The fast pace of business is pressuring internal auditors to speed up their audit cycles and processes, creating momentum for the increased use of “continuous auditing,” according to a study by PricewaterhouseCoopers.
The study, PwC’s annual “state of the industry” report on internal auditing, found that 81 percent of 392 companies surveyed say they either already have a continuous auditing process or plan to develop one.
Chambers
The move to continuous auditing—also commonly called “continuous monitoring”—reflects the increased expectations being placed on internal auditors by companies’ major stakeholders, such as senior management and the audit committee, according to Richard Chambers, a managing director at PwC’s internal audit practice. Auditors, he says, “are seeing that pressure to provide more and more information on a more timely basis.”
That pressure ultimately stems from the Sarbanes-Oxley Act. Given its painfully high costs, all companies want some form of “sustainable” compliance. That means more internal controls that prevent errant behavior—or that spot it immediately. Such real-time analysis of controls requires continuous monitoring to flag infractions as they happen.
Anderson
“For a lot of organizations, Sarbanes-Oxley compliance was time-consuming and expensive,” says Dick Anderson, another partner in PwC’s internal audit practice. “From a sustainability standpoint, companies are asking how you stay on top of it, but do it in a more efficient manner? That lends itself to these types of approaches.”
The Institute of Internal Auditors, responding to PwC’s study in a statement, attributed the increased interest in continuous monitoring to an evolving regulatory environment, increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions.
“Organizations are continually exposed to significant errors, frauds and inefficiencies that can lead to financial losses and increased levels of risk,” the IIA said. “These demands have put increased pressure on chief audit executives and their staffs to implement a continuous auditing strategy, and technology is key.”
Anderson credits new technology for automating tasks such as monitoring key performance indicators or financial results, or diagnosing a company’s risk profile. All those efforts can lead to shortened audit cycle times.
Fraser
The growing popularity of continuous auditing is just another “swing in the pendulum,” says John Fraser, vice president of internal audit and chief risk officer at Hydro One, a government-owned electricity utility company in Ontario. He believes the internal auditing profession swung too far away from actual audits in the 1990s, eager to style itself as providing consulting services.
“They made a big mistake in going too far away from basic auditing because then we ended up with things like Enron and WorldCom,” Fraser contends. Now that Sarbanes-Oxley has cloaked the business landscape, “they’re almost completely swinging the other way towards doing a lot of detailed work.”
“Internal auditors are paid to add value and look at internal controls for big risks, and over the last two years they got sucked into too much Sarbanes-Oxley work,” Fraser says. “They gave up the ship. Here’s another example of internal auditors not really understanding their role and their priorities. They did all of this non-added-value work, and stopped looking at the real risks of the company.”
What’s The Right Frequency?
“My position is that an internal auditor should never do anything routinely. I don’t think continuous auditing should exist.”
— John Fraser, Vice President of Internal Audit and Chief Risk Officer, Hydro One
Internal auditors should frequently conduct tests and do analyses on their organization’s divisions as a matter of course, Fraser says, but their examinations should not be routine—which goes against the concept of continuous auditing.
“My position is that an internal auditor should never do anything routinely. I don’t think continuous auditing should exist,” Fraser argues. “If an internal auditor identifies a missing control, it is their responsibility to report to management, and management should then perform the check daily, weekly, monthly, quarterly, or however often it needs to be checked. What seems to be happening [with continuous auditing] is that internal auditors are adding another layer of controls and checking things that management should be checking.”
At Hydro One, Fraser and his team have a spreadsheet of the different projects and areas of the company that need to be audited. The list is ranked by degree of risk and by when an audit was last completed. The internal audit group interviews the top 30 executives of the company to solicit input on what needs to be reviewed each year. All of the information is then prioritized into “essential,” “desirable” and “optional” categories.
That list is then discussed with the top management team, and together with Fraser they settle on what will be audited for the year. “It’s a partnership view on what will and won’t be audited,” Fraser explains.
Fraser then goes to the company’s audit committee and informs it not only of what his group plans to audit, but the 10 next most high-risk items on the list that won’t be audited. That way, the committee is aware of other potentially large risks to the company that won’t be covered.
“You can’t cover everything in a big company,” Fraser says. Hydro One’s audit plans are “a dynamic view of the company based on our assessment and management’s assessment.”
The PwC study was conducted in the first quarter of this year. It includes the responses of 444 audit managers, 80 percent of whom were either chief audit executives or internal audit managers. More than half of the respondents’ companies had at least $1 billion of revenue.
No comments yet