a south american bank's internal audit department ...raw.rutgers.edu/miklosvasarhelyi/resume...


CONTINUOUS AUDITING

A South American bank's internal audit department successfully juggles continuous auditing and monitoring while providing process assurance.

Carlos Elder de Aquino, Eduardo Miyaki, Nilton Sigolo

Data integrity and assurance at large banks and other financial institutions can present internal auditors with some of the profession's worst headaches. The liquidity of the money product and the rapidity of its movements have created a set of challenges for the processing, control, monitoring, and auditing of the electronic processing of those transactions.

The internal audit profession accelerated its adoption of continuous audit and assurance processes after implementation of the U.S. Sarbanes-Oxley Act of 2002 led to a broad rethinking of existing processes. The IIA, the Canadian Institute of Chartered Accountants, the American Institute of Certified Public Accountants, and ISACA, among others, have issued guidance on continuous audit and assurance since 1999, yet substantial conceptual confusion still exists in this domain. The case study of one South American bank illustrates some of these conceptual issues and solutions.

APRIL 2013 INTERNAL AUDITOR 51

A BALANCING ACT

TO COMMENT on this article, EMAIL the author at miklos.vasarhelyi@theiia.org

In the case of this bank, company rules and governmental regulations required that the internal audit department perform annual audits in each of the more than 1,400 branches. Because each yearly branch audit entailed 160 hours of audit work, internal audit's capacity to handle this task was insufficient, leading to frequent outsourcing at great expense and with many logistical challenges. The solution to this problem involved creating a continuous auditing system that evaluated all branches based on 18 or more distinct monitoring indices, and dramatically increased audit efficiencies. More specifically, annual audit hours per branch decreased from 160 to 40 as a consequence of system implementation. A continuous audit group established within the internal audit division performed the actual monitoring routines, which entailed daily reviews of all variances between the reported overnight indices and established standards. When concerns emerged, the continuous audit group emailed the bank's regional manager—to whom branch managers reported—and requested that the event be reviewed and explained. This conceptually simple solution proved cost effective for the bank and provided excellent process improvements, which further reduced waste and losses. The success of this continuous auditing system generates some interesting questions concerning the future of auditing, popular conceptions of continuous monitoring and assurance, and risk management of business processes.

Continuous auditing and monitoring can be cost effective and provide excellent process improvements.

THE PROCESS

The continuous monitoring and assurance installation at the bank follows the generic pattern displayed in "Branch Monitoring Process" on page 53. More specifically, a nightly extraction routine is executed at each bank branch. This routine captures and reports several key performance indicators at the branch level, as well as supplemental information such as specific transaction amount, timing, and nature. All reported values are compared against both historical measures for a given branch and master files that contain client-specific characteristics, parameters, and other control factors. The combination of standards used generates an average of approximately 800 exceptions per week, each of which is manually reviewed by the continuous auditing group. About half of these generated exceptions are passed on to a regional manager for further action. To facilitate system optimization, the continuous auditing manager has the power to tune the parameters of the system filters to prevent the generation of too many or too few exceptions.

Before automated monitoring could be executed at the bank, there were four overlapping categories of daily audit procedures that required implementation:

• Detective procedures — focus on alerting the continuous audit team to potential errors in underlying bank data.

• Deterrent procedures — seek to identify events or behaviors that are outside the scope of normal transactional behavior.

• Financial procedures — aim to reduce or avoid financial losses.

• Compliance procedures — ensure all transactions follow existing laws, policies, norms, and procedures.

Specific routines subject to these procedures include check advances, overdrafts, returned checks, federal tax payment cancelations, electronic fund transfers, and cashier imbalances.
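
The nightly comparison this section describes can be sketched in a few lines of Python. This is an added example, not the bank's system or code from the article; the routine names come from the list above, while the branch IDs, limits, history values, and the z-score variance test are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# All names and values below are constructed for illustration.
MASTER_LIMITS = {"overdrafts": 120, "returned_checks": 40, "cashier_imbalance": 500.0}
HISTORY = {  # prior nightly values per (branch, routine)
    ("BR-0001", "overdrafts"): [80, 85, 78, 82, 90, 84, 81],
    ("BR-0001", "returned_checks"): [10, 12, 9, 11, 10, 13, 11],
    ("BR-0002", "overdrafts"): [30, 28, 33, 31, 29, 32, 30],
    ("BR-0002", "cashier_imbalance"): [0.0, 12.5, 0.0, 5.0, 0.0, 8.0, 0.0],
}
NIGHTLY = [  # tonight's extract: (branch, routine, reported value)
    ("BR-0001", "overdrafts", 86),
    ("BR-0001", "returned_checks", 19),
    ("BR-0002", "overdrafts", 125),
    ("BR-0002", "cashier_imbalance", 9.0),
]

def evaluate(nightly, history, limits, z_threshold=3.0):
    """Flag values above the master-file limit or far from the branch's own history."""
    exceptions = []
    for branch, routine, value in nightly:
        reasons = []
        if routine in limits and value > limits[routine]:
            reasons.append("master_limit")
        past = history.get((branch, routine), [])
        if len(past) >= 2:  # stdev needs at least two points
            sigma = stdev(past)
            if sigma == 0:  # flat history: any change is a variance
                z = 0.0 if value == past[0] else float("inf")
            else:
                z = (value - mean(past)) / sigma
            if abs(z) > z_threshold:
                reasons.append("history_variance")
        if reasons:
            exceptions.append((branch, routine, value, reasons))
    return exceptions

def tune(nightly, history, limits, max_exceptions, start=1.0, step=0.5, ceiling=10.0):
    """Raise the variance threshold until the queue fits reviewer capacity.
    Master-file breaches are never tuned away; only the history filter moves."""
    z = start
    while z < ceiling:
        found = evaluate(nightly, history, limits, z)
        if len(found) <= max_exceptions:
            return z, found
        z += step
    return ceiling, evaluate(nightly, history, limits, ceiling)

if __name__ == "__main__":
    for row in evaluate(NIGHTLY, HISTORY, MASTER_LIMITS):
        print(row)
    print(tune(NIGHTLY, HISTORY, MASTER_LIMITS, max_exceptions=2)[0])
```

Keeping the master-file check outside the tunable filter means that adjusting the threshold to control reviewer workload cannot silence a hard limit breach.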

CONTINUOUS AUDITING VS. CONTINUOUS MONITORING

The 2009 KPMG white paper, What Is Driving Continuous Auditing and Continuous Monitoring Today?, distinguishes between continuous auditing and monitoring functions by placing continuous auditing under the ownership of internal audit, while continuous monitoring falls under the purview of management. Continuous auditing aims to collect audit evidence more effectively and efficiently; react more timely to business risks; leverage technology to perform more efficient internal audits; focus audits more specifically; and help monitor compliance with policies, procedures, and regulations. Continuous monitoring aims to improve governance and transparency, allow for faster reaction time and decision-making, reduce the cost of controls, and leverage technology to create efficiencies and opportunities for performance improvements.

The processes implemented at the South American bank used internal auditors to perform both the audit and business monitoring functions while providing exception-based process assurance. Conflicts between the two functions and a subsequent blending of controls seem to be common dilemmas faced by leading organizations as they automate internal audit processes. Such automation efforts, in practice, often lead to confusion between the concepts of continuous monitoring and continuous auditing. Although continuous monitoring is a management function, it also is an underlying process in performing continuous auditing. As purported in Continuous Assurance for the Now Economy, a research paper by Miklos Vasarhelyi, Michael Alles, and Katie Williams, internal audit departments have engaged in continuous monitoring when circumstances required, often at the request, and with cooperation and support, of management.

Although the bank decided to implement a practical and immediate solution, future approaches may benefit from creating a clear distinction between the two centers of responsibility (monitoring and auditing). Internal audit often assumes responsibility for the default monitoring role when the move toward automation is applied in an ad hoc or responsive manner. However, a forward-looking plan for automation should include an assessment of responsibilities to provide more balanced controls and incentives within an organization.

BRANCH MONITORING PROCESS

Continuous monitoring of bank branches gives way to auditor evaluation of exceptions, considering the specific circumstances of customer relations and the nature of the transaction. The continuous audit manager can then change parameters, activate or deactivate procedures, and communicate with audit clients.

[Figure: flow diagram. Labels: Parameter Management; Parameterization; Exception Evaluation; Overnight Key Performance Indicators/Transaction; Monitoring Process; Exception Reporting; Regional Manager; Indices & Exceptions; Branch Remedial Action.]

most uses continuous auditing (70%) and monitoring (44%) in organizations, according to respondents in Protiviti's 2012 Internal Audit Capabilities and Needs Survey.

There are clear issues of independence when internal audit incorporates business-monitoring roles. In this case study, information obtained from the automated data collection processes is ripe for use by management to set various performance-oriented targets and benchmarks. In the future, when financial reporting becomes more continuous, some of the reporting functions can be tailored directly to the needs of continuous monitoring and audit. In a pipeline where the same internal data acquisition procedures and reporting are fed into both management and internal audit representations in real time, it may be desirable to have different indices (key performance indicators) applied by management and internal audit.

Where internal audit assumes continuous monitoring responsibility, it is important that: 1) there be good information flow between internal audit and management, 2) both parties be flexible in finding the ideal balance of obligations, and 3) not all audit analytics be shared by both parties.

For years, this South African bank has had the advantage of a more active and analytic-rich set of activities used by internal audit, which was cost beneficial for the organization. The adoption of advanced technologies—both IT and analytic in nature—will force organizations to rethink traditional approaches to maximize corporate benefits and minimize operational risks.

CARLOS ELDER DE AQUINO is director of accounting and tax at Diagnósticos da America S/A in Sao Paulo, Brazil.

EDUARDO MIYAKI, CIA, CFSA, is the managing director of internal auditing at Itaú Unibanco Holding in Sao Paulo.

NILTON SIGOLO is a partner at Auditoria & Associados and a senior research fellow at Rutgers Accounting Research Center in Sao Paulo.

MIKLOS A. VASARHELYI, PHD, KPMG professor of accounting information systems and director of the Continuous Auditing and Reporting Laboratory at Rutgers University in Newark, N.J., contributed to this article.


Copyright of Internal Auditor is the property of Internal Auditor and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.