Since the advent of the yearly internal audit, accounting mistakes and operational miscalculations have traditionally been discovered well after corrective action or financial recovery is possible. While audits are still necessary, emerging strategies powered by data analytics provide deeper business insights at the click of a button.
Continuous auditing (CA) and continuous monitoring (CM) are complementary practices that expose risk and facilitate decision-making based on data from sources inside and outside your company. While traditional audits illustrate the overall health of your company based on a sampling of data over a period of time, CA and CM allow you to regularly calibrate your operations based on real-time performance metrics using a more robust set of data. Organizations that master these strategies are more agile, more adaptive, and more likely to outperform their competitors.
A Two-Fold Process
CA and CM, while both data-driven in nature, are separate processes with unique features. Continuous auditing is managed outside of your organization and automates the verification of data and transactions as they happen. When the system discovers a discrepancy or error, it triggers an alert so that immediate corrective action can be taken. In contrast, continuous monitoring is an internal management tool that evaluates operations, employees, systems, and processes to assess compliance and efficiency.
While these processes do not necessarily need to coexist, a two-fold approach supports interactive decision-making across divisions of the organization. Some key capabilities of CA and CM are:
> Simultaneously monitors millions of data records and generates relevant customized reports.
> Increases oversight and improves risk avoidance with constant monitoring and automatic status updates.
> Continuously expands application to expose risks beyond accounting transactions.
> Shifts the auditing paradigm from periodic reporting on a small data sample to continuous reporting on robust volumes of data.
> Harvests data from previously unavailable or unused sources inside and outside the organization.
Implementing CA and CM
Whether you adopt one or both of these practices, your entire team should be involved in strategizing implementation. Start the process by considering these six questions:
Who will spearhead?
Every initiative needs a champion, and this effort is no exception. Because CA is driven by internal audit and CM by management, there must be an established leader who can communicate to both entities in the event of a policy or implementation change. The leader also garners support from all stakeholders and establishes systems that maximize the interactive efficiency of the dual functions.
What are our priorities?
There are myriad approaches to CA and CM, but your company should develop a custom plan based on your own industry, resources, company culture, and goals. Define your unique key risk indicators (KRIs) and decide on a monitoring process and an accountability structure for each. Extrapolate from your KRIs the business systems to be monitored or audited and consider regulatory requirements and performance concerns for each. Make sure your overall approach aligns with your company’s goals and objectives.
Which resources will we use?
The two major assets that must be considered in CA and CM are people and technology. There are numerous computer-assisted auditing and monitoring tools available, but the program you choose is no more important than the people you train to implement it. List all of your sources and systems, and the data available from each, then define universal rules, routines, and procedures.
When is the best time to begin?
Adopting CA and CM will present major shifts in your business paradigm, so take an iterative approach to their implementation. Start slowly, monitoring already well-documented transactions, like accounts payable or accounts receivable. When you become more familiar with the system and its possibilities, you can flesh out its application. Schedule phases based on your unique circumstances with regard to cost and benefits.
How will data be reported?
Present formal results and key insights regularly using the most recent data available. Determine which managers will receive reports, how often, in what format, and the specific information that will be included in each. Decide early in the process how you will determine if the exercise is meeting its intended goals.
What will we do with the findings?
Based on results, make appropriate assumptions about discrepancies and risks, then determine adaptive steps. Measure the impact of the findings and determine how and when you will calibrate operations. Set up clear indicators that your operations are getting smarter and that controls are becoming stronger as a consequence.
What’s Stopping You?
While CA and CM provide multiple advantages to your company, there are perceived deterrents that may prevent or delay adoption. Be proactive and tackle these common concerns before they become barriers to your success.
> Get Buy-in. For CA and CM to function properly, senior management must support the idea and provide the necessary data. Managers will not invest in a task of this size if there is no perceived value. Clearly define a return on investment for each company division and involve the key players in determining the performance indicators and processes.
> Assess Employee Competencies. CA and CM require a sophisticated understanding of analytics and appreciation for how data can be used. Consider the technological skills of your current team to fulfill this role and provide proper training. Also, consult with professional auditors and monitoring providers to determine the best staffing strategy.
> Manage Costs. The cost to implement and train for CA and CM can be sizable, but cloud computing has enabled subscription-based services that don’t require huge outlays of cash for equipment and software.
> Consider Regulations. Depending on the nature of your business, your data or reporting may be limited by regulatory requirements. Assign a point person within each of your departments to monitor and ensure compliance, and revisit regularly to identify changes in laws that require procedural adjustments.