owned by management
- Internal audit designing procedures around CCM processes
- External auditing firms beginning to consider issues of CCM audit reliance – security and control of CCM process a significant concern
- ROI argument for CCM repeatedly validated