audit automation ca - crete2
TRANSCRIPT
-
7/28/2019 Audit Automation CA - Crete2
1/13
Audit Automation as the Foundation
of Continuous Auditing
Michael Alles
Alexander Kogan
Miklos A. VasarhelyiJ. Donald Warren, Jr.
RUTGERS CA/R/Lab
-
7/28/2019 Audit Automation CA - Crete2
2/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
2
The Case for Audit Automation Automation of business processes
Labor-intensive repetitive audit work
Cost and availability of qualified audit personnel Budgetary pressure on internal audit departments
Complexity of business transactions and increasing riskexposure
Scale and scope of audit procedures Timeliness of audit results
-
7/28/2019 Audit Automation CA - Crete2
3/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
3
Audit Automation Work Sequence Identification and engagement of stakeholders:
Business process owners
IT personnel
Internal auditors
Composition of audit automation teams
Automation of audit procedures Duplicate automation is ideal but too expensive
Verification of automated procedures Independent verification by experienced auditors
Approval of automated audit program
-
7/28/2019 Audit Automation CA - Crete2
4/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
4
Formalizing the Audit Program
Automation requires formalization
Formalized is usually automatable
Possibility of formalization is often underestimated
Benefits of formalization: promotes precision and consistency
improves confidence in audit results
Reduces long-run audit costs
Problems with formalization Many humans resist formal thinking Formalization can be very laborious and costly
Certain complex judgments are not amenable to formalization
-
7/28/2019 Audit Automation CA - Crete2
5/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
5
Re-engineering the Audit Program
Conventional audit programs are not designed forautomation
Formalizable and judgmental procedures are often
intermixed redesign is required to separate them out Re-engineering objective: maximize the proportion of
automatable procedures in the audit program (i.e.,reduce reliance on informal judgmental techniques)
Substitution of high frequency (continuous) automatedprocedures for eliminated manual methods
-
7/28/2019 Audit Automation CA - Crete2
6/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
6
Continuous Auditing (CA) as Implementation
of Automated Audit Formalized audit procedures are programmed into an
automated audit system that can run continuously
CA = CCM + CDA Continuous Control Monitoring (CCM):
Access Control and Authorizations
System Configuration and Business Process Settings
Continuous Data Assurance (CDA): Master Data
Transactions
Analytics (including Continuity Equations)
-
7/28/2019 Audit Automation CA - Crete2
7/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
7
Baseline Monitoring (Baselining)
Traditionally used in configuration management and ITsecurity
Baseline a snapshot of system configuration and
business process settings Deltas from baseline exceptions
Critical issues: Definition of baseline (the more static parameters are, the better
they are suitable for baselining) Initial verification of baseline values
Security of baseline (both definition and current values)
Accumulation of deltas redefinition of baseline
-
7/28/2019 Audit Automation CA - Crete2
8/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
8
Scalability of Audit Automation
Automation of highly specific audit procedures fordifferent enterprise units can incur prohibitive costs
Automation will be scalable across the enterprise only if
the repetitive audit procedure automation costs areeliminated
Strategies for making audit automation scalable: Hierarchical structuring of automated audit procedures from
the most generic audit procedures applicable across theenterprise to the more specific ones for major units and subunits
Hierarchical updates
Parameterization of automated audit procedures
-
7/28/2019 Audit Automation CA - Crete2
9/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
9
Architecture of Automated Audit Organization of audit software:
integrated software vs.
distributed (i.e., multi-agent-based) system
Access to the enterprise system and data: Direct (either to the database or to the application layer) Intermediated (through a business data warehouse)
Platform of audit software: Common enterprise platform (EAM embedded audit module)
Separate platform (MCL monitoring and control layer) Providers of audit software:
Common platform enterprise software vendors
Separate platform 3rd party vendors and audit firms
-
7/28/2019 Audit Automation CA - Crete2
10/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
10
Mobile Agents in Automated Audit Mobile agents can be transported to the enterprise
platform to be run there (as EAM!)
Benefits of mobility (and EAM):
Protection against network connectivity outages Event-triggered execution of audit procedures potentially zero
latency (not affected by network congestion)
More efficient for processing large volumes of enterprise data (onsite vs. moving that data over the network)
Problems with mobility (and EAM): Protection of enterprise platform against (possibly malicious) agent
Protection of agent against possible manipulation by the platform
Impossibility of protecting the agent outweighs the benefits!
-
7/28/2019 Audit Automation CA - Crete2
11/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
11
Securing Continuous Auditing
Location of continuous auditing hardware: clients premises
audit shop
Physical access security Logical access security
Super-user privileges
Clients IT personnel access
Export / import of CA system settings
-
7/28/2019 Audit Automation CA - Crete2
12/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
12
Software for Audit Automation ACL
CaseWare IDEA
Approva
Oversight Systems Governance, Risk, and Compliance Solutions: SAP GRC Access Control, Risk Management, Process Control (VIRSA)
Oracle Governance, Risk, and Compliance (LogicalApps)
IBM Workplace for Business Controls and Reporting
Paisley Enterprise GRC OpenPages
AXENTIS Enterprise
BWise
Protiviti Governance Portal
-
7/28/2019 Audit Automation CA - Crete2
13/13
CA/R/Lab
Audit Automation as the Foundation ofContinuous Auditing
13
Whats Coming?
AMR Research projects spending on government, riskand compliance applications and services will top $32.1billion in 2008, up 7.4 % from 2007. In 2009, growth is
projected at 7 %. Hosted, or on-demand solutions
Integration of audit automation with audit working paperssoftware
Transformation of internal audit Structural changes in external audit