Putting Continuous Auditing to Use Can Yield Efficiency and Value

The internal audit department at Arrow Electronics took stock of its resources and processes in late 2010 and determined it was time for a change.

Arrow, a $20 billion electronics components company with nearly 400 locations in 53 countries, was collecting massive amounts of data, but it wasn't using the data in its internal auditing function in any meaningful way.

“We understood we were not, from an audit perspective, using that data to decide what audits to do,” says Frank Navarra, senior manager in corporate audit. “So we thought it was a good idea to step into this world.”

By “this world,” Navarra means the world of continuous auditing. It's an approach to analyzing data and checking transactions that occur on a continuous and usually automated basis, rather than at a point in time, so it can turn up issues that need to be addressed before a period closes, for example. Continuous auditing is getting increased attention in audit circles because it can provide better, faster insight into where there may be risks that need to be studied and addressed, and the tools to implement it are getting increasingly sophisticated.

Arrow, guided into the continuous audit approach by its consultants at Deloitte, did what many companies do to get started in applying the concept: Corporate auditors first tried out the idea on travel and entertainment costs and accounts payable, where problems are more common and easier to pinpoint. “We got a lot of quick wins,” says Navarra. Continuous auditing exposed issues in both areas that otherwise might have slipped through unnoticed, he says.

Off the bat, Arrow discovered instances where it paid vendors more than once for the same invoice. But the change not only uncovered problem invoices and expense reports, it also identified some ways that Arrow could improve the business. For example, the company quickly learned it was more cost-effective to pay sales agents for standard mileage than for direct cost of gasoline, so it made a policy change in how it would reimburse those charges, Navarra said. Arrow also found vendors who were receiving immediate payment that would be fine getting a 30-day payment. Switching those vendors to a 30-day pay cycle made a huge improvement in corporate cash flow.

Internal auditors soon discovered they had a powerful new tool at their disposal with lots of potential, and they wanted to put it to greater use. “We took a step back,” Navarra said. “Should we really live in this silo of just doing these [continuous audits] on one function or process at a time? We learned we can help the audit team by identifying the highest risk transactions, especially at remote locations.”

The company learned with its data analytical tools, it could extract data on a particular business location, examine the general ledger, accounts payable, accounts receivable, sales, and many other areas to prepare the audit team before they ever visit the location. “Normally, you would just test 25 transactions, but now we have the highest-risk transactions,” he says. The company identified nine separate audit projects where continuous audit or data analytics would provide significant support to the audit function, he says. “That's where we get the biggest bang for our buck,” he says. “We're getting better and smarter.”

Continuous auditing isn't just for Fortune 150 companies like Arrow. Plenty of smaller companies are finding success with the approach as well. For example, Mindspeed Technologies, a $162 million communications semiconductor company, is using continuous auditing to speed up the audit process and identify trouble spots in real time.

Bill Hagerman, former executive director of internal audit at Mindspeed and now an independent consultant, says he was looking for a way in the early days of Sarbanes-Oxley Act compliance to make the internal control reporting process more efficient. “We were very focused on the quarter end, and it was labor intensive,” he says. “We wanted something that would balance the workload and spread it more evenly over time. If we could get information on a real-time basis, we could audit the information much more quickly rather than doing it all at the end of the quarter.”

“Traditional audit is probably still 80 percent of the audit approach today, but it's old school. The technology is available. It's there, and we're way behind.”

—Bill Hagerman,

Former Executive Director of IA,

Mindspeed Technologies

Hagerman says the company began applying continuous monitoring tools to its key performance indicators and key risk indicators, such as sales turnover, inventory turnover, and others to get “flash reports” that show when a KPI or KRI deviates from a preset accepted threshold. Internal auditors and even external auditors can monitor and leverage those reports as well, he says.

Before Hagerman left Mindspeed to begin his own consulting practice, he said the company reduced its external audit hours from a high of nearly 1,800 hours in the first year after Sarbanes-Oxley to about 600 hours. True, public companies generally saw big declines in audit activity as the work to implement SOX subsided and internal control reporting and auditing improved and became more efficient, but Hagerman believes the results were more dramatic at Mindspeed as a result of its foray into continuous monitoring and continuous auditing.

Adding Value

James Harper, director at New England audit firm BlumShapiro and a former controller for a billion-dollar private company that also put continuous auditing to use, says that the approach not only brings more efficiency to the audit process, but it can score wins in other parts of the business, too. “When you think of audit, you don't think of a lot of value add,” he says. “But we saw this differently.” The company plugged a new tool into its existing SAP system to get a direct feed on general ledger and other data. “We had about 19 different routines that we ran for continuous audit,” he says. “We wanted to use it on corporate accounting to bring more efficiency to the close process.”

IMPLEMENTING CONTINUOUS AUDITING

Below are some insights from the IIA on implementing continuous auditing:

Establishing Priority Areas

The activity of choosing which organizational areas to audit should be integrated as part of the internal audit annual plan and the company's risk management program. Many internal audit departments also integrate and coordinate with other compliance plans and activities, if applicable.

Typically, when deciding priority areas to continuously audit, internal auditors and managers should:

Identify the critical business processes that need to be audited by breaking down and rating risk areas.

Understand the availability of continuous audit data for those risk areas.

Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.

Consider the corporate ramifications of continuously auditing the particular area or function.

Choose early applications to audit where rapid demonstration of results might be of great value to the organization. Long extended efforts tend to decrease support for continuous auditing.

Once a demonstration project is successfully completed, negotiate with different auditees and internal audit areas, if needed, so that a longer term implementation plan is implemented.

When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective control once the audited activity's incidence of compliance failure decreases.

Monitoring and Continuous Audit Rules

The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. For example, banks can monitor all checking accounts nightly by extracting files that meet the criterion of having a debt balance that is 20 percent larger than the loan threshold and in which the balance is more than U.S. $1,000.

In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process. For instance, how quickly a management response is provided once an activity is flagged may depend on the speed of the clearance process (i.e., the environment) while the activity's overall monitoring approach may depend on the enforceability of legal actions and existing compliance requirements.

Source: Institute of Internal Auditors.

The company looked at manual journal entries associated with closing a reporting period and determined how they could be batched and managed in the pre-close instead of being left to the end, which bogged down the close process, says Harper. “It took a couple of days out of the close process, so that gave management two extra days of analysis that they didn't have before,” he says. “That's the value add of accelerating the closing process. Continuous auditing can help facilitate that.”

Hagerman in particular is convinced the high-tech tools like continuous audit and data analytics represent the future of auditing. “Traditional audit is probably still 80 percent of the audit approach today, but it's old school,” he says. “The technology is available. It's there, and we're way behind.” He builds his consulting practice now around preaching the virtues of using technology to get more audit coverage for more risks more efficiently.

Not all auditors are convinced, however, that continuous auditing is on the verge of changing the profession. According to the latest research by AuditNet, which polled 1,500 auditors who work in a variety of different settings, most auditors aren't using it. About one-third said few of the auditors in their organizations are proficient at using audit software technology, and only 3 percent have fully integrated data analytics into their departments. “We found that the state of technology for auditors is surprisingly low considering the technology has been available for so many years,” says Jim Kaplan, founder and CEO of AuditNet, an internet portal for auditors. “This really is a wake-up call for the audit profession.”

Dipak Shah, president and CEO of technology provider Reliant Solutions, says many companies are still paralyzed by budget concerns or fears of implementing another high-tech tool. Internal audit executives who have the greatest zeal for pursuing continuous audit approaches tend to be the “mavericks” in the organization, he says, “individuals who feel comfortable about themselves in the organization and feel confident about bringing in new methodologies and new tools.” They also typically have a strong second-in-command who is equally convinced of the value, he says.