In recent years, challenges concerning automation, technology risk and operational improvements were often put on the backburner as organizations responded to an all-hands-on-deck need to address Sarbanes-Oxley (SOX) compliance requirements.
Today, chief audit executives (CAEs), management committees and audit committees are taking action to allocate resources more evenly between compliance audits and operational audits. According to Grant Thornton LLP’s 2011 CAE survey, nearly one-quarter of CAEs say that the number of hours dedicated to operational auditing at their organization will rise, and almost one-half see their time commitment to continuous audits increasing over the next 12 months. Yet only one-third of respondents currently perform continuous auditing.
Internal audit focuses on evaluating emerging risks, ensuring appropriate corporate governance and incorporating new technologies into the internal audit process. When you weave continuous auditing into the fabric of the organization, you are adding the capability of checking and sharing financial and other information in real time — an invaluable improvement in the internal audit function.
Three central factors contribute to effective continuous auditing: process, technology and people.
First Key to Effective Continuous Auditing: Process
We need to get smarter about how we conduct effective internal audits by auditing higher-volume areas in greater numbers with fewer resources. This means that our process must be planned and executed flawlessly.
While this may make some internal auditors cringe, it is best to set aside the old process and start with a blank piece of paper when building a continuous auditing plan. A good process allows an organization to identify ineffective systems, take corrective action and ultimately support continuous improvement. Lack of a solid internal audit process can lead to an increase in costs, hours of wasted resources, and system and process breakdowns.
For continuous auditing to be effective, internal audit must maintain direct and ongoing dialogue with C-suite executives about current business, financial and strategic risks. Identifying areas as good candidates for continuous auditing is where the planning begins.
Continuous auditing goes beyond underlying accounting practices. For example, using a traditional internal audit process, an organization looking to build a new factory would assess the basic accounting elements of the project, such as payment applications, accounts payable and contracts. Using a continuous audit in the same scenario, the CAE would develop an audit approach using analytical scripts and tools to routinely monitor the data and identify potential anomalies that require further review.
Second Key to Effective Continuous Auditing: Technology
When it comes to using technology, CAEs see plenty of room for improvement. According to Grant Thornton’s survey, 44 percent of respondents say that their organizations are not effectively leveraging governance, risk and compliance (GRC)-specific technology, which enables an organization to perform and manage related strategy and implementation.
Emerging tools are heightening the CAE’s ability not only to execute an audit efficiently, systematically and continuously, but also to enhance audit quality and stakeholder value. Using automated auditing tools is one of the most common approaches to leveraging technology and delivering value across the internal audit function. The best areas to automate are those with a large volume of daily transactions and a high degree of conformity throughout the organization such as shipping, invoicing and accounts payable.
Data analytics, an underlying premise to continuous auditing, has been adopted by two-thirds of CAEs to facilitate more efficient internal audit processes and increase coverage, according to the Grant Thornton survey. Data analytics has the potential to transform internal audit and boost its value by helping identify and manage risks more promptly, effectively and efficiently.
Using traditional methods to review accounts payable, internal auditors would typically sit in a room full of invoices and identify a sample of, say 100 depending on the population. This process is labor-intensive and produces imprecise results. Using data analytics and other technology to perform continuous audits allows internal audit to harness, manipulate, analyze and audit nearly all of the data population throughout the year in a fraction of the time.
Effective use of data analytics can achieve more efficient internal audit processes; allow for quicker pattern, trend and relationship identification; and gain more substantial internal audit coverage.
Data analytics also adds considerable value to controls monitoring. For example, when married with continuous auditing, data analytics can help organizations recover revenue from instances of fraud or other sources of lost revenue by promptly allowing the company to identify the root cause.
Organizations that are new to data analytics and continuous auditing might experience a spike in the amount of internal audit time they consume; after all, they will need to master unfamiliar systems, set up training and develop appropriate processes. However, once they get through the initial learning curve, most organizations will realize considerable time savings.
Audit technologies are essentially enablers that help internal audit departments achieve their larger strategic goals. But technology should not be a goal in itself. Nor should it become a stumbling block as an organization moves toward a mindset that favors continuous auditing.
Third Key to Effective Continuous Auditing: People
Organizations value internal audit work, as demonstrated by in-house staffing trends. According to Grant Thornton’s CAE survey, 23 percent of CAEs expect their departments to grow in 2012, while 73 percent expect their staffing numbers to remain unchanged and only 4 percent predict a decrease in headcount.
While the overall size of internal audit departments will likely not change dramatically, the talent mix of the individuals within those departments may. Internal audit needs people with good data analytics and IT skills as well as a broad aptitude for conducting audits.
Inadequate skills can be one of the greatest obstacles to providing high-quality service. As the complexity of its tasks expands even further, the internal audit department will need to hire people with a wider variety of backgrounds and experiences who are ready and willing to drive change. Professionals who perform well in several areas will enable the internal audit department to be more flexible and responsive in a crisis.
Continuous auditing frees organizations from having to use a set workplan at a set point in time, year after year, for every audit. Because continuous auditing requires internal audit professionals to learn new ways of auditing, master unfamiliar technologies, think critically about the process, and question what is being done to obtain results, investing in training is necessary to break the cycle of old-school auditing.
As a business function that can help save money, eliminate inefficient business practices and minimize risk, it’s not surprising that CEOs and CFOs are demanding more from the internal audit function than ever before. Internal audit personnel need broad experience, solid technological and business acumen, and key leadership skills to be effective in today’s rapidly changing economic environment.
Continuous auditing success rests on breaking the cycle of traditional auditing methods — and yes, taking auditors out of their comfort zone. Does transitioning to continuous auditing entail a vigorous, laborious process? Absolutely, because it is a change management effort.
Does it ultimately produce better, quicker, more comprehensive results? Absolutely. The fact is that there is a greater level of risk and more economic volatility than ever before. To be successful, internal auditors must look at the organization critically and be willing to drive change.
About the Author
Warren Stippich is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has over 20 years experience working with multi-national, entrepreneurial, and high-growth public companies, including boards of directors and audit committees. Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide-array of publicly traded and private businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada.