When folks talk about continuous auditing practices, data analytics run a close second in the conversation. And using data analytics is great – if it’s the right tool for the job.
Norman Marks is a retired CAE and thought leader on risk management and internal audit. Marks says that “Continuous auditing isn’t always using software. Continuous auditing is simply auditing activities on a more frequent basis.”
In other words, continuous auditing isn’t tethered exclusively to data analytics.
If continuous auditing doesn’t strictly mean automated data analytics or fancy software, then it means a larger group of internal audit shops can employ continuous auditing. Below are five ways you can continuously audit your business without all the software and by just using your brain.
Define continuous audit for your shop
First, let’s define continuous auditing. Internal audit uses continuous auditing to monitor company processes (e.g., accounting practices, risk controls, compliance, information technology (IT) systems, and business procedures) on a more frequent, or continuous, basis.
In a continuous system, anomalies and errors are swiftly detected and trigger an alarm to the audit team and other recipients. The idea behind this process is to mitigate risk quickly or ahead of a disaster.
Another subject matter expert clarifies the definition. “There’s continuous auditing and then there’s continual auditing.” The first implies the use of algorithms and data to audit processes, while the latter requires management and audit to maintain a pulse on risky areas.
Auditor tip: You don’t need a fancy algorithm to define areas of risk in the company that require additional attention. When problems pop up, ask if the problem presents a risk that requires additional monitoring and whether analytics are the answer.
Know what’s up in the business
By maintaining a pulse on the business, you can perceive risk outliers in a business and request specific data.
“Understand what’s happening in the business,” says Marks. “Get out there, listen, read reports, and read the news and industry magazines. One of the things we need to understand is that management is educating themselves, so you need to do the same. Read what they read. Know what they know.”
Additionally, it’s amazing how much the human brain can soak in just by being present. Board meetings, CFO team meetings, and quarterly close meetings are all perfect environments for learning risks that may require audit’s investigation.
Auditor tip: Understand how management runs their business; attend meetings, research, and spot those opportunities where audit can help monitor and consult the business.
Monitor immature areas
Immature areas are areas in the business that don’t function correctly all of the time. These processes may just require additional assurance for a while (until the process works correctly), but not forever.
“In one company I was with, we were trading millions and millions of dollars,” recounts Marks. “We would audit every year, and I would get reports every week to keep my finger on the pulse and ask questions if something looked odd. After the processes matured, we were able to back off.”
Employing short, continuous audit techniques is a common theme among consultants.
Jason Claycomb, founder of INARMA LLC, says, “There are times when I have used continuous auditing because of a continuing concern. If I don’t believe management has processes in place to protect the organization, I may use a continuous auditing technique to help manage the process.” For Claycomb, those techniques can either be automated or auditor-driven.
Auditor tip: Continuous auditing doesn’t mean forever auditing. Processes that require additional monitoring might only need to be monitored temporarily.
Determine your goal, then choose a tool
When we go to a store without a list, sometimes we end up purchasing items we didn’t really need. How else do I explain the unused snorkel and fishing gear that line my garage shelves?
Sometimes business invests in superfluous items too – like software for data analytics.
When is the right time to take the plunge into data analytics software? Just as we should have waited until a beach vacation to buy snorkel gear, the company should invest in software development when there’s a problem that requires software as the solution.
“A lot of consultants (i.e., CPA firms) are pushing analytics to define problems. I think that is really overblown,” asserts Marks.
“Focus on the risks that are today and tomorrow – the ones that matter. How are we going to do that? If continuous auditing is the answer, then great. But, don’t start with continuous auditing and then figure out where to use it.”
Auditor tip: If you’re auditing the same area frequently, then developing software to audit that area is going to have some ROI. Otherwise, occasional audits don’t yield great ROI for software.
In our personal lives, when we find something concerning (like our health), we pay more attention to it. The same idea goes for auditing cyber. Marks explains, “If I don’t have high confidence in our company’s protection and response, then I’m going to pay attention more often.”
Auditing cyber proves that continuous auditing isn’t just about business data.
“For example,” says Claycomb, “auditing the process of when patches are applied and how quickly they’re applied upon patch releases is an example of continuous auditing.” But these types of continuous controls on cybersecurity aren’t always present.
“At the moment, I don’t believe many organizations have mature cyber defenses and responses,” says Marks.
To combat a general lack of cybersecurity, you can raise awareness of gaps in the cyber defense infrastructure. One step to auditing cyber is to gather and analyze as much continuing information as possible from the information security team about the levels of cyber attacks and responses.
Auditor tip: Learn information security’s comfort level with cyber risk, and determine whether it aligns with the company’s comfort level for cyber risk. You can continuously monitor processes that aid in cybersecurity prevention or detection.
Data analytics and continuous auditing are just tools for risk assessment. In the end, Marks believes that management should take the onus for detecting problems.
“It’s not IA’s responsibility to identify problems; it’s management’s responsibility. What IA should be doing is seeing whether the management is identifying problems well – not [identifying management’s problems] for them. I’m okay with finding problems on a temporary basis, but we should be teaching [management] how to fish rather than giving them the fish.”