Continuous Monitoring and Continuous Auditing with IT-assisted Tools
12 / 2017
The Board of Audit & Inspection of Korea, Gim Namjin

Table of Contents
Part 1. Introduction 1
1. Research Background 1
2. Introduction to IT Audits 6
Part 2. Government’s Audit and Reporting in the U.S. 10
1. Who audits 10
2. Government Audit Reporting(“Yellow Book”-GAGAS) 16
Part 3. Continuous Auditing and Continuous Monitoring 28
1. Defining Continuous Auditing 28
2. Differentiating Continuous Auditing from Continuous Monitoring 37
3. The needs of CA/CM 43
4. Skills Required 44
5. Barriers to CM and CA adoption 47
Part 4. Continuous Monitoring Software Tools 49
1. IT Audit Tools Requirement 49
2. Usefulness of CAATs 49
3. Use of Computer-assisted Audit Technique(CAATs) 52
4. Various IT audit tools 56
Part 5. Case studies 60
1. Application of ACL 60
2. Application CaseWare tool 72
3. Government auditing report: using ACL 79
4. Application of BAI audit tool 88
Part 6. Policy suggestions 94
1. Practice of BAI audits 94
2. Policy Recommendation 95
Part 7. Final opinion 98

【Figures】
No. Contents Page
1 Overview of Financial Statement Auditing 9
2 Flowchart of General Audit Operating Process 61
3 The capability of CaseWare Monitor 74
4 Flowchart of Local Audit Process 82
【Tables】
No. Contents Page
1 Areas covered by the principles for public-sector auditing 2
2 Continuous Auditing versus Continuous Monitoring 40
3 Use of Computer-assisted Audit Technique 55

【Appendixes】
No. Contents Page
1 Understanding audits of BAI 3
2 Understanding Financial Audit in the US 8
3 Federal government organization and financial statement reporting flow 12
4 Issuing the independent auditor reports 23
5 FY2015 U.S. Federal Government Combined Financial Statements 25
6 Survey of best suiting area and drivers 45

<Overseas Training Overview>
1. Training country: United States
2. Training institution: CKP accounting firm (Choi, Kim & Park, LLP)
3. Training field: BAI IT audit methodology
4. Training period: 2015. 12. 7. ~ 2017. 12. 6.
5. About the training institution
○ Website: http://www.ckpcpas.com
○ Managing partner: Hoon, Kim([email protected])
○ Address: 2010 Main St., Suite 520 Irvine, CA 92614
○ Tel/Fax: (TEL) 949-757-0900/(FAX) 949-757-0668
○ Organization: CKP is the largest Korean-American accounting firm in the US, with 8 offices(*), and a member firm of McGladrey, one of the five largest US accounting firms
(*) Four in California (Los Angeles, San Jose, Irvine, San Diego), plus Montgomery, Alabama; La Grange, Georgia; Fort Lee, New Jersey; and Houston, Texas
○ Main services
- Financial statement audits, tax and consulting for the private and public sectors
- Transfer pricing and advance pricing agreement services
- Financing and credit-building advisory, business valuation and M&A services
- Single audits, compliance audits and other government-related accounting services

Part 1. Introduction
1. Research Background
At the beginning of 2014, the Korean Supreme Audit Institution (SAI), the Board of Audit and Inspection of Korea (BAI), stressed that it had to change and develop itself to fulfil its primary mission of preventing wrongdoing and fraud in the public sector by adopting an advanced information audit system (IT audit). The head of BAI therefore set up a new Information Audit Bureau within BAI to meet the challenges of the times.
However, within a couple of years two massive government-wide cases of negligence of duty and fraudulent misuse of public money, the Sewol-ho ferry sinking in 2014 and the governmental wrongdoing and impeachment of President Park in 2017, delivered political and socioeconomic shocks to Korean citizens.
The background of this research lies in the limitations of BAI audits: they are conducted mostly after the damage has been done, and they are neither very predictive nor very effective at detecting fraud. Auditees also complain of audit fatigue, since BAI audits are conducted inefficiently, with heavy preparation of documentary material and audit results that remain unsettled.
I therefore conducted this research to take note of the IT audit schema and the effective IT audit tools that are useful in the public sector.
Table 1 shows the scope of the public sector and the major features of public-sector auditing as set out by INTOSAI (International Organization of Supreme Audit Institutions).
[Table 1] Areas covered by the principles for public-sector auditing

General principles
- Professional ethics and independence
- Professional judgement, due care and scepticism
- Quality control
- Audit team management and skills
- Audit risk
- Materiality
- Documentation
- Communication

Principles related to the audit process
- Planning the audit: establish the terms of the audit; obtain an understanding; conduct a risk assessment or problem analysis; identify risks of fraud as relevant; develop an audit plan ⇒
- Conducting the audit: perform the planned audit procedures to obtain audit evidence; evaluate the audit evidence and draw conclusions ⇒
- Reporting and follow-up: prepare a report based on the conclusions reached; follow up on reported matters

* INTOSAI ISSAI 100, "Fundamental Principles of Public-Sector Auditing", 2014
Appendix 1 Understanding audits of BAI
The BAI performs audits to ensure that the taxpayer money is being expended properly, and conducts inspections of government agencies and their employees to assure that their duties are being performed appropriately.
1. Major missions
(1) Verification of accounts (Article 99 of the Constitution; Article 21 of the BAI Act)
BAI examines the final accounts of the state and verifies that the nation’s resources have been spent wisely to benefit the public. To this end, the Minister of Strategy and Finance draws up the final accounts, which include the budgets implemented by all government agencies, and submits the report to BAI.
BAI then examines the report meticulously to ensure that the account totals and the actual amounts spent balance. After BAI has examined the final accounts, the Minister of Strategy and Finance presents the report to the National Assembly on May 31st of the following year.
(2) Financial audit (Articles 22 & 23 of the BAI Act)
BAI audits the central government, local autonomies and public institutions to ensure that the budget, which comes from taxpayer money, is being used properly for the nation and its citizens. BAI also scrutinizes the budgets to examine whether or not public servants, through willful intent or negligence, are reckless in conducting projects that waste public money.
BAI, in accordance with the BAI Act, must audit 34,300 central and local governments as well as other institutions. Furthermore, there are an additional 30,000 institutions which BAI can audit when necessary or at the Prime Minister’s request.
(3) Inspection (Article 24 of the BAI Act)
Apart from audit, BAI carries out inspection to ensure that the work of government agencies, local autonomies and public institutions and the performance of their employees are being carried out according to the law and principles. Just as financial audit is examination of an auditee’s finance, inspection is examination of public employees’ performance to ensure that they are doing their work properly.
Should government employees break the law or work in an illegal manner, they will face consequences, such as disciplinary action, in order to set the situation right. BAI also works to correct and improve any irrational laws or systems as well as cumbersome administrative procedures.
2. Types of audit
There are four kinds of audits:
(1) Financial audit
When conducting a financial audit, the focus is on analyzing and evaluating the use and management of the auditee’s finances and on providing recommendations for improvement. Financial audits are conducted on a regular basis to ensure sound and efficient use of financial resources, and also to provide useful information and analysis to the people and the National Assembly.
(2) Management audit
The purpose of this audit is to conduct a comprehensive analysis and evaluation of the management of the organization, human resources and budget to ensure that the auditee is carrying out its functions and duties properly. This is to ensure that the work regarding the budget proceeds both appropriately and lawfully. Through this process, the audit covers the entire management and thereby contributes to enhancing the transparency and efficiency of the organization.
(3) Performance audit
By conducting a systematic diagnosis and analysis of the problems, whether regarding major policies, projects, systems or management, comprehensive and fundamental recommendations for improvement can be made. This audit provides the support needed to ensure that major policies, measures and projects can be carried out smoothly for optimum results.
(4) Special audit
The purpose of special audit is to examine important social and economic issues or matters for which the people or the National Assembly have requested an audit. This type of audit is to be used in a flexible and timely manner as needed.
The focus of BAI’s audits is on the non-financial audits, which make up roughly 80% of the total; pure financial audits account for less than 20%.
2. Introduction to IT Audits
Government entities have increasingly adopted Information and Communication Technologies(ICT) to conduct their functions and deliver various services. Such ICT based systems are commonly, also, referred to as Information Systems(IS) or Information Technology(IT) Systems. Supreme Audit Institutions(SAIs) are mandated to audit the Government and their entities as per their respective audit mandate. SAIs, thus, promote the efficiency, accountability, effectiveness and transparency of public administration. The continuous development of Information and Communication Technology has made it possible to capture, store, process and deliver information electronically. This transition to electronic processing has triggered a significant change in the environment in which SAIs work. Moreover, the government expenditure on IT is growing. Therefore, it becomes imperative for an SAI to develop appropriate capacity to conduct IT Audits.
(1) Definition of IT Audit
IT audit is defined as an examination and review of IT systems and related controls to gain assurance or identify violations of the principles of legality, efficiency, economy and effectiveness of the IT system and related controls. IT audit is thus a broad term that cuts across financial audits (assessing the correctness of, and compliance with the other assertions in, an organization’s financial statements), compliance audits (evaluation of internal controls), and performance audits (assessing whether the IT systems meet the needs of the users and do not subject the entity to unnecessary risk). There may, however, be instances where some audits are devoted only to the IT component of a system.
(2) Mandate for IT Audits
The mandate of an SAI for IT audit is derived from the overall mandate given to the SAI to conduct audits. Some SAIs may also have a specific mandate for conducting IT audits or audits of IT systems. For many SAIs, the mandate to conduct financial audits, performance audits, and compliance audits will be a sufficient mandate to conduct IT audits, because the IT systems support the core operations of an entity, which may include financial systems. Thus IT audits may not need any additional mandate.
Appendix 2 Understanding Financial Audit in the US
The focus of auditing in the US is on the financial statement audit process, by far the most common type of auditing and assurance service provided in today’s market. Many years ago, the American Accounting Association (AAA) Committee on Basic Auditing Concepts provided a very useful general definition of auditing, as follows:
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
The process involves obtaining and evaluating evidence. Evidence consists of all types of influences that ultimately guide auditor’s decisions and relates to assertions made by management about economic actions and events. When beginning a financial statement audit engagement, an independent auditor is provided with financial statements and other disclosures by management.
External auditors generally begin their work with a focus on those assertions(explicit representations) made by management about the financial statements and information disclosed in footnotes, and then set out to obtain and evaluate evidence to prove or disprove these assertions or representations.
Other auditors, however, often are not provided with explicit representations. An internal auditor may be assigned to evaluate the cost effectiveness of the company’s policy to lease, rather than to purchase, heavy equipment.
A government auditor may be assigned to determine whether goals of providing equal educational opportunities have been achieved with federal grant fund.
Oftentimes, these latter two types of auditors must develop the explicit performance criteria or benchmarks for themselves.1)
〔Figure 1〕Overview of Financial Statement Auditing
* SOURCE: Louwers and 4 others, “Auditing & Assurance Service”, p.5
1) Louwers and 4 others, “Auditing & Assurance Service”, p.5
Part 2. Government’s Audit and Reporting in the U.S.
In 1990, the passage of the Chief Financial Officers Act imposed on the federal government a requirement that, for the first time in the history of the country, annual department- or agency-wide financial statements must be prepared and that these statements must be independently audited.
In 2002, Congress passed the Sarbanes-Oxley Act, requiring management of publicly traded companies to annually assess and report on their internal controls over financial reporting. This management report had to be evaluated and opined on by the company’s independent auditor in conjunction with the annual audit of the company’s financial statements.2)
1. Who audits
(1) US Government Accountability Office
GAO is a federal agency in the legislative branch, established by Congress in 1921 to be its audit, evaluation, and investigative arm. GAO is completely independent of the executive branch and answerable only to Congress.
Within and outside the auditing profession, GAO is highly regarded for its history of professionalism, independence, and objectivity. Some academics have referred to GAO as the world’s premier audit organization for the quality of its financial audits and for being at the forefront of performance auditing (special-focus audits designed to assess the relative efficiency, economy, and effectiveness of an entity’s operations).
2) Federal Government Auditing, WILEY(2006), pp. 61~62
Government Auditing Standards, first issued by GAO in 1972, were viewed as criteria for audit scopes that better addressed the needs and unique character of governmental auditing. During the 1990s, at GAO’s urging, laws were passed requiring executive branch departments and agencies to revamp and strengthen federal financial management practices, modernize outdated financial systems, implement a government-wide uniform accounting system, and prepare, for the first time in 200 years, annual agency financial statements that had to be independently audited.
(2) Federal Inspectors General
The Inspector General Act of 1978, as amended, created Inspector General offices in federal departments and agencies. Inspectors General of larger federal establishments serve by appointment of the President with the advice and consent of the Senate. They may be removed by the President, who must communicate the reason for the removal to Congress. Inspectors General of smaller federal establishments are appointed to their positions by the heads of their respective agencies or offices.
The Chief Financial Officers Act of 1990 required an agency’s annual financial statements to be audited in accordance with Government Auditing Standards.3)
3) Federal Government Auditing, WILEY(2006), pp. 65~66
Appendix 3 Federal government organization and financial statement reporting flow
* source: FY2015 Financial Report of the United States Government
(3) State and Local Government Auditors
Because the laws affecting the lead auditor position in state and local governments vary, generalization is almost precluded, and difficulty arises in describing the specifics of each lead governmental audit position. In most instances, though, governments have passed enabling legislation for the lead audit position that specifically delineates several aspects of it, such as the nature of appointment, term of office, organizational stature, scope of investigative and audit authority, organizational and reporting independence, and the size and salaries of the employed audit staff. While the lead governmental auditor may be appointed or elected, the staff of the lead auditor are most often career civil service appointments.
(4) State Auditors: Elected or Appointed
The audit authority and responsibility of state auditors can be extensive and include the responsibility to conduct examinations; financial and operational audits; financial statement audits; and special reviews and examinations of state departments, agencies, and offices, and possibly state authorities, commissions, various governing boards, educational institutions, and government contractors and grantees that receive or expend government monies.
(5) Local Government Auditors
Auditors at the county, city, and municipal levels are generally appointed to their positions by the local government’s chief elected executive or by the legislative council or governing body. Almost no lead local government auditor is elected to the auditor’s office. If appointed, the lead local government audit position may be a civil service or merit position. The vast majority of audits performed by these auditors are referred to as financial-related audits, as defined in the Government Auditing Standards. These auditors, being primarily appointed, must make a careful review of the independence provisions of the Government Auditing Standards, particularly provisions relating to circumstances common to these types of audit positions.4)
4) Federal Government Auditing, WILEY(2006), pp. 65~76
* source: University of California, Audit Manual, 2017, p.144
2. Government Audit Reporting (“Yellow Book”-GAGAS)
An audit can serve as a valuable tool in providing transparency into the public sector’s finance and accounting.
Each year, the federal government awards billions of dollars in grants, loans, loan guarantees, property, cooperative agreements, interest subsidies, insurance, food commodities and other noncash assistance, and direct appropriations and federal cost reimbursements which are subject to compliance audit requirements. Often, those audit requirements also require financial statement audits performed under AICPA auditing standards and Government Auditing Standards.
Governmental audits include compliance audits(referred to as single audits) performed under the Single Audit Act Amendments of 1996 and the Office of Management and Budget(OMB) Title 2 U.S. Code of Federal Regulations(CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards(Uniform Guidance), program specific audits as defined under the Uniform Guidance, and other compliance audits and attestation engagements performed as required by federal, state, or local laws and regulations.
Governmental audits also include financial statement audits performed under Government Auditing Standards on entities such as states, local governments, not-for-profit organizations, institutions of higher education, and certain for-profit organizations.5)
When performing audits of government entities or of entities receiving governmental financial assistance, the auditor must consider Government Auditing Standards (GAS), referred to as the “Yellow Book”, a book of standards issued by the Comptroller General of the US. For entities receiving major federal financial assistance (more than $500,000 within a single fiscal year), the Single Audit Act must also be considered.
5) https://www.aicpa.org/interestareas/governmentalauditquality/information-on-governmental-audits.
I will break governmental compliance audits down into three types, all of which include testing compliance with laws and regulations: 1) audits conducted in accordance with GAAS, 2) GAS audits in accordance with GAGAS, and 3) GAS audits performed under the Single Audit Act. These are normally performed in conjunction with financial statement audits.
(1) Audits conducted in accordance with GAAS
Audits conducted in accordance with GAAS apply when a nongovernmental entity has received federal financial assistance, or for a governmental entity that is not required by law to adhere to GAS or the Single Audit Act.
AU 935 6) requires the focus of the audit to be on violations of laws and regulations that have a direct and material effect on the amounts in the organization’s financial statements. The GAO Yellow Book suggests that the scope of a governmental audit should also include the financial statements and consideration of program results, compliance with laws and regulations, and economy and efficiency.
If significant deficiencies in internal control are identified, the auditor is required to report on the scope of the auditor’s testing of internal control and the scope of tests of compliance with laws and regulations. Reporting noteworthy accomplishments of the program or recommendations for actions to improve operations is not required.
6) US Auditing Standards: Statements on Auditing Standards (SAS) issued by the Auditing Standards Board (ASB), the senior technical body of the AICPA designated to issue pronouncements on auditing matters applicable to the preparation and issuance of audit reports for nonissuers. (Source: Roger CPA Review 2013, “Auditing & Attestation”, 2-24)
A standard audit report is normally issued, however if material noncompliance is detected, it is disclosed and treated as a departure from GAAP resulting in a qualified or adverse opinion (disagreement). No compliance report is issued and an internal control report is only issued when significant deficiencies have been identified.
(2) GAS audits in accordance with GAGAS
GAS audits in accordance with GAGAS apply to certain organizations that receive federal financial assistance, depending on the requirements of the program. All the GAAS requirements in (1) above still apply, plus more. The audit report on the financial statements is still required, and a written internal control report and a report on compliance with laws and regulations are also required. Internal control deficiencies, material noncompliance with laws and regulations, and falsification of accounting records should be communicated to legislative and regulatory bodies and to a federal inspector general if the auditee fails to communicate them. A qualified or adverse opinion on compliance would also be issued.
Governmental Auditing Standards(GAS) include designing the audit to provide reasonable assurance of detecting material misstatements resulting from noncompliance with contract provisions or grant agreements that have a direct and material effect on the financial statements. For financial audits, GAS prescribes fieldwork and reporting standards beyond those required by GAAS.
Generally accepted government auditing standards (GAGAS, the Yellow Book) include, in the general standards, requirements as to the qualifications of the staff, independence, due professional care, and quality control. The quality control standard requires an auditor to participate in an external quality review program such as those provided by the AICPA, PCAOB or other agencies. Such a review is performed periodically and results in a report, which must be provided to the party contracting for the audit and may be distributed. When GAS applies, an audit must still conform to U.S. Generally Accepted Auditing Standards (GAAS). In addition, GAS requires:
- A report on internal control
- A report on compliance with laws and regulations
GAS does not impose any additional fieldwork standards. To prove that the general standards have been satisfied prior to acceptance of the engagement, the auditor must provide the client with a quality control review report on the CPA firm’s audit practice which establishes its competence to perform an audit under GAAS and GAS.
The GAO standards of reporting for governmental financial audits require auditors to include in their report either 1) a description of the scope of the auditor’s testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements and the results of those tests or, if sufficient work was performed, an opinion, or 2) a reference to the separate report(s) containing that information. In some circumstances, auditors must report illegal acts directly to parties external to the audited entity.
(3) Single Audits
GAS audits performed under the Single Audit Act are more extensive than (1) and (2) above and are governed by the OMB through its Circular A-133. The Single Audit Act requires certain state and local governments receiving federal financial assistance to engage an auditor to perform a single coordinated audit of the applicable federal financial assistance program requirements. The SAA requires an auditor to report on the financial statements, on compliance with laws and regulations, on compliance with program requirements and on internal controls. Additionally, the SAA requires the auditor to:
- Report on compliance with the general requirements that apply to federal financial assistance programs
- Report on compliance with the specific requirements of major programs
- Report on compliance with the specific requirements of nonmajor federal programs tested
When the Single Audit Act(SAA) applies, the auditor must conform to GAAS and GAS. In addition, the SAA requires tests of both internal control and compliance with laws and regulations related to major federal financial assistance. In these tests, the materiality level is set at the level of each major program rather than the overall financial statements of the entity, so this will involve a greater audit fieldwork effort than a GAAS audit. In addition to the other reports, the SAA requires:
- An opinion on internal control related to each major program
- An opinion on compliance with laws and regulations applicable to each major program
- An opinion on the schedule of expenditures of federal awards
The report on internal control under GAS is similar to the management letter often issued by an auditor in a non-government financial audit. It should indicate that the auditor obtained an understanding of internal control and assessed control risk as part of the audit of the financial statements. It should identify any significant deficiencies discovered during the engagement and indicate whether any are material weaknesses. Deficiencies are normally communicated to the appropriate legislative or regulatory bodies overseeing the entity.
The report on compliance under GAS describes the scope of tests applied by the auditor to identify laws and regulations with a direct and material effect on the financial statements as well as the auditor’s findings. Noncompliance that results in material misstatement of the financial statements must be identified, as well as any illegal acts that may result in criminal prosecution. Once again, communication may be necessary to appropriate legislative or regulatory bodies.
The auditor will obtain the assistance of management of the entity to identify laws and regulations that have a direct and material effect on the financial statements, and the management representation letter must include an assertion by management that it has identified all such laws and regulations. The auditor’s report will indicate that compliance with laws and regulations is the responsibility of management.
An auditor’s audit documentation must provide sufficient support for these additional required reports as well as for the opinion on the financial statements.
When the SAA applies, the auditor is required to perform additional tests and issue audit opinions on internal control, compliance with laws and regulations, and the schedule of expenditures of federal awards. When there are material weaknesses, noncompliance, or misstatements in the schedule, respectively, these opinions may be qualified or adverse, just as in the case of the opinion on the financial statements.
Occasionally, an auditor may engage in a performance audit that is primarily designed to determine the economy, efficiency, and effectiveness of the organization in achieving its goals. Such audits also include consideration of management controls and compliance with laws and regulations related to achieving these goals. The auditor’s report will include the auditor’s findings, identification of potential illegal acts, and the views of relevant officials on the auditor’s findings. The report should include the scope of work on internal control and any deficiencies in internal control that are significant. If fraud or abuse has occurred, this should also be reported as a finding.
All reports issued in connection with audits under GAS and SAA are directed to specific agencies but available for public inspection.
(4) Reporting internal control deficiencies, fraud, illegal acts, violations & abuse
For all financial audit and attestation engagements, auditors must report, as applicable to the engagement objectives, all instances of fraud and illegal acts unless clearly inconsequential, as well as violations of provisions of contracts or grant agreements and abuse that could have a material effect on the financial statements or the subject matter. Where such matters are less than material but more than inconsequential, auditors should communicate them in writing to entity officials. Auditors should also report the following deficiencies in internal control: (a) significant deficiencies; and (b) material weaknesses.7)
Appendix 4 Issuing the independent auditor reports
In general, reports issued in connection with audits of federal agencies in accordance with GAO’s GAS and OMB requirements, particularly OMB Bulletin 01-02, must include:
- The federal auditee’s financial statements
- A report by the auditor on the federal auditee’s internal controls
- A report by the auditor on the federal auditee’s compliance with laws and regulations
- Management letters issued by the auditor to the federal auditee
- Specific-purpose reports that may be required of the auditor
The auditor’s report should state whether the department or agency’s principal financial statements (including related notes) are fairly stated in all material respects in accordance with GAAP, which for federal entities are promulgated by the Federal Accounting Standards Advisory Board (FASAB). The auditor’s opinion or report will usually cover these principal statements:
- Statement of net costs
- Statement of changes in net position
- Statement of budgetary resources
- Statement of financing
- Statement of custodial activity (when applicable)
7) “Auditing & Attestation”, Roger CPA Review (2013), 9-12~9-14
In addition to the above, the auditor will report on required supplementary information, including:
- MD&A (Management Discussion and Analysis)
- Required supplementary stewardship information (e.g., property, plant, and equipment; investments; and social insurance information)
- Required supplementary information8)
8) Federal Government Auditing, WILEY(2006), pp. 241~242
Appendix 5 FY2015 U.S. Federal Government Combined Financial Statements
□ Balance Sheets
□ Statement of Net Cost
□ Statement of Operations and Changes in Net Position
Part 3. Continuous Auditing and Continuous Monitoring
1. Defining Continuous Auditing
(1) Notion of KPMG Accounting Firm
Continuous auditing(CA) is the collection of audit evidence and indicators by either the external auditor or the internal auditor in information technology(IT) systems, processes, transactions and controls on a frequent or continuous basis throughout a period.
Continuous monitoring(CM) is a feedback mechanism used by management to ensure that controls operate as designed and that transactions are processed as described. This monitoring method is the responsibility of management and can form an important component of the internal control structure.9)
One of the significant challenges facing internal(external) audit, control specialists, enterprise risk management teams, and business managers all over the world is being able to understand what continuous auditing is and how the approach can be used effectively.
(2) Notion of ISACA
① CA has been defined as a methodology or framework that enables auditors(external and internal) to provide written results on the subject matter using one or a series of reports issued simultaneously. The ability to report on events in a real-time environment can provide significant benefits to the users of audit reports. CA is therefore designed to enable auditors to report on subject matter within a much shorter timeframe than under the traditional model. Theoretically, in some environments it should be possible to decrease the reporting time frame to provide almost instantaneous auditing.
9) Continuous auditing and continuous monitoring: The current status and the road ahead, KPMG’s EMA region survey, 2012
In the traditional audit model used by internal and external auditors, a period of time passes between the completion of fieldwork and issuance of the audit report. In many instances, the impact of this delay makes the information contained in the report less useful or beneficial to the user. This is caused by the historical nature of the information contained in the report, which can be affected by such issues as auditee corrections to identified deficiencies, and deterioration in the control environment(or related auditee data) resulting from identified control weaknesses or from significant subsequent events that materially affect the original audit opinion.
In the external audit world, the ability to provide audit level auditing on real-time financial information could have a significant impact on an organization's market capitalization and on its cost of capital. In fact, Harvey Pitt, chairman of the US Securities and Exchange Commission, said in a recent speech that "(We) need to move toward a dynamic model of current disclosure of unquestionably material information." Furthermore, there is no doubt that the value of that information, when accompanied by an external audit opinion, will be enhanced.
In the internal audit world, the ability to provide management with real-time auditing on the functioning of controls and on financial transactions can enhance significantly management's ability to make key business decisions.
② CM allows an organization to observe the performance of one or many processes, systems or types of data. In many respects, continuous monitoring systems are similar to executive information systems. Executive information systems are designed to provide users with summary information about an organization's transactions, such as daily sales volume, orders received and shipments. Continuous monitoring systems provide similar information on processes, systems and data. For example, one large telecommunication company has made significant investments in continuous monitoring systems designed to monitor daily transaction volume. These systems identify fluctuations in call volume and help ensure all placed calls are billed. In fact, they even identify possible situations where call fraud, such as a stolen calling card, is occurring. Other organizations have developed continuous monitoring systems that monitor accounts payable and cash disbursement activity. These systems are designed to look for double payments by comparing invoice numbers, vendor numbers and payment amounts to paid invoice files.
The end result of continuous monitoring is to obtain information about the performance of a process, system or data, not the issuance of an audit report.
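The accounts payable check described above, comparing each new disbursement with the paid invoice file on vendor number, invoice number and amount, as an added Python example. It is not code from this report or from any monitoring product the report discusses; the invoice and payment records are constructed for illustration, and the normalization of invoice numbers (dropping punctuation and case) is an assumption about how such a check would be tuned so that a reformatted invoice number does not slip past the comparison.

```python
"""Continuous-monitoring check for duplicate vendor payments.

Constructed example: each new cash disbursement is compared against the
file of already-paid invoices on (vendor number, invoice number, amount).
All records below are invented sample data, not real transactions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    vendor_no: str
    invoice_no: str
    amount: float        # a real system would use Decimal or integer cents
    payment_id: str


# Constructed sample of invoices already paid (the "paid invoice file").
PAID_INVOICES = [
    Payment("V100", "INV-2017-001", 1250.00, "P1"),
    Payment("V100", "INV-2017-002", 380.50, "P2"),
    Payment("V200", "INV-7788", 9900.00, "P3"),
]

# Constructed sample of today's disbursement run.
NEW_PAYMENTS = [
    Payment("V100", "INV-2017-001", 1250.00, "P4"),  # exact repeat of P1
    Payment("V200", "INV-7788", 9900.00, "P5"),      # exact repeat of P3
    Payment("V200", "INV 7788", 9900.00, "P6"),      # same invoice, reformatted
    Payment("V300", "INV-0001", 42.00, "P7"),        # genuinely new
]


def normalize_invoice(inv: str) -> str:
    """Collapse formatting noise so 'INV 7788' and 'inv-7788' compare equal.
    Assumed tuning step, not something the report prescribes."""
    return "".join(ch for ch in inv.upper() if ch.isalnum())


def payment_key(p: Payment) -> tuple:
    """The comparison key named in the text: vendor, invoice, amount."""
    return (p.vendor_no, normalize_invoice(p.invoice_no), round(p.amount, 2))


def find_duplicate_payments(paid, new):
    """Return (new_payment, earlier_payment) pairs whose key matches an
    already-paid invoice or an earlier item in the same run."""
    seen = {}
    for p in paid:
        seen.setdefault(payment_key(p), p)
    duplicates = []
    for p in new:
        k = payment_key(p)
        if k in seen:
            duplicates.append((p, seen[k]))
        else:
            seen[k] = p          # first occurrence; later repeats hit it
    return duplicates


def duplicate_exposure(duplicates) -> float:
    """Total amount that would be paid twice if the run went out unchanged.
    This is the summary figure a monitoring report would carry."""
    return round(sum(p.amount for p, _ in duplicates), 2)


if __name__ == "__main__":
    dups = find_duplicate_payments(PAID_INVOICES, NEW_PAYMENTS)
    for new, earlier in dups:
        print(f"{new.payment_id} duplicates {earlier.payment_id}: "
              f"{new.vendor_no} {new.invoice_no} {new.amount:.2f}")
    print("exposure:", duplicate_exposure(dups))
```

Note that, as the next paragraphs explain, this output is management's monitoring information: it tells the process owner which items to hold, but an auditor relying on it would still need to test the underlying invoices and approvals directly before concluding on the control.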
As a result, there are key differences. The first difference is in the type and sufficiency of evidence generated by continuous monitoring systems. Attestation standards issued by the American Institute of Certified Public Accountants(AICPA) state that, "Sufficient evidence shall be obtained to provide a reasonable basis for the conclusion that is expressed in the report(Many countries have standards with similar wording.)." These attestation standards further state that evidence obtained from independent sources provides the highest level of proof, as does evidence obtained from direct examination. Information obtained from an IS auditor's direct personal knowledge(such as through physical examination, observation, computation, operating tests or inspection) is more persuasive than information obtained indirectly. Information from a continuous monitoring system provides indirect information about the performance of a process, system or data, whereas information obtained through an IS auditor's observance of a process or system, reperformance of a control, or testing of data provides direct evidence about the process, system or data.
In a continuous auditing engagement, the IS auditor's objective is to accumulate sufficient evidence to reduce risk to a level that is, in the practitioner's judgement, appropriately low for the high level of auditing imparted by the report. This means that an IS auditor must select procedures that provide sufficient evidence about a particular subject matter. The type of procedures performed is based on the IS auditor's assessment of inherent, control and detection risk. The extent to which selected procedures are performed is based on factors such as materiality, risk of errors and likelihood of misstatements. Information provided by continuous monitoring systems can provide IS auditors with significant information about a process, system or data, but due to its indirect nature, that information alone would not be sufficient in a continuous auditing engagement.
The second issue with continuous monitoring systems is more fundamental. The monitoring of processes and systems is a management function. AICPA audit standards state, in part, "Management monitors controls to consider whether they are operating as intended." This clearly indicates that the monitoring of processes, systems and data is a management control function. When an IS auditor performs a management control function, independence is impaired. As a result, the use of continuous monitoring systems by IS auditors may create situations where the IS auditor's independence is impaired.
For example, consider an environment where management uses the monitoring system, evaluates its output, identifies error conditions and responds to those errors. If the IS auditor tests the use of the monitoring system by management, then independence should be preserved. However, if the IS auditor identifies the error condition and alerts management, then independence would be impaired. In that situation, the IS auditor performed the management control function, not management.10)
(3) Empirical idea of CA
Continuous auditing is one of the many tools used within the audit profession to provide reasonable assurance that the control structure surrounding the operational environment is:
• Suitably designed
• Established
• Operating as intended
1) Suitably designed
Auditors and control experts use the term “suitably designed” constantly when discussing control testing, but does everyone using the term truly understand what it means? When considering whether a process or control is suitably designed, you must be able to examine the supporting process documentation or clearly written policies and procedures. In the examination of the information, you should be able to identify the process flow, checkpoints, and required reviews necessary to ensure the process flows along its desired path. “Suitably designed” also implies there are documented policies and procedures detailing this process flow. These procedures should be examined to determine a sufficient level of documentation. In making this determination, a reasonableness test is applied that basically asks whether a reasonable person, without intimate knowledge of the area, would be able to follow the process and execute the tasks required. As anyone does when looking for sufficient evidence, examine the procedures and consider if there is enough detail included to perform the work. One of the difficult aspects of reviewing policies and procedures is that well over 50 percent of the time the documentation is out of date. In this situation, the reviewer will be required to perform additional steps to determine if the process is suitably designed. Those steps could include facilitating meetings with key process personnel to gain an understanding or creating detailed process maps or flowcharts. In the end, the goal is to be able to make a conclusion, based on examined information, that the process has been suitably designed.
10) Information Systems Control Journal, Volume 5, 2002
Another component to consider when discussing design is the application and use of controls. In the review of the process documentation, there should be evidence of specific control activity. In other words, can you identify control points in the process where information is validated, reviewed, and/or approved before moving to the next critical step in the process? Control identification is critical in continuous auditing because the “key” controls are going to be the ones selected to test using the continuous methodology. To simplify the key control concept, this type of control holds the process together tightly in an effort to ensure that the desired outcome is achieved as long as the process does not deviate from the established design. To further the explanation, consider that if this type of control fails, one of two things will happen: Either the process will come to a complete stop or the process’s final result will be incorrect. Controls govern the flow of information and provide assurances to protect the outcome.
Additionally, a truly suitably designed process will include parameter requirements, established reporting, and a timely deliverable. Parameter requirements establish an upper and lower control limit. Every single control in every business process has control limits. Control limits provide the minimum (lower) and maximum (upper) range of acceptable performance. These limits communicate the range in which the business unit team must perform their assigned responsibilities. Without specific limits, there would be no way to determine whether the process was operating efficiently and effectively. As an example, when the accounts payable manager says that all expense reports submitted will be processed and submitted for payment within one to three days of being received, he is providing the control limits for expense report processing. That range of one to three days provides the control limits or standard for receiving, reviewing, and approving an expense report for payment. Each suitably designed process will have these control limits to provide accountability and guidance for the team. Without control limits, there would be no accountability for performance, which would make it almost impossible to audit with a standard for comparison.
Once the limits have been identified, examine the design of the process to determine if there are any reports generated to measure the process against the standard. In a suitably designed process, reports will be created that detail the effectiveness of the control environment to meet the standard created in the policies and procedures. These reports will also help in developing a focus for potential continuous auditing tests. The timely component mentioned earlier ties to both the reporting and the delivery of the end product. Having reporting as part of the process design is a must, but it won’t help the business quickly identify potential problems or create solutions if it is not timely. If the process being considered processes items multiple times a day, every day, receiving performance reports on a monthly basis will not be very valuable. The same can be said about daily processes that just cannot meet the daily demand. If a process does not have timely reporting or cannot deliver a timely product, usually the design is flawed, not the personnel supporting the effort. You have to consider all of these factors when identifying a target area that would be suitable for a continuous audit.
2) Established
The next consideration after determining whether something is suitably designed is determining whether the controlled process is established. This verification may seem simple, but it is mission critical in the preparation stage of developing a value-added continuous audit process. When trying to identify if a control structure is established, you need to verify that the process described in the policies and procedures or documented in the work flow is the actual process in place today. Too often a business unit has detailed policies and procedures that are not representative of the day-to-day operational process. The documentation of the current process is considered a low priority for the business unit due to their daily responsibilities taking precedence over the scripting of their activities. If the controlled process does not agree with the documented process requirements, identifying the control points that should be tested as part of a continuous audit is very difficult.
When presented with the scenario of the actual business process not agreeing with the policies and procedures, it will be necessary to understand and document the current process flow before attempting to develop an approach for continuous auditing. It is not that you would be unable to create a continuous audit without knowing the process was established: why would you want to test or verify a process control that is no longer critical or even applicable to the actual business process being executed on a daily basis? For the continuous audit tool to be effective and deliver the expected value, it must be based on the current control process in place and operating today. So when you are examining a department’s policies and procedures, ensure that the documented process agrees with what the staff currently is executing. Once that step has been completed, it will be easier to identify and select the critical controls that govern the process in producing its results.
Another point to consider regarding an established process is the communication of the process requirements. With the speed of business and the demands of customers increasing at an almost daily rate, it is critical to understand how business units communicate changes in the process requirements and/or control limits. Very often, processes change without a formal communication plan. Without a plan to verify that all parties are aware of the change, it is not possible to ensure compliance. Communication within a business unit impacts the processing team’s ability to deliver responsible, reliable results. Ensure that you verify how process rule changes are communicated within a team before selecting it for a continuous audit. This advance knowledge will reduce the amount of potential rework as well as the number of false positives.
3) Operating as Intended
The last component of the definition probably seems to be the easiest one to verify. Pretty simple question: Is the process operating as intended? What this question really is asking is, is the process creating a result? It is a yes-or-no question. It is straightforward and doesn’t really require any interpretation. You must consider one simple nuance before rushing to answer what appears to be the simplest of questions. First consider this: Everyone will agree that each process, business activity, or task will produce a result. However, what the question is really asking is this: Is the process producing the expected result? After all of the activities have been completed, the question to be asked is this: Did the proper, expected deliverable occur? When a continuous audit is created according to the methodology, it will provide the data and supporting evidence to conclude on the effectiveness and efficiency of the specific controls selected for review. It will confirm or deny that the established process is producing the expected results.
It is important to have a clear understanding of the definition of continuous auditing before racing out to make your first selection. Not only is it required prior to creating your continuous auditing methodology, but it is also necessary for you and your team to have a standard definition that can be clearly explained to your clients when asked.
2. Differentiating Continuous Auditing from Continuous Monitoring
The next step in understanding continuous auditing(CA) is differentiating continuous auditing from continuous monitoring(CM). Many business units, internal audit teams, and risk professionals believe they are performing continuous auditing when in actuality they are not. By definition, they have implemented continuous monitoring. For example, consider a business unit that has created some form of continuous monitoring mechanism that provides activity reports detailing the business process activity that the business unit owns or is trying to evaluate. The business unit begins by selecting their main process, obtaining the applicable process volumes, dollars, or man-hours. Once these figures have been compiled, they are compared to the target range or benchmark to determine whether the total number fits within an acceptable range of performance. The process of matching totals to their target or benchmark is not continuous auditing. Without performing any validation testing of the compiled data, it would not be possible to ensure that the key control or controls surrounding the process are working effectively to deliver the expected outcome. To conclude on control effectiveness confidently, testing must be performed. Let’s continue this example and turn the monitoring process described into a continuous audit process. Taking the same report that summarized the volumes, dollars, or man-hours would be a quick reference point from which to select the area for testing. Even if all of the data indicated the process appeared to be working effectively (because all information obtained fell within the target area of acceptable performance), testing would have to be performed to validate that the data, which appears effective or efficient, belongs within the acceptable range as the report indicates. It is not possible to conclude, from a continuous audit perspective, that a process control is operating effectively without performing detailed testing on the control environment for a period of time. That is the only way the process can be proven to produce repeatable, reliable results.
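An added Python example, not taken from this report or from any tool it describes, that puts two passages of this Part side by side: the control limit from the expense report example in section 1 (reports submitted for payment within one to three days of receipt) and the distinction just drawn between monitoring and auditing. The monitoring summary compares an aggregate to the benchmark, exactly as the business unit in the paragraph above does; the continuous audit test then examines every record against the control. The expense report records, dates, field names and approver identifiers are constructed, and the "approval recorded" check is an assumed second key control, not one the report names.

```python
"""Control limits, a monitoring summary and a continuous-audit test for
expense report processing. Constructed example; sample data is invented.

Control limit taken from the text: one to three days from receipt of an
expense report to its submission for payment.
"""
from datetime import date
from statistics import mean

LOWER_LIMIT_DAYS = 1   # lower control limit (days)
UPPER_LIMIT_DAYS = 3   # upper control limit (days)

# Constructed sample: one week of expense reports (not real data).
# Fields: id, date received, date submitted for payment, approver recorded.
EXPENSE_REPORTS = [
    {"id": "ER-01", "received": date(2017, 3, 6), "submitted": date(2017, 3, 7),  "approver": "mgr1"},
    {"id": "ER-02", "received": date(2017, 3, 6), "submitted": date(2017, 3, 8),  "approver": "mgr1"},
    {"id": "ER-03", "received": date(2017, 3, 6), "submitted": date(2017, 3, 6),  "approver": "mgr2"},  # same day
    {"id": "ER-04", "received": date(2017, 3, 7), "submitted": date(2017, 3, 13), "approver": "mgr2"},  # 6 days
    {"id": "ER-05", "received": date(2017, 3, 8), "submitted": date(2017, 3, 9),  "approver": ""},      # no approver
    {"id": "ER-06", "received": date(2017, 3, 8), "submitted": date(2017, 3, 10), "approver": "mgr1"},
]


def processing_days(report) -> int:
    """Days between receipt and submission for payment."""
    return (report["submitted"] - report["received"]).days


def monitoring_summary(reports) -> dict:
    """What management's monitoring report shows: one aggregate figure
    (average processing time) compared with the benchmark range."""
    avg = mean(processing_days(r) for r in reports)
    return {
        "count": len(reports),
        "avg_days": round(avg, 2),
        "within_limits": LOWER_LIMIT_DAYS <= avg <= UPPER_LIMIT_DAYS,
    }


def continuous_audit_test(reports) -> list:
    """What the continuous audit adds: every record is tested against the
    control limits and against the assumed approval control. Returns
    (report id, reason) pairs; an empty list means no exceptions."""
    exceptions = []
    for r in reports:
        d = processing_days(r)
        if d < LOWER_LIMIT_DAYS:
            # Below the lower limit: the item may have skipped review,
            # so it is flagged for follow-up rather than treated as good.
            exceptions.append((r["id"], f"below lower control limit ({d} days)"))
        elif d > UPPER_LIMIT_DAYS:
            exceptions.append((r["id"], f"above upper control limit ({d} days)"))
        if not r["approver"]:
            exceptions.append((r["id"], "no approval recorded before payment"))
    return exceptions


if __name__ == "__main__":
    print("monitoring summary:", monitoring_summary(EXPENSE_REPORTS))
    for rid, reason in continuous_audit_test(EXPENSE_REPORTS):
        print(f"exception {rid}: {reason}")
```

With this sample the average is 2.0 days, so the monitoring summary reports the process as within limits, while the per-record test returns three exceptions (ER-03, ER-04, ER-05). That gap is the point of the paragraph above: the totals matched the benchmark, but only testing the compiled data shows whether the control actually operated on each item.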
Table 2 further illustrates the differences between CA and CM. Table 2 first identifies the process owner. It is important for all parties involved to understand and agree that management owns monitoring. Management has a responsibility to provide oversight of the process it owns. This oversight should be able to provide a status of the key process deliverables on demand. What that means is that management has the ability to produce status updates of its process at any time during the day, week, or month in which it is requested. If the information is not readily available, how does management run the operation and adjust to changes in demand, availability, or client needs when appropriate? It would seem difficult, if not impossible, to effectively manage an operation without a formal reporting process in place to support the business. If a person encounters an area without management reporting, consider whether this area is ready and willing to commit to a continuous audit. The reason for the skepticism is that without standard monitoring reports, the business owner may struggle when trying to discuss the critical controls and convey the established control limits supporting the process potentially under review. Be cautious in this situation, and be sure to communicate client expectations and the objective of the continuous audit.
Just by name alone, it would appear that internal audit owns continuous auditing. Although that is true initially, many times established continuous auditing tests are developed and executed by internal audit and then handed over to the business unit to use as part of its self-assessment process. Although it may be common for continuous auditing tests to be given over to the business unit for its use, it is very rare for the business to give internal audit one of its monitoring procedures. Any business unit can execute the continuous audit work as a proactive measure to identifying potential opportunities for improvement and trends in the workload.
Next, review the definition of continuous auditing and monitoring in Table 2. Monitoring is management’s primary tool to meet its fiduciary responsibility for oversight of the operation. As the owner, management must maintain the quality of the process and institute checks and balances to ensure that the process is as efficient and effective as possible while meeting business, regulatory, and client demands. Management will not be successful in this endeavor without a monitoring process. One word of caution regarding business unit monitoring: For the monitoring to be effective, it must be formal. Business owners who say things like “I trust my people” or “That will never happen to me” are managing by feel and experience. That approach is dangerous and has been proven to work only for so long before something negative impacts the business. The best way to manage and monitor any process is by obtaining data and analyzing it to verify that it is complying with the process standards.
Here is another summation definition more from a nonaudit perspective. This type of definition is one that could be provided to a potential client to explain the concept more easily: Continuous auditing is another method to verify that the critical controls in a business unit process are working effectively.11)