AUDIT ANALYTICS AUDIT
x8YaD9
x8YaD9
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
ESSAY 1: CONTINUOUS <strong>AUDIT</strong>ING—A NEW VIEW<br />
internal controls within a highly formalized and well-controlled<br />
enterprise resource planning environment. Utilizing the IT audit<br />
plan as a template, auditor expertise as a guide, and manual audit<br />
output as a validation tool, this field study examines the process of<br />
audit formalization and implementation of CCM at a software<br />
division of a large, multinational corporation. (Teeter, 2014)<br />
The results of the applied effort 5 indicated that 62 percent of the controls<br />
arguably could be formalized, creating the possibility of a control<br />
certification or assurance layer on top of the SAP instance. Conceptually,<br />
this layer could be a part of SAP or an add-on, could be generic in<br />
configuration or tailored to the instance, and could be re-thought as a<br />
way to increase audit coverage as the original audit plan was applied in<br />
an 18- to 24-month cycle, and under this design this layer would be<br />
executed every day. Furthermore, the audit plan contained many<br />
qualitative questions such as "Is there documentation for XYZ system?"<br />
Elder et al. (2013) narrate a continuous monitoring effort at a large South<br />
American bank in which internal audit monitored 18 different key<br />
performance indicators (KPIs) for over 1400 branches of a bank. Daily<br />
extracts of variances were obtained and, on a selective basis, followed up<br />
by emails to the regional managers for the branches. These KPIs looked<br />
to control overrides such as credit above allowable level or reversal of<br />
certain types of transactions.<br />
These examples illustrate (1) situations where auditors were in positions<br />
of control over operational controls, which could result in a conflict to the<br />
auditor’s objectivity or independence and (2) that technology has<br />
changed the needs, capabilities, and roles of the assurance function. As<br />
suggested earlier, a more flexible set of conceptualizations must evolve,<br />
concerning auditor independence in particular. These examples are<br />
focused on internal auditors, but a similar monitoring role could be<br />
developed for external auditors and an ongoing monitoring opinion<br />
could potentially be issued as a new CPA product.<br />
Figure 1-2 describes the vision developed for multi-instances of ERPs and<br />
an analytic engine supporting a set of functions. This view, however,<br />
could be immediately after the event based on the two experiences<br />
described above and would be an ex-post-facto overnight process, which<br />
we would describe as retroactive close to the event meta-control or<br />
assurance process.<br />
5 Private notes Teeter, R.A., Warren, J.D., Brennan, R., and Vasarhelyi, M.A. 2007.<br />
9