Automated scripts that systematically extract data and independently execute control tests are essential audit tools in data-driven organizations. The COVID-19 pandemic has accentuated the importance of such tools as management focuses its attention on activities paramount to organizational survival.
Continuous audits harness these tools to provide baseline assurance that becomes particularly useful in a crisis. By converting manual test steps into programming code or robotic process automation (RPA) that can be executed repeatedly, internal audit can provide regular assurance of operating controls.
How Continuous Audits Help
In a typical audit, internal audit relies on audit clients or the IT function to provide the data that will be used in audit work. This dependence on other parties can create bottlenecks to the audit tests if that data cannot be obtained quickly. During a crisis, business units are unlikely to prioritize audit requests, which can delay the completion of the audit. Being able to automate data extracts and independently execute continuous audits alleviates the reliance on other parties.
Another advantage of continuous audits is their ability to provide frequent and sustainable assurance over critical business controls, rather than covering the same areas only once over the audit cycle. Moreover, continuous audits can provide the baseline for conducting more thorough point-in-time audits (see “The Assurance Pyramid” below).
With access to enterprise data repositories, a single continuous audit can efficiently cover horizontal, enterprisewide controls that previously were handled by individual vertical audits. For example, there is no need to include software patch management controls in multiple IT-business integrated audits when a single continuous audit can encompass all enterprise systems.
In addition, a successful continuous audit test may aggregate data from multiple sources, enabling auditors to use advanced analytical techniques. For example, to review expense transactions for fraud, internal audit can create rule-based continuous audits to identify known exceptions such as duplicate transactions. With sufficient data, auditors can use machine learning to highlight unusual transactions that are difficult to detect through rudimentary data analysis.
A common question is whether internal audit should develop continuous audits when the business should be taking the same approach to developing operational controls. The quick answer is that business units may not possess expertise in risk, controls, and data analytics. Audit functions that are more advanced than the business in using data analytics can lead the way by implementing continuous audits. Once business units gain these skills, they can repurpose continuous audits developed by internal audit to enhance business-as-usual controls.
Not all audit tests can be easily or reliably converted to continuous audits. To assess whether tests can be converted, internal audit should consider several criteria.
Data Access
Internal audit should have access to all source data used in continuous audits. For instance, developing a continuous audit that verifies whether payment transactions have gone through specific anti-money laundering controls may require at least one year of payment, regulatory reporting, and counterparty information. Access to such stored data may require the business to provide application accounts, direct access to specific database tables, or application programming interfaces to internal audit. With this access, auditors can independently extract the data in a consistent format.
Ease of Automation
The conversion of audit tests into continuous audits can be implemented programmatically, use RPA, or a combination of both. Programming languages such as Python allow internal audit to tap into the vast number of publicly available development libraries and offer significant flexibility in codifying the test steps. RPA software packages provide a good user interface to facilitate the automation process, but they are used primarily to mimic repetitive actions performed by the auditor and do not adapt well to nonstandard workflows.
Precision of Results
Continuous audits are expected to run periodically for increased assurance. To avoid consuming unnecessary business resources to follow up on a large number of false exceptions, the results must be relatively precise and identify clear exceptions.
Resources
The time and resources spent converting audit tests into continuous audits must translate into meaningful risk assurance. To derive maximum benefit, internal audit should first identify whether controls for high-risk areas can be automated using simple rules before considering areas that require more effort to automate.
Continuous audits may require ongoing updates to ensure they are relevant, especially when there are frequent or unexpected changes to data sources and business processes. To ensure their sustainability, internal audit must allot additional technical resources to maintain these programs and assess whether this investment provides benefit.
Ideally, a fully automated continuous audit will:
- Independently extract data of good quality.
- Systematically analyze this data.
- Execute a control test just like a human auditor.
- Report the results intuitively.
Converting control tests into a continuous audit requires breaking down each test step and translating it into program code for repeatable execution. For instance, the steps to verify whether a privileged system account is adequately managed to prevent unauthorized access can be broken down into typical rules and conditions, which makes account management a good candidate for a continuous audit.
The first, and arguably most time-consuming, step in developing a fully automated continuous audit is to extract data from various source systems, convert it into a format that can be analyzed, and store it in a data warehouse. In the privileged account example, internal audit needs to work with IT application infrastructure and cybersecurity teams to obtain the required data. Auditors must implement data quality checks and ensure the data is free of errors before coding work can start.
Next, auditors should work with IT to systematically upload the required data into the data warehouse, rather than obtaining data in a piecemeal fashion or through emails. Using a central data repository greatly facilitates the overall automation of the continuous audit.
The frequency of continuous audit execution will be impacted by the level of extract, transform, and load (ETL) automation. For instance, if the continuous audit will run weekly, the ETL process should be fully automated because it may be impractical to manually obtain weekly data from the business. To increase efficiency, internal audit can leverage enterprise tools, such as Control-M or Apache Airflow, to automate the execution of each continuous audit and monitor its status.
To convert the privileged account management (PAM) audit test into a continuous audit script, internal auditors must:
1. Extract all local and domain administrator accounts.
2. Extract all administrator accounts vaulted in the organization’s PAM platform.
3. Extract the unique employee identifiers for IT administrators.
4. Extract employee IDs (including those granted access through groups) with the ability to withdraw the accounts from the PAM platform.
5. Compare the data in steps 1 and 2 and highlight differences as potential exceptions.
6. Compare the data in steps 3 and 4 and highlight differences as potential exceptions.
7. Clearly report and detail the results as potential exceptions to the control owners.
While it may be convenient to simply email the results generated from steps 5 and 6 to the IT function and conclude the continuous audit, there may be legitimate reasons for some of the identified exceptions. For instance, there could be legacy or third party-managed applications that do not allow privileged accounts to be stored securely — including resetting passwords after each use — in the firm’s PAM platform.
Given the rule-based nature of continuous audits, it is common to implement an allow list that will suppress known false positives to make the results more precise. To create this allow list, internal audit needs to work with the business to review the initial results, verify the false positives, and codify the details into the allow list. This list should be updated regularly to account for frequent technology and business process changes.
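The seven PAM steps and the allow list described above, written out as one script. This is an added illustration, not code from the article: every data set (the administrator inventory, the vaulted accounts, the HR list of IT administrators, the PAM withdrawal grants and groups, and the allow list entry) is constructed inline to stand in for the extracts an audit team would load into its data warehouse, and the field and rule names are assumptions. The allow list carries a reason and an expiry date so that a suppressed exception resurfaces for re-validation instead of being hidden indefinitely.

```python
"""PAM continuous audit: steps 1-7 plus allow-list suppression (added example)."""
import csv
import io
from dataclasses import dataclass

# Step 1 (constructed): local and domain administrator accounts, as (host, account).
ADMIN_ACCOUNTS = {
    ("srv-db01", "svc_backup"),
    ("srv-db01", "dba_admin"),
    ("srv-web02", "Administrator"),
    ("srv-web02", "legacy_app"),
    ("corp.local", "domain_admin_jdoe"),
}

# Step 2 (constructed): administrator accounts vaulted in the PAM platform.
VAULTED_ACCOUNTS = {
    ("srv-db01", "svc_backup"),
    ("srv-db01", "dba_admin"),
    ("srv-web02", "Administrator"),
    ("corp.local", "domain_admin_jdoe"),
    ("srv-old09", "root"),  # vaulted, but no longer in the administrator inventory
}

# Step 3 (constructed): employee IDs in the IT administrator role, from HR data.
IT_ADMIN_EMPLOYEES = {"E1001", "E1002", "E1003"}

# Step 4 (constructed): PAM withdrawal rights granted directly and through groups.
PAM_DIRECT_WITHDRAWERS = {"E1001", "E2099"}
PAM_GROUPS = {"grp-pam-dba": {"E1002", "E1003"}, "grp-pam-legacy": {"E3050"}}

# Allow list (constructed): false positives verified with the business, keyed by
# (rule, subject). The expiry forces periodic re-validation of each entry.
ALLOW_LIST = {
    ("ADMIN_NOT_VAULTED", "srv-web02:legacy_app"): {
        "reason": "third-party managed application, cannot be vaulted",
        "expires": "2025-12-31",
    },
}


@dataclass(frozen=True)
class Finding:
    rule: str      # which comparison produced the finding
    subject: str   # "host:account" or employee ID
    detail: str    # plain-language explanation for the control owner
    status: str    # "potential exception" or "suppressed: <reason>"


def pam_withdrawers(direct, groups):
    """Step 4: flatten direct grants and group memberships into one set of employee IDs."""
    ids = set(direct)
    for members in groups.values():
        ids |= members
    return ids


def compare_accounts(admin_accounts, vaulted):
    """Step 5: differences between the administrator inventory and the vault, both ways."""
    findings = []
    for host, name in sorted(admin_accounts - vaulted):
        findings.append(Finding("ADMIN_NOT_VAULTED", f"{host}:{name}",
                                "administrator account is not vaulted in the PAM platform",
                                "potential exception"))
    for host, name in sorted(vaulted - admin_accounts):
        findings.append(Finding("VAULTED_NOT_IN_INVENTORY", f"{host}:{name}",
                                "vaulted account not found in the administrator inventory",
                                "potential exception"))
    return findings


def compare_withdrawers(it_admins, withdrawers):
    """Step 6: differences between the IT administrator role and PAM withdrawal rights."""
    findings = []
    for emp in sorted(withdrawers - it_admins):
        findings.append(Finding("WITHDRAWER_NOT_IT_ADMIN", emp,
                                "can withdraw privileged accounts but is not an IT administrator",
                                "potential exception"))
    for emp in sorted(it_admins - withdrawers):
        findings.append(Finding("IT_ADMIN_WITHOUT_PAM_ACCESS", emp,
                                "IT administrator has no PAM withdrawal rights",
                                "potential exception"))
    return findings


def apply_allow_list(findings, allow_list, run_date):
    """Suppress verified false positives; an expired entry no longer suppresses."""
    out = []
    for f in findings:
        entry = allow_list.get((f.rule, f.subject))
        if entry and entry["expires"] >= run_date:  # ISO dates compare as strings
            out.append(Finding(f.rule, f.subject, f.detail, f"suppressed: {entry['reason']}"))
        else:
            out.append(f)
    return out


def run_pam_audit(run_date="2025-06-30"):
    """Run steps 5 and 6 over the extracts and apply the allow list."""
    findings = compare_accounts(ADMIN_ACCOUNTS, VAULTED_ACCOUNTS)
    findings += compare_withdrawers(IT_ADMIN_EMPLOYEES,
                                    pam_withdrawers(PAM_DIRECT_WITHDRAWERS, PAM_GROUPS))
    return apply_allow_list(findings, ALLOW_LIST, run_date)


def to_csv(findings):
    """Step 7: a standard output format with an empty column for auditor validation."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["rule", "subject", "detail", "status", "auditor_category"])
    for f in findings:
        writer.writerow([f.rule, f.subject, f.detail, f.status, ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(run_pam_audit()))
```

Each rule is named so that an allow-list entry suppresses one specific comparison for one specific subject, not every finding about that account; the CSV keeps an empty auditor_category column so the auditor's pass/true exception/false positive decision is recorded next to the automated result.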
Internal audit should design each continuous audit to save results in a standard format that can be readily validated by the auditor and easily read by a visualization tool for management reporting. A case management tool that allows the auditor to easily categorize and formally document the results of each continuous audit can significantly increase efficiency. An elaborate management tool may take the form of an intuitive, web-based user interface that highlights exceptions for follow-up and generates management reports.
A simpler solution can be for the continuous audit test to output results into access-controlled spreadsheets for auditor validation. Each potential exception highlighted should be adequately categorized as pass/no exception, true exception, or false positive, with issues formally raised to management when necessary. Auditors can then chart the results using macros and report them to management using a visualization tool or a spreadsheet’s built-in charts function.
As internal audit develops continuous audits, it will eventually have a sizeable number of automated control tests covering broad areas that can be run regularly. With this capability, auditors can provide automated, baseline assurance. Auditors can consolidate the results of this assurance by business function (such as payment operations or technology infrastructure) or by control theme (such as segregation of duties) and report them to management. The report can progressively grow as new continuous audits are developed.
A successful continuous audit program depends on good data quality, time taken to run each continuous audit, the precision of results, and the upkeep of audit scripts. These are some of the common challenges internal audit is likely to encounter when developing a continuous audit program.
Availability of Good Quality Data
The expression “garbage in, garbage out” best describes the consequence when access to good quality input data is unavailable. For example, to develop a continuous audit to detect poor management of privileged accounts, access to accurate data on server inventories, account repositories, and employee information is required. Data cleansing, which involves correcting and removing erroneous or inaccurate input data, is often needed before the auditors can code the test.
Achieving Full End-to-end Automation
The ideal continuous audit is a one-click, fully automated process from data extraction all the way to the reporting of results with minimal human involvement. However, this can be difficult to achieve in practice. For example, the data may only be available in hard copy or through emails, which makes automated data processing difficult. Data analysis also may require auditor judgment that cannot be codified into rules within continuous audit scripts.
Given the challenges in automation, internal audit may only produce a partially automated solution when developing the first version of a continuous audit. A practical approach is to run the continuous audit at a lower frequency, and then improve and fully automate it during subsequent revisions. Full automation will save audit resources in the long term and enable audits to be run more frequently.
Potential Audit Fatigue
Internal audit should avoid overwhelming the business with frequent requests that turn out to be false positives. Internal auditors can accomplish this by implementing sufficient exception handling in continuous audits to eliminate most false positives. Internal audit can improve the precision of continuous audits by back-testing the findings against historical data. In addition, there should be a feedback loop to continuously improve the precision of audits by incorporating lessons learned from actual results.
Maintenance Costs
The integrity of continuous audits depends on business and technology changes that are beyond internal audit’s control. For example, unexpected business process and data schema changes may invalidate the logic of existing code and produce inaccurate results. Each continuous audit will require ongoing monitoring to ensure relevance, and the maintenance costs can be significant. Internal audit may need to invest resources to redo the business-understanding work and recode the continuous audit.
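The back-testing and feedback loop described under Potential Audit Fatigue, as an added example that is not part of the article. The history is a constructed sample of validated results from past runs (the auditor_category column filled in after review); the rule and subject names match nothing real and are assumptions. The script measures each rule's precision (true exceptions divided by everything flagged), lists subjects that were validated as false positives in several runs and never as a true exception, and shows how precision would change if those subjects were codified into the allow list.

```python
"""Back-testing continuous audit precision against validated historical results."""
from collections import Counter, defaultdict

# Constructed history: (run_date, rule, subject, auditor_category) after validation.
HISTORY = [
    ("2025-01-31", "ADMIN_NOT_VAULTED", "srv-web02:legacy_app", "false positive"),
    ("2025-02-28", "ADMIN_NOT_VAULTED", "srv-web02:legacy_app", "false positive"),
    ("2025-03-31", "ADMIN_NOT_VAULTED", "srv-web02:legacy_app", "false positive"),
    ("2025-03-31", "ADMIN_NOT_VAULTED", "srv-db03:sa", "true exception"),
    ("2025-01-31", "WITHDRAWER_NOT_IT_ADMIN", "E2099", "true exception"),
    ("2025-02-28", "WITHDRAWER_NOT_IT_ADMIN", "E2099", "true exception"),
    ("2025-02-28", "WITHDRAWER_NOT_IT_ADMIN", "E4410", "false positive"),
]

FLAGGED = ("true exception", "false positive")  # categories that cost business follow-up time


def precision_by_rule(history, allow=()):
    """Per rule: true exceptions / all flagged items, after removing allow-listed subjects.

    Returns a dict of rule -> precision rounded to two decimals (None if nothing was flagged).
    """
    allow = set(allow)
    counts = defaultdict(Counter)
    for _, rule, subject, category in history:
        if category in FLAGGED and (rule, subject) not in allow:
            counts[rule][category] += 1
    result = {}
    for rule, c in counts.items():
        flagged = c["true exception"] + c["false positive"]
        result[rule] = round(c["true exception"] / flagged, 2) if flagged else None
    return result


def allow_list_candidates(history, min_runs=3):
    """(rule, subject) pairs validated as false positives in at least min_runs distinct runs
    and never as a true exception. These are candidates for the allow list, still to be
    confirmed with the business before they are codified.
    """
    fp_runs = defaultdict(set)
    ever_true = set()
    for run, rule, subject, category in history:
        key = (rule, subject)
        if category == "false positive":
            fp_runs[key].add(run)
        elif category == "true exception":
            ever_true.add(key)
    return sorted(k for k, runs in fp_runs.items()
                  if len(runs) >= min_runs and k not in ever_true)


def feedback_loop(history, min_runs=3):
    """Precision before and after codifying the repeat false positives into the allow list."""
    candidates = allow_list_candidates(history, min_runs)
    return {
        "before": precision_by_rule(history),
        "candidates": candidates,
        "after": precision_by_rule(history, allow=candidates),
    }


if __name__ == "__main__":
    for key, value in feedback_loop(HISTORY).items():
        print(f"{key}: {value}")
```

Requiring several independent runs before a subject becomes a candidate, and excluding anything that was ever a true exception, keeps the loop from quietly allow-listing a genuine control failure after a single mistaken validation.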
In a crisis such as the COVID-19 pandemic, continuous audits can enable internal audit to provide assurance over high-risk areas even when the business is unable to support audit requests for an extended period. They also may prove useful for businesses as they regain their bearings once the crisis is over. A new normal for forward-looking internal audit functions may be continuous audit capabilities that provide much-needed baseline assurance before the next crisis arises.