When management at Hewlett-Packard Co. (HP) identified a concern related to the frequency and volume of manual journal entries, the company’s internal audit function initiated a dashboard to enable ongoing evaluations.
HP adopted a continuous auditing and continuous monitoring approach to identify the root cause of such transactions and to enable better decisions through standardized entries made under improved controls. Various governance and compliance teams collaborated to design high-level analytics with drill-down capabilities. They were able to identify and study trends, movements in the accounts, spikes of activity during the period, the nature of the entries, and the individuals who are posting entries. The success of the program, in collaboration with compliance functions and management, has prompted action to reduce the number and risk of journal entries.
“That’s one very simple step forward,” said Brad Ames, CPA, a director of internal audit for HP.
In a business world where change occurs rapidly and organizations have access to a seemingly unlimited supply of data, companies want to act on data in real time. Organizations need to proactively anticipate and mitigate risks, and data analysis that enhances the control environment increasingly is becoming a part of that process. Jason Pett, CPA, the leader of PwC’s internal audit practice, said internal auditors at leading companies are leveraging data to drive everything they do.
“How do we use data to drive our scoping decisions?” he said. “How do we use data to drive our risk assessment process? How do we use data to [help decide] which audits we should be doing? I think the use of data, leveraging data to totally transform how internal audit performs, is the story.”
In this environment, continuous auditing and continuous monitoring are growing as tools for internal auditors to provide more value to their employers. In continuous auditing, the internal audit staff uses technology to analyze data frequently for early identification of outliers. This helps internal audit focus its resources. Continuous monitoring differs slightly from continuous auditing. In continuous monitoring, analytics on key performance metrics are set up for management to review in real time and act on, when necessary. These methods can enhance the timely, ongoing review of financial data and internal control at an organization.
According to the 2014 internal audit capabilities and needs survey conducted by consulting firm Protiviti, skills with computer-assisted audit tools and data analysis are the most-needed competencies in internal audit. These tools and technologies support continuous monitoring and auditing activities.
The highly regulated power and utilities industry is a leader in using forensic data analytics tools for continuous monitoring, according to a 2014 EY global survey report, Big Risks Require Big Data Thinking. A PwC survey report published in 2014 on the power and utilities industry, Empowering Business Agility: Strengthening Internal Audit’s Impact and Value, found that continuous auditing was rated as very important by 57% of chief audit executives, up from 31% in 2012. A 2013 PwC survey on that industry found that areas where continuous auditing was being used the most were:
- Employee expense and procurement cards (72%).
- Accounts payable, disbursement, purchasing, and other expenses (72%).
- Journal-entry testing (40%).
- Fraud audits (40%).
- Supply chain and inventory (36%).
- Payroll, overtime, and time reporting (20%).
- Operations analytics (20%).
- Financial statement analytics (20%).
“One of the biggest benefits … is ongoing evaluations or analytics that shorten the time for getting management to respond to risk,” Ames said. “… As an audit department, you can be more persuasive and enable timely management actions through analytics much more quickly or much more efficiently than you could through an inspection-style audit.”
HP has used continuous auditing and monitoring to make improvements in several areas, including:
Simplifying Sarbanes-Oxley Section 404 attestation around IT general controls and application IT controls. Benchmarking configurable automated controls to measure the timing and extent of change optimizes application control testing. The purpose is to track trends and compare changes with a predefined threshold to sustain and carry forward the baseline conclusion with minimal examination (i.e., automated controls that have not changed since the previous audit would be validated without further examination).
Analysis of journal entries and account reconciliation to provide auditors and management with an ongoing view of journal-entry volume and frequency across the business. Manual journal-entry monitoring is designed to isolate key indicators and outliers, such as:
- High-value journal entries posted to high-risk accounts.
- Nonfinance users posting journal entries to financial accounts.
- Journal entries posted using the access of terminated users.
- Segregation-of-duties conflicts (i.e., users who have the capability to initiate, review, and approve journal entries across applications).
- Users posting journal entries even after month-end close deadlines.
- Journal entries with unclear or missing descriptions or explanations.
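The journal-entry indicators listed above can be expressed as rules run over each posting. The following is an added illustration, not HP's analytics: the field names, account codes, threshold, close deadline, and sample entries are all constructed, and the segregation-of-duties check is simplified to "poster approved their own entry."

```python
from datetime import date

# Constructed sample data. Field names, account codes, the materiality
# threshold and the close deadline are assumptions for illustration.
HIGH_RISK_ACCOUNTS = {"2900-RESERVES", "4000-REVENUE"}
HIGH_VALUE = 100_000
CLOSE_DEADLINE = date(2014, 6, 5)
USERS = {
    "asmith": {"dept": "finance", "terminated": None},
    "bjones": {"dept": "sales", "terminated": None},
    "clee": {"dept": "finance", "terminated": date(2014, 5, 20)},
}
ENTRIES = [
    {"id": "JE1", "user": "asmith", "approver": "dkim", "account": "6100-TRAVEL",
     "amount": 1_200, "posted": date(2014, 5, 30), "desc": "May travel accrual"},
    {"id": "JE2", "user": "bjones", "approver": "asmith", "account": "4000-REVENUE",
     "amount": 250_000, "posted": date(2014, 6, 2), "desc": "Q2 revenue adjustment"},
    {"id": "JE3", "user": "clee", "approver": "clee", "account": "2900-RESERVES",
     "amount": 50_000, "posted": date(2014, 6, 9), "desc": "adj"},
]

def flag_entry(entry, users=USERS):
    """Return the indicator names that fire for one manual journal entry."""
    flags = []
    user = users.get(entry["user"])  # None: poster is missing from the HR extract
    if entry["amount"] >= HIGH_VALUE and entry["account"] in HIGH_RISK_ACCOUNTS:
        flags.append("high_value_high_risk")
    if user is None or user["dept"] != "finance":
        flags.append("nonfinance_user")
    if user and user["terminated"] and entry["posted"] > user["terminated"]:
        flags.append("terminated_user")
    if entry["user"] == entry["approver"]:  # simplified per-entry SoD proxy
        flags.append("self_approved")
    if entry["posted"] > CLOSE_DEADLINE:
        flags.append("after_close")
    if len((entry.get("desc") or "").strip()) < 5:  # missing or too short
        flags.append("weak_description")
    return flags

def exceptions(entries=ENTRIES):
    """Map entry id -> fired indicators, keeping only entries with at least one."""
    result = {}
    for entry in entries:
        flags = flag_entry(entry)
        if flags:
            result[entry["id"]] = flags
    return result

if __name__ == "__main__":
    for entry_id, flags in exceptions().items():
        print(entry_id, ", ".join(flags))
```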
Sales compensation monitoring, which consists of ongoing evaluation of bonuses and commissions for reasonableness. Factors that would suggest an outlier may include:
- Performance measurement of target vs. actual sales compensation (i.e., out-of-range commissions that do not correspond with performance).
- Recipients of commissions in nonsales functions.
- High-incentive liability levels (i.e., bonus paid in advance).
Monitoring changes to fixed assets’ useful lives and depreciation to ascertain if assets are conforming to the company’s accounting policy. The dashboard provides a view of the following exceptions for management action:
- Compare and match accuracy of useful life of newly acquired assets based on asset class.
- Highlight outliers of assets that have been assigned a useful life greater than the policy limits.
Monitoring for product warranty fraud. The objective of warranty fraud analytics is to detect potentially fraudulent behavior. Analytics compare data on spare parts that were shipped to customer locations with data on used parts returned to HP to monitor for the following exceptions:
- Parts returned with less value than shipped.
- Parts returned fewer in quantity than shipped.
- Parts returned of a different type from the ones shipped (e.g., network device shipped, hard drive returned).
- Warranty service cases created by engineers and assigned to themselves to resolve.
A summary view is created to show the number of exceptions of each type and the dollar amount per engineer. Another graphic is created to observe a trend per engineer. The reports are used to select cases for further investigation.
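The shipped-versus-returned comparison and the per-engineer summary described above, sketched as an added example that is not HP's implementation. The case records and field names are constructed, and the "dollar amount" is assumed here to be the value gap between the shipped and returned parts.

```python
from collections import Counter

# Constructed sample cases; field names are assumptions. "returned" is None
# when no used part came back at all.
CASES = [
    {"case": "C1", "engineer": "eng_a", "created_by": "agent_1",
     "shipped": {"type": "network device", "qty": 1, "value": 900.0},
     "returned": {"type": "network device", "qty": 1, "value": 900.0}},
    {"case": "C2", "engineer": "eng_b", "created_by": "eng_b",
     "shipped": {"type": "network device", "qty": 1, "value": 900.0},
     "returned": {"type": "hard drive", "qty": 1, "value": 80.0}},
    {"case": "C3", "engineer": "eng_b", "created_by": "agent_1",
     "shipped": {"type": "memory", "qty": 4, "value": 400.0},
     "returned": {"type": "memory", "qty": 2, "value": 200.0}},
    {"case": "C4", "engineer": "eng_a", "created_by": "agent_2",
     "shipped": {"type": "hard drive", "qty": 1, "value": 80.0},
     "returned": None},
]

def case_exceptions(case):
    """Return the exception types that apply to one warranty service case."""
    shipped = case["shipped"]
    returned = case["returned"] or {"type": None, "qty": 0, "value": 0.0}
    found = []
    if returned["value"] < shipped["value"]:
        found.append("value_shortfall")
    if returned["qty"] < shipped["qty"]:
        found.append("qty_shortfall")
    if returned["type"] is not None and returned["type"] != shipped["type"]:
        found.append("type_mismatch")
    if case["created_by"] == case["engineer"]:  # engineer opened their own case
        found.append("self_assigned")
    return found

def summary_by_engineer(cases=CASES):
    """Count exceptions of each type and total the value gap per engineer."""
    summary = {}
    for case in cases:
        found = case_exceptions(case)
        if not found:
            continue
        row = summary.setdefault(case["engineer"], {"counts": Counter(), "amount": 0.0})
        row["counts"].update(found)
        returned_value = (case["returned"] or {"value": 0.0})["value"]
        row["amount"] += max(case["shipped"]["value"] - returned_value, 0.0)
    return summary
```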
Employee expense monitoring risk indicators to isolate potential errors:
- Questionable spending at restricted establishments or for restricted items and key words (e.g., gift card, premium, or upgrade).
- Incorrect categorization (e.g., nonmeal expenses identified as a meal).
- Card activity in home city.
- Unsubmitted expenses and personal activity on delinquent cards (i.e., high balances that roll from month to month due to personal charges that have not been submitted).
ERP systems’ role in continuous monitoring
Large organizations that have spent a lot of money upgrading their enterprise resource planning (ERP) systems particularly are accelerating their use of continuous monitoring, according to Christopher Wright, a consultant and managing director and firmwide leader of finance remediation and reporting compliance for Protiviti.
He said that since most ERP systems hold data all in one place and routine exception reports are standard in these systems, they give internal audit the ability to create and implement continuous monitoring platforms. This allows internal audit and management to maximize the value of ERP systems and make their organizations more agile.
Wright said the first step for companies looking to begin continuous monitoring is taking an inventory of the tools they already have and seeing what data might be easily used in real time.
“Their ERP system isn’t just an expensive word processor,” Wright said. “So it actually functions in a way that adds value, eliminates work flow, and improves the control structure in a way that’s efficient and cost-productive.”
Do benefits outweigh costs?
Nonetheless, cost may be an obstacle to continuous auditing and continuous monitoring for midsize and small organizations that already are facing significant compliance burdens in an increasingly regulated business environment. HP’s Ames said the costs may be justified because of the benefits continuous auditing and continuous monitoring provide on two levels.
First, the benefits are seen throughout the entire audit life cycle, from planning to the engagement (which gets more precise conclusions more quickly) to the recommendation and corrective action, when analytics can be set up to sustain the remediation. Second, there can be multiple beneficiaries, including the ethics and compliance, enterprise risk management, and IT security functions.
“When they carry out continuous monitoring, you’ve got more beneficiaries, more sponsors to whom you can deliver a larger benefit and increase the return on investment,” Ames said.
With that in mind, one thing that can seriously inhibit implementation and usefulness of continuous auditing and continuous monitoring is organizational restructuring, Ames said. He said that a compliance team may be in place and working with internal audit as a strong sponsor of continuous monitoring and auditing, only to have management priorities changed by restructuring. That can lead to frustration in implementing and executing continuous auditing and continuous monitoring. (Ames further discusses the conditions an organization must have in place to successfully implement continuous auditing and continuous monitoring, below in “Do you have what it takes?”)
The focus on continuous monitoring and auditing does not decrease the need for assurance through the traditional audit reporting that internal auditors have performed for many years. Despite all the technological developments of past years, companies remain focused on the fiscal-year quarterly metrics because of regulatory reporting requirements.
External audit requirements also tie some of the traditional internal audit reporting to the fiscal year. But the continuous monitoring does change the focus of some of the traditional internal audit projects.
“Anytime you’re dealing in real time, it shifts the dynamic from triage after the fact to saying, ‘Here’s what we found. Here’s what we fixed. Here’s what we’re doing differently already,’ by the time you report to the board. It compresses the dynamic of audit identification and problem-solving. It can compress it in a way that you can report the solution, if not the status,” Wright said.
In turn, traditional internal auditing and reporting can also spur additional continuous monitoring that can produce further improvements for the organization. At HP, internal auditors performing traditional fieldwork were asked to identify three to five leading and lagging indicators in the areas they were auditing that would sustain remediation and provide new metrics to monitor.
Meanwhile, Ames has seen the HP internal audit planning function become much more strategic and future-focused. And internal audit is planning collaboratively with the risk/compliance function as a strategic partner.
“It’s not just good enough to have the technical capacity and the standardized data,” Ames said. “You have to have the coordination and relationship management capacity to plan jointly with the second line of defense and the compliance function. … We have quite a program in HP that builds up [compliance personnel] and trains them, equips them with technology and the standardized data, and sets the expectation for monitoring risk. That requires leadership.”
Ken Tysiac is a JofA editorial director. To comment on this article or to suggest an idea for another article, contact him at ktysiac@aicpa.org or 919-402-2112.
Do you have what it takes?
Brad Ames, CPA, a director of internal audit for Hewlett-Packard Co., said organizations wishing to be successful with continuous auditing and continuous monitoring must have the following conditions in place:
Support for the vision. Company management needs to be engaged and willing to respond without delay to the outliers that are raised. The audit committee’s support can prevent budgetary restrictions from torpedoing a project and help authorize internal audit to get access to data and technology. The information technology function is needed to help internal audit develop the technology and tools for continuous monitoring. IT assists internal audit in accessing and keeping data in a safe place and often needs to provide resources and support over multiple years as internal audit implements continuous auditing platforms.
Standardized data. This is the raw material that makes the whole process possible and transforms an ad hoc analytic into recurring, ongoing monitoring. Establishing audit data standards provides for the routine valuation and efficient exchange of the company’s data from multiple sources. The Emerging Assurance Technologies Task Force of the AICPA Assurance Services Executive Committee has developed voluntary audit data standards, which help auditors obtain accurate data in a usable format and are available at tinyurl.com/mr32kwc. These voluntary IT standards create a standardized format for data fields (e.g., naming, formatting, and levels of data fields) and files that are commonly requested from auditors, with the theory being that if file formats are standardized, any company’s system would be capable of producing them in the standardized format.
Coordination with second line of defense. The risk management and compliance function—the “second line of defense”—must be willing to work with internal audit to help build tools and then monitor them. Risk/compliance will have a full understanding of business risk that can help auditors plan continuous monitoring and continuous auditing activities around the factors that are critical to the organization’s success. Auditors must be able to relate to the business risks and key risk indicators while still understanding the audit objectives and assertions associated with the audit process.
Auditors willing to lead change. Auditors need to become comfortable with analytics that will allow them to look forward in addition to analyzing historical data, Ames said. Addressing emerging risks requires that forward-looking mentality and is a shift from the traditional mindset that some internal auditors are accustomed to.