Managing the Global Workforce Global Dimensions of Business_8 pdf


BAPP 11/25/2010 18:0:5 Page 260

When applicable, formal action plans to address the identified control gaps are required.

II. Continuous Auditing Program Outline

Testing Overview

Target Area Selection
- The specific area to be tested will be selected from the current audit universe based on risk, audit frequency, and applicability of use (meets the continuous auditing program testing requirements).
- Target areas will include high-risk, high-transaction-volume areas.

Document the Testing Objectives
- The testing objectives will be created from the business objective and specifically state the purpose of the continuous auditing testing.
- The objective must be clear and adequately state what is going to be tested.
- The scope statement must detail the controls that are going to be included in the testing and all aspects of the business process that are not being tested as part of the continuous auditing program.

Frequency Determination
- The selected frequency must be detailed and documented and based directly on the frequency at which the business unit transactions produce a result.
- Consideration must be given to the number of transactions in the population as well as the dollar values (where applicable).
- Once the frequency has been determined, all associated testing must be completed as planned.

Documentation Requirements
- The testing plan will be documented and specifically detailed for each target area identified, thus maintaining consistency and efficiency.
- The documentation must be able to stand alone and completely represent the reason the work was performed and the associated documentation to support the testing conclusion. Ensure that there is sufficient documented evidence to support the continuous auditing testing conclusions.

Mainardi & Associates Copyright 2010
Test Approach Communication
- Once the continuous auditing planning has been completed, in partnership with your business management client, it should be properly documented and communicated directly to the client.
- Internal audit must ensure that both the responsible auditor performing the work and the business unit client understand the expectations, requirements, and deliverables of the continuous auditing methodology.

Reporting Requirements
- Every completed continuous auditing program will result in a formal report that is issued, at a minimum, to the process owner plus one level. This ensures accountability.
- A standardized report template will be used to communicate the results of all continuous auditing programs executed.
- The distribution frequency, especially during a "6-9-12" continuous auditing program, will be at the discretion of the chief audit executive. At a minimum, the results should be fully distributed on a quarterly basis.

Performing the Tests

The recommended continuous auditing testing schedule (for business units that process multiple transactions on a daily basis) will be tested using the "6-9-12" audit frequency. This frequency requires monthly testing be performed every month for the first six months of testing and then at quarter-end at month 9 and 12. The quarter-end test sample size is the same as the monthly testing previously completed; it should incorporate all three months of the quarter being tested. This frequency allows internal audit to identify potential trends and possibly use the results of the testing as a predictive tool to proactively address opportunities for improvement.

III. Continuous Audit Testing Approach

All testing planning and execution will be documented in the same fashion and detail as any other full-scope audits by the responsible auditor.
The documentation will contain the detailed planning steps and testing approaches as well as a conclusion based on the validated testing results. The documentation will be completed, reviewed, and approved according to the same guidelines as described in the current risk-based audit methodology.

To announce the beginning of the continuous auditing program to business unit management, internal audit will create and issue a notification memorandum notifying applicable personnel of the kickoff of the continuous auditing program. The correspondence will include, but not be limited to, the continuous auditing process requirements, document requests, time frames, and corresponding expectations.

The pilot program initially selected should have a specific, clear objective. Most successful continuous auditing pilot programs select a compliance-based control because of the specifically detailed acceptable performance parameters. Proper selection of the pilot program is critically important to the success of the continuous auditing program because of the testing frequency and interpretation of the corresponding data. Select a pilot program that has very specific parameters as to acceptable performance. This will limit the potential debate of exceptions noted.

Because of the recurring testing time frames of a continuous auditing program, it is important that business unit management recognize the importance of timely delivery of the requested business unit documentation for testing. The success of the continuous auditing program depends on the commitment of both business unit management and the responsible auditor to deliver and perform the work as requested and designed. If the requested documentation is not received in a timely manner from the business unit, it will be very difficult to complete the continuous auditing testing.
The supporting continuous auditing work paper documentation will be in the same format and include the same critical fields that a full-scope test document would require. Those fields include, but are not limited to, date, source, scope, sampling technique, testing criteria, exceptions, conclusion, responsible auditor, and date.

IV. Tracking and Reporting Results

Continuous auditing results and corresponding exceptions noted will be tracked in the same process as any exceptions noted in a full-scope risk-based audit. The responsible auditor who executed the continuous auditing program will be responsible for populating and updating the issue-tracking database with any exceptions noted during the continuous auditing testing.

All issues noted during the continuous auditing testing must have an action plan, and the action plans will be recorded, tracked, and followed up on until their implementation. Upon plan implementation, the responsible auditor must validate that the appropriate action was implemented properly as documented in the formal report. Once an independent internal audit validation has been performed, the open action item may be closed out of the tracking database.

INTERNAL AUDIT DEPARTMENT: LESSONS LEARNED (SUGGESTED QUESTIONS)

Objective: To provide audit teams a lesson learned tool to identify improvement opportunities and serve as a basis for making suggestions to improve the audit approach.

Quality of Audit
- Were all phases of the audit process and deliverables used? If not, why?
- Did you meet target dates?
- Were the right resources (skill sets) involved at the right time?
- Did team members receive appropriate training prior to the start of the audit?
- How well did your team do its homework?
- Was the supervisor/manager involved at the right times?
  - Reduced review comments
  - Cluster editing of report (staff and manager edit the report at one time, together)
  - Participation in scope and testing plan decisions
  - Available for questions when needed
- Did we effect positive change to the control structure?
- Do you feel that you provided your client with a value-added service?
- Would clients pay for the services rendered?
- Did you work in the client area?

Cost of Audit
- Did we perform continuous risk assessment?
- Were scoping decisions made at the appropriate time?
- Did we use effective testing methods?
- Did we effectively use information technology to increase productivity and reduce costs?
- Was the audit documentation completed in a timely fashion?

Culture Change
- Were team expectations discussed and agreed on prior to the start of the audit?
- Was there ongoing coaching and guidance throughout the audit?
- Were team evaluations completed in a timely manner?
- Was risk taking encouraged?
- Was communication up, down, and sideways?

Team Members
- Did you support your team members, when needed?
- Was the audit a challenge and opportunity?
- Did you increase your knowledge base?
- Did you have fun and learn?

CONTINUOUS AUDITING PROGRAM EXAMPLE: ACCOUNT RECONCILIATIONS

Account Reconciliation Process: Foundation Phase
- Objective
  - To determine that reconciliations are performed accurately, completely, and in a timely manner.
- Frequency
  - Monthly—for account reconciliations executed monthly.
  - Quarterly—for account reconciliations executed only at quarter-end.
- Testing Technique
  - Combination of manual and automated
    - Manual to independently validate the accuracy and completeness of the selected reconciliations.
    - Automated to validate that the completed reconciliations were submitted to the tracking database properly.
  - Inquiry and inspection
    - Inquiry into the tracking database and inspection to perform the completeness and accuracy review.

Account Reconciliation Process: Approach Phase
- Approach
  - Receive and review policies with process owner
    - Validate and verify the current account reconciliation procedures to ensure that the continuous auditing testing program accurately reflects the most recent operational procedures.
  - Judgmental sample of financial operations
    - Judgmentally select a sample of monthly and quarterly account reconciliations that have been completed.
    - Identify the account reconciliations that have the largest risk regarding number of journal entries and dollar amounts being processed through the selected accounts.
  - Request applicable reconciliations
    - Submit a request for the selected account reconciliations to be tested, and actively follow up on the receipt of the sample selected to ensure sufficient time is available to complete the required testing.
  - Validate compliance with policy and procedure
    - Execute the specific test steps as documented in the continuous auditing program.
    - Validate the account reconciliations were processed in accordance with existing policy standards.

Account Reconciliation Process: Execution Phase
- Execution Specifics
  - Discuss and validate the approach with the process owner
    - Prior to starting any testing, ensure the criteria being tested match current operational standards.
  - Request selected documentation
    - Determine the most effective method to select, and request the corresponding account reconciliations to be sampled.
    - Identify who will be responsible for physically selecting and delivering the sample to the responsible auditor. Some business units prefer to pull the documentation themselves while others will allow auditors to gather the samples.
  - Perform testing and record results
    - Execute the continuous auditing program requirements, and document the current level of compliance with policies and procedures.
  - Note noncompliance with procedures
    - Document potential exceptions that represent a difference from the processing standard criteria validated with the process owner prior to the start of testing.

Account Reconciliation Process: Execution Phase
- Execution
  - Validate findings with process owner
    - Review the test result specifics with the process owner to verify whether testing discrepancies represent true exceptions to the processing standard.
  - Obtain action items and draft report
    - Once the exceptions have been validated, perform a root cause analysis with the business process owner and request action items to address the root cause.
    - Validate that the action plan submitted will truly address the root cause and not a symptom.
    - Draft the formal report and incorporate the action plans into the draft.
  - Determine distribution
    - Once the report has been drafted and reviewed by the business process owner, discuss the final distribution list for the report issuance.
  - Follow up and report on action items
    - Perform ongoing follow-up on outstanding action items until full implementation.

About the Author

After 21 years of working in the internal audit profession in the financial services industry, Robert L. Mainardi started his own company, which develops and facilitates custom internal audit training, and evaluates, creates, and implements formal audit methodologies as well as consults on critical projects. Prior to starting his company, Mr. Mainardi was the Vice President of Internal Audit for the Penn Mutual Life Insurance Company and was responsible for the direction and oversight of the Internal Audit Department.
He was responsible for Penn Mutual's internal audit activities as well as those of its subsidiaries. Prior to joining Penn Mutual, he was a senior audit manager for The Vanguard Group, where he was responsible for the Investment Programs & Services and Methods & Infrastructure teams.

As a professional speaker, Mr. Mainardi leads programs to help clients:
- Develop and maintain world class internal auditing functions
- Create, implement, and maintain continuous auditing programs
- Draft, finalize, and issue high-impact audit reports
- Establish and facilitate enterprise risk management programs
- Improve communication and client relationship development
- Develop and implement audit performance dashboards
- Identify, recruit, interview, and maintain quality audit staff

Mr. Mainardi is an active member of the Institute of Internal Auditors (IIA) and has been a Distinguished Faculty Member for almost 20 years. He is a member of the Vision University Staff and is a featured speaker at IIA and other professional association conferences and events each year as well as MIS Super Strategies and Audit World; the IIA annual International, General Audit
Management, Governance, Risk, and Compliance, All Star, Regional, and District Conferences. He received a BS degree from The Pennsylvania State University, where he majored in Accounting and Business Law. He also earned a master's degree in Finance from Temple University. Plus, he has merited the Six Sigma Green Belt certification from the American Society for Quality, which recognizes the...

Date posted: 21/06/2014, 07:20
