Internal auditing is playing an important role in Chinese society today. In recent years, a number of serious scandals and the low performance of government operations have increased the need for government auditors. In addition, because government audit reports are an important source of information in the decision-making process, it is not uncommon for audits to take place before significant decisions are made. These and other events are placing unprecedented performance pressures on government audit departments in China. To meet increasing compliance demands, Chinese government auditors and internal auditors around the world are starting to rely on the use of continuous online auditing (COA). This article discusses the effectiveness of different COA solutions based on a study conducted at the China National Audit Office (CNAO) and provides a case study of how COA is being implemented in China's government sector.
Implementing a COA System
COA, also known as continuous auditing, employs technology to help evaluate, monitor, or review an organization's activities on a more frequent or ongoing basis. Though recent technology advances have made COA available and affordable, many issues need to be considered before its implementation. For instance, a successful COA system should:
Retrieve information from data sources, including databases, operating system files, and system logs.
Analyze data and detect deviations according to predefined rules.
Adapt to different IT environments and organizational changes.
Maintain independence by establishing appropriate segregation of duties during an application's design, implementation, operation, and maintenance phases.
Below is a description of three different ways to implement a COA system based on studies conducted at the CNAO during the design of the agency's automatic audit system.
Embedded Audit Module
|Figure 1: Diagram of Embedded Audit Module|
To implement this COA system, the continuous audit module is embedded or incorporated in the desired business application. Because embedded audit modules — also known as integrated test facility modules — need to be designed as an application component, they are able to identify and report specific transactions or other information based on pre-defined criteria. As a result, reporting should occur as transactions are processed. Figure 1 illustrates what the embedded audit module looks like. Hi-end enterprise resource planning and customer relationship management systems, such as SAP and Oracle, have created solutions of this type.
COA systems that have an embedded audit module provide organizations with a number of benefits. First, they can keep an audit trace of all business activities. Second, they are easy to implement and maintain because all application components are provided by the same vendor. Finally, they enable the organization to conduct complex functions, such as early exception report and fraud alarming. However, these COA systems have limitations. For instance, the COA system may not be compatible with all of the applications used by the organization.Many large organizations today use different enterprise and legacy systems at the same time. Hence, it may be difficult for the COA system to gather data from all the systems.
In addition, the COA system's independence may be limited because the audit module is incorporated as part of the logical access capability of the audited application. Furthermore, integrating system-monitoring software in the audited application may limit the extent of the application's audit, especially if the developer has a limited understanding of what to include in the module. Finally, integrating the continuous audit software with the application may decrease its process productivity and performance.
|Figure 2: Agent-based COA|
An agent is a program that gathers information or processes tasks behind the scenes. These programs can be leveraged to enable COA. Figure 2 illustrates how an agent-based COA architecture works.
According to Figure 2, an agent-based COA architecture consists of different agents playing different roles:
The coordinating agent is the center of the agent group that administers the behavior, information, and communication of other functional agents.
The project management agent is responsible for the organization's audit plan and for dividing the plan into different tasks, such as information retrieval and data analysis, which are then executed by the other agents.
The information retrieval agent searches, collects, and interprets the data from the organization's business systems.
The analysis agent checks the information according to predefined business rules, which are maintained by
the rule library agent. If any discrepancies are detected between the retrieved information and the defined rules, the communication agent sends an alarm via e-mail or short message to the auditor for further investigation.
An agent-based approach is more scalable and flexible than using an embedded audit module system. Agents can be installed in distributed hosts to balance the burden of application servers that communicate through a special protocol. In addition, agent development toolkits are available on the market, such as Agent Builder and VAStudio. The main obstacles of an agent-based approach are the technology's complexity, which is knowledge-intensive, and its high-implementation costs.
Although IT environments may vary, similarities exist. For example, many government agencies have an accounting information system (AIS). Also, organizations may have a system database that houses all the information needed to conduct an audit. In organizations like these, communication between the COA program and the organization's application can be simplified with the exchange of data between the two systems. This exchange of information provides the basis for a data-oriented COA solution. The center of this solution is a data retrieval interface (DRI) that collects and transforms data. This data flow is explained in Figure 3.
|Figure 3: Data flow in a Data-oriented COA.|
Although auditors don't necessarily have to understand the complex internal logic of an application or program, they do have to know what kind of information resides in the application and how it is used. The first advantage of a data-oriented solution, therefore, is that it simplifies the connection between the audited application and the audit system. Second, this solution minimizes the burden on the audit application because analysis is performed on another host and the data transferred consumes fewer resources. Finally, this solution separates the two systems logically and physically and improves audit independence. Thus, a data-oriented COA process is similar to the data warehouses used by many third-party management information systems and executive dashboards.
The main drawback of this system is that DRI development can be a significant task because different applications may need a new DRI. Another limitation is that audits are not performed in real time because data is available only after the transaction has taken place. This may pose a significant concern if strong, preventive process controls are not present in the DRI.
GAIS: A Practical COA Case
In 2002, CNAO launched a countrywide IT program called the Golden Auditing Project (GAP). The program's objective was to build a government audit information system (GAIS) that promotes a new audit model: The simultaneous use of budget tracing — to track the government's budget management process throughout its lifecycle — and COA — to determine the reliability, conformity, and performance of the budget management process. The following were implemented to maximize the use of GAIS:
A network. As part of GAP, CNAO built a specialized wide-area network (WAN) in Beijing where only authorized users have access to the network to provide a safe COA platform. Also called the audit center (see section below for more information), this specialized WAN is similar to the out-of-band networks used by network administrators to manage and monitor sensitive IT equipment and prevent traffic eavesdropping.
A control environment. GAIS' internal control environment is evaluated before any audit to determine whether information quality could impact the audit's quality. This is also called the intermediate station (IDS). (Refer to the section below for more information.)
A DRI. Most government agencies use an AIS to support their operations. COA can connect to the AIS with relative ease, thus lowering the complexity of implementing the COA system. This is also known as the audited database and DRI. (See section below for more information on the DRI.)
The GAIS COA architecture has a data-oriented solution (refer to Figure 4 for a flowchart of the GAIS COA). The architecture can be divided into three components: a DRI, an IDS, and an audit center.
|Figure 4: GAIS COA Flowchart.|
A DRI is the most important part of a COA system because it is responsible for transferring data from the audited system to the audit system. The DRI works in two modes: automatic and manual. Under the automatic mode, the DRI is triggered by predefined audit rules that identify the time, interval, and scope of the data to be gathered. Under the manual mode, only the authorized auditor can start the DRI process manually.
In GAIS, the DRI provides two ways to collect data — through a standard AIS interface or through an open database connection. To access data in a different system, GAIS employs a template mechanism that defines the software vendor, version, data, location, structure, and related information in the database. New templates can be designed and added when a new system is encountered.
The DRI process consists of the following steps:
Filtering. Criteria are used to filter the necessary data elements for auditing.
Extraction. Database information queries are conducted that are saved as a temporary file for later use.
Processing or Conversion. The data extracted from the audited system may not be suitable for direct use. As a result, it may be necessary to reorganize the data by cleaning it.
Verification. This step provides a quality control mechanism to ensure the data's quality, which can be measured for its correctness, integrity, and completeness. The DRI will send a notification if any data qualification problems exist.
Transferring and Loading. In this final step, data is transferred and loaded into the audit database for access by the IDS.
Information security is an important issue in government auditing. In GAIS, the security problem is solved through the use of an IDS and a special switch that separates the audited and audit systems. The IDS performs two functions: data retrieval and data analysis. When a data retrieval process begins, the switch connects the audited system and the intermediate database server, disconnecting the audit application server. When the data retrieval process is completed, the switch connects the IDS and the audit system and disconnects the audited system. In both instances, the audited system and audit application are separated from each other, thus maintaining the COA's independence.
The audit center contains an audit management module that administers tasks, data, documents, and other resources. These materials can be packaged and shared among members of the same group. Supervisors can assign tasks and review work papers through the network platform.
The center works in two modes: manual and automatic. In the manual mode, only authorized auditors may operate the software to analyze the audit data by conducting queries and by sorting, comparing, merging, totaling, or sampling the database information. In the automatic mode, the system executes predefined audit procedures to detect any deviations. Auditors also can add new procedures to the system, which can be archived in a central location or library. This library can be adjusted to meet the audit needs of different organizations or industries.
COA is a promising audit technology not only for the government sector in China, but for internal auditors around the world. With the prosperity of e-governance and e-commerce, there is great demand for online assurance and reporting services. Though the initial study shows a promising future for COA, there is little evidence on the effects of COA, especially on the quality and financial impact of this technology. Before the wide application of COA comes to life, more research needs to be conducted in this area and more information needs to be shared among organizations around the world.
For more information on COA, auditors should read the following publications or visit the Web sites below:
"Recommendations for an Effective Continuous Audit Process," published in the Feb. 10, 2007 issue of ITAudit.
The Insitute of Internal Auditors' Global Technology Audit Guide, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.
Zhao Hongli, "The Security Analysis of Online Auditing," Audit Theory and Practice, 2002.
Wu Kaibin, "Study on Far- or Mid-distance Government Auditing Models," China Audit, 2003.
Chen Yuekun, "The Realization of Online Auditing," China Audit, 200
S. M. Groomer and U.S. Murthy, "Continuous Auditing of Database Applications: An Embedded Audit Module Approach," Journal of Information Systems, Vol. 3, No. 2, Spring 1989.
Donald Warren, "Is Continuous Auditing Right for You?," Sarbanes-Oxley Compliance Journal, March 2005.
Alexander Kogan, Ephraim F. Sudit, and Miklos A. Vasarhelyi, "Continuous Online Auditing: An Evolution," Journal of Information Systems, Vol.13, No.2, Fall 1999.
Charles Ling-yu Chou, Timon Du, and Vincent S. Lai, "Continuous Auditing With a Multi-agent System," Decision Support Systems, Vol. 42, No. 4, January 2007.
Mark J. Nigrini, "Continuous Monitoring: Techniques and Technologies for Internal Auditors" (Microsoft Word).