
Governance, Risk, and Compliance

A Look into the Future: The Next Evolution of Internal Audit
Continuous Risk and Control Assurance

3  About the Author
4  Executive Summary
5  The Vision
7  The Journey from Traditional Auditing
10 The Next Evolution of Internal Audit
   11 Model Overview
   12 Continuous Risk Monitoring
   13 Continuous Controls and Data Auditing
   16 Continuous Fraud Detection
   16 On-Demand Data Mining
   16 The Monitoring of Key Performance Indicators
   17 Continuous Reporting
18 Additional Considerations
20 Other Resources
21 Notes

About the Author

Before joining the governance, risk, and compliance (GRC) solutions team at SAP, Norman Marks was the leader of internal audit functions at major U.S. and global corporations for more than 15 years, also serving at times as chief ethics and compliance officer and chief risk officer. He is a recognized international leader in the theory and practice of internal auditing and was profiled by the magazines of the American Institute of Certified Public Accountants and the Institute of Internal Auditors (IIA) for his innovative practices. He is the author of some of the IIA's most downloaded publications, including "Sarbanes-Oxley 404: A Guide for Management by Internal Controls Practitioners."

Executive Summary

The not-too-distant future for internal auditing includes a technology-driven revolution that will enable a dramatic and necessary change in the way internal auditors operate. The internal auditing function will be able to provide almost continuous assurance that risks of significance are effectively managed and that related controls are performing as desired across the organization.

Traditional assurance projects will largely be replaced by a combination of continuous auditing and monitoring and rapid-response audits of risk hot spots. Resources will be freed up for process improvement and other consulting opportunities. Many of the seeds of that change have already borne fruit that is ready to be reaped today.

Our vision is illustrated through the telling of a story, set a few years from now, by the fictional Charles Andrew Edgar, senior vice president of internal audit for Tap Toes Inc., a global shoe-manufacturing company based in San Francisco.

The Vision
Continuous Risk and Control Assurance

This morning my quiet breakfast was interrupted by a loud chirp from my smart phone. I answered immediately, as it was the special tone I had set for alerts from our continuous risk and control assurance system.

The alert told me that one of our continuous audit and monitoring routines had detected an unusually large physical-inventory variance in our Blackpool, England, location. Clearly, my normal morning routine was going to change.

The message included a detailed description of the alert, but even with today's technology, the screen on the smart phone was too small for me to read comfortably. I took a cup of coffee into my home office and, after going through the normal security protocols, opened the alert on my laptop.

Apparently, a routine monthly physical-inventory check in the Blackpool location had identified a large discrepancy in the finished goods inventory of ballroom dancing shoes. The Blackpool finance director had posted a journal entry writing off the shoes, which our monitoring had detected. The shoes are expensive, so the write-off was above the thresholds (dollar and percentage) we had set our software to monitor.

I used a hyperlink in the message to enter the corporate risk and control system (CRCS), which drives our continuous assurance program. CRCS monitors the health of the more significant risks (in this case, those related to the safeguarding and accurate reporting of inventory) and related controls.

First, I checked out the general level of risk at the Blackpool location, as that would give me an idea whether there was any indication of employee dissatisfaction or other situation that could lead to theft. I found that:

- General risk levels related to the Blackpool location were recently raised due to UK press reports that the Blackpool plant might be closed. (We have standard feeds from commercial news agencies and supplement them with our own search engine. The data is both structured, such as government employment reports, and unstructured, such as articles in the local press. The results are collected and analyzed in the corporate data warehouse and links added to the risk management system.)
- The latest human resources department employee surveys did not identify any elevated employee concerns. In general, it appeared employee morale was good, in line with the rest of the organization.
- There had not been any significant change in personnel turnover, including in management.
- The most recent external audit had not identified any issues. In addition, there were no open remediation items from external audit, internal audit, or other assurance functions.

(By the way, all our assurance functions such as the corporate compliance and corporate quality teams, as well as internal auditing, use CRCS and its multicompliance framework for risk identification and assessment, audit planning, tracking of audit results, and the monitoring of remediation items.)

The internal audit team had been to Blackpool 18 months ago. As with most of our on-site audits, the latest was an operational audit. This particular audit was of the lean finance operation (several of the internal audit team are Lean Six Sigma Black Belts) and the resulting assessment was positive. There were no deficiencies of significance.

I moved from the top-level Blackpool risks to a view that focused on inventory risks. I first checked out the risk of inventory theft. Our continuous assurance program is driven by a top-down, risk-based process for identifying the key controls relied upon to achieve the company's strategic objectives. For each of the objectives, we worked collaboratively with management and the risk officer to identify the risks to achieving the objectives. Then we determined the strategy or response to be followed to manage each risk (transfer or share, avoid, reduce or mitigate, or accept) and the controls required to ensure that the strategy is effective. Finally, we implemented continuous testing for each of the controls.[1]
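The story describes several continuous control tests for inventory: a write-off alert driven by dollar and percentage thresholds, the roll-forward check (opening plus purchases less sales and adjustments equals closing), shipments capped by sales orders, a real-time incompatible-functions test, and a weekly comparison of inventory access against HR records. The routine below is an added example of how such a monitoring cycle can be coded; it is not SAP, CRCS or the author's code, and the thresholds, function names and all records are constructed assumptions.

```python
"""Continuous control tests over finished-goods inventory, modelled on the
routines Edgar's CRCS runs in the story. Added example: not SAP, CRCS or the
author's code. Thresholds, function names and all records are constructed."""
from dataclasses import dataclass

# Constructed monitor configuration (assumption): a write-off alerts when it
# exceeds EITHER the dollar threshold OR the percentage of total inventory.
WRITE_OFF_DOLLAR_THRESHOLD = 50_000.0
WRITE_OFF_PCT_THRESHOLD = 2.0

# Constructed incompatible-function pairs (assumption): nobody should both post
# and approve adjustments, or both ship goods and post adjustments.
INCOMPATIBLE_FUNCTIONS = (
    frozenset({"post_inventory_adjustment", "approve_inventory_adjustment"}),
    frozenset({"ship_goods", "post_inventory_adjustment"}),
)


@dataclass(frozen=True)
class Alert:
    control: str   # which continuous test fired
    detail: str    # what the auditor sees in the alert


def check_write_off_threshold(write_off, total_inventory_value):
    """Flag an inventory write-off above the dollar or the percentage threshold."""
    pct = 100.0 * write_off["amount"] / total_inventory_value
    if write_off["amount"] > WRITE_OFF_DOLLAR_THRESHOLD or pct > WRITE_OFF_PCT_THRESHOLD:
        return [Alert("write-off threshold",
                      f"{write_off['location']}: {write_off['amount']:,.2f} "
                      f"({pct:.1f}% of inventory) posted by {write_off['posted_by']}")]
    return []


def check_inventory_roll_forward(period):
    """Application control: opening + purchases - sales - adjustments == closing."""
    expected = (period["opening"] + period["purchases"]
                - period["sales"] - period["adjustments"])
    if expected != period["closing"]:
        return [Alert("inventory roll-forward",
                      f"{period['location']}: expected {expected}, recorded {period['closing']}")]
    return []


def check_shipments_within_orders(shipments, orders):
    """Application control: cumulative shipments per order cannot exceed the order."""
    shipped = {}
    for s in shipments:
        shipped[s["order"]] = shipped.get(s["order"], 0) + s["qty"]
    return [Alert("shipment exceeds order",
                  f"order {order}: shipped {qty}, ordered {orders.get(order, 0)}")
            for order, qty in shipped.items() if qty > orders.get(order, 0)]


def check_segregation_of_duties(user_functions):
    """Real-time test: no user holds an incompatible pair of functions."""
    return [Alert("incompatible functions", f"{user}: {sorted(pair)}")
            for user, funcs in user_functions.items()
            for pair in INCOMPATIBLE_FUNCTIONS if pair <= funcs]


def check_access_business_need(inventory_access, hr_records):
    """Weekly test: each user with inventory access is a current employee whose
    HR record shows a business need for that access."""
    alerts = []
    for user in inventory_access:
        rec = hr_records.get(user)
        if rec is None or rec["status"] != "active":
            alerts.append(Alert("inventory access", f"{user}: not a current employee"))
        elif not rec["needs_inventory_access"]:
            alerts.append(Alert("inventory access", f"{user}: no business need on record"))
    return alerts


# Constructed sample data for one Blackpool monitoring cycle.
WRITE_OFF = {"location": "Blackpool", "amount": 120_000.0, "posted_by": "finance_director"}
TOTAL_INVENTORY_VALUE = 3_000_000.0
PERIOD = {"location": "Blackpool", "opening": 10_000, "purchases": 4_000,
          "sales": 5_500, "adjustments": 500, "closing": 8_000}
SHIPMENTS = [{"order": "SO-1001", "qty": 60}, {"order": "SO-1001", "qty": 40},
             {"order": "SO-1002", "qty": 50}]
ORDERS = {"SO-1001": 100, "SO-1002": 50}
USER_FUNCTIONS = {"jsmith": {"ship_goods"}, "akhan": {"post_inventory_adjustment"},
                  "mlee": {"approve_inventory_adjustment"}}
INVENTORY_ACCESS = ["jsmith", "akhan", "mlee", "rpatel"]
HR_RECORDS = {"jsmith": {"status": "active", "needs_inventory_access": True},
              "akhan": {"status": "active", "needs_inventory_access": True},
              "mlee": {"status": "active", "needs_inventory_access": True},
              "rpatel": {"status": "terminated", "needs_inventory_access": True}}


def run_monitor():
    """Run every continuous test and return the alerts to push to the auditor."""
    return (check_write_off_threshold(WRITE_OFF, TOTAL_INVENTORY_VALUE)
            + check_inventory_roll_forward(PERIOD)
            + check_shipments_within_orders(SHIPMENTS, ORDERS)
            + check_segregation_of_duties(USER_FUNCTIONS)
            + check_access_business_need(INVENTORY_ACCESS, HR_RECORDS))


if __name__ == "__main__":
    for alert in run_monitor():
        print(f"[{alert.control}] {alert.detail}")
```

On the constructed data, the write-off (4.0% of inventory, above both thresholds) and the terminated employee who still holds inventory access are the two alerts raised; the roll-forward, shipment and incompatible-function tests stay green.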

The dashboard for the controls showed green lights across the board. Notably:

- There were no other unusual inventory transactions such as physical-inventory variances in prior months, write-offs for quality, transfers between locations, inventory reclassifications, or transactions posted directly by IT.
- The individuals accessing the inventory records did not have incompatible functions. (Ours is a real-time test, rather than the after-the-fact analysis and reporting that was popular five years ago.)
- All new access rights granted to the inventory records were approved by appropriate senior management, and no new inventory access rights had been granted in the last quarter.
- Prior monthly physical inventories had been performed as scheduled without significant variances, and the results were approved by appropriate senior management.
- Related application controls were reliable. These included, for example, controls to ensure that inventory records agree with the general ledger, opening inventory plus purchases less sales and adjustments equals closing inventory, shipments cannot be made in excess of sales orders, and so forth. This was based on continuous testing of IT general controls, such as approval for configuration or code changes, and reperformance of selected key application controls.
- Access to the physical inventory was limited to employees with appropriate business needs. This was achieved through an automated test. We extracted from the security system, on a weekly basis, a list of employees who had access to the inventory and verified their business need (based on a lookup of HR system records).

The risk management system had more details on assessments by the other assurance providers, including a copy of the last quarterly inspection by corporate security.[2] The corporate security team had assessed the risk from inventory theft to be low. All the cameras were in place and working properly, management and employees demonstrated the appropriate level of attention to security, and the inventory was properly secured. The Blackpool security team was at full strength, and only current employees had access to the finished goods inventory.

To add perspective, I reviewed the latest financial performance results:

- The Blackpool location has been consistently profitable, although the results in the last quarter were 5% below forecast.[3]
- The inventory write-off was substantial but less than 5% of total inventory, causing the plant to have a small loss for the quarter.[4]
- Sales were quite seasonal, with the highest volumes in the fall. Inventory balances were consistent, with sales at their highest just before the sales peak and at their lowest in the following quarter.

The auditor assigned to monitor Blackpool operations and risks was Fred Eagle. (Each member of our team is assigned to work with the management of selected locations or functions

to understand the business and its more significant risks. In the old days, we updated the risk-based audit plan formally once a year and informally every quarter. Now, I expect it to be updated weekly in CRCS by the audit team.) Fred had confirmed the internal audit risk assessment as low just last week.

I called Fred and we talked about what to do. We agreed the first step was to check that the other Blackpool inventory risks were all green lights and that the updates were current. We were interrupted by a call from the logistics manager. I put him on hold while I asked Fred to check out the other controls and call the Blackpool controller to get a status report. In particular, Fred was to confirm that the physical inventory count had followed the correct procedures.

The logistics manager told me that he had also received an alert. He was concerned that we did not have sufficient inventory on hand in Blackpool to fill a large order from an important customer. He was glad to know that we were already looking into the situation and asked that we let him know as soon as possible what the resolution was, so he could work something out with the customer.

About an hour later, Fred called back. He said that automated continuous assurance only goes so far. It's like having a patient in the intensive care unit of the hospital: the patient's vital signs might be electronically monitored, but every so often a nurse needs to check in to make a physical observation. The situation in Blackpool was the same: all the monitors indicated that the controls were working fine, but sometimes you need that in-person contact.

In this case, Fred and the local controller convened a meeting with the inventory, operations, and finance staff. Fred walked them through the processes they had followed to perform the inventory and found a problem with their cutoff procedures. They had not checked to ensure that all the inventory movements were in the system. In response to Fred's questions, they realized that one of the shipping clerks had taken ill the day before the inventory count. The controller made a call and confirmed that a couple of pickups by the carrier had not been processed. The amounts involved were almost exactly the inventory shortage.

The problem was solved, and Blackpool management agreed to improve processes for future inventory counts. In the meantime, Fred and I talked about whether we should add automated risk-monitoring procedures for inventory counts and then start continuous auditing for related controls. We decided that the current inventory risk monitors were sufficient. That is consistent with our whole approach to continuous assurance: focus on the more significant risks and improve the program over time as we learn from experience.

The Journey from Traditional Auditing

Edgar describes how his company developed the continuous risk and control assurance program.

For years before we started our program, the internal audit community had been very interested in continuous auditing and monitoring.[5] (There is no fundamental difference between the two. The distinction lies not in the work being performed but in who is performing it: auditing by internal audit and monitoring by management.[6]) The value was seen in:

- Automating certain control tests where there was a need to test every year for the annual Sarbanes-Oxley assessment of internal control over financial reporting, for instance
- Testing data and gaining insight into related controls in more sensitive business processes such as accounts payable and payroll, particularly where there was a risk of fraud

The focus was on using automation to test controls and examine data, but there was no linkage to or focus on risk. In addition, a number of internal audit leaders had been talking for a long time about the fact that our role in internal audit is not to perform audits. In fact, our role is to provide the board and executive management with assurance that the organization's risks are understood and managed within board-established risk tolerances, and that the system of internal control is operating as intended.

(The Institute of Internal Auditors Standards defines internal auditing as an activity that provides independent, objective assurance and consulting services. Emphasis is added.) We recognized that providing this peace of mind, the ability to sleep during the storm, could best be done through continuous risk and control assurance. We define this activity as follows:

The ability to provide stakeholders with assurance on a continuing basis that the more significant risks are managed and related controls are operating effectively.[7]

We worked with management, especially the risk management team, to identify the areas of greatest risk to the company's objectives. The risk management team agreed to implement a continuous risk-monitoring program to measure and report the status of those risks. Next, we identified the key controls required to manage those risks. For each, a strategy was developed: how would we monitor the performance of the controls? Where possible, we automated the testing of the controls (which often included auditing of related transactions or activities). The results of the monitoring activities were used to maintain, in part, the risk status.

The continuous risk and control assurance program provides management in all areas with reports and dashboards showing the status of all the key risks. Where there are adverse incidents, potential control breakdowns or frauds, or risks appearing to spike upward, internal audit and responsible management receive immediate alerts, such as the one I received during breakfast.

Our program enables us to give management and the board the continuous assurance they value so highly. It also enables us to move to more of a monitor-and-respond approach in the assurance area and focus our project time on issues and opportunities to drive process efficiencies and other improvements in the operation of the company.

The success of our continuous assurance program has been significantly enhanced by the GRC convergence program we conducted at about the same time. All the functions involved in GRC work together to avoid duplication of effort, rely on each other's work, and use the same systems and processes where possible. In our case, that involves internal audit, risk management, supply and logistics, physical security, IT governance, legal compliance, and financial compliance (Sarbanes-Oxley, tax and statutory reporting, and so on).

As internal auditors, we are obliged to provide independent and objective assurance to our stakeholders. Where we have decided to rely on other assurance providers' work, we make sure we have performed procedures ourselves to give us reasonable assurance of the quality and consistency of that work. So we perform periodic audits of the risk management office, corporate security, IT security, and the like.

Convergence involved process and tools. While we considered integrating some of the GRC functions, in the end we decided to keep them independent but cooperating. From a process point of view, we all decided to take a risk-based approach, especially around compliance topics. Legal compliance might identify a high-level risk related to compliance with U.S. technology export laws, for example. That would be identified as a risk in our risk management system, where we would also identify the controls in place to manage the risks. The level of risk, the number and severity of any adverse incidents, the controls in place to manage the risks, and corrective actions (where issues are identified) are all monitored and tracked in the same system. This approach provides the legal compliance and risk management leaders with a single source of truth about the risk level and how well it is managed. It also enables all the operational managers responsible for any of the processes involved, such as supply and logistics, to include monitoring of this risk in their daily, weekly, and monthly dashboards.

The tools are also shared; we use a number of products from SAP, including SAP BusinessObjects GRC solutions for risk management, access control, process control, and global trade services. We also use SAP BusinessObjects business intelligence solutions to drive our corporate and internal audit data warehouses, and SAP BusinessObjects Text Analysis software for Web-based searches of unstructured data.

The internal audit department had received overtures from a number of vendors offering excellent point solutions designed for internal audit functions or specifically for internal control or data auditing. However, we placed a high value on avoiding software proliferation in favor of using common enterprise applications.

We perform a large number of audit projects that focus on operational effectiveness and efficiency. We can do this because the continuous assurance program is highly effective. A comparatively small portion of our time is spent on assurance, freeing up the audit staff for value-added consulting projects. The audit committee and executive management have confidence in our risk management and internal control processes and have made it a priority for internal audit to perform these projects.

The results of our consulting projects sometimes indicate an opportunity to improve business processes or operations, which we capture in our risk management system. After all, efficiency is a corporate objective, and we can identify and monitor related risks.

In the old days, when we performed traditional assurance projects, we had an audit management system. It was a software product where we maintained our work papers, tracked the history of our audits, followed up on audit findings and management actions, and generally managed the audit team project planning, skills inventory, and the like. The continuous assurance program has eliminated most of that, as follows:

- The results of any audit work, including risk and control assessments, are captured in the risk management system. The history is automatically captured.
- We also track corrective actions in the risk management system.
- Project planning, where needed, is done using specialized project management software.
- The skills inventory, which is very important to our ability to staff projects like lean finance or inventory management, is maintained in our SAP ERP Human Capital Management solution.

The Next Evolution of Internal Audit
The Continuous Risk and Control Assurance Model

Edgar's story is typical of the internal audit executive of the future. In its breakthrough paper, Internal Audit 2012,[8] PricewaterhouseCoopers discussed a consensus projection of the trends likely to shape the world of internal audit by the year 2012. Of particular note are the following observations (emphasis added):

Throughout the next five years, the value of the controls-focused approach that has dominated internal audit is expected to diminish. As this occurs, internal audit leaders must adopt risk-centric mind-sets if they want to remain key players in assurance and risk management.

Some internal audit functions have begun to rethink their fundamental value propositions by shifting from an internal audit model focused on controls assurance to a risk-centric model where risk and control assurance are based on the effectiveness of risk management processes developed by management.

One of the five key trends that will drive this reshaping of internal audit by 2012 is technological advancement.

Deloitte & Touche has a similar perspective, according to Patty Miller (a partner and chairman of the Institute of Internal Auditors for 2008-2009). She uses the following table to illustrate the major changes happening in internal auditing.

Table 1: Changes Taking Place in Internal Auditing

|             | Historic                                 | Mainstream                                            | Cutting-Edge                                     |
| Focus       | Audit entities based on rotational plan  | Prioritize audit entities based on risk               | Focus on strategic, business, and process risk   |
| Perspective | Historic                                 | Historic                                              | Future                                           |
| Style       | Corporate police                         | Father knows best                                     | Consultant and advisor                           |
| Mandate     | Compliance with policies and procedures  | Assurance on financial control; compliance            | Business assurance                               |
| Risk Focus  | Financial                                | Financial plus                                        | Enterprise risks                                 |
| Tool Kit    | Compliance work programs                 | Audit work programs for key processes; controls       | Risk frameworks, self-assessments                |
| Technology  | None                                     | Automated work papers                                 | Automated testing and continuous monitoring      |

There are multiple points of interest in the Deloitte vision:

- The focus is on risk, with a forward-looking and proactive style[9] and dynamic reporting.
- The mandate is business assurance, similar to risk and control assurance.
- The technology application of greatest importance will be automated testing and continuous monitoring.

While there is a need for risk and control assurance, we believe that the optimal model for the future is one of continuous assurance of risk and control. This is consistent with guidance from the Institute of Internal Auditors, which focuses on the provision of assurance rather than the performance of audits.[10]

Internal audit will provide its customers, the board[11] of directors, and executive management with assurance that the organization's risks are subject to appropriate and effective processes, including related systems of internal control. The assurance will be enabled primarily through continuous risk and control monitoring and auditing, with a much reduced set of traditional audit projects.

Model Overview

Figure 1 illustrates the continuous risk and control assurance model. It is far more than an application of continuous auditing or monitoring. Rather, it is a top-down model that starts with understanding enterprise goals and objectives, moves on to determine the potential risks to those objectives, and then moves to the assessment and testing of the controls required to manage the risks. The overall effort usually encompasses the mining of data that can provide indicators of the health of risk management and related controls.

The model's foundation is built upon the more significant strategic and operational goals of the enterprise. Achievement of the goals and objectives is measured through key performance indicators (KPIs). The model includes the monitoring of KPIs, as the failure to achieve organizational objectives is often the result of poor risk management or control performance.

Risks to the achievement of those goals and objectives are then identified.[12] Continuous risk monitoring, generally by a risk management function and not by internal audit, ensures that the program is focused on the more significant risks to the enterprise, which may change rapidly. Internal audit is a consumer of the monitoring but not responsible for its performance.

Management of those risks (risk responses) is enabled by controls.[13] The model includes the continuous auditing of the key controls required to manage risks within organizational tolerances, usually performed by internal audit and other assurance providers, sometimes by operating management.

Some controls are difficult to test directly through automated routines, and the continuous examination or testing of data may provide a reasonable level of assurance. The data mining may be directly against information within the organization's applications or indirectly after extraction to a data warehouse (either an existing corporate data warehouse or one developed specifically for this purpose).

Fraud management is built into the program:

- Fraud risks are identified together with other enterprise risks.
- The controls over fraud risks are assessed and tested together with other key controls.
- Data mining techniques can be used to test data and identify potential fraud situations.

Figure 1: The Continuous Risk and Control Assurance Model (diagram elements: Organizational goals and objectives; Key performance indicators; Continuous risk monitoring; Key risk indicators; Continuous control auditing; Enterprise data; Continuous data mining/auditing and fraud detection; On-demand data mining; Data warehouse)

When assurance is continuous, information on the health of risk management and related key controls needs to be continuously available to stakeholders. The model encompasses continuous reporting through dashboards or similar tools. It also includes more immediate alerts signaling the need for a response to a spike in risk levels, an adverse incident, a potential controls failure, or a data anomaly.

On-demand data mining enables an intelligent response and investigation of data anomalies, control failures, and so on. The same tools that provide continuous control and data auditing will generally also support additional data analytics that provide further insight into the problem.

Each of the major elements of the model is discussed in more detail below.

Continuous Risk Monitoring

The continuous risk and control assurance program relies on the quality of the enterprise risk management process established by company management. This process identifies and assesses the risks to enterprise objectives to be covered by the assurance program. Although internal auditors may have an independent assessment of risks (based on their experience, for example), the auditors' rating should be integrated with, or at least be a revision to, the assessment of the management team, rather than the result of a separate and potentially redundant risk assessment process.[14]

Internal auditors can (and should, according to IIA standards[15]) gain comfort in the risk management process through periodic audits. These audits should address the adequacy of the process established by management to identify and assess risks to achieving organizational objectives. Importantly, the audits should evaluate whether the risk assessment considers all factors that internal auditors believe relevant to the risk assessment, such as the results of prior internal audits and the status of open action items.

Most organizational objectives remain relatively constant; typically, organizations only review them annually unless there are major changes in business conditions. But risks to the organization change constantly. New risks emerge while old ones fade in importance, and existing risks rise and fall as business conditions change. Continuous risk monitoring is required to:

- Ensure that assurance is provided on today's more significant risks
- Identify new or growing risks that require additional risk and control monitoring
- Identify sudden rises in risk levels that may merit immediate attention by management or internal auditors. The large inventory write-off described earlier led to an increase in inventory-related risk levels. The internal audit team responded because this might signal a breakdown in related controls and the potential for additional inventory losses.

Management is typically responsible for monitoring risks, while the internal audit department is a consumer of risk information. The ability to monitor risks will become more effective when technology is used to:

- Link enterprise information (such as financial results, account balances, and health and safety information) with the risk management process. For example, if Tap Toes Inc. substantially increases sales to China, that should result in an increase in related accounts receivable risks.
- Link external information to risk assessment processes. Many enterprise risks relate to external events, and geopolitical or economic changes may indicate a need to change risk levels. For example, civil unrest in an emerging nation may indicate the need for Tap Toes to change risk levels if the company relies on manufacturing operations in the area.

These technologies are available today, and their ease of use and integration into solutions should improve over the next few years. The results of risk monitoring (including key risk indicators) would typically be shown in dashboards and other reports to the board and to executive and operating management.

Those dashboards enable the monitoring of risk levels and taking of action where needed.

In addition, alerts should be provided to appropriate management and internal audit teams when there are sudden changes in risk levels warranting more immediate action. Typically, the internal audit team will review the alert to determine whether there has been a breakdown in either risk management or the related internal controls. In some cases, audit projects and even investigations may be required to assess the situation and identify remedial actions.

Continuous Controls and Data Auditing

The continuous assurance program should focus only on the more significant risks and related controls. Once the risks to be included in the program have been identified, the controls and data to be tested can be defined. The selection process for risks to be included should consider:

- The highest-rated risks
- Risks that may not be likely but where an adverse incident could be a threat to the entire enterprise
- Areas where key stakeholders (such as the board or executive management) place a high value on assurance

Once the business risks are determined, the next step is to identify the key controls required to manage those risks within organizational tolerances.[16]

In almost all cases, organizations rely on a combination of controls to manage a business risk.[17] Most risks will depend on controls at the entity level (a code of conduct, a corporate policy, and so on), in business processes (accounts payable, for example), and within IT processes (such as application change control or security).

It is critical to understand all the key controls, since an assurance strategy has to include measures to obtain assurance for them all. Table 2 lists some of the key controls to manage the risk of theft of finished goods inventory at a hypothetical company.

Table 2: Example of a Combination of Key Controls

| Controls                                                                                                                                                                                                        | Type of Control    |
| The organization has a code of business conduct.                                                                                                                                                                | Entity-level       |
| New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.                                                                                      | Entity-level       |
| All employees sign a code of conduct certification annually and records are maintained in the HR system.                                                                                                        | Entity-level       |
| Hiring procedures include background checks, with records maintained in the HR system.                                                                                                                          | Entity-level       |
| Physical access to finished goods inventories is restricted based on business need.                                                                                                                             | Business process   |
| Finished goods inventories are physically secured by doors and monitored by guards; cameras are in place.                                                                                                       | Business process   |
| After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.     | Business process   |
| Only the inventory manager can approve the posting of inventory adjustments (for example, write-offs following the inventory count).                                                                            | Business process   |
| All inventory program changes are approved by the inventory manager in the change control system.                                                                                                               | IT general control |

Some of these controls are difficult to test directly on a continuous basis, and it may be better to test the underlying data. For example, the second control above is "New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system." In a traditional assurance project, the auditor would review the employee records and confirm, through examination of a sample of documents, that the employee had signed to confirm understanding. In a continuous assurance program, examination of signatures is unlikely to be an option. Instead, the HR system records might be tested to identify new employees where there was no record of a confirmation (a data auditing or data mining technique). The level of assurance is not as strong as if the actual signatures were tested, but the auditor may decide that a reasonable level of assurance is obtained that can be upgraded by adding an annual examination of signatures (if the auditor determines the risk so merits).

The auditor may assess as low the risk of noncompliance with a control or the risk presented if the control was ineffective. In these cases, the auditor may decide that sufficient assurance is achieved by a less-frequent test strategy. An example would be the first control above: "The organization has a code of business conduct." Because the second control is tested, there is a high degree of assurance that the code of business conduct exists and is available to employees. The auditor may decide not to test the control directly or to test it only annually.

It is generally best to test data as it is being processed by the application system; if there are questionable results, they can be investigated promptly and adverse consequences can be prevented or at least minimized. However, there are times when it may be better to use data that has been extracted to a data warehouse for testing. (This data may be in an existing data warehouse or in one developed for this particular purpose, perhaps owned by the internal audit department.) An example is where the auditor wants to test trends over a period of time. The use of a data warehouse may also be valuable when data is being compared to information in other systems. For example, access to an inventory warehouse should be limited to individuals with warehouse responsibilities, which can be identified through information in each person's HR records.

The key is that the auditor will consider each of the key controls relied on for the risk to be addressed and determine the appropriate assurance strategy and the specific assurance technique. (For example, the strategy might be to test the control, test the data, or rely on the work of other assurance providers.) Table 3 takes each of the controls in Table 2 and assigns a strategy and continuous assurance technique.

Table 3: Example of Key Controls and Assurance Techniques (control, followed by assurance strategy and assurance procedure)

- The organization has a code of business conduct.
  Strategy: Annual test by examination. Procedure: Review the code of conduct and ensure it is current.
- New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.
  Strategy: Continuous data auditing of HR records. Procedure: Identify any employees who have not confirmed the code of conduct within 3 months of hire, according to HR records.
  Strategy: Periodic auditing of HR system maintenance procedures. Procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis.
- All employees sign a code of conduct certification annually and records are maintained in the HR system.
  Strategy: Continuous data auditing of HR records. Procedure: Identify any employees who have not certified the code of conduct as required.
  Strategy: Periodic auditing of HR system maintenance procedures. Procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis.
- Hiring procedures include background checks, with records maintained in the HR system.
  Strategy: Continuous data auditing of HR records. Procedure: Identify any employees where a clean background check is not recorded in the HR system.
  Strategy: Periodic auditing of HR system maintenance procedures. Procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis.
- Physical access to finished goods inventories is restricted based on business need.
  Strategy: Continuous data auditing. Procedure: Identify any individual whose badge grants access to finished goods inventory but who does not have a business need based on job function (per HR system).
- Finished goods inventories are physically secured by doors and monitored by guards; cameras are in place.
  Strategy: Reliance on physical security audits by corporate security, together with monitoring of security audits. Procedure: Obtain an alert whenever a security audit report is filed, by exceptions.
  Strategy: Continuous data auditing. Procedure: Identify any delays in filing the results of security audits (required at least quarterly).
- After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.
  Strategy: Reliance on annual Sarbanes-Oxley (SOX) reperformance of application controls. Procedure: Include reperformance of the inventory variance calculation in SOX testing.
- Only the inventory manager can approve the posting of inventory adjustments (for example, write-offs following the inventory count).
  Strategy: Continuous control and data auditing. Procedure: Continuously test access control procedures, including that no changes are made to authority to approve inventory adjustments (an exception report is sent to IT security and internal audit if there are changes).
- All inventory program changes are approved by the inventory manager in the change control system.
  Strategy: Reliance on annual SOX testing of IT general controls. Procedure: Include continuous data testing in SOX testing: only the inventory manager approves program changes.

Key points from the example include:
- Assurance is obtained using a combination of techniques, including automated and nonautomated testing (such as the annual review of the code of ethics), the testing of controls and data, and reliance on other assurance activities (such as SOX testing and corporate security audits).
- Not all the techniques are continuous in nature (for example, the periodic testing of HR record keeping).

This particular example brings out a limitation in most audits of internal control, whether using continuous assurance techniques or traditional auditing methods: the difficulty in auditing behavioral aspects of internal control. Do the people who have signed a certification of the code of conduct actually understand and intend to follow the code of conduct? The latter, which involves the integrity of individual employees, is hard if not impossible to test; instead, controls that provide reasonable assurance, such as background checks, are assessed. However, it is possible to test with reasonable effectiveness whether individuals understand the code of conduct: through interviews during traditional audits or through online testing. Employees might be asked to answer questions about the content or the location of the policy included in continuous audit assurance programs.
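The continuous data-auditing procedures of Table 3 (confirmation within 3 months of hire, annual certification, recorded background checks, badge access versus job function, and quarterly filing of security audit results), as an added example that is not part of the white paper: each procedure becomes a rule run over constructed HR, badge and security-audit records, raising one exception per failed test. The record layouts, job-function codes, the badge area name and the background-check status values are assumptions.

```python
"""Continuous data auditing of HR, badge and security-audit records (added
example, not from the white paper): the Table 3 data-auditing procedures as
rules over constructed records. Record layouts, job-function codes, the badge
area name and the background-check status values are assumptions."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

@dataclass
class Employee:
    emp_id: str
    hire_date: date
    job_function: str                # assumed HR job-function code
    coc_confirmed: Optional[date]    # first confirmation of the code of conduct
    coc_certified: Optional[date]    # most recent annual certification
    background_check: Optional[str]  # assumed values: "CLEAN", "PENDING", "ADVERSE"

@dataclass
class Badge:
    badge_id: str
    emp_id: str
    areas: Set[str]                  # physical areas the badge opens

@dataclass
class AuditException:
    rule: str      # which Table 3 procedure raised it
    subject: str   # employee, badge or site concerned
    detail: str

FG_AREA = "FG_INVENTORY"                            # assumed badge area name
FG_JOB_FUNCTIONS = {"WAREHOUSE", "INVENTORY_MGMT"}  # assumed functions with a business need

def add_months(d: date, months: int) -> date:
    """Calendar month arithmetic, clamping to the last day of the target month."""
    month = d.month - 1 + months
    year, month = d.year + month // 12, month % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def run_data_audit(employees: List[Employee], badges: List[Badge],
                   security_audits: Dict[str, List[date]], today: date) -> List[AuditException]:
    """Apply the continuous data-auditing rules of Table 3 as of `today`."""
    found: List[AuditException] = []
    by_id = {e.emp_id: e for e in employees}
    for e in employees:
        # Confirmation of the code of conduct within 3 months of hire (missing or late).
        deadline = add_months(e.hire_date, 3)
        if today > deadline and (e.coc_confirmed is None or e.coc_confirmed > deadline):
            found.append(AuditException("COC_CONFIRMATION", e.emp_id,
                                        f"no confirmation on record by {deadline}"))
        # Annual certification, assumed to fall due after a year of service.
        if (today - e.hire_date).days >= 365 and (
                e.coc_certified is None or (today - e.coc_certified).days > 365):
            found.append(AuditException("COC_CERTIFICATION", e.emp_id,
                                        "no certification within the last 365 days"))
        # A clean background check must be recorded in the HR system.
        if e.background_check != "CLEAN":
            found.append(AuditException("BACKGROUND_CHECK", e.emp_id,
                                        f"background check status is {e.background_check!r}"))
    # Badge access to finished goods inventory versus job function per HR.
    for b in badges:
        if FG_AREA not in b.areas:
            continue
        holder = by_id.get(b.emp_id)
        if holder is None:
            found.append(AuditException("FG_ACCESS", b.badge_id,
                                        f"holder {b.emp_id} has no active HR record"))
        elif holder.job_function not in FG_JOB_FUNCTIONS:
            found.append(AuditException("FG_ACCESS", b.badge_id,
                                        f"{b.emp_id} ({holder.job_function}) has no business need"))
    # Security audit results must be filed at least quarterly for each site.
    for site, filings in security_audits.items():
        latest = max(filings) if filings else None
        if latest is None or today > add_months(latest, 3):
            found.append(AuditException("SECURITY_AUDIT_FILING", site,
                                        f"last filing {latest}; quarterly filing overdue"))
    return found

# Constructed sample data as of 30 June 2009.
TODAY = date(2009, 6, 30)
EMPLOYEES = [
    Employee("E001", date(2008, 1, 15), "WAREHOUSE", date(2008, 1, 20), date(2009, 1, 10), "CLEAN"),
    Employee("E002", date(2009, 2, 1), "FINANCE", None, None, "CLEAN"),
    Employee("E003", date(2009, 5, 15), "SALES", None, None, "CLEAN"),
    Employee("E004", date(2007, 3, 1), "INVENTORY_MGMT", date(2007, 3, 5), date(2008, 4, 1), "PENDING"),
]
BADGES = [
    Badge("B1", "E001", {"OFFICE", FG_AREA}),
    Badge("B2", "E002", {"OFFICE", FG_AREA}),
    Badge("B3", "E999", {FG_AREA}),   # holder is no longer in the HR system
]
SECURITY_AUDITS = {
    "PLANT-A": [date(2009, 2, 10), date(2009, 5, 10)],
    "PLANT-B": [date(2009, 2, 15)],
    "PLANT-C": [],
}

def sample_exceptions() -> List[AuditException]:
    return run_data_audit(EMPLOYEES, BADGES, SECURITY_AUDITS, TODAY)
```

On the sample data the run raises seven exceptions: E002's missing confirmation, E004's stale certification and pending background check, badges B2 and B3, and the two plants whose quarterly security audit filing is overdue.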

Continuous Fraud Detection

Fraud is one risk that needs to be addressed by every organization. In general, the level of effort should be commensurate with the level of risk and the risk tolerance of the organization.

Fraud detection is one element of an effective fraud management program,18 and it is more efficient when integrated with the continuous risk and fraud assurance program. For example:
- Fraud risks are monitored with other organizational risks to ensure that fraud detection activities address current risks.
- Controls to prevent or detect fraud are assessed, as with controls related to other risks.
- Continuous fraud detection is primarily performed using the same continuous data mining and other testing techniques.

The level of frauds detected by the normal operation of controls or traditional internal audits (including forensic or fraud audits) is low: 42% according to a 2008 study by the Association of Certified Fraud Examiners. A continuous risk and control assurance program that includes monitoring risks, assessing and testing controls, and testing data should increase significantly the likelihood that fraud is prevented or detected on a timely basis.

On-Demand Data Mining

When potential control issues are identified or risk levels rise for unclear reasons, the auditor is likely to need additional information to determine the appropriate actions (which can range from inquiries of management to an on-site audit or even a formal investigation). The information may be obtained through on-demand data mining of application data or after extracting the relevant information to a data warehouse. As with continuous data mining, the data warehouse could be an existing corporate data warehouse or one developed for the continuous assurance program.

The Monitoring of Key Performance Indicators

KPIs are established so that management at each level can monitor the business. They provide the information necessary to understand the success or failure of initiatives and programs and to take action as appropriate.

KPIs are important sources of information for auditors as well. A failure to achieve goals and objectives, or financial and operational targets, is often a strong indicator that related risks are not effectively managed or related internal controls are ineffective.

The monitoring of KPIs should be a key component of the continuous risk and control assurance program, and its results considered together with those of the continuous risk-monitoring program. The internal audit team should give strong consideration to periodic reviews or audits of the KPI processes to ensure that the KPIs can be relied upon by management and used for the continuous assurance program.

Continuous Reporting

Continuous assurance is not provided without communication to the key stakeholders. They will have peace of mind and sleep through the storm only if they have received assurance that the more significant risks are managed and related controls are operating effectively.

In the traditional world of internal auditing, reports are provided at the conclusion of each audit project. In addition, many leading internal audit departments provide annual assessments of the overall condition of the organization's risk management processes and systems of internal controls. When internal audit functions evolve and provide continuous risk and control assurance, these periodic communications have to be replaced by more current, continuous communications.

Each stakeholder's needs must be considered when developing and providing continuous risk and control assurance information. Some may be satisfied with occasional updates that focus on exceptions; members of the board of directors, for example. Others will prefer more detailed information, with an emphasis on risks and controls relevant to their specific areas of responsibility.

If the organization has a risk management organization in place, separate from internal auditing, then both organizations should work together to present a single source of truth about the health of risk management and related controls. There is no value when the two organizations provide different assessments or assessments in different forms that serve only to confuse.

Each organization will develop the communication vehicles that best suit their culture, their mode of operation, and the needs of each stakeholder. Some may decide to use dashboards for each high-level risk area, with drill-down features allowing them to see the underlying health of risk management and related controls in detail. Others may want much more detailed reports or have totally separate reporting for each consumer of the information; for example, separate reports for the board, CEO, CFO, chief risk officer, head of environmental compliance, head of logistics, and so on. However, it is critical that all the information be consistent at all times.

Additional Considerations

The continuous risk and control assurance model will enable the internal audit function at any organization to provide more valuable, effective assurance services to their stakeholders at board and management levels. Traditional, periodic assurance engagements of relatively narrow and shallow focus will be replaced by a continuous assurance program with broader and deeper insight into the health of risk management and related controls.

Continuous Monitoring Versus Continuous Auditing

One question each organization will need to address is which monitoring and auditing activities will be performed by management and which will be performed by the internal audit team.19 In fact, writers on the topic of continuous auditing have differentiated continuous auditing and continuous monitoring only by the function responsible for the activities: continuous monitoring is performed by management and continuous auditing by internal audit departments.20 There may be little or no difference in the tools and techniques used.

We do not take a position in this document on where the division of duties should be. That should depend on:
- The culture and organizational structure of each entity (factors to consider include whether there are multiple compliance or internal control functions and whether management, the internal audit team, or a combination of the two is expected to monitor)
- The maturity of the risk management process (such as whether there is a separate risk function with resources to monitor risks and report on the health of risk management and related controls)
- The efficiency of the entity's applications (such as the ease with which monitoring can be built into the daily process of each line of business)

When management performs continuous assurance activities, internal auditors will have to determine what procedures they will follow to obtain a reasonable level of assurance that the monitoring performed by management is consistent and effective. The auditors will not be able to provide objective and independent assurance on risk and controls unless they are comfortable with management's continuous monitoring activities.

There will certainly be an initial investment required of time and resources, and maintenance will be essential to ensure that the continuous assurance program continues to be effective in addressing current risks and related controls. But the continuous assurance program should be more efficient and consume fewer resources than a traditional, comprehensive assurance program. This represents further opportunities for the leading-edge internal audit department, as follows:
- Resources can be assigned to monitor and respond to changes in the health of risk management and related controls, ensuring prompt action by management to mitigate any adverse effects.
- Internal auditors can turn their attention to emerging risk areas, where the business is changing. For example, internal audit will have the resources to participate proactively to ensure that risk management and control aspects of new processes and systems are part of the initial design and implementation, rather than afterthoughts. The same approach can be taken to internal audit involvement in merger and acquisition activities, changes in business plans, development of new products, and so forth. Each time, the internal audit team assumes an advisory role. It ensures that risks associated with the business change are considered and responses are developed, that appropriate risk monitoring will be in place, and that all required key controls are identified early and implemented effectively.
- Additional resources are likely to be available for value-added consulting activities that focus not only on whether governance, risk management, and internal control processes are effective but also on whether they are efficient.
- In the traditional internal audit model, significant resources may be spent developing audit programs and building working papers. When technology is used to enable continuous testing, it generally includes the ability to maintain a record of the tests performed and results obtained, including workflow for managing and resolving exceptions. For example, if an automated data mining routine identifies an anomaly, where an individual has been granted access to finished goods inventory but his or her job description (according to the HR system) does not indicate that there is a business need for the access, then an alert is sent to the auditor. Workflow associated with that alert can capture the auditor's resolution of the issue. If management action is required to address a problem (such as to remove the access), then that is recorded in the system, routed to management for action, reported as open until completed, and the resolution is captured and retained.

The level and type of day-to-day work performed by internal auditors will change, and it will involve more and deeper discussions with management about the business, its risks, and controls. Auditors will be recognized as value-adding contributors, so that both the work will be more interesting and the recognition for their efforts will be much greater.
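The alert workflow just described, as an added example that is not part of the white paper: a register that records the alert raised by the data mining routine, the auditor's resolution, management action reported as open until completed, and the retained history of every step. The status names, the overdue threshold and the two constructed finished goods access alerts are assumptions.

```python
"""Exception workflow for continuous assurance alerts (added example, not
from the white paper): an append-only register that follows each alert from
the automated routine that raised it, through the auditor's resolution, to
management action reported as open until completed. Status names and the
overdue threshold are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:  # one retained step of an alert's history; frozen so it cannot be edited later
    on: date
    actor: str
    status: str
    note: str

@dataclass
class Alert:
    alert_id: str
    rule: str
    subject: str
    status: str = "RAISED"
    history: List[Event] = field(default_factory=list)

# Allowed moves: an alert closes only via the auditor's review, or via management completing the requested action.
TRANSITIONS = {
    "RAISED": {"UNDER_REVIEW"},
    "UNDER_REVIEW": {"CLOSED", "AWAITING_MANAGEMENT"},
    "AWAITING_MANAGEMENT": {"CLOSED"},
    "CLOSED": set(),
}
OVERDUE_DAYS = 14            # assumed: open items older than this are reported as overdue
REPORT_DATE = date(2009, 7, 16)  # constructed reporting date for the scenario below

def transition_allowed(current: str, new: str) -> bool:
    return new in TRANSITIONS.get(current, set())

class ExceptionRegister:
    def __init__(self) -> None:
        self.alerts: Dict[str, Alert] = {}

    def _move(self, alert_id: str, new: str, on: date, actor: str, note: str) -> None:
        a = self.alerts[alert_id]
        if not transition_allowed(a.status, new):
            raise ValueError(f"{alert_id}: cannot move from {a.status} to {new}")
        if not note.strip():
            raise ValueError(f"{alert_id}: every step must record a note")
        a.status = new
        a.history.append(Event(on, actor, new, note))

    def raise_alert(self, alert_id: str, rule: str, subject: str, on: date, detail: str) -> None:
        """Called by the automated routine that found the anomaly."""
        a = Alert(alert_id, rule, subject)
        a.history.append(Event(on, f"rule:{rule}", "RAISED", detail))
        self.alerts[alert_id] = a

    def auditor_resolves(self, alert_id: str, on: date, auditor: str,
                         note: str, management_action: bool) -> None:
        """The auditor's resolution: close with an explanation, or route to management."""
        self._move(alert_id, "UNDER_REVIEW", on, auditor, "review started")
        self._move(alert_id, "AWAITING_MANAGEMENT" if management_action else "CLOSED",
                   on, auditor, note)

    def management_completes(self, alert_id: str, on: date, manager: str, note: str) -> None:
        self._move(alert_id, "CLOSED", on, manager, note)

    def open_items(self, as_of: date) -> List[Tuple[str, str, int, bool]]:
        """(alert_id, status, age in days, overdue) for every alert not yet closed."""
        rows = []
        for a in self.alerts.values():
            if a.status != "CLOSED":
                age = (as_of - a.history[0].on).days
                rows.append((a.alert_id, a.status, age, age > OVERDUE_DAYS))
        return rows

    def audit_trail(self, alert_id: str) -> List[Event]:
        return list(self.alerts[alert_id].history)  # a copy: the record itself stays intact

def demo_before_management_action() -> ExceptionRegister:
    """Constructed scenario: two finished goods access anomalies raised the same day."""
    reg = ExceptionRegister()
    reg.raise_alert("A1", "FG_ACCESS", "badge B2 / E002", date(2009, 6, 30),
                    "badge opens finished goods inventory; HR job function FINANCE shows no business need")
    reg.raise_alert("A2", "FG_ACCESS", "badge B7 / E011", date(2009, 6, 30),
                    "badge opens finished goods inventory; HR job function SALES shows no business need")
    reg.auditor_resolves("A1", date(2009, 7, 1), "auditor.smith",
                         "no business need confirmed with the warehouse manager; access must be removed",
                         management_action=True)
    reg.auditor_resolves("A2", date(2009, 7, 1), "auditor.smith",
                         "E011 is on a documented secondment to the warehouse; HR record lags",
                         management_action=False)
    return reg

def demo() -> ExceptionRegister:
    """Management removes the access; A1 closes with its full history retained."""
    reg = demo_before_management_action()
    reg.management_completes("A1", date(2009, 7, 20), "mgr.jones",
                             "badge B2 access profile changed; removal verified by IT security")
    return reg
```

Before management acts, the open-items report on REPORT_DATE shows A1 still awaiting management and already overdue; after `demo()` the report is empty and A1's trail holds all four retained steps.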

Other Resources

Material referenced in this document includes:

Institute of Internal Auditors:
- Global Technology Audit Guide: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
- International Standards for the Professional Practice of Internal Auditing
- GAIT for IT and Business Risk

Institute of Internal Auditors, Association of Certified Fraud Examiners, and the American Institute of Certified Public Accountants:
- Managing the Business Risk of Fraud

The Committee of Sponsoring Organizations of the Treadway Commission (COSO):
- Enterprise Risk Management
- Guidance on Monitoring Internal Control Systems

The Institute of Internal Auditors Australia and Standards Australia:
- Delivering assurance based on AS/NZS 4360:2004 Risk Management

Standards Australia and Standards New Zealand:
- AS/NZS 4360:2004 Risk Management

PricewaterhouseCoopers:
- Internal Audit 2012, A study examining the future of internal auditing and the potential decline of a controls-centric approach

KPMG:
- Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance


Notes

1. The continuous testing has several forms, depending on what is most efficient and effective, considering the level of risk. It includes:
- Automated tests of every transaction, where exceptions are reported through alerts (for instance, invoices approved for payment by individuals without that authority, or with conflicting responsibilities)
- Semiautomated testing, where specific types of activity are reported periodically for review to determine whether there are reasonable explanations or they are exceptions (for example, changes to the configuration of an SAP automated control)
- In a few cases, reliance on management's continuous monitoring of the controls. Generally, an automated request is sent to management asking that it confirm that the control is operating properly. On a periodic basis, depending on the level of risk, we will perform audit procedures to confirm management's self-assessment.

2. This is another result of, and benefit from, the GRC convergence program (discussed in the "The Journey from Traditional Auditing" section of this document). The risk level for inventory theft is changed if there is a poor security inspection. Internal audit may respond with unannounced attendance at the next routine physical inventory.

3. Edgar explains: "One of our strategies for continuous assurance is that we monitor the business results for indicators of a change in risk levels. In addition to attending management operational and financial review meetings with the major subsidiaries, we download the detailed financial results each month into our internal audit data warehouse. Our business intelligence software provides us with regular reports of unusual variances and trends. For example:
- An increase in sales in an emerging nation might indicate increased risks to revenue recognition and ethics compliance. This information is fed into the risk assessment and the underlying analysis retained in the data warehouse.
- A concentration of purchases through a single vendor might be a fraud indicator.
- A large number of credit memos at the beginning of the quarter could indicate channel stuffing and increased revenue recognition risk.
- An increase in key inventory metrics (especially the number of days' sales held in any inventory category) might indicate an efficiency issue: in procurement, manufacturing, or logistics."

4. Although it did not come up during our work on this incident, we found out later that the CFO's daily dashboard reflected the potential loss situation and he had called the local controller and the corporate risk manager. Because we were working together to resolve the issue and take any necessary actions, all he did was make a note and follow up at the end of the month. He told me in our next meeting how pleased he was with the added value our continuous assurance program, coupled with our problem-solving approach, provided him and the rest of the executive team. The CFO made a point of informing the audit committee.

5. Protiviti Inc., a firm specializing in internal audit, risk, and business consulting, published the 2009 edition of its Internal Audit Capabilities and Needs Survey summarizing responses from more than 1,000 internal auditors. These auditors cited continuous auditing, computer-assisted audit techniques (CAATS), data analysis tools (statistical analysis), and data analysis tools (data manipulation) as the areas where they needed the greatest improvement, regardless of their level of competency in those areas. Further, chief audit executives participating in the survey agreed that they too most wanted to improve in those areas, compared to more than 40 other topical choices covering internal audit process knowledge. Robert Hirth, executive vice president and global leader of Protiviti's internal audit practice, stated, "Continuous auditing, CAATS, and automated data analysis are all just the kind of 'looking through the front windshield rather than the rearview mirror' techniques internal auditors need in order to be relevant and add value in the eyes of their stakeholders as well as to stay up with the business itself and effectively help their organizations manage risk, which by its very definition is future oriented."

6. The IIA, in its global technology audit guide, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, defines continuous auditing as "a method used to perform control and risk assessments automatically [we disagree with the 'automatically' limitation, as noted in this document] on a more frequent basis." It describes continuous monitoring as "the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively." KPMG LLP's 2008 publication Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance describes continuous auditing as "the collection of audit evidence and indicators by an internal auditor on information technology (IT) systems, processes, transactions, and controls on a frequent or continuous basis throughout a period." KPMG defines continuous monitoring as "a feedback mechanism used by management to ensure that controls operate as designed and transactions are processed as prescribed." These definitions are expanded later in the document: "CA [continuous auditing]/CM [continuous monitoring] needs to monitor the risks that would prevent the organization from achieving its

7. The 2008 publication Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance by KPMG notes that "while the definitions of CA and CM may vary across organizations and industries, the goal in pursuing these disciplines is to provide greater transparency, effectively manage risk and performance, and provide continuous assurance. Depending on an individual's role within the organization, he or she can think of CA or CM as a lens to assess and/or monitor the effectiveness of the organization's governance, risk, and compliance (GRC) program."

8. Published in 2007.

9. KPMG's 2008 publication Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance comments that:
"As business risks of all kinds continue to proliferate, management and internal audit departments are actively seeking

new ways to quickly gain access to valuable information to manage risk and improve performance. Such efforts increasingly include continuous auditing and continuous monitoring of organizational processes, systems, and controls."

It continues:
"What's more, management and internal audit efforts to adapt innovative ways of assessing and managing risk and enhancing performance are now more critical than ever. Providing senior management with a post mortem after a problem has occurred is no longer acceptable. . . . As a result, management and internal audit teams are embracing CA and CM as important efforts that can provide efficient and continuous discipline to monitor issues on a frequent or real-time basis, resulting in risk events being addressed before issues arise."

10. The definition of internal auditing, according to the Institute of Internal Auditors, is as follows:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Standard 2120 provides further detail: "The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation:
Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite; and
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both."

Standard 2130.A1 is important, as it indicates that the evaluation of controls should be as they relate to enterprise risks: "The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations;
- Safeguarding of assets; and
- Compliance with laws, regulations, and contracts."

The handbook developed by IIA-Australia and Standards Australia, Delivering assurance based on AS/NZS 4360:2004 Risk Management, comments on the need to focus audit and assurance activities on those risks "which, if the controls were absent or had failed, would expose us to high and unacceptable consequences. In those cases assurance activity is there to provide assurance that key controls are both adequate and effective."

11. References to the board include the board itself and/or one or more of its committees, such as the audit committee, governance committee, risk committee, or similar.

12. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management Framework (ERM), published in September 2004, defined enterprise risk management as follows:

"Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

13. COSO ERM defines control activities as "the policies and procedures that help ensure risk responses are properly executed. Control activities occur throughout the organization, at all levels and in all functions. Control activities are part of the process by which an enterprise strives to achieve its business objectives."

14. Internal auditors use factors such as the results of prior audits, the status of open audit findings, and the time since the last audit in addition to operational factors typically included in management's assessment of risk (such as the volume of business and related trends). We believe these factors should be included in management's risk assessment process as well.

15. See note 10.

16. The IIA standards define control processes as "the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process." The concept of key controls has been described in other IIA documents. For example:
- The IIA-Australia and Standards Australia Handbook, Delivering assurance based on AS/NZS 4360:2004 Risk Management, defines key control as "controls or groups of controls that are believed to be maintaining an otherwise intolerable risk at a tolerable level." The handbook continues to discuss control adequacy: "Adequacy of risk management, control, and governance processes is present if management has planned and designed them in a manner that provides reasonable assurance that the organization's objectives and goals will be achieved efficiently and economically."
- Similarly, the IIA's GAIT-R publication, GAIT for Business and IT Risk, says key controls are "relied on to ensure failures in achieving business objectives will be either prevented or detected on a timely basis."

17. This document does not include details on how to identify all the key controls required to address a business risk. There are other publications that provide such guidance, including the IIA's GAIT for IT and Business Risk,

available from the technology section of its Web site at

18. An excellent reference is the joint publication of the Institute of Internal Auditors, Association of Certified Fraud Examiners, and the American Institute of Certified Public Accountants: Managing the Business Risk of Fraud. Principle 2 in that document states: "Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate." Principle 4 addresses fraud detection: "Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized."

19. While management as a whole is responsible for the system of internal control, when it comes to monitoring the system of internal control, the board and management may rely on a combination of management and internal audit-monitoring procedures. COSO's 2009 publication Guidance on Monitoring Internal Control Systems explains: "Organizations may select from a wide variety of monitoring procedures, including but not limited to:
- Periodic evaluation and testing of controls by internal audit,
- Continuous monitoring programs built into information systems,
- Analysis of, and appropriate follow-up on, operating reports or metrics that might identify anomalies indicative of a control failure,
- Supervisory reviews of controls, such as reconciliation reviews as a normal part of processing,
- Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions,
- Audit committee inquiries of internal and external auditors, and
- Quality assurance reviews of the internal audit department."

20. The IIA's Global Technology Audit Guide (GTAG) on Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment defines continuous auditing and continuous monitoring as follows: "Continuous auditing is a method used [by auditors] to perform control and risk assessments automatically on a more frequent basis. Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively."

The GTAG continues: "Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by internal auditors. Management's use of continuous monitoring procedures, in conjunction with continuous auditing performed by internal auditors, will satisfy the demands for assurance that control procedures are effective and that the information produced for decision making is both relevant and reliable."

We at SAP would like to express our appreciation to the following individuals (and to those who prefer to remain anonymous), who contributed with their ideas and constructive criticism as the continuous risk and control assurance model was being developed:

Professor Andrew Chambers, Management Audit LLP
David Coderre, CAATS
Mark Gosling, PricewaterhouseCoopers LLP
Roger Herd, Western Refining Inc.
Ed Hill, Protiviti
Robert Hirth, Protiviti
Suzana Keller, Coca-Cola Enterprises Inc.
Marty Patton, Cypress Semiconductor
Michael Rasmussen, Corporate Integrity
James Roth, Audit Trends
Dr. Sri Ramamoorti, Grant Thornton LLP
Miklos A. Vasarhelyi, Rutgers University
Louis Vaurs, Institut de l'Audit Interne
Curt Verschoor, DePaul University
Don Warren, DePaul University
Manfred Wolf, SAP AG
David Zechnich, Deloitte & Touche LLP

50 094 751 (09/04)
2009 by SAP AG.
All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

/contactsap