AUDIT ANALYTICS and CONTINUOUS AUDIT AUDIT ANALYTICS AICPA Assurance Services Executive Committee The mission of the AICPA Assurance Services Executive Committee (ASEC) is to assure the quality, relevance, and usefulness of information or its context for decision-makers and other users by (1) identifying and prioritizing emerging trends and market needs for assurance, and (2) developing related assurance methodology guidance and tools as needed. ASEC achieves its mission by: providing guidance and leadership in identifying and prioritizing significant emerging assurance trends and market needs while engaging users, preparers, and influencers toward action; AUDIT developing assurance guidance by creating suitable criteria when necessary, and/or performance guidance, as appropriate; ANALYTICS communicating new assurance methodologies, guidance, and and opportunities to our members and the profession on a global basis; and creating alliances with industry, government, or other specialized groups to improve CPA access to new assurance opportunities. CONTINUOUS For additional information on the AICPA’s Assurance Services Executive Committee please visit aicpa.org/ASEC. AUDIT AICPA Business Reporting, Assurance and Advisory Services Team Looking Toward the Future The overarching role of the AICPA’s Business Reporting and Assurance & Advisory Services Team is to provide leadership oversight, direction and visioning for emerging business reporting and assurance issues and initiatives that are identified and addressed through input from AICPA members, committees and staff. For more information on the Business Reporting, Assurance and Advisory Services Team initiatives, please visit aicpa.org/AAServices. aicpa.org | cpa.com AUDIT 17970-344_Audit Analytics_final.indd All Pages 7/9/15 10:14 AM ANALYTICS AUDIT ANALYTICSand CONTINUOUS AUDIT Looking Toward the Future 17970-344 17970-344_Audit Analytics_TitlePage.indd 1 7/9/15 10:16 AM Notice to Readers Audit Analytics and Continuous Audit: Looking Toward the Future does not represent an official position of the American Institute of Certified Public Accountants, and it is distributed with the understanding that the author and publisher are not rendering legal, accounting, or other professional services in the publication. This book is intended to be an overview of the topics discussed within, and the author has made every attempt to verify the completeness and accuracy of the information herein. However, neither the author nor publisher can guarantee the applicability of the information found herein. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Copyright © 2015 by American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please email [email protected] with your request. Otherwise, requests should be written and mailed to the Permissions Department, AICPA, 220 Leigh Farm Road, Durham, NC 27707-8110. 1234567890SP198765 ISBN: 978-1-94354-608-4 NOTICE TO READERS This publication has not been approved, disapproved, or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought. iii TABLE OF CONTENTS Page Preface xi Acknowledgements xiii Author Biographies xv Part I Essays 1 Continuous Auditing—A New View 3 Nancy Bumgarner, Miklos A. Vasarhelyi 1. Introduction—Continuous Assurance the Theory 3 1.1 Continuous Process Auditing 4 1.2 Conceptualizing Various Elements of CA 6 1.3 Guidance on Continuous Auditing 13 2. The Elements of Continuous Assurance Revisited 13 2.1 Continuous Auditing Versus Continuous Monitoring 13 2.2 The Elements of Continuous Audit 17 3. Information Technology and the Auditor 19 3.1 Evolving Database Audit Conceptualization 22 3.2 Incremental Technological Change 23 3.3 The Audit Data Standard 24 4. The New Continuous Audit 26 4.1 Assurance Level 28 4.2 Time Focus 29 4.3 Time Interval 30 4.4 Data Source 31 4.5 Chosen Procedure 32 4.6 Choice of Assertion 33 4.7 Analytic Method 33 4.8 Assurance Entity 35 5. Questions Regarding Some Auditing Concepts in the Modern Environment 35 5.1 Stochastic Opinion Rendering in a World of Statistics 36 5.2 New Audit Products 37 5.3 Management, Control, Assurance, and Other Meta-Processes Confusion of Concepts 38 5.4 Independence 39 v CONTENTS Page 1 Continuous Auditing—A New View—continued 5.5 Migration of Functions to Automation 39 5.6 The Audit Ecosystem 42 6. Conclusions 46 6.1 The New CA 47 References 49 2 The Current State of Continuous Auditing and Continuous Monitoring 53 Paul Eric Byrnes, Brad Ames, Miklos Vasarhelyi Introduction 53 Current Environment 54 Products and Services 55 Promotion Efforts 56 Skills Required 57 Supplemental Findings 58 Conclusions 59 References 60 Appendix—Continuous Auditing and Continuous Monitoring in Action 60 Introduction 60 SAP Key Performance Indicator 61 DSAS/Audit Command Language 61 DSAS Database 61 Dashboard Feature 63 3 Evolution of Auditing: From the Traditional Approach to the Future Audit 71 Paul Eric Byrnes, Abdullah Al-Awadhi, Benita Gullvist, Helen Brown-Liburd, Ryan Teeter, J. Donald Warren, Miklos Vasarhelyi Introduction 71 A Brief History of Auditing in the United States 72 The Traditional Audit 76 Automating the Audit 77 The Future Audit 78 Embedded Audit Modules 79 Monitoring and Control Layer 80 Audit Data Warehouse 81 Audit Applications Approach 81 vi CONTENTS Page 3 Evolution of Auditing: From the Traditional Approach to the Future Audit—continued Other Future Audit Considerations 82 Conclusion 83 References 84 4 Reimagining Auditing in a Wired World 87 Paul Eric Byrnes, Tom Criste, Trevor Stewart, Miklos Vasarhelyi Overview 87 Introduction: Blue Sky Scenario 88 Using Technology to Transform Auditing 91 Technology Enablers 91 Audit Opportunities 92 More Effective Audit Data Analytics 92 More Assurance 95 Auditing With Big Data 96 Continuous Auditing, Continuous Assurance 97 More Effective Fraud Detection 98 Reducing False Positives 98 Audit Process Re-Engineering: An Example 99 Making It Happen 100 Encouraging Audit Research and Development 100 Providing Guidance and Updating Auditing Standards 101 Encouraging and Recognizing New Resource Models 101 Blue Sky Scenario Revisited 102 References 102 5 Data Analytics for Financial Statement Audits 105 Trevor R. Stewart Abstract 105 The Audit Context 105 DA and Generally Accepted Auditing Standards 106 Audit Applications of DA 108 Understanding the Entity, and Risk Assessment 108 Performing Substantive Analytical Procedures 109 Analyzing and Testing Populations of Detailed Transactions and Balances 110 Considering and Testing for Fraud 111 vii CONTENTS Page 5 Data Analytics for Financial Statement Audits—continued Testing the Operating Effectiveness of Internal Control 112 Inquiry 112 A Look Ahead: Cognitive Computing in the Age of Big Data 112 Utilizing Big Data 112 Cognitive Computing 113 Upping Our Game 114 Illustrative Examples 115 Example 1: Simple DA Visualization 115 Example 2: Financial Ratio Peer Analysis 120 Multivariate Ratio Analysis 125 References 128 6 Managing Risk and the Audit Process in a World of Instantaneous Change 129 Paul Byrnes, Gerard Brennan, Miklos Vasarhelyi, Daehyun Moon, Satyajeet Ghosh Abstract 129 Introduction 130 CRMA Architecture—Overview 130 CRMA—General Process 132 CRMA—More Detailed Considerations 133 Risk Identification and Analysis 133 KRI Development and Implementation 134 Auditor Response to Changing Risk Levels 136 Management Response to Changing Risk Levels 137 Hypothetical Illustration of CRMA in Use 138 Systematic Implementation of Risk Management and Assessment in a Process 139 Conclusion 142 References 142 Part II Case Studies A Developing Continuous Assurance at Siemens 147 Ann F. Medinets, Jason A. Gross, Gerard (Rod) Brennan Traditional Internal Audit 148 Continuous Controls Monitoring 148 viii CONTENTS Page B Implementing Continuous Auditing and Continuous Monitoring in Metcash—Change, Capabilities, and Culture 157 Glen Laslett, Catherine Hardy Introduction 157 Value Proposition: Identifying the Need and Addressing the Business Challenge 158 The Importance of Architecture 159 Definitions and Applications of CA/CM in Metcash 161 An Example Application: The Leave Continuous Monitoring Routine (CMR) 162 Moving Forward—Key Risk Indicators 163 Challenges and Lessons Learned 164 Conclusion 166 References 166 C Increasing Audit Efficiency Through Continuous Branch KPI Monitoring 169 Carlos Elder de Aquino, Eduardo Miyaki, Nilton Sigolo, Miklos A. Vasarhelyi, Paul E. Byrnes Abstract 169 Introduction 170 The Process at SAB 170 Potential Enhancements 171 Conclusions 172 References 172 D Implementing Continuous Monitoring at Vodafone Iceland 175 Mar´ıa Arthursd´ ottir,´ Horður¨ Mar´ Jonsson,´ Sindri Sigurjonsson´ Introduction 175 Continuous Monitoring in Vodafone Iceland 176 Revenue Leakage 177 Process of Monthly Financial Closing 178 The Billing Process 179 Fraud Monitoring 181 Customer Relationship Management 181 Culture Change and Enhanced Quality of Work Flow 182 Challenges