Professional Documents
Culture Documents
Li Et Al 2007 XBRL Auditing
Li Et Al 2007 XBRL Auditing
CONTINUOUS AUDITING
Systems such as ERP are required to be deeply A system of internal control consists of policies and
integrated into the creation, authorization, and procedures designed to provide management with
reporting of financial data. The systems’ document reasonable assurance that the company achieves its
management, access to financial data, and long-term objectives and goals. Internal controls play a role in
storage of information must provide auditing helping companies meet the financial reporting
capabilities. objectives [4].
Because the Sarbanes-Oxley Act has demanded Management typically has three broad objectives in
complicated and time-consuming processes from designing an effective internal control system:
public companies and placed legal liability for reliability of financial reporting, efficiency and
financial reports on management, public companies effectiveness of operations, and compliance with
are being pushed to find a cost-efficient way to laws and regulations. SOX requires that management
comply with the Act. Our study focuses on must evaluate the design of internal control over
sustainable compliance with SOX, which includes financial reporting and must test the operating
financial information and the internal controls audit. effectiveness of those controls [2]. For the purposes
In this study, our goal is to explore how XBRL-based of SOX compliance, the SEC has published the rules
ERP systems for continuous auditing can enable pertaining to the section 404 report and what it must
public companies to keep sustainable compliance contain. In addition to several statements of
with SOX. The remainder of the paper is organized responsibility by both management and the auditors,
as follows: Section 1 will briefly explain the auditing these rules describe the specific internal controls
and control requirements of SOX; Section 2 will which must be exercised:
introduce the notion of continuous auditing as it
applies to the SOX problem; Section 3, our primary “...policies and procedures that
contribution, will explain the advantages of XBRL- • pertain to the maintenance of records that in
based ERP systems for SOX compliance; Section 4 reasonable detail accurately and fairly reflect the
will conclude with some challenges and issues transactions and dispositions of the assets of the
associated with our proposed solution. registrant;
• provide reasonable assurance that transactions
AUDITING AND REPORTING are recorded as necessary to permit preparation
REQUIREMENTS FOR SOX of financial statements in accordance with
generally accepted accounting principles, and
Auditing exists because of the separation of receipts and expenditures of the registrant are
ownership and control [15]. “Auditing is the being made only in accordance with
accumulation and evaluation of evidence about authorizations of management and directors of
information to determine and report on the degree of the registrant; and
correspondence between the information and • provide reasonable assurance regarding
established criteria. Auditing should be done by a prevention or timely detection of unauthorized
competent, independent person [2].” According to acquisition, use or disposition of the registrant's
this definition, there are five elements in auditing: 1). assets that could have a material effect on the
Information in a verifiable form; 2). Established financial statements.” [20]
criteria by which the auditor can evaluate the
information; 3). Evidence; 4). Independent auditor; It is towards the performance of these required
5). Report. Typically there are three types of audits: elements of SOX compliance that this discussion of
operational audit, compliance audit, and financial information systems employing XBRL is directed.
statement audit. The auditing evidence includes
physical examinations, confirmation, documentation, CONTINUOUS AUDITING FOR
analytical procedures, inquires of the client, SUSTAINABLE COMPLIANCE WITH SOX
reperformance, and observations [2]. Before SOX,
the public certified accountant (CPA) firms focused In response to a series of business scandals, the SEC
only on financial statement audits for companies and the AICPA have advocated greater reliance on
filing reports to SEC. SOX adds a report for continuous assurance, which utilizes on-line
companies about their internal control related to its information technology to produce audit results.
financial reporting and requires CPA firms to attest it Automation of the monitoring financial process and
as well. the control activities enables a complete and accurate
view of the control environment and a higher level of
confidence [4]. In the past, several studies have
addressed the technical feasibility of continuous improves an organization’s management and control
auditing of financial statements [10, 22, 23, 12, 24]. frameworks by separating them from the underlying
Elliott [9] reports that there is considerable demand operational and financial systems. Integrated
for continuous auditing. Alles et al. [1] point out that monitoring techniques can reduce error and fraud,
the high costs of implementation may make increase operational efficiency and improve
continuous auditing difficult to adopt. However, profitability by lowering costs and reducing
while public companies are mandated to comply with overpayments and revenue leakage. They also
SOX, continuous auditing is turning out to be a cost- facilitate the review of key business systems for
saving process for repetitious reporting [17]. anomalies at the transaction level and for data-driven
indicators of control deficiencies and emerging risk,
Continuous auditing has been defined by the CICA- capabilities which directly address the internal
AICPA1 Joint Study Group [3] as ‘‘a methodology controls required by SOX.
that enables independent auditors to provide written
assurance on a subject matter using a series of The responsibility for process documentation, testing,
auditors’ reports issued simultaneously with, or a and any remediation or enhancement activities
short period after, the occurrence of events resides ultimately with management as required by
underlying the subject matter.’’ By this definition, SOX. Automation of these processes is essential to
continuous auditing for large public companies can establishing a sustainable compliance framework.
only effectively be a technology-driven process in Automation of documentation, monitoring, testing,
which control and risk assessments are performed and enforcement can be made more stable and
automatically. As a result, instead of conducting coherent through the application of information
periodic reviews of transaction samples, the company technology in managing compliance.
is engaged in the ongoing audit testing of all
transactions [21]. This shift impacts the nature of the To continuously maintain compliance with SOX, the
evidence as well as the timing, procedures, and levels most cost-efficient approach for public companies is
of effort required by internal auditors. to implement an ERP system. Since compliance with
the Act is a long-term program for companies, they
Researchers have proposed some methods for cannot cost-effectively take a project-based approach
facilitating continuous auditing. They focus on the to producing the required documentation and reports.
use of embedded audit modules and their variants The companies also cannot implement manual
[10, 22, 3, 11]. Varsahelyi and Halper (1991) procedures or tactical workarounds based on internal
presented a continuous auditing implementation in a control processes. The companies’ ERP system
corporate setting. Murthy and Groomer proposed a should integrate financial reporting and internal
continuous auditing web services (CAWS) model for control functions to drive down costs and complexity
XML-based accounting systems. These studies in the most efficient way. Therefore, companies
mainly focused on the financial statements audit. In should take a strategic view of compliance by
the proposed CAWS model, “continuous auditing adopting a process-centric approach, with a focus on
functionality is defined as a set of Web services that rationalizing their internal controls to ensure that the
reside within the auditor’s computing environment control framework is aligned with the key business
rather than within the auditee’s computer system.” drivers [4].
[14]
To summarize, IT-based continuous auditing
Continuous auditing has benefits for both the auditor functionality is a strategy for companies to reach
and management. The continuous auditing process sustainable compliance. Continuous online auditing
enables auditors to analyze data more frequently by reduces the time and costs of ongoing audits.
performing control and risk assessments in a real- Continuous auditing enables a shift from detective to
time environment. It provides an opportunity to go preventive capabilities. The overarching goal is to
beyond the confines of traditional audit approaches, achieve a state of pervasive compliance in which
such as sampling and point-in-time assessments, to rationalized controls, embedded in optimized
provide timely notification of control gaps and business processes, operate in real time to prevent
weaknesses, laying the groundwork for immediate compliance issues before they arise.
follow-up and remediation. Continuous auditing also
IT FOR CONTINUOUS AUDITING
1
The Canadian Institute of Chartered Accountants
and the American Institute of Certified Public Information technology frameworks, such as
Accountants. extensible business reporting language (XBRL) and
Web services, can be utilized to facilitate continuous financial reporting process to become more efficient
auditing. Relying on a number of components of Web and economical. As a result, it is becoming
services technology, Murthy and Groomer [14] increasingly popular in public financial reporting3.
presented the continuous auditing web service
(CAWS) model for continuously auditing business We now propose to take the idea of a continuously
processes. The primary user of CAWS is the audit auditing system from the CAWS model above, and
firm itself. As seen in Figure 1 below, the CAWS extend it via the use of XBRL to address the
model uses the emerging XML Web services mandates of SOX. The proposed ERP system with
framework to support a ‘‘pull model’’ of continuous sustainable compliance to SOX can be built using
auditing in a world of XML-enabled accounting XBRL technologies, incorporating both the XBRL
systems. Murthy and Groomer also pointed out two general ledger taxonomy and the internal control
paths that could be followed to realize a web-service- taxonomy (see Figure 2 below). Using these tags,
based approach to continuous auditing. One is to every data element is fully described in terms of its
custom-develop an internal accounting system using definition, format, location, calculation, and labeling.
Business Process Execution Language for Web The tags themselves act like barcodes that stick to
Services2 (BPEL4WS) as the underlying XML-based data regardless of their paths, destinations, or usages.
language. The second path involves the creation of XBRL can show how items are related to one
XBRL General Ledger (GL) data hubs, which would another, and can also identify whether they fall into
serve as the intermediary between the internal particular groupings for organizational or
accounting system of the target company and the presentational purposes. When the auditor or
auditor’s system, where the CAWS resides [14]. management searches XBRL-formatted documents,
all related information within the documents can be
presented to them simultaneously. The XBRL
taxonomy thus offers a powerful mechanism for
XBRL-based organization systems to interface with
one another. This XBRL-driven system provides
opportunities for continuous auditing. In particular,
using XBRL Web services technology, the
continuous auditing mechanism can actually reside
within the auditor’s system rather than the auditee’s
systems, as in CAWS [14].
2
BPEL4WS specification here: http://www-
3
128.ibm.com/developerworks/library/specification/w See for example,
s-bpel/ http://accounting.smartpros.com/x37643.xml
In a database, integrity constraints are used as the companies can enhance their control environments
principle tools to detect errors [7, 26, 16]. The and separate conflicting duties through ensuring that
integrity constraints are programmed controls users’ access and privileges within the company’s
integrated within a database management system information and decision-making chain are
(DBMS). The integrity constraints verify the commensurate with their job responsibilities. That, of
objective behind each transaction and require that course, gives companies added protection against
they are satisfied before an input is accepted for malfeasance. Therefore, the integration of this
processing [7]. Monitoring a database at all times function could greatly reduce employee fraud.
through the use of integrity constraints is the most Automation of the testing of access controls and
secure approach to error detection because of its other types of testing makes the ongoing process less
comprehensiveness. However, real-time monitoring burdensome. This could be especially useful when it
in business operations could be extremely expensive comes to tracking who has access rights to certain
if it resulted in significant delays in the transaction types of account information. System administrators
processing. Furthermore, the delay in the transaction are “superusers,” able to assign access rights
processing could lead to additional errors because temporarily to other individuals. Automated testing
some of the data might be lost or become out-dated means that the management has historical
[18, 25]. These are some of the reasons why information of the whole period of time. The result is
continuous monitoring is rarely used [17. a timely and efficient means of ensuring segregation
Transaction integrity monitoring systems of duties.
continuously monitor 100 percent of the transactions
and business activities in financial systems in real A SOX compliance enterprise system provides more
time to evaluate the compliance of every transaction internal control resources and automates testing.
and prevent losses associated with errors, misuses, Management is able to standardize and centralize
and fraud. It can automate the analysis and testing more of its global financial processes in a shorter
steps in an audit, which reduces SOX monitoring and amount of time. A newly installed ERP system could
testing expenses. The real-time analysis prevents facilitate the migration of some manual detective
costly errors within procure-to-pay order-to-cash and controls to more efficient, automated preventive
financial accounting and reporting processes. In the controls [4]. Integrated analysis functions within the
proposed ERP model, instead of monitoring each system enable the management to identify trends that
transaction at the end point of the transaction process, run counter to the management’s expectations, and
we install the real-time monitoring reporting function integrated financial analysis functions will indicate
behind the process. Therefore the transaction process an alert on unusual ratios, warning the management
goes smoothly without the interference of the about any unusual departures from the company’s
monitoring process, but all abnormal results from the historic records or from the industry average.
monitoring will be sent to an alert file to Therefore, the proposed ERP system can verifiably
corresponding managers. improve the company’s overall control capabilities.
According to a special report of an electronic survey The proposed ERP model could reduce auditing fees,
of 180 senior finance executives conducted by CFO because of sustainable compliance and reduced
Research Services in 2005, Sarbanes year-one efforts auditing risks. Continuous monitoring of controls
uncovered some key issues and enabled many improves accuracy in financial information and
companies to improve their compliance processes, enhances internal control activities. According to the
mostly as a result of more thoroughly automating risk audit risk model [2]:
assessments and controls [4].
AAR
The proposed system can improve control PDR =
environments by testing the segregation of duties. For IR × CR
example, the system can allow the creation of user
profiles to closely track each user’s job Where:
responsibilities. A report can be built into companies’ PDR = planned detection risk
enterprise systems, which then enables management AAR = acceptable audit risk
to identify an employee whose functions are violating IR = inherent risk
the segregation of duties; then the management can CR = control risk
correct the conflict accordingly. Eventually,
From the above risk model, as control risk decreases, evaluate companies’ financial reports and internal
the planned detection risk increases provided that the controls. In previous models the auditor gathers
acceptable audit risk is certain. When the planned information about a client’s system electronically and
detection risk increases, the auditor can reduce costly through embedded monitoring tools evaluates the
audit tests and thus reduce the auditing fee. In system reliability at regular intervals during the year
addition, linking financial accounts to processes and [10, 8, 19]. Our model enables real-time monitoring
controls and simplifying the access to information at both auditor and company levels and allows the
can make it easier for business unit managers and company to correct errors immediately.
external auditors to evaluate compliance. “Auditors
can come in and quickly see reports and evaluate The XBRL-based ERP system has continuous
effectiveness down to the account level,” “Internal auditing functionality and enables the company to
resources and external auditors can look at our continuously comply with SOX in a cost-efficient
financial accounts, then link them to processes way. If the company’s related entities all use XBRL-
associated with each, and then see the controls formatted systems, auditors can most conveniently
associated with the processes.”[4] retrieve auditing evidence such as confirmation and
documentation. While the proposed ERP system
Internally, the proposed ERP system reduces costs by targets sustainable compliance with SOX, it also
eliminating redundancy and allowing companies to greatly improves companies’ management in
maintain the control objective in an efficient way. operating efficiency and internal control activities.
Compliance with SOX is a repetitious process and
involves daily business operations. For such a However, management needs to understand that the
process, an automated and real-time monitoring compliance efforts are ongoing efforts that require
process undoubtedly is the best solution. The system the management’s continuous efforts to keep the
also can support continuous inter-company process documentation updated. Companies should
reconciliations and posting of transactions to test whether the controls are working or not and
eliminate tedious manual reconciliations. should have evidence in place to document the
control process. Standardized applications and the
CHALLENGES management’s ongoing updating efforts are keys to
making the ERP system active and useful.
The quality of information is very important to
auditors. Before they express an opinion about a
client’s financial reports, auditors must ensure that
the information generated through a client’s system is REFERENCES
reliable [8, 1]. This requires auditors to evaluate the
adequacy of the controls surrounding a client’s
information processing systems and test them for 1. Alles, M.G., Kogan, A., Vasarhelyi, M.A.,
errors and inconsistencies. In a conventional audit, 2002. Feasibility and economics of continuous
auditors perform such an evaluation and testing only assurance. Auditing, A Journal of Practice and
after a client’s reporting period has ended and when Theory 21 (1), 123–138.
the audit of financial reports begins. Even then, 2. Arens, A.; Elder, R.; Beasley, M., 2006.
auditors do not examine one hundred percent of a Auditing and Assurance Services: An Integrated
client’s system but select only a sample of Approach. Pearson Prentice Hall.
transactions and examine them for errors and 3. Canadian Institute of Chartered Accountants
inconsistencies. In complex processing systems, a and the American Institute of Certified Public
single error in processing could affect multiple Accountants. Continuous auditing, 1999.
records and the high transaction volume would make Toronto: The Canadian Institute of Chartered
detection of these errors difficult [17]. Accountants.
4. CFO Research Services, 2005. A Special Report
The ERP model with a real-time monitoring function on Process Improvement and Automation in the
keeps standard and complete records of a business Age of Sarbanes-Oxley. CFO Publishing Corp.
operation. XBRL-based records can greatly help August.
auditors in audit tests, and give the auditors 5. Congress. The Sarbanes-Oxley Act of 2002,
confidence about system reliability. The business 2002. Pub. L. No. 107-204, 116 Stat. 745. July
process and control activities are monitored on a 30
continuous basis; the external auditors can submit 6. Date, C.J., 1995. An Introduction to Stochastic
requests to the real-time monitoring system and better Processes. Addison-Wesley, Reading, MA.
7. Davis, G.B., Weber, R., 1986. The impact of 18. Redman, T.L., 1992. Data Quality: Management
advanced computer systems on controls and and technology. Bantam Books.
audit procedures: A theory and empirical test. 19. Rezaee, A., Elam, R., Sharbatoghlie, A., 2001.
Auditing, A Journal of Practice and Theory 46, Continuous auditing: Building automated
1–28. auditing capability. Auditing, A Journal of
8. Elliott, R., 1997. Assurance service Practice and Theory 21 (1), 147–163.
opportunities: Implications for academica. 20. SEC 2003-66, 2003. “SEC Implements Internal
Accounting Horizons 11 (4), 61–74. Control Provisions of Sarbanes-Oxley Act, U.S.
9. Elliott, R., 2002. Twenty-.first century Securities and Exchange Commission, available
assurance. Auditing, A Journal of Practice and at http://www.sec.gov/news/press/2003-66.htm ,
Theory (March), 139–146. last accessed March 13, 2007.
10. Groomer, S.M., Murthy, U.S., 1989. 21. United States Government Accountability
Continuous auditing of database applications: Office, 2006. Report to the Committee on Small
An embedded audit module approach. Journal Business and Entrepreneurship, U.S. Senate.
of Information Systems 3, 53–69. Sarbanes-Oxley Act: Consideration of Key
11. Groomer SM, Murthy US., 2003 Monitoring Principles Needed in Addressing
high volume transaction processing systems Implementation for Smaller Public Companies.
using a continuous sampling approach. GAO-06-361, April, 2006. Available at: http://
International Journal of Audit 7:3– 19. www.gao.gov/new.items/d06361.pdf . Last
12. Halper, F.B., Snively, J., Vasarhelyi, M.A., accessed March 13, 2007.
1992. The continuous audit process audit 22. Vasarhelyi, M., Halper, F.B., 1991. The
system: Knowledge engineering and continuous audit of online systems. Auditing, A
representation. EDPACS (4), 15–22. Journal of Practice and Theory 19 (1), 110–
13. Li, Y., Roge’, J., Rydl, L. & Crews, M., 2006. 125.
Information technology addresses transparency: 23. Vasarhelyi, M.A., Halper, F.B., Ezawa, K.J.,
the potential effects of XBRL on financial 1991. The continuous process audit system: A
disclosure. Issues in Information Systems, vol. UNIX based auditing tool. The EDP Auditors
7, #2, pp. 241-245. Journal 3, 85–91.
14. Murthy, S. Uday and Groomer, S. Michael,
2004. A continuous auditing web services 24. Vasarhelyi, M.A., Alles, M.G., Kogan, A.,
model for XML-based accounting systems. 2003. Principles of analytic monitoring for
International Journal of Accounting continuous assurance, Working Paper presented
Information Systems 5: 139– 163 at Continuous Auditing Conference, Texas
15. Nearon, H. Bruce, 2005. Foundations in A&M University, College Station, TX. pp. 1–30.
auditing and digital evidence. The CPA Journal. 25. Wang, R.Y., Storey, V.C., Firth, C.P., 1995. A
Vol. 75, No. 1, pp. 32-34. framework for the analysis of data quality
16. Orman, L.V., 2001. Database audit and control research. IEEE Transactions on Knowledge and
strategies. Information Technology and Data Engineering 7 (4), 623–639.
Management 2 (1), 27–51. 26. Weber, R., 1988. EDP Auditing: Conceptual
17. Pathak, J., Chaouch, B., Sriram, S.R., 2005. Foundations and Practices. Prentice-Hall, New
Minimizing cost of continuous audit: Counting Jersey.
and time dependent strategies. Journal of
Accounting and Public Policy 24: 61–75