While industry is eager to move on from traditional auditing to Continuous Audit, is it prepared? Does 2016 hold the possibility?

It's 12:30 AM already, and while the whole world has progressed into a New Year, 2016, the audit really hasn't.


Tom, the seasoned auditor, asserted, "Well, that's how it's done, Steve". And Tom served a quick insight into the sampling methodology. "If you're testing 25 samples out of 1000000 transactions, then how on this earth do you think you're gonna find the 'one' you are supposed to find?!", cried Steve, knowing the 'one' is right in there but hasn't been found yet.

Steve demanded, "Tom, why can't you just test the entire population of transactions and help find the 'one' which shoots off the cliff?"

So what's wrong with the traditional one? Check this out from a study of 2000 fraud cases:
- 42% of all frauds are collusive
- 100% of financial frauds are collusive (doesn't this make the much-hyped 4-eye control obsolete and futile?!)

Let's top it up with some more findings:
- External auditors can detect 3% of frauds (ain't this just 3%!!!)
- Internal auditors can detect 14% of frauds (still, ain't this just 14%!!!)

This indicates that auditors, in today's complex business setup, are not able to do 'just enough' with traditional methods and tools. (Complex, as one single transaction moves across a few dozen systems, these systems are on different technology platforms and, guess what, there are many interfaces, which aggravate the concerns around data completeness and integrity.)

Oh come on, auditors, we all know no assurance/audit stands true in spirit or in letter. Fine-tuning the words only rescues one side from the liability, but the risk persists right there, upright and tall. Revamping and renaming traditional auditing methods won't earn a dime in today's complex scenario.

Today we have focused audits, risk-driven audits, analytics and CAATs, but aren't these (mostly!) just more marketing cupcakes that sound new but don't serve anything better? Many a fraud happens despite the best ERP and analytics being put together (not to forget the cost and effort involved!).

Could we make a better 2016? Can we move on from traditional sample-based auditing to population-based testing? And wait, isn't this 'sampling' non-statistical, actually speaking?!! Can we help make integrated audit work the way it does on paper (and during training and meetings, huh)?

Well, it can, if we can understand what's traditional and what its implicit limitations and challenges are, and if auditors (business and technology) get out of their silos and gear up to leverage technology to build, step by step, a strategy for Continuous Audit.

One interesting study suggests that the 'perception of continuous monitoring at all times' can negate the possibility of such undesired incidents to a large extent. Imagine if we could actually enact the perception: swiftly shifting gears from detective mode to preventive mode or, simply put, adapting to Continuous Audit.

So what could be a good way forward? Let's collaborate!
Share your thoughts, throw your queries and let's get talking.

And oh yeah, Happy New Year 2016 to Tom and Steve!

Thanks Navneet. It was very helpful.

Malini Rao CISSP CCISO, GCIO, CISM, CCSK, AWS 2x, DPO

Cybersecurity & GRC Thought Leader | AI Governance & Risk Advisor | Speaker | Mentor | Top Voice | Best Selling Author | Top 10 Global Women in Cybersecurity | Certified Board Member | Top Emerging Technology Leader | Harvard

9y

Agreed! However, CCM and CA complement each other, particularly in terms of evidence requirements for testing control operating effectiveness. If there is no process in place for continuous monitoring of internal controls in an organization, it will become a laborious task for the internal auditor to gather the evidence to audit the internal control design and operating effectiveness. This has been a debated topic for a decade now, and many large organizations have successfully implemented CCM, CA & Analytics to make the enterprise risk management program successful. It is undoubtedly good for the audit team to have continuous audit and enablers like analytical tools and automated audit management tools; however, without continuous monitoring of internal controls, it will be an ambitious task for auditors to have continuous audit implemented and make it successful!

Malini Rao CISSP CCISO, GCIO, CISM, CCSK, AWS 2x, DPO

9y

Very good writeup! Organizations that have implemented Enterprise Risk Management and continuous controls monitoring have successfully moved to continuous auditing as well. CCM and CA complement each other and are the need of the hour in most organizations. Regarding sample-based and population-based auditing, it is not always possible to perform an audit using a population, so in such cases sampling needs to be adopted. Data analytics and analytics tools help a lot in continuous audit, as the evidence can be further used for continuous auditing and to generate audit reports as per the requirement, with dashboards based on sample, population of data, geography etc.

But let me ask you a very simple question... Is it practically possible to test crores of JEs and thousands of T-codes? Don't you think audit companies design their sampling methodology keeping all things in mind?

Good Article Navneet.
