Wednesday, December 8, 2010

The Need for Continuous Auditing and Continuous Controls Monitoring

When the foundations of modern auditing were formed, many years ago, the world was a simpler place. Most businesses operated out of one or two locations. They had a manufacturing plant or a retail outlet. Their inventories could be observed and their accounts receivable were due from regular customers who were not far away and could be contacted quite easily. The idea of balance sheet auditing reflected these facts and the idea formed that if you get the opening balances right and the closing balances right, then everything in between must be right. Only classification issues remain. This concept became the core of auditing and remnants of it remain to this day.

Then businesses grew more complex. And they went global. Now auditors were faced with the prospect of auditing assets like inventories in all, sometimes very remote, parts of the world. Even though the audit firms tried to grow so they could do global audits, they had trouble keeping up. It just wasn't practical to observe and confirm a majority of those assets and liabilities.

The recognition grew that reliance needed to be placed on internal controls to gain assurance that the assets and liabilities were being properly controlled while they were out of sight. And so the idea of controls based auditing gained prominence.

Over the past twenty years or so, the auditing profession, through its standards, has tried to find a good balance between the need to examine balances and the need to examine controls. Arguably it has never found a good and viable balance.

Add to the mix an increasingly sophisticated technology environment, with controls issues that most auditors do not understand, incredibly complicated accounting standards, and you have a recipe for disaster. And disasters have happened, with auditors being blamed and paying huge settlements and some CEOs and CFOs going to jail. Some informed observers have concluded that the modern global corporation is virtually unauditable.

A reasonable answer to this seemingly inpenetrable conundrum has been the idea of continuous auditing (CA). CA, the argument goes, enables auditors to gain that ongoing assurance they need that the controls to safeguard the assets and record the liabilities are in place and operating properly. CA is accompanied by the idea of Continuous Controls Monitoring (CCM). The idea is that the there is a good CCM system in place that the auditors monitor and receive exception reports whenever anomolies enter into the system. With this information they can identify issues on a timely basis, and act on them without waiting for the year end audit.

This is a good concept but then there is the reality that good CCM systems have been few and far between, so CA has not achieved the level of acceptance that it deserved and that is needed to address the continuing and very real issues around the auditability of a modern corporation..

A good deal more effort needs to be placed on the development and deployment of good CCM systems - systems that will enable the auditors to do the job that is demanded of them in the 21st century. With current technology, such systems are feasible, and are being developed. Selection of such systems has become a critical process.  A recent article in the ISACA journal (subscription needed) outlines a ten factor model for evaluating CCM systems. CA and CCM is a solution to the auditing dilemna that is long overdue, is now feasible and needs to be acted upon.

No comments: