Title: Continuous Auditing Implications: Rethinking the Roles of Systems of Internal Controls
Continuous Auditing Implications: Rethinking the Roles of Systems of Internal Controls
- Presented by Rob Nehmer
- Berry College
- at the Fifth Continuous Assurance Symposium, November 22-23, 2002
Overview
- Current methods of control
- Are there systems of control?
- Current frameworks of internal control
- eCommerce impacts on the current frameworks
- Are the current frameworks sufficient?
- Research agenda for systems of internal control
Current Methods of Control
- Methods of Management Control
- Methods of Internal Control
- Methods of Assurance
Methods of Management Control
- Planning, organizing, staffing, leading, controlling
- Internal audit definition
  - Ensure reliability and integrity of information
  - Compliance with policies, plans, procedures, laws, and regulations
  - Safeguarding of assets
  - Economical and efficient use of resources
  - Accomplishment of established objectives and goals for operations or programs
- Theory X, Theory Y
- Charisma
- Organizational design
- Process re-engineering
Methods of Internal Control
- Pervasive controls
  - Control environment
  - Plan of the organization
  - General scheme of authorization
  - General physical security
  - Personnel policies
- Application controls
  - Preventive: separation of duties, specific authorization, validation, verification, specific physical controls
  - Detective: pre-numbered documents, registers and logs, reconciliation, review procedures
Methods of Assurance
- External audits
- Internal control evaluation
- Prospective financial information
- Compliance with laws and regulation
- Other
- WebTrust
- SysTrust
Systems of Control
- Appeal to auditor judgement
- What risks are pervasive controls actually lowering?
- When and how do pervasive control activities reduce application cycle risks?
- Under what conditions are multiple control activities likely to actually reduce risk?
- How are compensating controls justified with respect to risk?
eCommerce Impacts on the Current Frameworks
- Electronic transactions
- inputs
- processes
- outputs
- Continuous monitoring
- Continuous reporting
- Continuous assurance
Electronic Transactions
- Inputs
  - No inside source; entry by the customer on the web
  - Blanket authorizations
- Processes
  - Transaction stream is continuously automated; points of control must be designed in
- Outputs
  - Effortless duplication, no natural tracing
Continuous Auditing
- Monitoring
  - Points of control disappear into the processing system
  - Measures, recording and reporting media, and measurement tools all change
- Assurance
  - Decision cycle time decreases
  - Decisions based more on electronic measures
- Reporting
  - On demand, 24/7, web-based
  - Must reflect the shorter cycle times
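The Methods of Internal Control, Electronic Transactions and Continuous Auditing slides above describe detective control activities (pre-numbered documents, registers and logs, reconciliation) and the need to design points of control into a continuously automated transaction stream whose inputs come from the customer under blanket authorizations and whose outputs duplicate effortlessly. The following is an added example, not from the original slides, that recasts those activities as automated monitoring checks over a constructed e-commerce order stream. The transaction records, the payment register, the per-customer authorization limits and every identifier in it are made up for illustration.

```python
"""Automated detective controls over an e-commerce order stream.

Added illustration (not from the original slides). Four classic control
activities are recast as monitoring checks that run inside the processing
system rather than at a manual review point:
  * sequence-gap detection over pre-numbered transaction IDs
  * duplicate detection (electronic outputs duplicate effortlessly)
  * blanket-authorization limits per customer (inputs come from the customer)
  * reconciliation of the order stream against a payment register
All sample data below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int          # pre-numbered transaction ID assigned by the web front end
    order_id: str
    customer: str
    amount: Decimal


# Constructed order stream: one resubmitted order and one missing sequence number.
ORDER_STREAM = [
    Txn(1001, "ORD-A1", "alice", Decimal("49.99")),
    Txn(1002, "ORD-A2", "bob", Decimal("120.00")),
    Txn(1002, "ORD-A2", "bob", Decimal("120.00")),   # duplicate submission
    Txn(1004, "ORD-A4", "carol", Decimal("15.50")),  # seq 1003 never arrived
    Txn(1005, "ORD-A5", "dave", Decimal("80.00")),
]

# Constructed payment register from a hypothetical payment processor.
PAYMENT_REGISTER = {
    "ORD-A1": Decimal("49.99"),
    "ORD-A2": Decimal("120.00"),
    "ORD-A4": Decimal("15.05"),   # amount differs from the order
    "ORD-X9": Decimal("10.00"),   # payment with no matching order
}

# Hypothetical blanket authorization: per-customer cap, with a default cap.
AUTH_LIMITS = {"bob": Decimal("100.00")}
DEFAULT_LIMIT = Decimal("500.00")


def sequence_gaps(stream):
    """Pre-numbered documents: return sequence numbers that never arrived."""
    seqs = sorted({t.seq for t in stream})
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        gaps.extend(range(prev + 1, cur))
    return gaps


def duplicates(stream):
    """Return order IDs whose full record appears more than once."""
    counts = Counter(stream)   # Txn is frozen, hence hashable
    return sorted({t.order_id for t, n in counts.items() if n > 1})


def over_authorization(stream, limits, default=DEFAULT_LIMIT):
    """Blanket authorization: flag orders above the customer's cap."""
    return sorted({t.order_id for t in stream
                   if t.amount > limits.get(t.customer, default)})


def reconcile(stream, register):
    """Reconcile orders against payments: unpaid, unmatched, mismatched."""
    orders = {}
    for t in stream:
        orders.setdefault(t.order_id, t.amount)   # duplicate records collapse
    return {
        "unpaid": sorted(o for o in orders if o not in register),
        "unmatched_payments": sorted(p for p in register if p not in orders),
        "amount_mismatch": sorted(o for o in orders
                                  if o in register and register[o] != orders[o]),
    }


def run_controls(stream=ORDER_STREAM, register=PAYMENT_REGISTER, limits=AUTH_LIMITS):
    """One monitoring pass; the result is an exception report the auditor can act on."""
    return {
        "sequence_gaps": sequence_gaps(stream),
        "duplicates": duplicates(stream),
        "over_authorization": over_authorization(stream, limits),
        "reconciliation": reconcile(stream, register),
    }


if __name__ == "__main__":
    for control, findings in run_controls().items():
        print(f"{control}: {findings}")
```

In a live system these checks would run on every batch or window of the stream rather than once, and the exception report (not the raw log) is what feeds the on-demand, web-based reporting the next slide calls for; the auditor's judgement is then spent on the exceptions, not on re-performing the checks.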
Sufficiency of Current Frameworks
- COSO
- COBIT
- SAS 55, 78
- IIA Guidelines 300 (C), 520 (Risk)
COSO
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
COBIT
- Information Technology Resources
- Information
- Planning and Organizing
- Acquisition and Implementation
- Delivery and Support
- Monitoring
SAS 55, 78
- Obtain a sufficient understanding of internal control to plan the audit
- Assess control risk for financial statement assertions
- Additional tests of controls
- Determine the nature, timing, and extent of substantive tests
- COSO framework
IIA Guidelines 300 (C), 520.04 (Risk)
- Management controls
  - Ensure reliability and integrity of information
  - Compliance with policies, plans, procedures, laws, and regulations
  - Safeguarding of assets
  - Economical and efficient use of resources
  - Accomplishment of established objectives and goals for operations or programs
- Risk Assessment
  - Identification of auditable activities
  - Identification of relevant risk factors
  - Assessment of the relative significance of the factors
Researching Systems of Internal Control
- Heuristics on combining risk effects of internal control activities
- Risk implications of emerging IT technologies
- Identification and evaluation of points and bands of control
- Further (better) articulation of control goals and operational and control activities
Heuristics on Combining Risk Effects
- Use of non-classical mathematics: modal logics, fuzzy sets
- Data mining with pattern recognition
- Knowledge elicitation from the experts
- Analysis of known systemic risk and known subsystem risk
- A metaphor: what we use now is payback vs. NPV
Risk Implications of Emerging IT Technologies
- Increased and new risks
- Decreased and eliminated risks
- All technologies
  - SW: OSs, applications, IDEs
  - HW: servers, communications, clients
  - Administrative: network monitoring, SAD (systems analysis and design) methodologies, programming methodologies
Identification and Evaluation of Points and Bands of Control
- Rethink our traditional measure points (registers, logs) and convert them to eCommerce settings
- Determine how to evaluate the placement of points with respect to value added and cost/benefit
- Develop systems of activities (bands of control) which can be evaluated for efficiency and effectiveness
Better Articulation of Control Goals and Operational/Control Activities
- Lining up qualitative dimensions of activities with the goals they are achieving
- Researching the relationships between activities and goals: linear, non-linear, etc.
- Tighter linkage of activities and goals to the different aspects of control
- Classification of control needs, the inventory of activities available to meet those needs, and missing control classes