MODULE 9

CONTINUOUS MONITORING
ACELEC 332
ADD YOUR TITLE HERE

The internal audit profession has undergone tremendous

changes over the years and expectations have never been
higher. As business dynamics become more complex, as
organizations grow and expand worldwide, and as the details of
the risk environment multiply, internal auditors must find new,
faster, better and more accurate ways of getting the work done.
Paper-based, cyclical reviews that rely on sampling are being
challenged by fast developments that can’t wait months, much
less years to be detected. Clever employees, vendors and
customers defraud organizations through unique trickery that
may not appear in a sample, and attempting to test every
control reltaed to the process in question would demand having
an army of auditors with virtually no time constraints to go
through it all.
 01 02 03 04

CONTINUOUS DATA USING CAATTs CCM AND

AUDITING OF ANALYSIS TO ACHIEVE CCA
HIGH RISK SOFTWARE OPERATIONAL
ACTIVITIES APPLICATION EXCELLENCE
PART 01
CONTINUOUS AUDITING OF HIGH-RISK ACTIVITIES
ADD YOUR TITLE HERE
HISTORY
Years ago, internal auditors made sample selections to
evaluate attributes of a population of transactions and the
testing procedures were traditionally based on a sampling
approach that included activities such as reviews of policies,
procedures, approvals and reconciliations. Sometimes this
selection was made statistically, sometimes randomly, and
sometimes through judgement. The objective was to have a
representative sample so that a valid conclusion could be
made about the population. As new software tools became
available in the market and organizations stored more
data, internal auditors queried and analyzed the
transactions with the goal of finding attributes of trends
that might indicate if errors occured during processing of
if the reliability of internal and external information and
reports was faulty. This changed traditional approach which
gave internal auditors narrow scope of evaluation that is
often too late to be of real value to business performance or
regulatory compliance since it identified problem after they
occured.
ADD YOUR TITLE HERE

DEPLOY LIMITED INTERNAL AUDIT AND MANAGEMENT

RESOURCES MORE EFFICIENTLY IN SEARCH OF PROBLEMATIC
ACTIVITIES AND TRANSACTIONS
-The objective is to identify what is not working well, and less on validating
what is working well.

INDENTIFY AT-RISK TRANSACTIONS AS SOON AS POSSIBLE FOR

EARLY INTERVENTION
-The objective is to keep problems to a minimum. Problems should not be
allowed to fester because there is typically a cumulative effect involved. In
some cases, there is a compounding effect and for others, grounds for
accusation of neglect that could result in more severe fines, penalties and
judgements.
ADD YOUR TITLE HERE

The last stage of evolution is continuous control

monitoring (CCM), which results in information that
identifies potential anomalies, risk exposures, and
control breakdowns. This information should prompt
immediate attention further investigation, and
remediation

Continuous monitoring takes continuous

auditing and puts the at-risk transactions
at the fingertip of management

Continuous auditing changes the audit

process from periodic reviews o a sample
transactions to ongoing audit testing of
100% transaction
ADD YOUR TITLE HERE

SAMPLE DATA
ANALYSIS
PROCEDURE AND
THEIR PURPOSE
ADD YOUR TITLE HERE

SAMPLE DATA
ANALYSIS
PROCEDURE AND
THEIR PURPOSE
PART 02
DATA ANALYSIS SOFTWARE APPLICATIONS
ADD YOUR TITLE HERE
TRIVIA
Data analytics has been facilitated by the development and
adoption of various tools. Among these, the most widely
known is Microsoft Excel. The days when Excel had a capacity
of 56,000 records are long gone. Current worksheet capacaity
is over a million rows and more than 16,000 columns; this is
more than enough to meet most auditors’s need. Simple but
very useful fomulas include: AVERAGE, CONCATENATE,
CORREL, COUNT, COUTA, COUNTBLANK, COUNTIF, IF , LEN,
MAX, MIN, RIGHT, LEFT, SUM, SUMIF, TRIM and VLOOKUP

Another regarded tool and favorite of many auditors is Audit

Command Language (ACL)- it has a built-in functionality that
auditors generally find helpful to identify gaps, duplication,
and other anomalous transactions. ACL includes many
formulas that are geared for the type of analysis that many
auditors perform, so rather than developing a complex
formula or a macro to perform as Excel’s increased ability to
import files of diverese formats has reduced some of the
advantage that ACL had in this regard, and a similar dynamic is
emerging regarding analytics
ADD YOUR TITLE HERE
ADD YOUR TITLE HERE

ORGANIZATION’S INFORMATION GOVERNANCE

MANAGEMENT PROCESS

THE REQUIREMENTS FOR DEFINING HOW DATA ARE

CREATED, STORED, ACCESSED, USED AND
TRANSMITTED
 ADD YOUR TITLE HERE
The internal auditor ineed to determine what information is critical
for the program or proces, how and where it resides, and who has
access to it. This information can be obtain by performing a risk
assessment, which should identify the critical information. Another
approach is to leverage the existing business continuity and
disaster recovery documentation (if it exists) because the impact
analysis that precedes such documentation should have identified
that critical information. A third approach is to leverage the
organization’s data inventory that indentifies what information is
available

The next step is to determine where the data are stored. Since
these data reside in databases, the IT department may need to
help identify the relevant systems and how the data are stored.
The extraction of data can by done by the auditor or by requesting
the information from the IT department or process owner. While a
common objective is to review the data to determine if the related
controls are present and functioning as intended. Since
operational audit focus on the effectiveness and efficiency of the
programs and processes, data should be analyzed with these
types of goals in mind.
ADD YOUR TITLE HERE

When evaluating the

organization’s risk and
compliance conditions and
readiness for data analytics,
it is helpful to begin with a
gap analysis. . The following
questions can help internal
auditors determine the
condition of their
organization’s risk and
compliance functions
whether they are
performing an assessment
or acting in advisory
capacity.
ADD YOUR TITLE HERE

ORGANIZATIONAL
READINESS
LEVELS FOR DATA
ANALYTICS。
PART 03
USING CAATTs TO ACHIEVE OPERATIONAL EXCELLENCE
ADD YOUR TITLE HERE

Internal auditors have traditionallly performed audits

using a cyclical approach. That is to say that they
review areas intermittently to verify that infrastructure
of the area under review was established effectively
and to verify that controls in place are operating as
expected. While this approach has been quite
effective for decades, it presents some challenges
because problems could lurk in the background for
months before the auditors arrive for their reviews.
CAATTs (Computer Assisted Audit Tools and
Techniques) offer a way to avoid the time lapse that
cyclical reviews create
ADD YOUR TITLE HERE

By establishing Key Risk KRIs are similar to Key

Identification (KRI), and Performance Inidicators (KPI),
CAATTs can help enhance
monitoring their behavior which are quantifiable measures
risk identification by
over time, internal auditors that an organization or industry
leveraging power of metrics
can get an early indication uses to gauge an compare
when underlying risk profile performance in terms of their
is starting to drift. operational and strategic goals
ADD YOUR TITLE HERE

KPI- Accounts Receivable KPI- Production Figures KPI- number of

Balances KRI- number of accidents employees
KRI- aging of AR and errors caused during KRI- morale of workers
*while it is important to the production
*Unmotivated workers are
sell, if you are unable to *KRIs affect the quality of less productive, typically
collect promptly, there is a goods and service higher absenteeism and
significant risk to the sales causing decrease in turnover rates, and
process customer satisfaction, provide lower customer
increasing warranty service.
claims and returns
ADD YOUR TITLE HERE

-SALES GROWTH -NUMBER OF CALLS

-SALES BY PRODUCT RECEIVED
OR SERVICE -INVENTORY -NUMBER OF *internal auditors should
KPI -PROFIT MARGIN TURNOVER CUSTOMERS be familiar with their
includes: -SALES BY -NUMBER OF ORDERS industry’s KPI.
CUSTOMER
PART 04
CCM AND CCA
ADD YOUR TITLE HERE
HISTORY

For many years, internal auditors depdended on

single-transaction testing to determine if controls
were operating as intended. The idea was to apply
audit procedures such as observation and
document inspection to individual transactions.
This practice resulted in tedious and time-
consuming approach to auditing that resulted in
testing samples of populations. By leveraging the
power of KRIs, internal auditor can use data to get
a more objective understanding of risk dynamics
and identify changes in the risk profile within the
organization for more timely intervention and
review.
ADD YOUR TITLE HERE
IMPORTANT
The Standards require internal auditors to remain
independent and objective in performing their work
(Standard 1100). Due to this requirement, internal
auditors must not perform control activities, which
means that while engaging in Continuous Conrol
Auditing (CCA), caution is required to refrain from
engaging in day-to day management activities within
processs that may constitute performance and
control. This can be a thin gray line and the role of
the audito should be explained to management so
they understand the different roles involved. When
designing the continous auditing and monitoring
procedures, auditors and management msut think
through what the metrics are, and what thresholds
would trigger the auditors’desire to gain better
understanding of operational issues.
End of Module 9