Continuous Assurance

Document Sample
Continuous Assurance Powered By Docstoc
					Continuous Assurance
Sally Wright
Miklos Vasarhelyi
Arnie Wright
Outline
   I. Introduction: the state of the art
   II. Demand for continuous auditing and assurance
   III. Independence of the auditor/assuror
   IV. Continuous auditing/assurance and earnings
    management
   V. Shift in audit focus from reported numbers
    (output) to system reliability (process)
   VI. The new audit methodology
   VII. Conclusions and Research Questions
Outline
What is Continuous Auditing?
 Continuous auditing is a type of auditing
  which produces audit results simultaneously
  with, or a short period of time after, the
  occurrence of relevant events.
 It would be more accurate to call this type of
  auditing instant rather than continuous.
 Instant is not necessarily frequent.
I. Introduction: the state
of the art
I.    Introduction: the state of the art
I.   The Real-time economy
II. Early efforts (AT&T’s CPAS effort, etc)

III. Professional studies (AIPCA/CICA)

IV. Corporate experiences (HCA, Citibank, Fed
     Reserve)
V. Advances in vendor packages

VI. Technical challenges and issues
Real Time Economy
                                                    •Process Acceleration
                                                    •Sensors
                                                    •Dashboards
                     The Real Time Economy          •ERPSs
                                                    •The Information bus (XML – XBRL)
                                                    •System Integration
                                                    •Re-engineering




                     Monitoring and Control Platform



          Assurance Processes      Management Control Processes

    Financial       Other
      Audit       Assurance                Other hybrid Processes

                Systrust
                WebTrust
GE’s digital cockpit (dashboard)




                      1Source:   GE Annual Report 2001
Some form of close-to-the event assurance
will prevail – state of the art
   The CPAS efforts at AT&T (1986-on)
   The continuous auditing AICPA/CICA
    committee (1999)
   Continuous Systrust CICA/AICPA (2000)
   Center for Continuous Audit (2002)
   European Center for Continuous Audit
   Many corporate efforts
       HCA, Martin Marietta, Federal Reserve of NY, Bank
        Bipop (Italy)
   Increasing synergies with XML / XBRL efforts
CPAS concepts
 metrics
 Analytics / continuity equations
 standards:
     of operation
     of variance
     others
 alarms
 measurement vs monitoring
                          CPAS OVERVIEW
                                                                          System

                                                                               System Operational Reports

                          Workstation

                                               DF-level 2
                                                            Operational              Operational
                                                              Report                   Report



DF-level 1                DF-level 1           DF-level 1
                                                                      Operational
                                                                        Report



                                                                           Filter



                                               Alarm
             DF-level 0

                          Data Flow Diagrams
                                                                          Database
      Reports                Analytics            Metrics
                                                                              FlowFront - Interactive Flow Diagram Viewer - AT&T Bell Laboratories - Murray Hill, NJ

fe          Date: 11/27/89                                                    Set Date       Recalculate Metrics       Starting S analysis server, please wait...

            RPC: Silver Springs                                             PE: 60
                                                                                                                                                      Help              Text           Quit!
            Units: Records
                                                                prod/svc.
                                                                                                           4.3 LDS Billing Subfunctions
                                                                                         fulfillment
                                                                 request

                                                                                                             Order
                   Cus

                                                                                             Input Volumes to Message Validation
                                                                                                 PE: 60 RPC: Silver Springs
                             minutes (x100k) messages (x100k)
                                                                  8
                                                                  7                                                                                   *
                                                                  6                                    *
                                                                  5
                                                                  4
                                                                  3                                         *                       *                               *
                                                                                     *
                                                                  2                              *                   * * *                                    *
                                                                  1
                                                                  0                                                             *       *                 *             *
                                                                 60                                                                                                                            nals CTJ
                                                                 50                                                                                   *
                                                                 40
                                                                                                       *
                                                                 30                                                                                                 *
                                                                                                                                    *
                                                                 20                                         *
                                                                                     *
                                                                 10                              *                   * * *                                     *
                                                                 0                                                              *       *                 *             *
Hierarchy
                                                                8.5
                                                                                                                                                          *         *
                              min / msg




                                                                8.0                                                                 *
                                                                7.5                                         *                           *
                                                                                     *                 *                                              *
                                                                7.0
                                                                                                 *                         *    *                              *        *
                                                                6.5                                                  * *
                                                                6.0

              paymt arr                                                16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 1 2 3                4    5     6 7     8 9      10   11   12
                                                                      Oct                   Oct                  Oct                                 Nov
                                                                      1989                 1989                 1989                                 1989
Many corporate efforts
   HCA
   Martin Marietta – risk management
   Federal Reserve of NY – network
    monitoring
   Bank Bipop (Italy) – SAP KPI overlay
   Citibank
II. Demand for continuous
auditing and assurance
II. Demand for continuous auditing and
assurance
I.    Preliminary findings (Hunton, Wright and Wright
      2002; Hunton, Reck and Pinsker 2002)
II.   User expectations
      I.     Information, agency, and insurance hypotheses
      II.    Information economics
      III.   Effort-accuracy framework (“satisficing” behavior)
      IV.    Level of acceptable assurance
III- Independence
III. Independence of the
auditor/assuror
I.   Who pays?
II. Role of the auditor/assuror in the design of
     controls within the system
III. Role of the internal auditor

IV. The Black box Log proposal (Alles, Kogan
     and Vasarhelyi 2002)
IV. Continuous
auditing/assurance and
earnings management
V. Shift in audit focus
from reported numbers
(output) to system
reliability (process)
VI. The new audit
methodology
IV. Continuous auditing/assurance and
earnings management
I.   Opportunities and incentives to manage
     earnings with more frequent reporting
II. Breadth of services (e.g., auditing, systems
     reliability)
III. Voluntary vs. mandatory

IV. Who pays?

V. Information asymmetry
V. Shift in audit focus from reported numbers
(output) to system reliability (process)
I.    Will audit fees be significantly lower (less
      substantive testing
II.   Economics of the auditing profession
VI. The new audit methodology
I.   A dramatic new model of auditing
     (Vasarhelyi, 2002)
II. Principles of analytic monitoring (Vasarhelyi,
     Alles and Kogan; 2002)
III. New technologies for continuous assurance
A Dramatic Change in the
Audit model
   1. The continuous assurance model has many clients
   2. The continuous assurance model had different Independence considerations
   3. The continuous assurance model has a different justification
   4. The continuous assurance model is an element of the strategic monitoring
   5. The Continuous assurance model will turn the audit process into audit by
    exception
   6. A new set of analytics guides strategic monitoring
   7. The continuous assurance model covers a wider set of quantitative and
    qualitative non-financial data
   8. The continuous assurance model has alternative materiality considerations
   9. The continuous assurance opinion has some futurity implied in it
Principles of Analytic
Monitoring
Miklos A. Vasarhelyi
Michael Alles
Alexandr Kogan
Rutgers Business School
Analytic Monitoring
Transaction       Rule              Estimate          Judgment
Monitoring        verification      verification      assurance
Rule based        Rule heuristics   Upstream /        Exogenous
evaluation                          downstream        data
                                    verification
Continuity        Continuity        Continuity        Continuity
reconciliations   Equations         Equations         Equations
Transparent       Structural        Value chain       Expert Systems
markers           Knowledge         relationships
Confirmatory      Time-series /     Time-series /     Time-series /
extranets         Cross-sectional   Cross-sectional   Cross-sectional
                  analysis          analysis          analysis
The continuous assurance will
change
 1) objectives
 2) levels and hierarchy

 3) controls

 4) timing

 5) process

 6) tools

 7) outcomes
Objective changes
   1) changes in the environment and industry, 2)
    the existence and effectiveness of controls, 3)
    increased human resource risks, 4) process
    continuity and integrity, and 5) coherence
    between endogenous and exogenous factors:
Effects on Controls
   The existence of the controls,
   That they are operational,
   That their warnings are properly observed
    and distributed,
   That the controls are comprehensive,
    covering all relevant aspect of operational
    risk.
  Four levels of CA
•Transaction assurance                                   Audit of judgments and facts


•Rule assurance          Formal spec                                Auditor
                         evaluation at all                                      Rules of measurement interpretation
•Estimate assurance      points
                                                              MC Layer
•Judgment assurance
                              Process 1           Process 2               Process 3           Process 4




                                             Process 5        Process 6
                                                                                         Transaction monitoring
                                                                                         Object and info. flows
Pensions: 4 levels of CA
   Level 1: Flag and extract all transactions that pass resources between the company and its
    pension fund, extract all transactions that affect pension related ledger accounts and vouch for
    these transactions.
   Level 2: GAAP specifies maximum and minimum contributions to pension plans as well as
    ways to account for pension obligations, and other pension related items. This level would
    create a logical template evaluating the obedience for the rules of ERISA and GAAP.
   Level 3: On a more analytical level, the continuous assuror can examine the formally
    disclosed rules relative to pensions that allow for the organizations actuarial estimates.
    Accounting standards require the disclosure and usage of an interest rate in the assumptions
    about pension estimates such as interest rate, employee related obligations vis-à-vis age and
    years of employment, asset returns but the standards do not require a relationship between the
    historical returns of the fund and the future return assumptions. The future will bring
    corporate measurement rules that link endogenous and exogenous data in the measurement of
    business and its assessment.
   Level 4: the auditor could make assertions at a strategic level about the appropriateness of
    pension plan funding and the quality of the management of the fund
Timing issues
   Extensive Front end work
   Monitoring of system changes
   Alarm based intervention
   Evergreen opinion (of different forms)
   Automated interim work
   Continuous confirmation
   Very limited, if any, detail testing
          The Auditing Process
• Traditional                   • Continuous
      • Engagement definition        • MC architecture
      • Audit planning               • Analytic monitoring
      • Internal control               structuring
        evaluation                   • Discrepancy based audit
      • Substantive testing            monitoring
      • Opinion formulation          • Continuous model
      • Reporting                      building and gathering
                                     • Alarming and informing
                                     • Discrepancy analysis
                                     • Multilevel opinions
Evidence
   Major change on the nature of relied evidence
   Automated confirmations will take a progressively
    larger role
   Alarm frequency and nature will be evidential matter
   Joint systems (with other entities) will become
    prevalent
Multiple Outcomes
   Assurance of a wider range of stakeholders
   Front-end work more consulting-like (Sarbanes –
    Oxley ???)
   Opinions will be mainly negative assertions of the
    sort: no alarms level 5 occurred
   Major cultural changes needed
Opinion with futurity
   We have examined the reliability and financial reports of ABC corporation
    and have been engaged on a continuous assurance engagement for the
    fiscal year of xxxx. We will monitor the organization’s operations and
    strategic accomplishments using a wide set of analytics as described in
    http://www.ca.com/analytics and other analytics we deem appropriate and
    will report on an audit by exception basis when more than xx % variance is
    found in operational and strategic standards or when we deem it
    appropriate. This exception report will be issued to all customers registered
    ( paying ) at http://www.ca.com/analytics/customers
Architecture
                                                 Ad hoc Analytic
                                 reports
            Applications                         reports
                                                           reports      Periodic
                                                   reports  reports
                                                             reports reports
                             Feeds for
                                                              reports
                                                                reports
       reports               applications
        reports
         reports
          reports                          alarms
                                            alarms
                                              alarms
                                               alarms
                           Monitoring and control layer
                     intranets                            intranets
                                                                      reports
                Corporate                          Corporate           reports
                                                                        reports
                 Legacy                            Web facing
                 Systems                            Systems
                                              extranets
                                                                          Internet

                                            Systems from other
                                                 entities
Current Practice
   HCA Healthcare
       Several monitoring and auditing functions
   Martin Marietta
       Data driven risk model
   Federal Reserve of New York
       Network Monitoring
AuditMaster Premier V5.0 Demo
VII. Conclusions and
Research Questions
Research opportunities
A Program of Research in COA
Research issues are classified as related to:

 Architecture of COA
 Factors affecting the use of COA

 Major consequences of COA.
General Architecture
Architectural decisions are made very early in
  the process of COA development and
  deployment, and are mostly irreversible.
Research Issue: Develop theoretical models of
  COA that relate formal specifications of a
  COA system with various audit objectives.
Data Capture
Standard formats for enterprise data will
  greatly simplify COA data capture problems.
Research Issue: Explore and design standard
  formats for enterprise data to facilitate data
  capture for COA. Explore the possibility of
  using the eXtensible Markup Language
  (XML) for defining such standard formats
  for presentation of accounting information.
Scope of Auditing
COA systems are potentially capable of
  reprocessing or parallel processing the whole
  population of business transactions.
Research Issue: Investigate whether and when
  the complete reprocessing of the entire
  population of business transactions is feasible
  and desirable.
Systems Audit
Research Issue: Determine the tradeoffs between
  system structure auditing and transactions
  auditing. Analyze whether both have to be
  subjected to high frequency auditing.
Monitoring that the system has not changed can
  be achieved by using cryptographic techniques
  of digital signatures
Real-time Analytical Review
Procedures
Auditing system is a parallel system=> not to be
  relied on for routine control functions=>
  auditing system’s alarms should be truly
  random, i.e. a Poisson-like process.
Research Issue: Develop analytical review
  procedures to take advantage of the
  capabilities of COA systems.
Security of COA
Research Issue: Examine the extent to which
  system security issues will slow down the
  growth of COA.
Research Issue: Examine the adequacy of
  existing security arrangements for remote
  access to a COA system (e.g., through virtual
  private networks and/or extranets).
Distance Auditing
Research Issue: Design innovative forms of
  remote observation, investigate the use of
  video-monitoring tools, and ascertain their
  reliability.
Research Issue: Explore the extent to which the
  auditor can rely on COA distance auditing
  techniques without compromising the quality
  of the audit.
Factors Affecting the Use of COA
 Functional Areas
 Industrial Sectors

 Internal vs. External Use
    Research Issue: Investigate whether the use of COA
     is more likely to be initiated by internal auditors
     than external auditors.
   Characteristics of External Auditor
COA Effects on Direct Costs
Research Issue Determine the degree of
  reduction (if any) in direct audit costs induced
  by COA.
Research Issue: Investigate the extent to which
  the cost of the initial development and
  deployment of online auditing systems can be
  offset by ongoing savings in labor costs
  associated with conventional auditing.
COA Effects on Agency Costs-I
Research Issue: Develop and analyze agency
  models to formally show that higher frequency
  of audits makes it possible to more reliably
  infer the “average” action of the agent from the
  “average” outcome, and thus, the audit of
  outcomes is more meaningful, and the audit of
  actions is not as important.
COA Effects on Agency Costs-II
Research Issue: Analytically investigate whether
  the demand for COA is higher if moral hazard
  or information asymmetry are strong and
  monitoring is cheap.
Research Issue: Determine whether the
  deployment of COA reduces earnings
  management, since high frequency time series
  of earnings is more difficult to manipulate.
Effects on Audit Quality
 Timeliness
 Thoroughness

 Reliability

 Auditor’s Moral Hazard

COA higher audit quality is likely to manifest
  itself in lower litigation or higher audit fees
  (should be empirically tested).
Managerial and Psychological
Effects of COA
Research Issue: Investigate whether managers
  exhibit an adverse or dysfunctional reaction to
  continuous auditing (“Big Brother” effect).
Research Issue: Investigate end users’ ability to
  comprehend and interpret accounting numbers
  corresponding to very short time intervals
  (information overload effect).
COA Effects on Audit Practice
Research Issue: Investigate whether external
  auditor’s deployment of COA makes it more
  costly to replace the external auditor;
  determine if there is a resulting increase in
  auditor’s independence.
Research Issue: Investigate the degree of impact
  of a COA system on the target system being
  audited.
Audit Opinion and Reporting
Research Issue: Analyze the changes in the kind
  of audit opinion that will likely result after the
  deployment of COA. The results of COA can
  be presented in the form of opinions on
  demand, where a client can request an opinion
  at any time on any feature of the client's
  operation, or reports issued at shorter term
  intervals.
Legal and Regulatory Implications
 COA can decrease legal risks by providing
  higher quality, timelier and more
  comprehensive assurance. On the other hand,
  there may be greater litigation exposure if
  fraudulent activity is revealed.
 As COA becomes feasible, it will be more
  tempting for regulators to mandate broader
  audited disclosure.

				
DOCUMENT INFO