How to Tackle a Continuous Assurance Implementation?

I learned early on that several factors are the key to success for Continuous Assurance (CA) initiatives. Two such factors are close consultation with the business and a data repository owned by Internal Audit (IA). There is one more, but I'll cover it in a different article.


At the beginning of each implementation, IA brainstorms internally and decides on the processes most suitable for CA. Things under consideration here include:

  • The levels of risk within operations.
  • The viewpoints of the C-suite.
  • The ease of access.

The last point depends, among other things, on which system(s) support a process and on the mechanism(s) available for accessing the information they hold.


The ideal candidate for CA would be a process with very high risk and an easy way to access the information supporting it. Usually, there will be some trade-off between risk, access, and other factors. This stage usually results in 3-5 processes suitable for CA. I would caution against starting with more than one process. If there is no CA in the organisation yet, many business and technical challenges will need to be addressed, including acceptance by the business and working out a way to access the systems. Running several processes simultaneously will therefore take a lot of work. Once a certain level of CA maturity is reached, it becomes possible to bring other processes under the CA umbrella in parallel.


Once the "first cab off the rank" is known, it's time to talk to the management of the relevant department. So, if we're looking at, let's say, Procurement, it's best to speak to the CFO, Chief Procurement Officer, or someone at that level responsible for Procurement. We need to tell them what is planned for CA and the process, get their opinion on the risks, and get suggestions for some CA tests. These tests can go into CA alongside the tests identified by IA. We must remember that the 1st line of defence has an intuitive knowledge of the risks in their area, which IA doesn't. So, consulting the 1st line is a must for a successful CA initiative.


The other important consideration is the environment in which CA runs. Since "different roads still lead to Rome", CA implementation approaches can be quite different. My favourite, which I have used in all of my CA implementations, is to have a data repository owned by IA. The organisational IT infrastructure team can still manage it, but IA is its owner. The second component is a suitable reporting mechanism. A good option is Oracle BI because it includes both the data repository (database) and reports. Another option, which we used on a CA project, was Oracle DB with SAP Business Objects. There are many possible combinations, but the main points remain the same: a data repository owned by IA and a suitable reporting mechanism.


A BI-based reporting mechanism allows the 1st line of defence to be given access to the tests under a separate user account, while the 3rd line of defence can run the same tests independently. Thus, the 1st line can run the tests daily/weekly/monthly/etc., while IA can run them quarterly/half-yearly/etc. The intervals will depend on the specific process, risk appetite, etc. For example, CA over Payroll may require fortnightly or monthly runs, while a quarterly billing process in a utility company will require a quarterly run.


In future articles about CA, I will go into more detail about the points mentioned above.

More articles by Dr Mario Bojilov - MEngsSc, CISA, F Fin, PhD