So far, this series has covered three of the six focus areas of a Quality Assessment (QA): Audit Structure, Risk Assessment & Audit Planning and Staff Proficiency. The fourth area is Information Technology: Is information technology (IT) risk coverage in audit plans adequate? Does the internal audit (IA) group use tools and continuous auditing methodologies to extract and analyze data for real-time and online testing?
Many IA teams don’t have the appropriate IT skills to audit every identified risk. Rather than the organization acquiring the needed skill sets—either through hiring or a co-sourcing arrangement—many simply eliminate IT audits from their annual audit plan or “water down” the scope of the audits and have a financial auditor perform the work. In addition, many perform IT audits separately from the non-IT audits when an integrated audit approach is preferable. It’s rare for any organization to operate without significant IT applications, and controls related to these applications affect operations throughout the organization.
One common criticism of IA teams relates to the timeliness of reporting results—by the time results are tallied and reviewed and reports are drafted and scrutinized, audit results can be months old. Such an observation is often noted during a QA. However, data mining technologies now allow IA teams to immediately add value and improve timeliness by performing tests through continuous auditing techniques and methodologies.
Continuous auditing has been used for years and continues to gain popularity as data mining technologies improve. When continuous auditing is used, testing is performed by extracting current data on a continuous, routine basis, e.g., daily, weekly, monthly, and data reports are often generated by exception only. This results in a much more efficient use of the internal auditor’s time since exceptions requiring a follow-up already have been identified. It also allows for testing over an entire population versus a sample of items.
For example, an organization wants to implement continuous auditing procedures to help identify potential fraudulent payments made through the accounts payable process. Procedures could be implemented to identify real-time payments to vendors who share an employee’s name or address or payments sent to vendors at a post office box or mailbox service address. Real-time investigations of such payments could help quickly identify whether fraudulent payments have begun.
When assessing the value added by IA activity, a QA should determine if continuous auditing procedures are in place, and if not, whether implementing such procedures would benefit the organization.
Read about other key areas that should be considered for QA by clicking the links below:
How BKD CPAs & Advisors Can Help
BKD’s Enterprise Risk Solutions (ERS) practice provides specialized resources that deliver the right combination of expertise and skills to achieve integrated results. Our ERS division features experienced professionals who provide Quality Assessment services to organizations seeking to improve their IA activity’s effectiveness and value. Contact us to learn more.
Latest posts by Cynthia Bosotin (see all)
- Six Ways a Quality Assessment Adds Value to Internal Audit: Part 6 - October 29, 2014
- Six Ways a Quality Assessment Adds Value to Internal Audit: Part 5 - October 27, 2014
- Six Ways a Quality Assessment Adds Value to Internal Audit – Part 4 - October 21, 2014