audit automation ca - crete2

Upload: suresh-mg

Post on 03-Apr-2018

  • 7/28/2019 Audit Automation CA - Crete2

    1/13

    Audit Automation as the Foundation of Continuous Auditing

    Michael Alles

    Alexander Kogan

    Miklos A. Vasarhelyi

    J. Donald Warren, Jr.

    RUTGERS CA/R/Lab

  • The Case for Audit Automation

    Automation of business processes

    Labor-intensive repetitive audit work

    Cost and availability of qualified audit personnel

    Budgetary pressure on internal audit departments

    Complexity of business transactions and increasing risk exposure

    Scale and scope of audit procedures

    Timeliness of audit results

  • Audit Automation Work Sequence

    Identification and engagement of stakeholders:

        Business process owners

        IT personnel

        Internal auditors

    Composition of audit automation teams

    Automation of audit procedures

        Duplicate automation is ideal but too expensive

    Verification of automated procedures

        Independent verification by experienced auditors

    Approval of automated audit program

  • Formalizing the Audit Program

    Automation requires formalization

    Formalized is usually automatable

    Possibility of formalization is often underestimated

    Benefits of formalization:

        Promotes precision and consistency

        Improves confidence in audit results

        Reduces long-run audit costs

    Problems with formalization:

        Many humans resist formal thinking

        Formalization can be very laborious and costly

        Certain complex judgments are not amenable to formalization

  • Re-engineering the Audit Program

    Conventional audit programs are not designed for automation

    Formalizable and judgmental procedures are often intermixed; redesign is required to separate them out

    Re-engineering objective: maximize the proportion of automatable procedures in the audit program (i.e., reduce reliance on informal judgmental techniques)

    Substitution of high frequency (continuous) automated procedures for eliminated manual methods

  • Continuous Auditing (CA) as Implementation of Automated Audit

    Formalized audit procedures are programmed into an automated audit system that can run continuously

    CA = CCM + CDA

    Continuous Control Monitoring (CCM):

        Access Control and Authorizations

        System Configuration and Business Process Settings

    Continuous Data Assurance (CDA):

        Master Data

        Transactions

        Analytics (including Continuity Equations)

  • Baseline Monitoring (Baselining)

    Traditionally used in configuration management and IT security

    Baseline: a snapshot of system configuration and business process settings

    Deltas from baseline: exceptions

    Critical issues:

        Definition of baseline (the more static parameters are, the better they are suitable for baselining)

        Initial verification of baseline values

        Security of baseline (both definition and current values)

        Accumulation of deltas: redefinition of baseline
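
An added example, not part of the original slides, of the baselining cycle listed above: the verified baseline is sealed with an HMAC so tampering is detected before any comparison, deltas are reported as exceptions, and approved deltas are folded into a redefined baseline. The setting names, the key and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import json

ABSENT = "<absent>"  # marker for a setting missing on one side

def seal(baseline: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON, so edits to the stored baseline are detectable."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def deltas(baseline: dict, tag: str, key: bytes, current: dict) -> list:
    """Return (setting, expected, observed) for each deviation from a verified baseline."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline failed its integrity check")
    found = []
    for name in sorted(baseline.keys() | current.keys()):
        expected, observed = baseline.get(name, ABSENT), current.get(name, ABSENT)
        if expected != observed:
            found.append((name, expected, observed))
    return found

def rebaseline(baseline: dict, current: dict, approved: set, key: bytes):
    """Fold auditor-approved deltas into a new baseline and reseal it."""
    new = dict(baseline)
    for name in approved:
        if name in current:
            new[name] = current[name]
        else:
            new.pop(name, None)
    return new, seal(new, key)

# Constructed sample data; setting names and values are illustrative only.
KEY = b"constructed-demo-key"  # assumption: held by the auditor, not by client IT
BASELINE = {"debug_mode": False, "password_min_length": 12,
            "po_approval_limit": 50000, "three_way_match_required": True}
TAG = seal(BASELINE, KEY)
CURRENT = dict(BASELINE, debug_mode=True, po_approval_limit=250000)

def run_demo():
    exceptions = deltas(BASELINE, TAG, KEY, CURRENT)
    # The auditor approves only the new approval limit; debug_mode stays an exception.
    new_base, new_tag = rebaseline(BASELINE, CURRENT, {"po_approval_limit"}, KEY)
    return exceptions, deltas(new_base, new_tag, KEY, CURRENT)

if __name__ == "__main__":
    for label, rows in zip(("before", "after rebaseline"), run_demo()):
        print(label, rows)
```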

  • Scalability of Audit Automation

    Automation of highly specific audit procedures for different enterprise units can incur prohibitive costs

    Automation will be scalable across the enterprise only if the repetitive audit procedure automation costs are eliminated

    Strategies for making audit automation scalable:

        Hierarchical structuring of automated audit procedures from the most generic audit procedures applicable across the enterprise to the more specific ones for major units and subunits

        Hierarchical updates

        Parameterization of automated audit procedures

  • Architecture of Automated Audit

    Organization of audit software:

        Integrated software vs. distributed (i.e., multi-agent-based) system

    Access to the enterprise system and data:

        Direct (either to the database or to the application layer)

        Intermediated (through a business data warehouse)

    Platform of audit software:

        Common enterprise platform (EAM: embedded audit module)

        Separate platform (MCL: monitoring and control layer)

    Providers of audit software:

        Common platform: enterprise software vendors

        Separate platform: 3rd party vendors and audit firms

  • Mobile Agents in Automated Audit

    Mobile agents can be transported to the enterprise platform to be run there (as EAM!)

    Benefits of mobility (and EAM):

        Protection against network connectivity outages

        Event-triggered execution of audit procedures: potentially zero latency (not affected by network congestion)

        More efficient for processing large volumes of enterprise data (onsite vs. moving that data over the network)

    Problems with mobility (and EAM):

        Protection of enterprise platform against (possibly malicious) agent

        Protection of agent against possible manipulation by the platform

    Impossibility of protecting the agent outweighs the benefits!

  • Securing Continuous Auditing

    Location of continuous auditing hardware:

        Client's premises

        Audit shop

    Physical access security

    Logical access security

    Super-user privileges

    Client's IT personnel access

    Export / import of CA system settings

  • Software for Audit Automation

    ACL

    CaseWare IDEA

    Approva

    Oversight Systems

    Governance, Risk, and Compliance Solutions:

        SAP GRC Access Control, Risk Management, Process Control (VIRSA)

        Oracle Governance, Risk, and Compliance (LogicalApps)

        IBM Workplace for Business Controls and Reporting

        Paisley Enterprise GRC

        OpenPages

        AXENTIS Enterprise

        BWise

        Protiviti Governance Portal

  • What's Coming?

    AMR Research projects spending on government, risk and compliance applications and services will top $32.1 billion in 2008, up 7.4% from 2007. In 2009, growth is projected at 7%.

    Hosted, or on-demand solutions

    Integration of audit automation with audit working papers software

    Transformation of internal audit

    Structural changes in external audit