Thursday, December 02, 2004
“Continuous” Will Be Key to Compliance
Here's a great article from Business Finance Magazine.
Companies that blend ongoing compliance with continuous auditing processes and technology accomplish more with less.
Can continuous auditing help bring companies into compliance with Sarbanes-Oxley and other regulations -- and can it do so more effectively and efficiently than alternative approaches to corporate governance? Although this question may be slightly ahead of its time, early adopters of the "continuous" concept are nodding their heads in response to it.
Coined by an academic more than 20 years ago, the term "continuous auditing" describes a broad range of approaches to both internal and external audit that enable companies to stay on top of their controls.
Paul Herring, director of business reporting, assurance and advisory services for the American Institute of Certified Public Accountants (AICPA) in New York City, sees audit options on a continuum. The traditional annual audit resides at one end of that line, while the opposite end is occupied by companies that maintain a perpetual connection with their external auditor. Herring emphasizes that a wide array of possibilities exist between those two extremes.
Miklos Vasarhelyi directs the Continuous Assurance and Reporting Laboratory at Rutgers University in Newark, N.J., and is widely considered the godfather of continuous auditing. He notes that practices under the umbrella of continuous auditing enable companies to test massive numbers of transactions for errors on a real-time basis. Companies that implement these practices can identify accounting errors at their root before they create larger problems.
"With a continuous audit process, companies don't need to wait until the end of the quarter," says Anne Marchetti, practice director for Parson Consulting in New York City. "In that way, it's very similar to a rolling forecast."
Some internal audit departments that have taken the lion's share of responsibility for monitoring their company's Sarbanes-Oxley compliance -- which chiefly translates to compliance with Sections 302 and 404 -- are seeking to blend those efforts with ongoing auditing. "To be efficient you're going to want to integrate 302, 404 and your annual audit plan," says Marchetti. Besides, she adds, the activities mandated throughout the year by companies' myriad new compliance requirements translate to a continuous auditing process anyway.
Tools for the Rolling Audit
Currently, most continuous auditing activities take place within a company rather than between the organization and its external auditors. It is not practical to conduct a full-blown traditional audit -- internal or external -- every month, or even every quarter. However, the traditional audit is undergoing fundamental changes. "Whether you are the preparer of that information or the external auditor, you want to put more emphasis on looking at the processes that generate the information rather than looking only at what comes out at the end of the pipe," says Herring.
By automating some of their transactional scrutiny using continuous auditing technology, internal and external auditors gain more time to focus on the business processes and controls that determine the accuracy of the data coming out of the pipe. CFOs and internal audit executives who have begun to blend compliance initiatives with continuous auditing technology are able to monitor more compliance areas with fewer resources. They are sniffing out significant errors and efficiency-improvement opportunities simultaneously.
Kevin Rhodes, CFO of consulting firm Edgewater Technology in Wakefield, Mass., sees interest in continuous auditing growing on two fronts. "The audit approaches at the Big Four firms are beginning to change," he says. "As Sarbanes-Oxley Section 404 comes into play, external auditors will move more toward a controls-based audit approach." Deloitte & Touche, Edgewater's external auditor, is ratcheting up the intensity of its quarterly audit work for the firm. At the same time, Rhodes expects interest in continuous auditing to intensify within organizations, particularly in the finance function. "Corporate finance will use Sarbanes-Oxley to leverage other improvements. You will see a lot of finance executives asking for more and better systems," he says.
Atlanta-based energy services holding company AGL Resources expects its investment in continuous auditing technology to pay off quickly. "It will help us reduce some of our costs related to Sarbanes-Oxley and, specifically, compliance with Section 404," says chief auditor Ron Lepionka, noting the requirement that managers formally assess the company's internal controls related to financial reporting. "Much of that testing is going to be the responsibility of internal audit departments. We can do that testing by hiring additional people. Or we can incorporate continuous auditing techniques and tools to do the testing on a real-time basis, and by doing so we'll be able to conduct the testing much more efficiently."
Lepionka's early experience with software from Oversight Systems indicates that these products will help his 10-person internal audit department identify abnormal items, errors and inefficiencies in finance and accounting processes that would have been difficult to unearth otherwise. "For example, you can identify duplicate payments before they're made, as opposed to after the fact," he explains. Continuous auditing software "also can boost your efficiency by identifying the root causes of errors. You can fix the root cause and reengineer the process," he adds.
From Bell Labs to XBRL
Vasarhelyi spearheaded a continuous auditing project at Bell Labs in the 1980s; the effort was the first attempt to implement continuous auditing in a corporate setting. Vasarhelyi says interest in this type of project began percolating even before the events that precipitated the Sarbanes-Oxley Act, as auditors and finance executives started to realize that traditional audit methods were not keeping pace with the ever-increasing speed and volume of corporate transactions.
Although he agrees that the development of a continuous link between companies and their external auditors remains in its infancy, Vasarhelyi is convinced that technological advances and investor demand will eventually lead to a "very balkanized world of data." He envisions a finance environment in which pieces of data, embedded with tags that identify the reliability of the information according to an external auditor's assessment, travel from system to system and from company to company. Every software system might have some sort of automated gatekeeper that scans the accuracy tag of each bit of information entering or leaving it.
Vasarhelyi's vision may not be far from reality. The Enhanced Business Reporting Consortium (www.ebrconsortium.org) has taken a step in that direction by developing a method for the electronic tagging of financial data using extensible business reporting language (XBRL).
Theory vs. Practice
In the past, the main obstacles to corporate implementation of sophisticated continuous auditing processes were a lack of adequate technology and the expense of such an implementation. The former is no longer a hurdle, and the latter has become less problematic now that most companies have tallied their initial compliance costs and are searching for ways to lower those costs in the future.
Herring thinks three major obstacles remain in the path of the most advanced form of continuous auditing: costs associated with establishing ongoing connectivity between external auditors and their clients, confidentiality concerns, and security concerns.
Dallas-based A. Wayne Avellanet, author of "Practical Guide to Internal Control" (Warren, Gorham & Lamont, 2004), sees an additional barrier to blending compliance monitoring with more automated audits. He says continuous auditing and compliance monitoring should mesh at the "critical junctures where operational processes and accounting systems intersect." But this meshing requires three components: a variable set of data with enough detail to allow for effective analysis, the ability to understand and decipher the variations produced by the analysis, and the right software tools to apply business rules to the ongoing analysis. "I do not think this is an intuitive fit, especially given the Sarbanes-Oxley compliance documentation practices today," notes Avellanet. In his book, he adds, "Documentation and data from operational processes tend to be separated -- often in separate systems -- from the accounting processes and data."
A small group of companies have instituted continuous auditing and monitoring processes internally. An August survey of 76 members of The Institute of Internal Auditors (IIA) found that 84 percent have discussed continuous auditing techniques within their organization, but the percentage of companies that have actually implemented continuous auditing is probably far lower. "My sense is that it is not a very large percentage, primarily because of the investment that the organization needs to make to establish the process," explains David A. Richards, president of the IIA in Altamonte Springs, Fla.
Richards identifies four steps as key to executing continuous auditing:
- Define the processes and transactions that will be monitored.
- Specify the criteria with which the transactions will be evaluated (e.g., a vendor payment of more than $50,000 will generate an exception report).
- Build technology into the routine so that the outputs are generated on at least a daily basis.
- Develop the processes and workflows that will govern how exceptions are addressed.
The Million-Dollar Payoff
Thanks to the challenge and cost of Sarbanes-Oxley compliance, continuous auditing is growing in popularity within the internal audit community. "Part of what the IIA needs to do in terms of challenging the profession is to say, 'This is an emerging trend that can pay high dividends to your organization,' " Richards says. Bryon Neaman, director of internal audit for Bon Secours Health System Inc. in Marriottsville, Md., seconds that point.
AGL initiated a process for continuous monitoring. So far, the energy company's internal audit department has set up a pilot program that uses Oversight Systems software to scour its PeopleSoft accounts payable module. A standard payables audit, says Lepionka, might select a small sample of transactions and examine their accuracy based on a host of parameters, including approvals and the existence of a valid purchase order and receiving document. "With a continuous auditing tool, you can basically look at the entire population of transactions," he says. "And you can do that every day, as opposed to waiting five years to clean up your entire database."
In the current compliance environment, which will remain in force into the foreseeable future, fewer and fewer companies have the luxury to wait.
Auditing vs. Monitoring
Although continuous auditing has been kicked around for more than 20 years, finance, accounting and auditing professionals remain confused about the concept.
J. Donald Warren Jr. has looked at the process from just about every possible angle. The 31-year public accounting veteran and former PricewaterhouseCoopers partner recently earned his Ph.D. with a dissertation titled "Continuous Auditing: Implications of the Current Technological, Regulatory and Corporate Environment." In 2001 he founded the Center for Continuous Auditing; currently the center is located at Rutgers University, where he is an accounting professor. Warren instructs those interested in continuous auditing processes on the difference between two terms that most finance and internal audit executives use interchangeably:
- Continuous monitoring. This is the mechanism by which the CFO, senior financial management and/or the CEO monitors the control and disclosure environment within the corporation on a continuous basis. "It is a management function rather than an audit function," Warren says. Finance executives can start preparing for continuous monitoring by identifying high-risk areas. They should then prioritize business processes according to risk factors. Finally, finance should institute a process (generally supported by technology) that provides feedback to management on whether the controls and disclosures surrounding the process are proper. The process should flag anomalies for immediate follow-up.
- Continuous auditing. This is the purview of internal audit, which puts in place procedures that test both business processes (by scrutinizing large volumes of individual transactions) and management's monitoring process. Are the continuous monitoring systems that management uses functioning in accordance with their intention? Warren emphasizes that the management team should not become dependent on exceptions generated by auditors. If it does, the auditing process becomes an integral part of the management process, which qualifies as a classic control breakdown.
posted by Brian Moran @ 4:30 PM