Please enable JavaScript.
Coggle requires JavaScript to display documents.
2.9.1 (CONTINUOUS AUDITING AND MONITORING (Benefits (Continuous auditing…
2.9.1
CONTINUOUS AUDITING AND MONITORING
A distinctive characteristic of continuous auditing is the short time lapse between the facts to be audited, the collection of evidence and audit reporting
Continuous monitoring
Used by an organization to OBSERVE the performance of one or many processes, systems or types of data.
For example, real-time antivirus or IDSs may operate in a continuous monitoring fashion.
Continuous auditing
Enables an IS auditor to perform tests and assessments IN A REAL TIME OR A NEAR REAL TIME environment.
Continuous auditing is designed to enable an IS auditor to REPORT RESULTS on the subject matter being audited WITHIN A MUCH SHORTER TIME FRAME than under a traditional audit approach.
continuous monitoring :heavy_plus_sign: Continuous auditing = continuous assurance can be established
. In practice, continuous auditing is the precursor to management adopting continuous monitoring as a process on a day-to-day basis
Nevertheless, the lack of independence and objectivity inherent in continuous monitoring should not be overlooked, and
continuous monitoring should never be considered as a substitute for the audit function.
How it works?
Continuous auditing efforts often incorporate new IT developments; increased processing capabilities of current hardware, software, standards and AI tools;
and attempts to collect and analyze data at the moment of the transaction.
DATA must be gathered from different applications working within different environments, transactions MUST BE SCREENED
the transaction environment has to be , and
ANALYZED TO DETECT TREND AND EXCEPTIONS AND ATYPICAL PATTERNS
(i.e., a transaction with significantly higher or lower value than typical for a given business partner) must be exposed
Benefits
Continuous auditing aims to provide a more secure platform to
avoid fraud and a real-time process aimed at ensuring a high level of financial control.
Continuous auditing and monitoring tools are often built into many
enterprise resource planning packages and most OS and network security packages.
if appropriately configured and populated with rules, parameters and formulas, can
output exception lists on request while operating against actual data.
CONTINUOUS AUDITING TECHNIQUES
By permitting an IS auditor to evaluate operating controls on a continuous basis without disrupting the organization’s usual operations, continuous audit techniques improve the security of a system.
There are five types of automated evaluation techniques applicable to continuous auditing:
Systems control audit review file and embedded audit modules (SCARF/EAM)—
The use of this technique involves embedding specially written audit software in the organization’s host application system so the
application systems are monitored on a selective basis.
Snapshots—
This technique involves taking what might be termed
“pictures” of the processing path
that a transaction follows, from the input to the output stage.
With the use of this technique, transactions are tagged by applying identifiers to input data and recording selected information about what occurs for an IS auditor’s subsequent review.
Audit hooks—
This technique
involves embedding hooks in application systems
to function
as red flags :red_flag: and induce IS security and auditors to act before an error or irregularity gets out of hand
Integrated test facility (ITF)
In this technique, dummy entities are set
up and included in an auditee’s production files.
An IS auditor can
make the system either process live transactions or test transactions during regular processing runs
and have these transactions update the records of the dummy entity.
The operator
enters the test transactions simultaneously with the live transactions that are entered for processing.
An auditor then compares the output with the data that have been independently calculated to verify the
correctness of the computer-processed data.
Continuous and intermittent simulation (CIS)—
During a process run of a transaction
, the
computer system simulates the instruction execution of the application.
As each transaction is entered,
the simulator decides whether the transaction meets certain predetermined criteria and, if so, audits the transaction.
If not, the
simulator waits until it encounters the next transaction that meets the criteria.
Their selection and implementation depends, to a large extent,
on the complexity of an organization’s computer systems and applications,
and an IS auditor’s ability to understand and evaluate the system with and without the use of continuous audit techniques
Techniques that are used to operate in a continuous auditing environment must work at all data levels—single input, transaction and databases—and include:
• Transaction logging
• Query tools
• Statistics and data analysis
• DBMS
• Data warehouses, data marts, data mining
• Intelligent agents
• EAM
• Neural network technology
• Standards such as Extensible Business Reporting Language (XBRL)
features
The configuration and application of intelligent agents (sometimes referred to as bots) allow for continuous monitoring of systems settings .
and the delivery of alert messages when certain thresholds are exceeded or certain conditions are met
The auditing tools must operate in parallel to normal processing—
capturing real-time data,
extracting standardized profiles or descriptors,
and passing the result to the auditing layers.
Implementation can also reduce possible or intrinsic audit inefficiencies such as
delays, planning time, inefficiencies of the audit process,
overhead due to work segmentation,
multiple quality or supervisory reviews, or discussions concerning the validity of findings.
disadvantage
internal control experts and auditors might be resistant to trust an automated tool in lieu of their personal judgment and evaluation.
mechanisms have to be put in place to eliminate
false negatives and false positives in the reports generated by such audits so that the report generated continues to inspire stakeholders’ confidence in its accuracy.