Continuous Audit and Monitoring
“Continuous Auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis.” Institute of Internal Auditors
Traditionally, fraud and abuse are caught after the event, and sometimes long after the possibility of financial recovery has passed. By monitoring transactions continuously, organisations can reduce the financial loss from these risks.
A Continuous Auditing (“CA”) programme will typically include most, if not all, of the following components:
- Continuous risk monitoring, including the monitoring of key performance indicators (KPIs)
- Continuous control monitoring
- Continuous transaction or activity monitoring
- Investigation of potentially inappropriate activities that have been detected
- Continuous reporting to stakeholders
- Timely identification of transaction errors, abuse, fraud and non-compliance
- Ongoing assurance over risk management and internal control systems
- Rapid identification of new issues; continuous risk assessment needed
- More areas under consideration means that traditional audit coverage is increasingly limited
- Ability to assess and prioritise resources to focus on actual issues
How we can help
We can support the whole range of activities required to apply continuous auditing & monitoring, from proof of concept to embedding it within an organisation as “business as usual”.
- Develop rules to detect anomalies: We start with an organisation’s risk profile. The analytical rules are developed to identify anomalies, or deviations from the norm, in the transactional data. Rules are typically developed against a historical data set to maximise their effectiveness in detecting errors, abuse and control circumvention when deployed to run on a continuous basis. Once deployed, rules are iteratively refined, incorporating the results of anomalies which have been detected by the rule and subsequently investigated.
- Deploy rules continuously: Once developed, rules are deployed to run continuously to detect anomalies in new transactions and notify the appropriate individual. The exact frequency (for example every 15 minutes, once per day) depends on the business process being monitored and the inherent value and risk of that process. Rules should be applied sufficiently frequently to allow appropriate action to be taken when an anomaly is detected.
- Operate continuously: The goal is to embed a “closed loop” cycle, where detected anomalies are managed through a workflow from investigation through to remediation. The remedial action may be an improvement to a control, a process intervention or an improvement of the rule which detected the anomaly.
- Continuous auditing & monitoring can reduce the risk of financial loss through the detection of error and typically finds abuse before the financial impact is realised.
- A continuous auditing & monitoring solution provides additional management information which can be used to drive efficiencies in the monitored process. For example, the granular in-process data available in a continuous monitoring solution can be used to track KPIs and to identify and fix process bottlenecks.
- The closed loop investigation of detected anomalies can lead to ongoing improvements to controls. In addition, continuous auditing & monitoring increases the scope of coverage (100% of transactions, as opposed to a sampling method).
- Continuous auditing & monitoring can be targeted to provide additional assurance over processes which are high in value or risk. It also allows for flexibility in an ever-changing regulatory environment.