Continuous Auditing Is Possible (Really)

Since the Sarbanes-Oxley Act of 2002 and Auditing Standard No. 5 were issued, momentum has continued to shift toward continuous monitoring or automation solutions.

Such systems are often the focus of cost reduction efforts, conference presentations or seminars.

When SOX first came out and transactional testing was significantly larger, PricewaterhouseCoopers directly identified such technology solutions as the key to cost reductions in an Internal Audit Advisory, noting, “Technology-enabled auditing, when deployed as part of a broader continuous auditing program, can make the audit process faster, cheaper, more efficient, and more effective… You can also improve assurance quality because of the new-found ability to rapidly audit 100 percent of a transaction universe as opposed to being restricted to data samples alone.”

Continuous auditing certainly makes a lot of sense at the transactional level. Since those early years of SOX, AS5 provided some relief to public companies by redirecting compliance efforts towards high-risk areas and higher-level controls. The change in AS5 allowed companies to reduce transactional testing while relying more on manual internal controls, but we continue to hear that continuous auditing and monitoring are the wave of the future.

I remember one of the first continuous monitoring webinars I attended. The very first question from the audience was, “How do you continuously monitor a manual process?” The response from the solution provider was simple. They monitor items in the general ledger or items that are already electronic, which certainly is a piece of the puzzle, but the response ignored the reality the participant was pointing out.

As a former Big Four auditor for over a dozen years, I recognized the point being made by the participant was that his company, like all other companies, relies heavily on manual processes and controls, which are typically performed via Excel, Word, e-mail, paper, closing binders, etc.

You know, they are performed manually! Now, while most accountants and finance departments have moved past the days of the abacus, seven- or 15-column ledger paper and pencil calculations, they still make sure the numbers are right by using detect-type controls.

As an auditor, you recognize that more than likely 75 to 85 percent of your company’s key controls are manual, which by their very nature makes them difficult to continuously monitor, without hiring someone to stand over someone’s shoulder. This is a big elephant in the room for most internal auditors or accounting and finance departments when deciding how to be more efficient and proactive. Continuous monitoring of manual controls is possible and extremely efficient, but before we cover that, consider some of the hoops we have had to jump through to date.

Linkage of Process Documents to Supporting Evidence
As we know, SOX compliance required new types of documentation and analysis, such as process narratives, flowcharts, internal control risk matrices, supporting documentation and audit programs. Numerous solutions attempted to assist with this portion of compliance; however, many companies recognized that they could document in Excel or Word what the process should be, and many elected not to purchase solutions that solely focused in this area.

The primary reason was that after documenting the business processes the first time around, this part of compliance is simply not that difficult, and the real time is spent in the data testing and mining procedures.

Auditors do not have supporting documentation at their fingertips, as their evidence and documents for controls are spread all over the company. Such files and documentation are not linked to the documented processes. SOX itself pushed for the documentation of the process and then required testing after the fact to make sure evidence existed to prove the procedure was followed.

Wouldn’t it make more sense to have the process linked to the control at the very level of creation of such evidence? Wouldn’t the controller or accounting manager now be able to know the items that are not done automatically?

As a former controller, I know the items that are missing are where most of the errors occur, and they likely are missing because there is a problem. Technology has made this possible and will help make sure that the blocking and tackling of producing manual control support is completed. Having documentation and signoffs to support a key control should be a given, and systems can now monitor for these items on a real-time basis. There will always be judgment issues or errors from an accounting perspective, but the basics should be a given.

Continuous Monitoring for Manual Processes
Manual controls continue to be the lifeblood of companies and auditors nationwide. Certainly, if controls can be automated fully, they should be, but that may only get a company to 50 percent of their controls being automated. The manual controls need to be included in any continuous monitoring or auditing program.

The keys to achieving continuous monitoring of manual processes include deploying technology that combines file management and workflow for approvals, but also integrates a process documentation tool that incorporates a rules engine. Documented processes for most companies are stagnant. They document what is supposed to happen without regard to what actually is happening until the audit process starts. Many solutions allow auditors to put documentation in as support for their testing, which helps you understand where the audit stands, but it will not tell you what is or is not done in the accounting department today. And that is mission-critical information.

Using a file management system with a central repository, from which all stakeholders can efficiently work, will help finance teams achieve the efficiencies of a paperless work environment as well as allow critical information to be shared and stored in one place. As a result, security rights are a key feature to look for, so that segregation of duties can be upheld and access to information remains appropriate. Since the supporting evidence is now in one place, the process-monitoring system can take over and monitor for the existence of the evidence and further monitor for completion by monitoring for sign-offs as well.

As a result of identifying the existence of the evidence in a given period and the appropriate sign-offs, the system can simply report the outstanding items. So, you can continuously monitor a manual process on a real-time basis.
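The check described above can be sketched in a few lines. This is an added example, not code from any product mentioned in the article; the control IDs, file names, user names and the `outstanding_items` function are constructed for illustration, and the self-approval test is an assumption about how segregation of duties would be enforced on sign-offs.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Control:
    control_id: str
    description: str

@dataclass(frozen=True)
class Evidence:
    control_id: str
    period: str              # accounting period, e.g. "2024-03"
    filename: str
    preparer: str
    approver: Optional[str]  # None until someone signs off

def outstanding_items(controls, repository, period):
    """Return (control_id, reason) for every control not complete in `period`."""
    by_control = {}
    for ev in repository:
        if ev.period == period:
            by_control.setdefault(ev.control_id, []).append(ev)
    findings = []
    for control in controls:
        files = by_control.get(control.control_id, [])
        if not files:
            findings.append((control.control_id, "no evidence filed"))
            continue
        for ev in files:
            if ev.approver is None:
                findings.append((control.control_id, "awaiting sign-off"))
            elif ev.approver == ev.preparer:
                # Assumed rule: a preparer signing off their own work
                # does not satisfy segregation of duties.
                findings.append((control.control_id, "self-approved"))
    return findings

# Constructed sample data: four key controls and the repository contents.
CONTROLS = [
    Control("FC-01", "Bank reconciliation"),
    Control("FC-02", "Accrual review"),
    Control("FC-03", "Journal entry approval"),
    Control("FC-04", "Fixed asset rollforward"),
]
REPOSITORY = [
    Evidence("FC-01", "2024-03", "bank_rec_mar.xlsx", "akhan", "mlopez"),
    Evidence("FC-02", "2024-03", "accruals_mar.xlsx", "akhan", None),
    Evidence("FC-03", "2024-03", "je_log_mar.pdf", "mlopez", "mlopez"),
    Evidence("FC-04", "2024-02", "fa_roll_feb.xlsx", "akhan", "mlopez"),
]

if __name__ == "__main__":
    for control_id, reason in outstanding_items(CONTROLS, REPOSITORY, "2024-03"):
        print(f"{control_id}: {reason}")
```

Run on a schedule against the repository's metadata, a report like this gives the controller and the auditors the same list of open items for the period.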

Even more interesting are all the things companies can do once the manual process is being monitored on a real-time basis. Now the appropriate finance team can see where the holes are and what needs to be done, something that can’t be done today in a manual, closed environment. Overnight the process has moved from reactive to proactive. Additionally, if the system is monitoring and tracking evidence being created on a real-time basis, then the auditors can test it in real time, i.e., continuous auditing for manual processes.

Further, the system can deliver the supporting evidence for the controls directly to the internal audit team without having to ask someone in finance to pull a sample or interrupt their daily work. Auditors can test remote locations without incurring travel expenses and can support their samples without having to scan or import the information because the documentation and proof of compliance is already there.

Both private and public companies are seeing the benefits of continuously monitoring their manual processes today. So, if you have not looked into such solutions, opportunity is knocking on your door to cut costs and effort.

Jeff Reibel, CPA, is founder and CEO of Conexxus, LLC, which develops, markets and supports software and accompanying solutions that offer increased visibility and decreased costs for accounting, finance and internal audit departments. For more information, contact Jeff.Reibel@conexxus.com.
