By John Verver, CA, CISA, CMC, Vice President Product Strategy and Alliances at ACL Services Ltd.
Surveys of the internal audit profession have repeatedly ranked increased use of technology – specifically for audit analytics, continuous auditing, continuous monitoring, and fraud detection – among auditors' top priorities. Although many of these techniques overlap, it is generally agreed that continuous monitoring is management's responsibility, as part of its mandate for managing risk and maintaining effective control systems.
Based on its own experience with using data analysis technology, internal audit is often able to demonstrate to management the benefits of transactional testing to identify instances of fraud, error, and abuse, as well as to determine the effectiveness of financial application and other internal controls. As long as auditors are able to maintain appropriate objectivity and independence, they also can advise management on how to best implement continuous monitoring of financial and operational transactions.
Numerous technology issues need to be addressed to implement such a transaction-testing system successfully. A primary issue is identifying and accessing the data required to perform the analysis. Another is building a library of tests that identify transactions that have either evaded financial control systems or those for which no effective control had been designed in the first place. Beyond these technology issues, organizations seeking the greatest benefit from automated transaction testing also must address three common challenges relating to processes and people.
If a transaction monitoring system identifies hundreds or thousands of exceptions on a regular basis, it is almost inevitable that the people tasked with follow-up will disengage from the process. When a control test is first implemented, it is common to discover that certain transactions are legitimately treated differently from others, or that the underlying business process does not actually work as expected. The monitoring system may therefore flag transactions as exceptions even though they represent no real control risk. It also may detect large numbers of control violations in which the amount of the error is relatively insignificant.
The simplest approach to addressing these issues is to establish monetary thresholds in the tests so that, initially at least, they identify only the most material exceptions. Another approach is to focus on cases where the same transaction failed multiple control tests. This can be a good indication of a significant problem – particularly if few transactions fail multiple tests. For example, a single purchase and payment transaction may be flagged as a split purchase order, as not matching the goods received, and as approved for payment by the same person who entered the invoice details. If the monetary amounts involved are material, this is clearly a high-risk transaction that warrants an immediate response. Those responsible for implementing the monitoring system also should plan an iterative process in which results are analyzed and tests fine-tuned so that they identify only true exceptions representing a real financial control risk.
The question of what is meant by continuous monitoring has been debated for some time. In practice, the answer is straightforward. Continuous monitoring is almost never conducted in real time and is not truly continuous. Instead, it is transactional testing that is performed on a regular basis at a frequency that allows for an appropriate response time to critical exceptions. For example, testing purchase-to-pay transactions for U.S. Foreign Corrupt Practices Act violations could mean daily processing. Payroll testing is likely to be on a time frame aligned with payroll processing – weekly, biweekly, or monthly. Journal entry testing is probably performed on a monthly basis – except, perhaps, for those that meet certain critical high-risk criteria.
One way to determine a testing frequency that appropriately combines efficiency with effectiveness is to balance risk against the effort required to monitor and investigate the exceptions identified. In other words, are the risk and expense of an error becoming irreversible, or of a fraud being repeated, greater than the cost of investigating and remediating more promptly? If the answer is "yes," then there is a good argument for testing more frequently.
One of the significant issues to address is “whose job is it?” In practice, most transaction monitoring systems route specific exceptions to specific individuals based on their roles and responsibilities. Implementation of an exception management system involves defining the workflow and the individuals involved. Access to the system is usually through a Web browser supported by email notifications. Most systems also involve escalation procedures that route exceptions to more senior management in the event that they are not resolved satisfactorily within a given time frame.
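As an added illustration (not the article's or any vendor's code) of the exception-management workflow just described, the block below routes each exception to a role based on the control test that raised it, and escalates any exception that stays open past a service-level deadline to the next role up the chain. The routing table, escalation chain, five-day deadline, and sample exceptions are all assumptions.

```python
"""Added example: role-based routing of control exceptions with time-based escalation.
Routing table, escalation chain, SLA and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed first-line owner for each control test.
ROUTING = {
    "sod_violation": "ap_supervisor",
    "no_receipt_match": "ap_supervisor",
    "split_po": "procurement_manager",
}
# Assumed escalation chain: current role -> next role up. Roles absent here are the top.
ESCALATION = {
    "ap_supervisor": "controller",
    "procurement_manager": "procurement_director",
    "controller": "cfo",
    "procurement_director": "cfo",
}
SLA = timedelta(days=5)   # open with the same assignee for this long -> escalate one level


@dataclass
class ControlException:
    exception_id: str
    invoice_id: str
    test_name: str
    raised_at: datetime
    assignee: str = ""
    status: str = "open"          # "open" or "resolved"
    history: list = field(default_factory=list)   # (timestamp, event) audit trail


def route(exc):
    """Assign the exception to the role that owns first-line follow-up for its test."""
    exc.assignee = ROUTING[exc.test_name]
    exc.history.append((exc.raised_at, f"routed to {exc.assignee}"))
    return exc.assignee


def escalate_overdue(exceptions, now, sla=SLA):
    """Move every open exception that has sat with its current assignee for at least
    the SLA one step up the chain. Returns the ids escalated in this run."""
    escalated = []
    for exc in exceptions:
        if exc.status != "open":
            continue
        assigned_at = exc.history[-1][0]          # last routing/escalation timestamp
        if now - assigned_at >= sla and exc.assignee in ESCALATION:
            exc.assignee = ESCALATION[exc.assignee]
            exc.history.append((now, f"escalated to {exc.assignee}"))
            escalated.append(exc.exception_id)
    return escalated


def resolve(exc, now, note):
    """Close the exception and record the remediation note in the audit trail."""
    exc.status = "resolved"
    exc.history.append((now, f"resolved: {note}"))


def demo():
    """Constructed scenario: three exceptions raised on the same day, one resolved in
    time, two left unattended until they reach the top of the chain."""
    t0 = datetime(2024, 3, 7, 8, 0)
    excs = [
        ControlException("EX-1", "INV-1001", "sod_violation", t0),
        ControlException("EX-2", "INV-1001", "split_po", t0),
        ControlException("EX-3", "INV-1005", "no_receipt_match", t0),
    ]
    for e in excs:
        route(e)
    day3 = escalate_overdue(excs, t0 + timedelta(days=3))    # nothing overdue yet
    resolve(excs[2], t0 + timedelta(days=4), "goods receipt posted late; match now complete")
    day6 = escalate_overdue(excs, t0 + timedelta(days=6))    # EX-1, EX-2 go up one level
    day12 = escalate_overdue(excs, t0 + timedelta(days=12))  # still open: up again, to cfo
    day30 = escalate_overdue(excs, t0 + timedelta(days=30))  # cfo is top of chain: no-op
    return excs, day3, day6, day12, day30


if __name__ == "__main__":
    excs, *runs = demo()
    for e in excs:
        print(e.exception_id, e.status, e.assignee)
        for when, event in e.history:
            print("   ", when.isoformat(), event)
```

The `history` list is the piece a practitioner should keep even in a toy: it is the evidence that an exception was routed, who held it, and when it moved, which is what an auditor will later ask for when assessing whether follow-up actually happened.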
In practice, operational staff and line management may be reluctant to respond promptly to exceptions and to perform reasonable diligence around remediation. This is understandable for a team that is incentivized to deliver a high level of productivity – perhaps measured by the volume of transactions processed – rather than the underlying integrity of the transactions themselves.
One approach to overcoming resistance is for senior leadership to communicate the importance of transaction testing and exception management to achieving overall business objectives. Shortly after the implementation of the U.S. Sarbanes-Oxley Act of 2002, the mantra of “good controls are good business” became more common. Yet, some managers may still see internal controls as an impediment to productivity and transaction testing as an unnecessary burden on the business process. If the controls and testing procedures are not smart ones, then this argument may well be valid. On the other hand, the right balance of implementing controls, testing transactions, and investigating flagged items can improve efficiency while managing risk intelligently.
Source: The IIA: IT Audit Articles