FPREF 12/10/2010 14:24:30 Page 14 Harnessing the Power of Continuous Auditing FFIRS 12/10/2010 14:5:48 Page 2 FFIRS 12/10/2010 14:5:48 Page 3 Harnessing the Power of Continuous Auditing Developing and Implementing a Practical Methodology ROBERT L. MAINARDI John Wiley & Sons, Inc. FFIRS 12/10/2010 14:5:49 Page 4 Copyright # 2011 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or trans- mitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762- 2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Cataloging-in-Publication Data: Mainardi, Robert L., 1964–– Harnessing the power of continuous auditing : developing and implementing a practical methodology / Robert L. Mainardi. p. cm. — (Wiley corporate F&A series) Includes index. ISBN 978-0-470-63769-2 (hardback) ISBN 978-1-1180-0700-6 (ebk); ISBN 978-1-1180-0701-3 (ebk); ISBN 978-1-1180-0702-0 (ebk) 1. Auditing, Internal. I. Title. HF5668.25.M35 2011 657 0 .458—dc22 2010037965 Printed in the United States of America 10987654321 FFIRS 12/10/2010 14:5:49 Page 5 To my father, Angelo Michael Mainardi, who continues to inspire me as he watches over me, and to my mother, Lucy, who impresses me more everyday. FFIRS 12/10/2010 14:5:49 Page 6 Contents Preface xi Acknowledgments xv Chapter 1: Defining Co ntinuous Auditing 1 The Real Definition 1 Differentiating Continuous Auditing 6 Segregating Continuous Auditing and Control Testing 9 Continuous Auditing Objectives 10 Dispelling the Continuous Auditing Myths 11 Summary 13 Chapter 2: Where to Begin 14 Recognize the Need 14 Potential Need/Fit Considerations 15 Client Relationship Score 18 Summary 25 Chapter 3: Continuous Auditing Methodology Development 26 Continuous Auditing Methodology 26 Methodology Requirements 27 Summary 33 Chapter 4: Preparing for a Continuous Audit 34 Building the Business Knowledge 34 Developing Business Knowledge 35 Understanding the Rules 46 Identifying Technology 51 Summary 53 vii FTOC 10/31/2010 16:35:50 Page 8 Chapter 5: Continuous Auditing: Foundation Phase 54 Target Area 54 Testing Objectives 63 Frequency 70 Testing Technique 74 Summary 79 Chapter 6: Continuous Auditing: Approach Phase 80 Approach Phase 80 Scope 81 Volumes 83 Sampling 86 Testing Criteria and Attributes 91 Technology 94 Summary 98 Chapter 7: Continuous Auditing: Execution Phase 100 Execution Phase 100 Performance 100 Exception Identification 105 Summarizing Results 110 Summary 115 Chapter 8: Root Cause Analysis 116 Root Cause 116 Root Cause Defined 117 Team Understanding 119 Do I Need to Find Root Cause? 124 Root Cause ‘‘Why’’ Approach 125 Root Cause Keys 126 Summary 127 Chapter 9: Continuous Auditing Reporting and Next Steps 129 Reporting and Next Steps 129 Reporting Options 130 viii & Contents [...]... assurance regarding the support structure of the operational environment is provided only for the specific controls selected during the development of the continuous audit This is a critical distinction that must be understood by both the group using this approach and the client who is partnering in the effort The continuous audit is not concluding on the total control environment for the process selected... assistance during the development, implementation, and management of the continuous auditing methodology Chapter 12 discusses the selling of the continuous auditing methodology to the business unit client and to the internal audit department staff Although the method is not the same as a full-scope audit, it is necessary for internal audit to understand and be able to appropriately articulate the continuous. .. critical development and implementation phases of the continuous auditing methodology It is critically important that each department takes the necessary time to understand the objectives of the approach, adequately plan and document its own methodology, and facilitate the communication of the methodology to its own team and business partners The development of the continuous auditing methodology is time... continuous auditing because, as you will learn in Chapters 5, 6, and 7, the ‘‘key’’ controls are going to be the ones selected to test using the continuous methodology To simplify the key control concept, this type of control holds the process together tightly in an effort to ensure that the desired outcome is achieved as long as the process does not deviate from the established design To further the. .. Once the limits have been identified, examine the design of the process to determine if there are any reports generated to measure the process against the standard In a suitably designed process, reports will be created that detail the effectiveness of the control environment to meet the standard created in the policies and procedures These reports will also help in developing a focus for potential continuous. .. accomplish The reason that the continuous auditing objective is so important is simple: If the objective is not known, no one will be able to grasp the concept of why the work is being performed The lack of a fully developed continuous auditing objective can and will cause confusion for the individuals performing the work and any clients involved Now that we have clarified the definition, let’s discuss the. .. that the process has been suitably designed Another component to consider when discussing design is the application and use of controls In the review of the process documentation, there should be evidence of specific control activity In other words, can you identify control points in the process where information is validated, reviewed, and/or approved before moving to the next critical step in the process?... work flow is the actual process in place today Too often a business unit has detailed policies and procedures that are not representative of the dayto-day operational process The documentation of the current process is considered a low priority for the business unit due to their daily C01 11/23/2010 16:9:3 Page 5 The Real Definition & 5 responsibilities taking precedence over the scripting of their activities... Did the proper, expected deliverable occur? When a continuous audit is created according to the methodology, it will provide the data and supporting evidence to conclude on the effectiveness and efficiency of the specific controls selected for review It will confirm or deny that the established process is producing the expected results It is important to have a clear understanding of the definition of continuous. .. main process, obtaining the applicable process volumes, dollars, or manhours Once these figures have been compiled, they are compared to the target range or benchmark to determine whether the total number fits within an acceptable range of performance The process of matching totals to their target or benchmark is not continuous auditing Without performing any validation testing of the compiled data, it . FPREF 12 /10 /2 010 14 :24:30 Page 14 Harnessing the Power of Continuous Auditing FFIRS 12 /10 /2 010 14 :5:48 Page 2 FFIRS 12 /10 /2 010 14 :5:48 Page 3 Harnessing the Power of Continuous Auditing Developing. 978 -1- 118 0-0700-6 (ebk); ISBN 978 -1- 118 0-07 01- 3 (ebk); ISBN 978 -1- 118 0-0702-0 (ebk) 1. Auditing, Internal. I. Title. HF5668.25.M35 2 011 657 0 .458—dc22 2 010 037965 Printed in the United States of. taking care of me; and to Maria Martin at Unique Images for taking a great picture. xvi & Acknowledgments FLAST 11 /23/2 010 16 :18 :37 Page 17 Harnessing the Power of Continuous Auditing FLAST 11 /23/2 010