Wednesday, June 23, 2010

Reflections on IIA International - Input for Continuous Auditing Global Technology Audit Guide (GTAG)

At IIA International conference this month, three of the more interesting presentations were by Dan Kneer, Steve Biskie (ACL Services) and Robert Mainardi. Each presenter spoke on some combination of Continuous Auditing and Continuous Monitoring, but if you attended all three session, you could easily come away a bit confused. While some or even many of the same words were used in the same sessions, each presenter's perspective on Continuous Auditing was quite different.

Steve Biskie is Best Practices Program Director for ACL Services, who writes market-leading data analysis software for internal auditors. ACL software like its peers from IDEA and SAS, among others, is an excellent tool for exception queries and structured data. At Visual Risk IQ, we use IDEA and ACL to analyze millions of records and isolate dozens of exceptions to be investigated by internal auditors. Results are often high-value, and can be made repeatable (i.e. Continual or Continuous Auditing) by automating data extraction and combining with workflow. Caseware Monitor (formerly known as SymSure for IDEA) and ACL's AX/2 are examples of emerging tools for continuous auditing.

Dr. Dan Kneer has retired from Academia and runs a firm called Dan Kneer Advisors. The Holy Grail of auditing according to Dr. Dan is regression analysis, and he advocates using the tool "already on every auditor laptop" (i.e. Microsoft Excel). Dr. Dan focuses on trending queries (e.g. the relationship between sales and costs of sales, or between sales and commissions) to identify outliers to be investigated in greater detail. Trending queries like regression analysis are highly useful, but we would advocate their use together with exception queries. And since IDEA and ACL each have regression analysis features, we would advocate using those tools instead of Excel due to improved audit trails and logging, as well as ability to work with datasets larger than 1 million rows. Dr. Dan's emphasis on analytical procedures have merit, and should be a component of a Continuous Auditing program.

Robert Mainardi's classes on continuous auditing receive high evaluations, in part because he keeps it simple. Strengths include visual reporting of risks and controls (color-coded heatmaps in MS-Office) and consistently reporting the results of audit procedures. A downside, per SAP's Norman Marks, is that "Mainardi designs continuous audit programs for clients that has limited use of technology. Missing the boat" We respectfully disagree with Mr. Marks. Instead of focusing on what's missing, let's focus on what's there. We see Mainardi's glass as at least half full, and would recommend that trending queries and exception queries be combined as part of the continuing auditing that Mainardi recommends.

A continuous auditing program that includes one of the above techniques would add value for most any organization. A program that includes each of these techniques should be considered world-class.