By Peter Miller
Lately there has been resurgence in the topic of Continuous Auditing and Continuous Monitoring (CA/CM). Some great articles have hit the press on what different organizations have been doing in this area and the benefits they have achieved. I especially like the article that was published in CFO.com about Talecris Biotheraputics, a $1.4 billion provider of injectionable medical treatments and their Continuous Controls Monitoring implementation.
This article highlighted a number of key points that have been debated ever since the notion of continuous analysis was introduced. The point that comes up time and again is, “Who is – or should be – responsible for implementing Continuous Monitoring and how does that relate to Continuous Auditing?” In the case of Talecris, the Internal Audit department understood that they were walking a fine line between ensuring their independence from management and getting involved in a monitoring activity that should be owned by management. As stated by Mary Ann Tourney, their Director of Internal Audit, “We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them monitor it.” Tourney goes on to state, “We don’t troubleshoot what goes wrong; we send them a note saying, here’s what came out of testing, can you please explain it?”
Talecris was able to establish a balance between Audit and Management that enabled them to move forward and achieve significant benefits, both in terms of hard dollars and increased assurance. And for this they are to be applauded. I hear far too often that, “This isn’t my responsibility, so I’m going to go back to doing my audit.” Well, guess what? Internal Audit departments don’t exist just to do audits. They exist to provide objective assurance and consulting activities designed to add value and improve an organization’s operation.
Don’t believe me? Check out the IIA’s definition of Internal Auditing
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Find out more: ACL Blog