“Continuous Auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis.” Institute of Internal Auditors.
Traditionally, fraud and abuse are caught after the event, and sometimes long after the possibility of financial recovery has passed. By monitoring transactions continuously, organisations can reduce the financial loss from these risks.
A Continuous Auditing (“CA”) programme will typically include most, if not all, of the following components:
We can support the whole range of activities required to apply continuous auditing & monitoring, from proof of concept to embedding it within an organisation as “business as usual”.
We start with an organisation’s risk profile. The analytical rules are developed to identify anomalies, or deviations from the norm, in the transactional data. Rules are typically developed against a historical data set to maximise their effectiveness in detecting errors, abuse and control circumvention when deployed to run on a continuous basis. Once deployed, rules are iteratively refined, incorporating the results of anomalies which have been detected by the rule and subsequently investigated.
Once developed, rules are deployed to run continuously to detect anomalies in new transactions and notify the appropriate individual. The exact frequency (for example, every 15 minutes or once per day) depends on the business process being monitored and the inherent value and risk of that process. Rules should be applied frequently enough to allow appropriate action to be taken when an anomaly is detected.
The goal is to embed a “closed loop” cycle, where detected anomalies are managed through a workflow from investigation through to remediation. The remedial action may be an improvement to a control, a process intervention or an improvement of the rule which detected the anomaly.