This week, I attended a Chief Audit Executive roundtable in PwC’s new San Jose’s offices. The first topic was continuous auditing, led by their national director out of Chicago. I was able to find a copy of the slides from a similar presentation at the Kansas City chapter of ISACA earlier this year.
What I like about the PwC presentation includes:
- The use of continuous auditing techniques to move from annual or periodic to more continuous risk assessment (slide 10). This enables what I refer to as “auditing what the risks are now” rather than what they used to be when the periodic risk assessment was completed. Continuously assessing risks allows internal audit to change direction and address risks as they emerge, providing greater value to the organization.
- An emphasis on the top-down, risk-based approach to internal audit. I have been advocating this for a long time, and you can see my writing and papers on the topic here. PwC covers this on slide 16. The idea is that internal audit should not change from a risk-based approach when it considers using continuous auditing techniques. Rather, it should go through the same process of identifying the risks to address then ask: (a) is there value in providing assurance on a more continuous basis, rather than as a result of a one-time audit, and (b) what is the best method for providing that assurance? The answer may well be continuous auditing, generally – but not always – using technology. (One common mistake is to think that continuous auditing is only the use of software. If you look at the IIA GTAG, you will see that the term is used to describe any auditing activity that is performed more continuously. So, if you decide to do manual testing of transactions every month, that is continuous auditing as well.) Page 17 is a nice, concise summary.
- Page 20 includes a key point: don’t select a tool and then try to be busy with it. That results in testing of low-level risks. It is better to decide what you need to do and then select the tools (often a combination of tools) necessary to do the job.
- Tools the company already has in place, such as the business intelligence and data warehouse systems used by financial and operational analysts.
- Specialized continuous auditing tools from SAP, Oracle, Approva, Oversight and others.
- More traditional tools for auditors, such as ACL and IDEA.
- Microsoft products, like Excel and Access.