Technology and the audit - PricewaterhouseCoopers

Technology
and the audit
Back to the Future

Technology and the audit,
Back to the future
Technology underpins most core business processes and this gives
rise to questions about the use of technology by internal audit functions.
While electronic working papers are typical, the audit process itself has
lagged business in automation which can in itself raise questions about
internal audit strategy particularly in technology intensive businesses.
As a result, many chief audit executives are challenging the status
quo by turning to technology for help.
Tools that extract and analyse data from business systems will answer
audit questions faster, more accurately and more frequently than can be
done through a traditional interview and sampling approach. Their use also
provides a mechanism for improving business insights and developing
recommendations for ways to strengthen governance, risk management
and compliance.
Moreover, given internal audit’s important role in embedding sound
governance, risk and control practices within the business, there is a
clear case for chief audit executives to be the change agent in bringing
about more continuous monitoring of controls by management.
We offer the following 3-step guide for chief audit executives who are
considering increasing their use of technology to deliver the audit:

1. Set the strategy
A technology strategy should contemplate:
• the level of maturity and engagement of the business controls:
–
–
if business controls monitoring is not technology-based, internal
audit can focus on areas where technology could provide deeper
and more analytical information
if the business controls are sophisticated, internal audit may be better
focused on the framework’s effectiveness.
• opportunities to replace more traditional audit techniques with technology
that can test entire populations against specific risks. The new tools that are
emerging are significantly changing our ability not only to execute an audit
efficiently and systematically, but also to enhance audit quality and value
while demonstrating the merits of a more analytical monitoring strategy.
2. Assess the skills/capability gap
Where an organisation is considering business-led technology to monitor controls
continuously, internal audit will need the appropriate business, risk, data and IT skills
to evaluate and challenge the implementation. Such skills will also enable internal audit
to provide a higher level of assurance over the business monitoring process. Without
these skills – either within the audit function or sourced externally – there is a risk that
internal audit will lose pace with one of the key organisational monitoring mechanisms.
Where an organisation has not yet focused on the benefits of continuous monitoring
by the business, internal audit is likely to require access to and deep knowledge of
tools as well as the skills referred to above. In this situation internal audit will also have
a leadership role in demonstrating the value to the business of investing in greater use
of technology and analysis with regard to the control framework.
3. Take action: Quick wins
At this stage you might want to achieve some quick wins and consider how to pilot
your approach. This should be addressed in the context of the organisation’s risks
and internal audit plan. For example:
• Are there risks that could be quickly and efficiently monitored using
techniques such as business monitoring daily reports, exception reports
and dashboards?
• Can in-built internal audit modules, such as control validation, be used?
• Is the organisation ready for more sophisticated risk-monitoring systems,
such as continuous monitoring of fraud risk or environmental risk?
• Do you have a business unit or area in mind which could be the best place
to pilot your new approach?
Summary
Technology will be part of the future of internal audit. To maintain its edge,
internal audit needs to include in its strategy a technology stream. The goal is
to deliver greater efficiency, depth and breadth of coverage for the audit, while
also providing an increased level of comfort and insights to the business.
PricewaterhouseCoopers |

Case study 1
The internal audit team of a listed company with extensive international
operations faced several challenges, including disparate IT systems,
operational, cultural and language differences across multiple
geographies, and extensive travel costs for local site visits.
The team has used technology to address these challenges in
a number of ways:
• Audit coverage – Rather than the team reviewing a sample of
transactions in some countries, a central data analysis team
in Australia extracts data from all countries of operation and
analyses it remotely before a site visit
• Planning – The same central team analyses data across all
locations to identify anomalies to be investigated or indicators
for placing a particular location in scope. This means that the
audit team can focus on identified problem areas, reducing
time and cost
• Consistency – Acquisitions and rapid growth in Asia had
resulted in disparate systems and processes. Interrogation
of underlying data consistently provided the same level of
information regardless of the source system. The ability to
undertake data analytics on the collected information also
facilitated benchmarking and site comparisons.
How did internal audit benefit?
The technology used and the flexibility of this approach gave the team
insights into the underlying transactional and master data that they
would not have obtained from sample testing. They were able to
quantify control weaknesses across the entire population rather than
on a sample basis. Transactions and entities of interest were easily
identified and trends across sites were captured and reported.
How did the organisation benefit?
The organisation achieved a cost-effective and consistent approach to
its internal audit across high-risk areas, regardless of the wide range of
locations, financial applications and languages involved.
The use of technology complemented the existing schedule of
controls testing, and enhanced findings to give management
additional data on which to base decisions.
| Technology and the audit – Back to the future

Case study 2
A national Australian consumer goods retailer’s process for detecting
potential fraud was lengthy and, while using some technology, still
manually intensive. The process was run by internal audit and involved
extracting data from the financial and payroll systems, manually
linking the data between each system, and running tests on a
desktop computer – often requiring several days work per test.
Internal audit was looking to streamline this process, improve the
detection of fraud and reduce the risk of errors resulting from manual
testing. With a limited budget, they were able to address this by:
• identifying, in a workshop, the 10 tests that would bring
the most value (ie those that addressed current
control-related issues)
• developing a user-friendly interface and integrating
the tests into the financial and payroll systems.
Once integrated, the tests could be executed:
• in under three hours
• on a periodic basis
• without the need for specialised software.
How did internal audit benefit?
Internal audit has gained efficiencies (less time is required to run each
test). In addition, because of the reduced timeframe, there is increased
flexibility and tests can be carried out periodically if there is a concern.
Also, less technology savvy people can run the tests, freeing up the
more specialist skills for other work or to focus on any changes to the
tests, should they be needed.
How did the organisation benefit?
The organisation has achieved cost reductions, as the tests do not
need to be re-performed each year as part of the audit. In addition,
with automation meaning less manual intervention in each test, the
level of risk has been reduced.
PricewaterhouseCoopers |

Key messages for chief audit executives
• Technology should be an integral part of the strategy of all leading
internal audit functions. The tools are now so flexible and easy to use
that the initial investment is low for a potentially high payback. But,
more importantly, leading functions need to know when, where and
how to apply technology-based techniques – or risk losing credibility.
• At a time when value is being questioned everywhere, the core
analytical skills of internal audit teams can be applied to produce
indicators and reports that will increase quality and efficiency, while
delivering great value to the business.
• Ownership of continuous monitoring activities should be with the
business, but internal audit has a critical role in design and transition.
This will take place over different timeframes depending on business
readiness. Following transition, internal audit will have a critical
monitoring and assurance role. Consequently, the strategy needs
strong business sponsorship.
• There is a range of tools that support continuous auditing, and these
will continue to evolve. The key to taking advantage of this is to
identify those areas where technology will enhance quality, value and
effectiveness, then to work out the best strategy for delivery in the
short and longer term, allowing for further technology innovation.
What is continuous auditing?
• Continuous auditing is a phrase coined by major software providers to
describe a technology-based solution that continuously monitors and
‘audits’ the business for risk or control exceptions.
• While this sounds very attractive, the term has caused great confusion,
because of the use of the term ‘auditing’, particularly in terms of the role
of internal audit.
• It has also created the image of a dashboard providing real-time feedback,
allowing management to act on exceptions immediately and reducing the
risk of surprises. The reality is that the risks and controls to be monitored
need to be determined first, and parameters set for tolerances. This can
be a significant task, and often raises questions about cost and benefit.
• While the terms ‘continuous auditing’ and ‘continuous monitoring’ are
relatively new, many businesses are using these techniques. For example,
a call from a credit card provider to ask whether a purchase is valid is
continuous monitoring in action. Many exception reports for high risk or
anomalous transactions that are outside accepted parameters are a type
of continuous, or at least frequent, monitoring.
• So while there are certainly some new terms, the questions still need to be
answered about where the need (risk) is and whether the cost is justified.
Internal audit can take a leading role in this process.
| The role of Internal Audit in difficult times

Where do you want to be?
Business dashboard
reviewed by IA
Internal audit dashboard
across the business
Regular monitoring across a
range of controls/parameters
(eg case study 2)
Data analysis to support
planning and targeting
transactions (eg case study 1)
Ad hoc use of CAATs
Electronic workpapers etc
PricewaterhouseCoopers |

pwc.com/au/internalaudit
Contacts
Robin Low
Partner, Internal Audit Leader,
Sydney
Tel: (02) 8266 2977
E: robin.low@au.pwc.com
Cassandra Michie
Partner, Risk and Controls Solutions,
Sydney
Tel: (02) 8266 2774
E: cassandra.michie@au.pwc.com
Steve Ingram
Partner, Risk and Controls Solutions,
Melbourne
Tel: (03) 8603 3676
E: steve.ingram@au.pwc.com
Trudy Delmenico-Gray
Partner, Internal Audit,
Sydney
Tel: (02) 8266 5628
E: trudy.delmenico-gray@au.pwc.com
Kim Cheater
Partner, Internal Audit,
Adelaide
Tel: (08) 8218 7407
E: kim.cheater@au.pwc.com
Justin Eve
Partner, Internal Audit,
Perth
Tel: (08) 9238 3554
E: justin.eve@au.pwc.com
Chris Johnson
Partner, Internal Audit,
Brisbane
Tel: (07) 3257 8570
E: chris.johnson@au.pwc.com
Mark Ridley
Partner, Internal Audit,
Canberra
Tel: (02) 6271 9215
E: mark.ridley@au.pwc.com
Patrick Farrell
Partner, Internal Audit,
Melbourne
Tel: (03) 8603 3250
E: patrick.farrell@au.pwc.com
© 2009 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers,
a partnership formed in Australia or, as the context requires, the PricewaterhouseCoopers global network or other
member firms of the network, each of which is a separate and independent legal entity.
| The role of Internal Audit in difficult times
This document is printed on Heaven 42, which is an environmentally responsible 100% recycled
paper made from 100% post–consumer waste that is FSC CoC certified and bleached chlorine
free (PCF). The mill operates under the ISO 14001 Environmental Management System which
guarantees continuous improvement and is PEFC certified for traceability.