Sunday, September 20, 2009

Another CFO Article on Continuous Auditing - Correct about Vocabulary. Incorrect about no one doing it well.

We appreciate CFO Magazine writing about Continuous Auditing (CA) again. This month's piece is better than previous efforts in that it focuses much more on the process changes needed for CA and less on the technology used to accomplish it, a distinction we have blogged about previously. CFO Magazine interviewed several industry and academic leaders for this article; alas, they haven't reached out to Visual Risk IQ, at least not yet. So in today's blog we'll summarize some of our observations and experiences with CA and contrast them with the CFO article. The centerpiece of our thinking on CA is our proprietary maturity model, which we use to chart company-specific actions that help organizations advance on this journey. We'll also suggest one or two other organizations that CFO Magazine might talk to so that a clearer picture of CA can develop. In any case, we certainly echo the author's point that a common, practical definition of CA is not yet accepted in the industry.

For this article, the author interviewed HCA, Microsoft, and AEP, and profiled how each organization uses CA. We feel especially qualified to comment on the article because Kim Jones and I have worked almost exclusively on CA since our days at PwC in 2006, where he was a key team member on the Microsoft project cited in the article. We also count both HCA and AEP among our circle of friends from the speaking and writing that we each do in the Internal Audit community.

My counsel to the author would be to separate Continuous (really Continual) Risk Assessment from Continuous Controls Assessment. One reason there are such varying definitions of CA is that a diverse set of objectives can be accomplished with CA, and especially with Continuous Controls Monitoring for Transactions (CCM-T). Organizations that set out to allocate their audit resources based on information more current than an annual risk assessment are likely to begin their CA efforts with Continuous Risk Assessment. Companies publicly profiled in articles and cases that match this description, such as McDonald's and Wells Fargo, usually have a very large number of audit entities (i.e., stores or branches), which makes it difficult to visit each entity in a three- or five-year audit cycle. We have helped several organizations become more like McDonald's and Wells Fargo by using data to perform more frequent, data-driven risk assessments that allocate their audit resources. Most often, the data used for this activity is aggregate financial or operational information such as financial performance vs. budget, performance ratios, or employee turnover. While the quotes from Jay Hoffman at AEP suggest that his team is doing Continuous Risk Assessment, the controls being tested per the article seem more specific to Continuous Controls Assessment, which uses data-driven techniques to provide greater depth and frequency of audit coverage.

Continuous Controls Assessment is the technique profiled in the article at HCA, AEP, and Microsoft. Instead of auditing overtime or journal entries only once every two or three years, many organizations use repeating data analysis scripts to assess the effectiveness of a control at multiple intervals during the year. These techniques can alert management to emerging fraud or compliance issues, and they also help in following up on previous audit findings.

At Visual Risk IQ, we assert that "real continuous auditing" means more fully integrating Continuous Controls Assessment with Continuous Risk Assessment, so that audit project selection is driven by the results of frequent, data-driven control assessment. Example: "What should be next on the audit plan? Let's go to the regional office that hit its sales budget (to the penny!) but hasn't updated its allowance for doubtful accounts since the new accounting manager was hired six months ago."
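To make the integration concrete, here is a small Python routine added to this post as an illustration; it is not code from the CFO article, from Visual Risk IQ's maturity model, or from any company named above. It runs two repeating control tests (the "hit budget to the penny" and "stale allowance for doubtful accounts" checks from the example) over a set of regional offices and then ranks the offices for the audit plan by the results. The office names, figures, dates, test weights and the six-month threshold are all constructed assumptions for the example.

```python
"""Control assessment feeding risk assessment: run repeating control tests
over each audit entity, then rank entities for the audit plan by the results.
Added example; not Visual Risk IQ's model or any profiled company's code."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OfficeSnapshot:
    """One reporting period's figures for a regional office (constructed data)."""
    office: str
    sales_actual: float           # reported sales for the period
    sales_budget: float           # budgeted sales for the period
    allowance_last_updated: date  # last change to allowance for doubtful accounts
    manager_start: date           # start date of the current accounting manager


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def sales_equals_budget_exactly(s: OfficeSnapshot, as_of: date) -> bool:
    """Control test: actual equals budget to the cent. Genuine results almost
    never land within a penny of plan, so an exact match is flagged as an
    anomaly rather than treated as a pass."""
    return round(s.sales_actual - s.sales_budget, 2) == 0.0


def allowance_stale_since_new_manager(s: OfficeSnapshot, as_of: date,
                                      max_months: int = 6) -> bool:
    """Control test: the allowance for doubtful accounts has not been revisited
    since the current manager started, and that start was >= max_months ago.
    The six-month threshold is an assumed policy value."""
    return (s.allowance_last_updated <= s.manager_start
            and months_between(s.manager_start, as_of) >= max_months)


# Each repeating control test carries an assumed weight for the risk score.
CONTROL_TESTS = [
    ("sales_equals_budget_exactly", sales_equals_budget_exactly, 3),
    ("allowance_not_updated_since_new_manager", allowance_stale_since_new_manager, 2),
]


def assess_controls(s: OfficeSnapshot, as_of: date) -> list[str]:
    """Continuous controls assessment: names of the tests that flagged this entity."""
    return [name for name, test, _ in CONTROL_TESTS if test(s, as_of)]


def risk_score(flags: list[str]) -> int:
    """Turn flagged control tests into a single risk score for the entity."""
    weights = {name: weight for name, _, weight in CONTROL_TESTS}
    return sum(weights[flag] for flag in flags)


def rank_for_audit_plan(snapshots: list[OfficeSnapshot], as_of: date):
    """Continuous risk assessment driven by control results: (office, score, flags)
    tuples, highest score first, ties broken by office name."""
    rows = [(s.office, risk_score(assess_controls(s, as_of)), assess_controls(s, as_of))
            for s in snapshots]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed sample data for four hypothetical regional offices.
SAMPLE = [
    OfficeSnapshot("Charlotte", 1_250_000.00, 1_250_000.00, date(2009, 2, 15), date(2009, 3, 1)),
    OfficeSnapshot("Peoria",      980_412.37, 1_000_000.00, date(2009, 8, 31), date(2007, 6, 1)),
    OfficeSnapshot("Dallas",    1_100_000.00, 1_100_000.00, date(2009, 7, 10), date(2008, 1, 15)),
    OfficeSnapshot("Denver",      710_000.50,   700_000.00, date(2008, 12, 1), date(2009, 1, 5)),
]
AS_OF = date(2009, 9, 20)

if __name__ == "__main__":
    for office, score, flags in rank_for_audit_plan(SAMPLE, AS_OF):
        print(f"{office:<10} score={score} flags={flags}")
```

Run against the constructed sample, Charlotte tops the list (both tests flag), Dallas is next (exact budget match only), Denver follows (stale allowance only), and Peoria scores zero. The design point is that the control tests are the same scripts an auditor would rerun every month; what makes this "real continuous auditing" in the sense above is that their output, not a once-a-year questionnaire, decides which office gets the next audit project.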

I can think of two or three organizations doing real continuous auditing by this definition. Both Arrowpoint Capital in Charlotte and RLI Corporation in Peoria have presented at national and regional IIA / MISTI conferences about their CA programs, which originated with repeating the data analysis routines used for control assessment. While neither is a household name like Microsoft or HCA, each has been doing CA for more than five years, and both are quite mature in their use of data for control assessment and risk assessment alike.

In closing, the article does a good job of distinguishing CA from CM (continuous monitoring), with CM being the activity performed by management rather than by internal audit. The evolution of CA into CM is a particular mark of growing CA maturity. Our work with CM, and especially CCM-T, has allowed us to help management use technology to test the right controls at the right time, with spectacularly effective results in business performance and internal controls. CA is often the first step on that journey.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

3 comments:

toomuchcountry said...

Good observation re: continuous v. continual. I mentioned that difference to the reporter, and I've been mentioning it in presentations the last 3-4 yrs. Continuous - without interruption. Continual - steady on-going but some degree of interruption.

Ozzy Nelson said...

just wanted you to know that someone other than chase and your mother read this. Nicely done.

Unknown said...

I read it too.

Interesting point, migrating CCM into CA. I never thought of it like that.

Always of the opinion that with CCM the exception results result in process change at the enterprise level, but not directly connecting the two.