Continuous Auditing Can Work For You!

December 7, 2022

After identifying concerns through an audit, we often find the same problems recurring. But how can this be? The client assured us that the issues had been addressed; however, the same risks persisted.
Although different, continuous monitoring and continuous auditing are often mentioned in the same breath and can both increase the effectiveness and efficiency of the organization.

What Differentiates Continuous Monitoring from Continuous Auditing?

Continuous monitoring is an ongoing process used to monitor both processes and risks associated with an organization’s operations and is management’s responsibility. Monitoring programs should be designed to test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline. [1]

Continuous auditing is just auditing, but on a more frequent, regular basis than the standard auditing engagement and is performed by the audit department. Continuous auditing is often made possible by technology that can collect and analyze data quickly. [2] Furthermore, the auditor uses more frequent check-ins to provide assurance that controls are adequate and functioning properly. Additionally, continuous auditing may allow the organization to reduce the frequency of traditional assurance audits.

Where Do You Start with Continuous Auditing?

After engaging in conversations with numerous clients and completing your audit plan, you should be aware of key business objectives critical to the university’s operations.

For example, a critical operation for any university is the Admissions Office, and your office recently completed an Admissions audit as part of last year’s audit plan. Several findings were identified, and going forward, you have the opportunity to help your client resolve one or more of these concerns.

Based on this information, you should:

a) Assess the risks associated with those objectives and identify areas that are potential candidates for Continuous Auditing.
Example: The Admissions Office policy required more than one approver per applicant and include documentation comments about their approval. However, your audit found that students were admitted with only one approver and no comments on why they were approved.

b) Obtain an Understanding of How the Process Works
Example: You are now challenged with identifying the weakened control in the admissions process. Based on work from the initial Admissions audit, the admissions process should already be documented. The process should be re-verified with someone who understands the process, and if there are process changes, the documentation should be updated.

c) Use Continuous Auditing to Determine the Cause of the Control Breakdown or Increased Risk
Example: When using continuous auditing to determine how controls are performing, you may have identified that the review process needs modification. For instance, if the admissions application process is not automated, the solution may require an Admissions employee to select some reports periodically (daily, weekly, monthly) for compliance review. This is to determine if more than one reviewer has processed applications with comments justifying admission, as prescribed. In this example, the process was automated, a script modification was needed. This required adding a control which did not allow applications to advance within the process until two approvers signed off with comments justifying admission. Once the control correction had been placed, Internal Audit continuously audited to determine the effectiveness of this control.

d) Collaborate with Your Client
Your client can assist with continuous monitoring efforts by performing compliance checks (daily, weekly or monthly) to determine how frequently errors occur. In our example, the client will likely be able to periodically pull admissions reports to assess whether process improvements are effective. The client may gain the ability to recognize and solve control issues themselves without getting Internal Audit involved.

e) Assess Results and Report
Using the data you have gathered over time, you can determine if the controls are more effective at achieving the desired results.

In reference to our example, your institution will receive the most applications for the Fall semester. Therefore, it is most appropriate to do Fall to Fall comparisons as opposed to Fall to Spring. As we know, your institution will have fewer Freshman admissions in Spring. With a reduced workload, the Admissions review staff may make fewer errors.

However, for Fall admission assessments, Admissions will have more work, and more reviewers could be needed. Because of time constraints and inexperience, following admissions policies may not always happen. The Fall to Fall comparison may be more relevant for an effective evaluation regarding improvements in admission controls.

Example: Below is a visualization of comparative data between Fall 2020 and Fall 2021 for student admissions. Regarding the two Admission policy requirements mentioned in (a) above, which relate to having more than one approver and having approval comments, what is the data telling us?

For the admissions policy requirement of having at least two reviewers mention in (a) above, there are no concerns as this process appears to be working. In both years, there was only one application that showed one reviewer.
However, reviewers are not always documenting comments. In the example, "Reviewer 1" represents one Admissions staff member, "Reviewer 2" represents another, and so on. Reviewer 1 did not add the required comments for nine applications in Fall 2020 compared to 37 applications in Fall 2021. The trend is generally negative for many reviewers and this is where a deeper look into the controls is needed.

After reviewing the trend results, report the outcomes and determine if more continuous auditing is needed. Meet with your client and discuss the results. In our example, without the data analytics information, Admissions may not have known that the number of applications without comments had increased from 2020 to 2021. Using the new information, the client may already know the cause or may need further investigation. In this example, the client knew the automated application process was having problems, and some applicants had duplicated their applications. The client may continue with their own monitoring to determine if other adjustments are needed.

Continuous Auditing Benefits

Collecting audit evidence on a timely basis.
Better analysis of the strength of your controls through more frequent measurement and trending.
Better alignment with the pace of change in highly dynamic environments.
Automated compliance monitoring tools can help save time and resources in evidence collection.
The use of tools to help automate the collection of evidence and data, to perform trending, and to provide insights. [3]

Continuous Auditing Challenges

Understanding how to address the root cause and not the symptom.
Selling your client on the notion that you are there to help them and not get in their way.
Determining when the control is working at acceptable or reasonable levels.
Determining the frequency of performing the continuous audit.
Changing business environment.
Internal Audit’s proficiency in using data analytic tools.
New client staff understanding systems, processes, tools and control monitoring.
Management’s expectation that Internal Audit is the monitoring function.

Conclusion

As mentioned above, establishing a continuous audit program can be challenging. Therefore, continuous auditing should be carefully planned with your audit client. In the end, you can build goodwill with your client, increase operating efficiencies, and account for risks identified within your risk universe.

Additionally, your client’s involvement allows them more flexibility in providing a solution.

[1] Monitoring and Auditing Practices for Effective Compliance: Best Practices for Compliance Officers. Blog Post. (2017, February), Richard P. Kusserow, Strategic Management Services
https://www.compliance.com/resources/compliance-officers-responsibility-ongoing-auditing-monitoring-high-risk-areas/

[2] Continuous Auditing vs. Continuous Monitoring. (2017, April 12). https://study.com/academy/lesson/continuous-auditing-vs-continuous-monitoring.html

[3] What is Continuous Auditing and How Can You Leverage It? (2020, March 03), Paul J. Johnson, WIPFLI, Articles & E-Books, https://www.wipfli.com/insights/articles/ra-what-is-continuous-auditing-and-how-can-you-leverage-it

Special thanks to Paul Tyler, Carol Rapps and Joselyn Rameau, UTSA Data Analysts, for visualization contributions and review.

About the Author

Jaime Fernandez

Jaime Fernandez is a Certified Internal Auditor (CIA), a Certified Fraud Examiner (CFE) and a Certified Government Auditing Professional (CGAP). Jaime graduated from Texas A&M University with a Bachelor of Business Administration in Marketing and Our Lady of The Lake University with a Master of Business Administration in Finance.

Jaime’s work experience includes 23 years in the financial industry, more specifically in credit unions. His credit union experience included 17 years in staff and management positions and 6 years in internal auditing. Following his experience with credit unions, Jaime joined UTSA in September 2006, thus giving him nearly 16 years of experience in higher education.

Articles
Auditing and Adapting to Change on Campus
Continuous Auditing Can Work For You!
Providing Value in the World of College Athletics