Continuous Auditing Implications: Rethinking the Roles of Systems of Internal Controls - PowerPoint PPT Presentation

Slides: 21
Provided by: CSOB2
Learn more at: https://raw.rutgers.edu

Transcript and Presenter's Notes


1
Continuous Auditing Implications: Rethinking the
Roles of Systems of Internal Controls
  • Presented by Rob Nehmer
  • Berry College
  • at the Fifth Continuous Assurance Symposium,
    November 22-23, 2002

2
Overview
  • Current methods of control
  • Are there systems of control?
  • Current frameworks of internal control
  • eCommerce impacts on the current frameworks
  • Are the current frameworks sufficient?
  • Research agenda for systems of internal control

3
Current Methods of Control
  • Methods of Management Control
  • Methods of Internal Control
  • Methods of Assurance

4
Methods of Management Control
  • Planning, organizing, staffing, leading,
    controlling
  • Internal audit definition
  • Insure reliability and integrity of information
  • Compliance with policies, plans, procedures,
    laws, and regulations
  • Safeguarding of assets
  • Economical and efficient use of resources
  • Accomplishment of established objectives and
    goals for operations or programs
  • Theory X, Theory Y
  • Charisma
  • Organizational design
  • Process re-engineering

5
Methods of Internal Control
  • Pervasive controls
  • Control environment
  • Plan of the organization
  • General scheme of authorization
  • General physical security
  • Personnel policies
  • Application controls
  • Preventative: Separation of duties, specific
    authorization, validation, verification, specific
    physical controls
  • Detective: Pre-numbered documents, registers and
    logs, reconciliation, review procedures

6
Methods of Assurance
  • External audits
  • Internal control evaluation
  • Prospective financial information
  • Compliance with laws and regulation
  • Other
  • WebTrust
  • SysTrust

7
Systems of Control
  • Appeal to auditor judgement
  • What risks are pervasive controls actually
    lowering?
  • When and how do pervasive control activities
    reduce application cycle risks?
  • Under what conditions are multiple control
    activities likely to actually reduce risk?
  • How are compensating controls justified with
    respect to risk?

8
eCommerce Impacts on the Current Frameworks
  • Electronic transactions
  • inputs
  • processes
  • outputs
  • Continuous monitoring
  • Continuous reporting
  • Continuous assurance

9
Electronic Transactions
  • Inputs
  • No inside source, entry by the customer on the
    web
  • Blanket authorizations
  • Processes
  • Transaction stream is continuously automated;
    points of control must be designed
  • Outputs
  • Effortless duplication, no natural tracing

10
Continuous Auditing
  • Monitoring
  • Points of control disappear into the processing
    system
  • Measures, recording and reporting media, and
    measurement tools all change
  • Assurance
  • Decision cycle time decreases
  • Decision based more on electronic measures
  • Reporting
  • On demand, 24/7, web-based
  • Must reflect the shorter cycle times

11
Sufficiency of Current Frameworks
  • COSO
  • COBIT
  • SAS 55, 78
  • IIA Guidelines 300 (C), 520 (Risk)

12
COSO
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

13
COBIT
  • Information Technology Resources
  • Information
  • Planning and Organizing
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring

14
SAS 55, 78
  • Obtain a sufficient understanding of IC to plan
    the audit
  • Assess control risks for F/S assertions
  • Additional tests of controls
  • Determine the nature, timing, and extent of
    substantive tests
  • COSO framework

15
IIA Guidelines 300 (C), 520.04 (Risk)
  • Management controls
  • Insure reliability and integrity of information
  • Compliance with policies, plans, procedures,
    laws, and regulations
  • Safeguarding of assets
  • Economical and efficient use of resources
  • Accomplishment of established objectives and
    goals for operations or programs
  • Risk Assessment
  • Identification of auditable activities
  • Identification of relevant risk factors
  • Assessment of the relative significance of the
    factors

16
Researching Systems of Internal Control
  • Heuristics on combining risk effects of IC
    activities
  • Risk implications of emerging IT technologies
  • Identification and evaluation of points and bands
    of control
  • Further (better) articulation of control goals
    and operational and control activities

17
Heuristics on Combining Risk Effects
  • Use of non-classical mathematics: modal logics,
    fuzzy sets
  • Data mining with pattern recognition
  • Knowledge elicitation from the experts
  • Analysis of known systemic risk and known
    subsystem risk
  • A metaphor: what we use now is payback vs. NPV

18
Risk Implications of Emerging IT Technologies
  • Increased and new risks
  • Decreased and eliminated risks
  • All technologies
  • SW: OSs, applications, IDEs
  • HW: servers, communications, clients
  • Administrative: network monitoring, SAD
    methodologies, programming methodologies

19
Identification and Evaluation of Points and Bands
of Control
  • Rethink our traditional measure points
    (registers, logs) and convert to eCommerce
    settings
  • Determine how to evaluate the placement of points
    wrt value added and C/B
  • Develop systems of activities (bands of control)
    which can be evaluated for efficiency and
    effectiveness

20
Better Articulation of Control Goals and
Operational/Control Activities
  • Lining up qualitative dimensions of activities
    with the goals they are achieving
  • Researching the relationships between activities
    and goals: linear, non-linear, etc.
  • Tighter linkage of activities and goals to the
    different aspects of control
  • Classification of control needs, the inventory of
    activities available to meet those needs, and
    missing control classes