Technology and the audit - PricewaterhouseCoopers
Technology and the audit - PricewaterhouseCoopers
Technology and the audit - PricewaterhouseCoopers
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Technology</strong><br />
<strong>and</strong> <strong>the</strong> <strong>audit</strong><br />
Back to <strong>the</strong> Future
<strong>Technology</strong> <strong>and</strong> <strong>the</strong> <strong>audit</strong>,<br />
Back to <strong>the</strong> future<br />
<strong>Technology</strong> underpins most core business processes <strong>and</strong> this gives<br />
rise to questions about <strong>the</strong> use of technology by internal <strong>audit</strong> functions.<br />
While electronic working papers are typical, <strong>the</strong> <strong>audit</strong> process itself has<br />
lagged business in automation which can in itself raise questions about<br />
internal <strong>audit</strong> strategy particularly in technology intensive businesses.<br />
As a result, many chief <strong>audit</strong> executives are challenging <strong>the</strong> status<br />
quo by turning to technology for help.<br />
Tools that extract <strong>and</strong> analyse data from business systems will answer<br />
<strong>audit</strong> questions faster, more accurately <strong>and</strong> more frequently than can be<br />
done through a traditional interview <strong>and</strong> sampling approach. Their use also<br />
provides a mechanism for improving business insights <strong>and</strong> developing<br />
recommendations for ways to streng<strong>the</strong>n governance, risk management<br />
<strong>and</strong> compliance.<br />
Moreover, given internal <strong>audit</strong>’s important role in embedding sound<br />
governance, risk <strong>and</strong> control practices within <strong>the</strong> business, <strong>the</strong>re is a<br />
clear case for chief <strong>audit</strong> executives to be <strong>the</strong> change agent in bringing<br />
about more continuous monitoring of controls by management.<br />
We offer <strong>the</strong> following 3-step guide for chief <strong>audit</strong> executives who are<br />
considering increasing <strong>the</strong>ir use of technology to deliver <strong>the</strong> <strong>audit</strong>:
1. Set <strong>the</strong> strategy<br />
A technology strategy should contemplate:<br />
• <strong>the</strong> level of maturity <strong>and</strong> engagement of <strong>the</strong> business controls:<br />
–<br />
–<br />
if business controls monitoring is not technology-based, internal<br />
<strong>audit</strong> can focus on areas where technology could provide deeper<br />
<strong>and</strong> more analytical information<br />
if <strong>the</strong> business controls are sophisticated, internal <strong>audit</strong> may be better<br />
focused on <strong>the</strong> framework’s effectiveness.<br />
• opportunities to replace more traditional <strong>audit</strong> techniques with technology<br />
that can test entire populations against specific risks. The new tools that are<br />
emerging are significantly changing our ability not only to execute an <strong>audit</strong><br />
efficiently <strong>and</strong> systematically, but also to enhance <strong>audit</strong> quality <strong>and</strong> value<br />
while demonstrating <strong>the</strong> merits of a more analytical monitoring strategy.<br />
2. Assess <strong>the</strong> skills/capability gap<br />
Where an organisation is considering business-led technology to monitor controls<br />
continuously, internal <strong>audit</strong> will need <strong>the</strong> appropriate business, risk, data <strong>and</strong> IT skills<br />
to evaluate <strong>and</strong> challenge <strong>the</strong> implementation. Such skills will also enable internal <strong>audit</strong><br />
to provide a higher level of assurance over <strong>the</strong> business monitoring process. Without<br />
<strong>the</strong>se skills – ei<strong>the</strong>r within <strong>the</strong> <strong>audit</strong> function or sourced externally – <strong>the</strong>re is a risk that<br />
internal <strong>audit</strong> will lose pace with one of <strong>the</strong> key organisational monitoring mechanisms.<br />
Where an organisation has not yet focused on <strong>the</strong> benefits of continuous monitoring<br />
by <strong>the</strong> business, internal <strong>audit</strong> is likely to require access to <strong>and</strong> deep knowledge of<br />
tools as well as <strong>the</strong> skills referred to above. In this situation internal <strong>audit</strong> will also have<br />
a leadership role in demonstrating <strong>the</strong> value to <strong>the</strong> business of investing in greater use<br />
of technology <strong>and</strong> analysis with regard to <strong>the</strong> control framework.<br />
3. Take action: Quick wins<br />
At this stage you might want to achieve some quick wins <strong>and</strong> consider how to pilot<br />
your approach. This should be addressed in <strong>the</strong> context of <strong>the</strong> organisation’s risks<br />
<strong>and</strong> internal <strong>audit</strong> plan. For example:<br />
• Are <strong>the</strong>re risks that could be quickly <strong>and</strong> efficiently monitored using<br />
techniques such as business monitoring daily reports, exception reports<br />
<strong>and</strong> dashboards?<br />
• Can in-built internal <strong>audit</strong> modules, such as control validation, be used?<br />
• Is <strong>the</strong> organisation ready for more sophisticated risk-monitoring systems,<br />
such as continuous monitoring of fraud risk or environmental risk?<br />
• Do you have a business unit or area in mind which could be <strong>the</strong> best place<br />
to pilot your new approach?<br />
Summary<br />
<strong>Technology</strong> will be part of <strong>the</strong> future of internal <strong>audit</strong>. To maintain its edge,<br />
internal <strong>audit</strong> needs to include in its strategy a technology stream. The goal is<br />
to deliver greater efficiency, depth <strong>and</strong> breadth of coverage for <strong>the</strong> <strong>audit</strong>, while<br />
also providing an increased level of comfort <strong>and</strong> insights to <strong>the</strong> business.<br />
<strong>PricewaterhouseCoopers</strong> |
Case study 1<br />
The internal <strong>audit</strong> team of a listed company with extensive international<br />
operations faced several challenges, including disparate IT systems,<br />
operational, cultural <strong>and</strong> language differences across multiple<br />
geographies, <strong>and</strong> extensive travel costs for local site visits.<br />
The team has used technology to address <strong>the</strong>se challenges in<br />
a number of ways:<br />
• Audit coverage – Ra<strong>the</strong>r than <strong>the</strong> team reviewing a sample of<br />
transactions in some countries, a central data analysis team<br />
in Australia extracts data from all countries of operation <strong>and</strong><br />
analyses it remotely before a site visit<br />
• Planning – The same central team analyses data across all<br />
locations to identify anomalies to be investigated or indicators<br />
for placing a particular location in scope. This means that <strong>the</strong><br />
<strong>audit</strong> team can focus on identified problem areas, reducing<br />
time <strong>and</strong> cost<br />
• Consistency – Acquisitions <strong>and</strong> rapid growth in Asia had<br />
resulted in disparate systems <strong>and</strong> processes. Interrogation<br />
of underlying data consistently provided <strong>the</strong> same level of<br />
information regardless of <strong>the</strong> source system. The ability to<br />
undertake data analytics on <strong>the</strong> collected information also<br />
facilitated benchmarking <strong>and</strong> site comparisons.<br />
How did internal <strong>audit</strong> benefit?<br />
The technology used <strong>and</strong> <strong>the</strong> flexibility of this approach gave <strong>the</strong> team<br />
insights into <strong>the</strong> underlying transactional <strong>and</strong> master data that <strong>the</strong>y<br />
would not have obtained from sample testing. They were able to<br />
quantify control weaknesses across <strong>the</strong> entire population ra<strong>the</strong>r than<br />
on a sample basis. Transactions <strong>and</strong> entities of interest were easily<br />
identified <strong>and</strong> trends across sites were captured <strong>and</strong> reported.<br />
How did <strong>the</strong> organisation benefit?<br />
The organisation achieved a cost-effective <strong>and</strong> consistent approach to<br />
its internal <strong>audit</strong> across high-risk areas, regardless of <strong>the</strong> wide range of<br />
locations, financial applications <strong>and</strong> languages involved.<br />
The use of technology complemented <strong>the</strong> existing schedule of<br />
controls testing, <strong>and</strong> enhanced findings to give management<br />
additional data on which to base decisions.<br />
| <strong>Technology</strong> <strong>and</strong> <strong>the</strong> <strong>audit</strong> – Back to <strong>the</strong> future
Case study 2<br />
A national Australian consumer goods retailer’s process for detecting<br />
potential fraud was lengthy <strong>and</strong>, while using some technology, still<br />
manually intensive. The process was run by internal <strong>audit</strong> <strong>and</strong> involved<br />
extracting data from <strong>the</strong> financial <strong>and</strong> payroll systems, manually<br />
linking <strong>the</strong> data between each system, <strong>and</strong> running tests on a<br />
desktop computer – often requiring several days work per test.<br />
Internal <strong>audit</strong> was looking to streamline this process, improve <strong>the</strong><br />
detection of fraud <strong>and</strong> reduce <strong>the</strong> risk of errors resulting from manual<br />
testing. With a limited budget, <strong>the</strong>y were able to address this by:<br />
• identifying, in a workshop, <strong>the</strong> 10 tests that would bring<br />
<strong>the</strong> most value (ie those that addressed current<br />
control-related issues)<br />
• developing a user-friendly interface <strong>and</strong> integrating<br />
<strong>the</strong> tests into <strong>the</strong> financial <strong>and</strong> payroll systems.<br />
Once integrated, <strong>the</strong> tests could be executed:<br />
• in under three hours<br />
• on a periodic basis<br />
• without <strong>the</strong> need for specialised software.<br />
How did internal <strong>audit</strong> benefit?<br />
Internal <strong>audit</strong> has gained efficiencies (less time is required to run each<br />
test). In addition, because of <strong>the</strong> reduced timeframe, <strong>the</strong>re is increased<br />
flexibility <strong>and</strong> tests can be carried out periodically if <strong>the</strong>re is a concern.<br />
Also, less technology savvy people can run <strong>the</strong> tests, freeing up <strong>the</strong><br />
more specialist skills for o<strong>the</strong>r work or to focus on any changes to <strong>the</strong><br />
tests, should <strong>the</strong>y be needed.<br />
How did <strong>the</strong> organisation benefit?<br />
The organisation has achieved cost reductions, as <strong>the</strong> tests do not<br />
need to be re-performed each year as part of <strong>the</strong> <strong>audit</strong>. In addition,<br />
with automation meaning less manual intervention in each test, <strong>the</strong><br />
level of risk has been reduced.<br />
<strong>PricewaterhouseCoopers</strong> |
Key messages for chief <strong>audit</strong> executives<br />
• <strong>Technology</strong> should be an integral part of <strong>the</strong> strategy of all leading<br />
internal <strong>audit</strong> functions. The tools are now so flexible <strong>and</strong> easy to use<br />
that <strong>the</strong> initial investment is low for a potentially high payback. But,<br />
more importantly, leading functions need to know when, where <strong>and</strong><br />
how to apply technology-based techniques – or risk losing credibility.<br />
• At a time when value is being questioned everywhere, <strong>the</strong> core<br />
analytical skills of internal <strong>audit</strong> teams can be applied to produce<br />
indicators <strong>and</strong> reports that will increase quality <strong>and</strong> efficiency, while<br />
delivering great value to <strong>the</strong> business.<br />
• Ownership of continuous monitoring activities should be with <strong>the</strong><br />
business, but internal <strong>audit</strong> has a critical role in design <strong>and</strong> transition.<br />
This will take place over different timeframes depending on business<br />
readiness. Following transition, internal <strong>audit</strong> will have a critical<br />
monitoring <strong>and</strong> assurance role. Consequently, <strong>the</strong> strategy needs<br />
strong business sponsorship.<br />
• There is a range of tools that support continuous <strong>audit</strong>ing, <strong>and</strong> <strong>the</strong>se<br />
will continue to evolve. The key to taking advantage of this is to<br />
identify those areas where technology will enhance quality, value <strong>and</strong><br />
effectiveness, <strong>the</strong>n to work out <strong>the</strong> best strategy for delivery in <strong>the</strong><br />
short <strong>and</strong> longer term, allowing for fur<strong>the</strong>r technology innovation.<br />
What is continuous <strong>audit</strong>ing?<br />
• Continuous <strong>audit</strong>ing is a phrase coined by major software providers to<br />
describe a technology-based solution that continuously monitors <strong>and</strong><br />
‘<strong>audit</strong>s’ <strong>the</strong> business for risk or control exceptions.<br />
• While this sounds very attractive, <strong>the</strong> term has caused great confusion,<br />
because of <strong>the</strong> use of <strong>the</strong> term ‘<strong>audit</strong>ing’, particularly in terms of <strong>the</strong> role<br />
of internal <strong>audit</strong>.<br />
• It has also created <strong>the</strong> image of a dashboard providing real-time feedback,<br />
allowing management to act on exceptions immediately <strong>and</strong> reducing <strong>the</strong><br />
risk of surprises. The reality is that <strong>the</strong> risks <strong>and</strong> controls to be monitored<br />
need to be determined first, <strong>and</strong> parameters set for tolerances. This can<br />
be a significant task, <strong>and</strong> often raises questions about cost <strong>and</strong> benefit.<br />
• While <strong>the</strong> terms ‘continuous <strong>audit</strong>ing’ <strong>and</strong> ‘continuous monitoring’ are<br />
relatively new, many businesses are using <strong>the</strong>se techniques. For example,<br />
a call from a credit card provider to ask whe<strong>the</strong>r a purchase is valid is<br />
continuous monitoring in action. Many exception reports for high risk or<br />
anomalous transactions that are outside accepted parameters are a type<br />
of continuous, or at least frequent, monitoring.<br />
• So while <strong>the</strong>re are certainly some new terms, <strong>the</strong> questions still need to be<br />
answered about where <strong>the</strong> need (risk) is <strong>and</strong> whe<strong>the</strong>r <strong>the</strong> cost is justified.<br />
Internal <strong>audit</strong> can take a leading role in this process.<br />
| The role of Internal Audit in difficult times
Where do you want to be?<br />
Business dashboard<br />
reviewed by IA<br />
Internal <strong>audit</strong> dashboard<br />
across <strong>the</strong> business<br />
Regular monitoring across a<br />
range of controls/parameters<br />
(eg case study 2)<br />
Data analysis to support<br />
planning <strong>and</strong> targeting<br />
transactions (eg case study 1)<br />
Ad hoc use of CAATs<br />
Electronic workpapers etc<br />
<strong>PricewaterhouseCoopers</strong> |
pwc.com/au/internal<strong>audit</strong><br />
Contacts<br />
Robin Low<br />
Partner, Internal Audit Leader,<br />
Sydney<br />
Tel: (02) 8266 2977<br />
E: robin.low@au.pwc.com<br />
Cass<strong>and</strong>ra Michie<br />
Partner, Risk <strong>and</strong> Controls Solutions,<br />
Sydney<br />
Tel: (02) 8266 2774<br />
E: cass<strong>and</strong>ra.michie@au.pwc.com<br />
Steve Ingram<br />
Partner, Risk <strong>and</strong> Controls Solutions,<br />
Melbourne<br />
Tel: (03) 8603 3676<br />
E: steve.ingram@au.pwc.com<br />
Trudy Delmenico-Gray<br />
Partner, Internal Audit,<br />
Sydney<br />
Tel: (02) 8266 5628<br />
E: trudy.delmenico-gray@au.pwc.com<br />
Kim Cheater<br />
Partner, Internal Audit,<br />
Adelaide<br />
Tel: (08) 8218 7407<br />
E: kim.cheater@au.pwc.com<br />
Justin Eve<br />
Partner, Internal Audit,<br />
Perth<br />
Tel: (08) 9238 3554<br />
E: justin.eve@au.pwc.com<br />
Chris Johnson<br />
Partner, Internal Audit,<br />
Brisbane<br />
Tel: (07) 3257 8570<br />
E: chris.johnson@au.pwc.com<br />
Mark Ridley<br />
Partner, Internal Audit,<br />
Canberra<br />
Tel: (02) 6271 9215<br />
E: mark.ridley@au.pwc.com<br />
Patrick Farrell<br />
Partner, Internal Audit,<br />
Melbourne<br />
Tel: (03) 8603 3250<br />
E: patrick.farrell@au.pwc.com<br />
© 2009 <strong>PricewaterhouseCoopers</strong>. All rights reserved. “<strong>PricewaterhouseCoopers</strong>” refers to <strong>PricewaterhouseCoopers</strong>,<br />
a partnership formed in Australia or, as <strong>the</strong> context requires, <strong>the</strong> <strong>PricewaterhouseCoopers</strong> global network or o<strong>the</strong>r<br />
member firms of <strong>the</strong> network, each of which is a separate <strong>and</strong> independent legal entity.<br />
| The role of Internal Audit in difficult times<br />
This document is printed on Heaven 42, which is an environmentally responsible 100% recycled<br />
paper made from 100% post–consumer waste that is FSC CoC certified <strong>and</strong> bleached chlorine<br />
free (PCF). The mill operates under <strong>the</strong> ISO 14001 Environmental Management System which<br />
guarantees continuous improvement <strong>and</strong> is PEFC certified for traceability.