By Godwin Kanongovere
THERE is a growing need for timely and ongoing assurance over the effectiveness of risk management and control systems. Organisations are continually exposed to significant errors, frauds or inefficiencies that can lead to financial loss and increased levels of risk. In today’s rapidly changing, highly regulated and globalised economy, there is an even greater need for timely and ongoing assurance that controls are working effectively to mitigate risk.
Internal Audit departments are often tasked with the role of providing such assurance. Internal Auditing is defined in the International Standards for the Professional Practice of Internal Auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The traditional approach to Internal Auditing’s testing of controls has been performed on a retrospective and cyclical basis, often many months after the business activities have occurred. These testing procedures have often been based on a sampling approach involving reviews of policies, procedures, approvals and reconciliations. Unfortunately, this approach affords internal auditors a narrow scope of evaluation and is often too late to be of real value to business performance or regulatory compliance.
A new approach is thus needed to meet the growing and changing needs of business for timely reporting if Internal Audit departments are to fully discharge their responsibilities.
Continuous Auditing is defined by the Institute of Internal Auditors as a method used to perform control and risk assessments on a more frequent basis. Technology is key to enabling such an approach. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100% of transactions. It becomes an integral part of modern auditing at many levels.
It should be closely tied to management activities such as performance monitoring, balanced scorecard and enterprise risk management. A continuous audit approach allows internal auditors to fully understand critical control points, rules, and exceptions. With automated, frequent analyses of data, they are able to perform control and risk assessments in real time or near real time. They can analyse key business systems both for anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging risk.
A combined strategy of continuous auditing and continuous monitoring is ideal for addressing scarcity of resources, one of the key challenges hampering Internal Audit departments globally in discharging their duties. Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. It addresses management’s responsibility to assess the adequacy and effectiveness of controls. This involves identifying the control objectives and assurance assertions and establishing automated tests to highlight activities and transactions that fail to comply.
Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by internal auditors. Management’s use of continuous monitoring procedures, in conjunction with continuous auditing performed by internal auditors, will satisfy the demands for assurance that control procedures are effective and that the information produced for decision-making is both relevant and reliable.
An important additional benefit to the organisation is that instances of error and fraud are typically significantly reduced, operational efficiency is increased, and bottom-line results are improved.
The level of proactive monitoring performed by management will directly affect how auditors approach continuous auditing. In cases where the continuous monitoring of controls is being performed by management, the same level of detailed transaction testing may not be required under continuous auditing.
Instead, auditors can focus on procedures to determine the effectiveness of management’s monitoring process and, depending on the outcome of such tests, adjust the scope, number, and frequency of audit testing.
The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation.
Organisations must be cognisant of the fact that continuous auditing will change the audit paradigm, including the nature of evidence, timing, procedures, and level of effort required by internal auditors. This will place demands on the audit department.
In particular, it will have to:
*Obtain and nurture audit committee and senior management support for the concept and implementation of continuous auditing.
*Use (or implement) data analysis techniques to support audit projects, including the use of appropriate analytic software tools and development and maintenance of data analysis techniques and expertise within the audit team.
*Sponsor, promote, and encourage the adoption and support of continuous monitoring by management.
*Ensure that continuous auditing is adopted as part of an integrated, consistent approach to risk-oriented audit planning.
*Godwin Kanongovere is the Manager for Governance Risk & Compliance at PricewaterhouseCoopers Zimbabwe.