AUDIT ANALYTICS AUDIT
x8YaD9
x8YaD9
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
CASE STUDY B: IMPLEMENTING CONTINUOUS <strong>AUDIT</strong>ING AND CONTINUOUSMONITORING<br />
cannot be universally applied because business units have unique<br />
business rules. Exceptions are managed using the CaseWare Monitor<br />
software. The software supports notifications of exceptions, the person<br />
responsible, actions taken, the required time frame and when it has been<br />
resolved. Movement and pending reports have been developed out of<br />
CaseWare Monitor to better analyse the queues. By having greater<br />
visibility over the resolution process, the internal audit group is able to<br />
focus its attention on higher level oversight.<br />
DEFINITIONS AND APPLICATIONS OF CA/CM<br />
IN METCASH<br />
There is a range of definitions used for CA/CM (Hardy 2014). While<br />
some distinctions are based on roles, this was not a significant issue in the<br />
early stages of development in Metcash. The internal audit group led the<br />
development of the CM system. Responsibility for the CM system was<br />
handed over to the business owners after it was fully functioning. At this<br />
stage, the internal audit department played more of an oversight role,<br />
examining trends and reviewing whether business owners were using the<br />
system as intended. This approach supports the view that neither CA or<br />
CM needs "to be present for the other to be implemented" (KPMG 2012b,<br />
3), but by combining them there is a more efficient use of technical and<br />
human resources through coordinated efforts (KPMG 2012b, 3). However,<br />
similar to Vasarhelyi et al. (2012, 275), findings, the monitoring systems<br />
shared between audit and management at the full continuous audit stage<br />
were not being fully used by management. Internal audit was generating<br />
exception reports and monitoring results that were being passed on to<br />
management. There was a degree of uncertainty as to when and how<br />
these exceptions were being acted on. Metcash developed a complete<br />
exception management system to monitor and determine how exceptions<br />
are being actioned by management using the CaseWare Monitor<br />
workflow application. The architecture is discussed in the following.<br />
Definitions of CM that emphasise how weaknesses in control<br />
designs or operations can be identified may also cause some level<br />
of confusion. It is challenging to monitor controls directly. For<br />
example, a review of segregation of duties (SOD) violations may<br />
reveal conflicts, but it does not address mistakes or possible fraud<br />
of authorised users. The continuous review of master data and<br />
transaction exceptions allows inferences to be drawn regarding the<br />
effectiveness of the controls and where gaps may exist. For<br />
example, Metcash policy requires staff to declare related party<br />
interests. In order to confirm that this policy is effective, a CMR<br />
compares changes to the vendor master file to the employee<br />
master file on a daily basis. Matches between the master files on<br />
161