Harnessing the Power
of Continuous Auditing
Copyright © 2011 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Mainardi, Robert L., 1964–
Harnessing the power of continuous auditing : developing and implementing
a practical methodology / Robert L. Mainardi.
p. cm. — (Wiley corporate F&A series)
Includes index.
ISBN 978-0-470-63769-2 (hardback) ISBN 978-1-1180-0700-6 (ebk);
ISBN 978-1-1180-0701-3 (ebk); ISBN 978-1-1180-0702-0 (ebk)
1. Auditing, Internal. I. Title.
HF5668.25.M35 2011
6570.458—dc22 2010037965
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
To my father, Angelo Michael Mainardi, who continues to inspire me as he watches over me, and to my mother, Lucy, who impresses me more every day
Preface

The Real Definition
Differentiating Continuous Auditing
Segregating Continuous Auditing and Control Testing
Continuous Auditing Objectives
Dispelling the Continuous Auditing Myths

Recognize the Need
Potential Need/Fit Considerations
Client Relationship Score

Chapter 3: Continuous Auditing Methodology Development
Continuous Auditing Methodology
Methodology Requirements

Building the Business Knowledge
Developing Business Knowledge
Understanding the Rules
Identifying Technology

Chapter 9: Continuous Auditing Reporting
Reporting and Next Steps
Reporting Options
Advantages and Disadvantages of Report Type
Reporting Options Summary
Five-Component Approach

Developing Technique
Effective Concept
Lessons Learned Template
Continuous auditing has been around for quite some time, but there has always been an active discussion regarding its true definition and how to effectively incorporate the targeted testing methodology into an existing audit department. The other challenge that internal audit departments face is to differentiate continuous monitoring from continuous auditing. Although there does not appear to be a significant difference between the two, the one thing that remains constant is that a monitoring approach will not provide any control validation.
There is always a risk that audit departments, in an effort to implement a more streamlined testing approach, will rush through critical development and implementation phases of the continuous auditing methodology. It is critically important that each department takes the necessary time to understand the objectives of the approach, adequately plan and document its own methodology, and facilitate the communication of the methodology to its own team and business partners. The development of the continuous auditing methodology is time consuming and requires adequate planning and resources. However, this up-front investment will pay off significantly as the methodology is implemented.
This book addresses many misconceptions about continuous auditing; none is more significant than the belief that in order to implement continuous auditing successfully, the internal audit department must be supported by an automated technology. This could not be further from the truth. Continuous auditing programs are being executed daily without any technology at all. The true key to a successful continuous auditing implementation is not the type of technology solution used but the detailed, documented continuous auditing
in a target approach to evaluating the effectiveness of critical controls—can clearly understand and successfully create and implement his or her own continuous auditing methodology.
Chapter 1 provides a clear definition of continuous auditing that is used as a foundation for the rest of the book.
Chapter 2 helps you identify how continuous auditing can be integrated into your existing methodology with a need and fit questionnaire encompassing five specific questions to ensure that a benefit will be realized once the continuous auditing methodology is developed and implemented.
Chapter 3 discusses the requirements of the critical fields that are required and should be included in the formal continuous auditing methodology document and provides a suggested format.
Chapter 4 outlines the specifics of preparing to perform a continuous auditing program. This is accomplished by detailing the requirements of developing the business knowledge, understanding the specific business process rules, and identifying the technology. Each one of these topics is required to execute the corresponding work program successfully.
Chapters 5, 6, and 7 provide the individual continuous auditing methodology requirements for the three phases: (1) foundation, (2) approach, and (3) execution. Each chapter defines each phase and its purpose and specifies the particular deliverables needed to document the continuous auditing methodology properly.
Chapters 8, 9, and 10 address the continuous auditing methodology reporting requirements. They encompass the critical need for root cause analysis (Chapter 8), the suggested report format and documentation requirements (Chapter 9), and the definition of real action (Chapter 10) that must be obtained to address the opportunities for improvement identified during the execution phase of the continuous auditing methodology.
Chapter 11 focuses on the business unit management, internal audit, and technology conditions that provide guidance and assistance during the development, implementation, and management of the continuous auditing methodology.
Chapter 12 discusses the selling of the continuous auditing methodology to the business unit client and to the internal audit department staff. Although the method is not the same as a full-scope audit, it is necessary for internal audit to understand and be able to appropriately articulate the continuous auditing methodology to all parties involved.
Chapters 13 and 14 provide guidance in recognizing the challenges of implementing the custom methodology and its specific potential uses.
Chapter 15 provides a tool that can be utilized to evaluate and record the successes and opportunities for improvements in planning, testing, executing, and reporting on the continuous auditing methodology.
The Appendix provides a detailed example of a successful continuous auditing methodology as well as all the templates mentioned throughout the book.
Throughout the book development and writing process, I had tremendous support from many people. I want to say thank you to everyone who waited patiently and tolerated my unavailability from the concept phase up to and including the final revisions.
First, I owe special thanks to my son, Robert, and my daughter, Gabrielle, for all of their sacrifices during the creation of this book. Because of their understanding, I was able to focus and dedicate all of my time and effort to writing. You are both amazing, and I could not be any more proud to say that I
Thanks to Barumbi for the inspiration and support during this creation. I look forward to working with you long into the future. Your unique insight and skills should be shared. I look forward to seeing you often.
Thanks to my best friend, Lieutenant Colonel Henry “Pat” Campbell. You have been by my side since Penn State, and I know that I can always count on you and Laura for support or anything I could ever need. Always remember Filet, Tom Z, Kevin “Ice” Anderson, and laughing until it hurts. I want to also say thank you again for your 21 years of service in the U.S. Air Force. You are a
Thanks to two of the best people I ever hired, Stephanie Jones and Victoria Robinson. I appreciate your effort, team dedication, and willingness to follow me on new adventures at different companies. We created great work environments, produced valuable audits, and built great relationships. Your creativeness and ingenuity regarding the audit process have helped shape the initial creation of this continuous auditing methodology.
Thanks to Ken Frantzen for helping me get through all of those painful Monday morning staff meetings. Our five years together were such an adventure. I appreciate your patience and willingness to always listen. Ken, I finally made it to the “big boy” table.
Thanks to Dino and Scott Borghi at Borghi’s Restaurant for always taking care of me, my clients, family, and friends. Your food, dedication to excellence, superior service, and making everyone (especially me) feel like family are just a few reasons for your success.
Thanks to my business partners over the years. Although I may have forgotten some, this list includes: Suzanne Barron, Jill Benson, Lina Borrelli, Tom Cassidy, Kristi Coombs, Arnaldo Diaz, Ken Ebbage, Cynthia Fetterman, Todd Freeman, Jorge Green, John Hall, Denise Johnson, Susan Panzer, Jimmy Parker, Vinit Rajpara, Bruce Rice, Cyndi Summers, and John Wisz.
Thanks to all my former audit team members over the years. I am sure I have forgotten a few names, but the list includes: William Baugh, Robin Benns, Bob Campbell, Lisa Chadwick, Andrew Cooper, Jayne Cravens, Jeff “Hefe” Croasmun, Lou DiGiovine, Cari DeRose, Sam “Pooh Bear” Dungee, Mike Eyre, James Huff, Denise Joyce, Alton Knight, Eric Kramer, Ola Laniya, Tomeka Lee, Cara McWilliams, Ed Merenda, Jim Mullin, Christopher Nace, Jason Pandolfo, Eric Pettis, Jack Rockenbach, Frank Satterthwaite, Deborah Sullivan, Crystal Tucker, Jennifer Valentine, and Dwayne Weldon.
Thanks to Erin and Cathy at Catarinas for always fitting me in and taking care of me; and to Maria Martin at Unique Images for taking a great picture.
THE REAL DEFINITION
One of the significant challenges facing internal audit, control specialists, enterprise risk management teams, and business managers all over the world is being able to understand what continuous auditing is and how the approach can be used effectively. As you read through this book, keep in mind that continuous auditing has been around for decades. As I travel and speak around the world on this topic, I have found each individual team, department, or company has its own definition of what it believes the approach represents and how to maximize its value. So let us start off this educational process by establishing a clear-cut definition of continuous auditing and understanding the characteristics that make it a unique tool. The definition will be broken down into two distinct parts: (1) the formal “book” definition for personnel familiar with the audit profession and (2) the “nonaudit” definition for clients to clearly understand the objective of the approach.
Continuous auditing is one of the many tools used within the internal audit profession to provide reasonable assurance that the control structure surrounding the operational environment is:
• Suitably designed
• Established
• Operating as intended
Before discussing these three components, it is important to immediately identify a clarification regarding the definition. The assurance regarding the support structure of the operational environment is provided only for the specific controls selected during the development of the continuous audit. This is a critical distinction that must be understood by both the group using this approach and the client who is partnering in the effort. The continuous audit is not concluding on the total control environment for the process selected but only for the selected controls being reviewed. Time and time again, I have witnessed clients who receive results of a continuous audit (which was appropriately focused on a specific control) and then extrapolate the results of the control testing across the entire operation or control environment. It is not possible to use the results of a continuous audit to provide validation of an entire operation. Let’s discuss the three critical components of the definition.
Suitably Designed
Auditors and control experts use the term “suitably designed” constantly when discussing control testing, but does everyone using the term truly understand what it means? When considering whether a process or control is suitably designed, you must be able to examine the supporting process documentation or clearly written policies and procedures. In the examination of the information, you should be able to identify the process flow, checkpoints, and required reviews necessary to ensure the process flows along its desired path. “Suitably designed” also implies there are documented policies and procedures detailing this process flow. These procedures should be examined to determine a sufficient level of documentation. In making this determination, a reasonableness test is applied that basically asks whether