www.emeraldinsight.com/0268-6902.htm
MAJ 28,7
Implementation of the continuous auditing system in the ERP-based environment
Il-hang Shin and Myung-gun Lee
School of Business, Yonsei University, Seoul, South Korea, and
Woojin Park
School of Government and Business, Yonsei University, Wonju, South Korea
Abstract
Purpose – The purpose of this paper is to introduce the continuous auditing system based on continuous
monitoring and its implementation methodology; also to present a systematic case study of actual
continuous auditing systems implemented in the financial industry and the manufacturing industry.
Design/methodology/approach – The paper examines the method of implementing the
continuous auditing system in the enterprise resource planning (ERP) environment, and suggests
how the continuous auditing system can take firm root by looking at the successful introduction of the
continuous auditing system in the financial industry and the manufacturing industry.
Findings – The proposed method of implementing the continuous auditing system has a two-stage
approach that can be applied to various kinds of companies in the ERP-based environment. In
addition, the proposed cases carry important practical implications acquired in the process of
implementing the continuous auditing system in the financial industry and the manufacturing industry.
Practical implications – This study will help many corporations facing various types of corruption
or circumvention of internal control with their internal auditing, by showing them how to use the
continuous auditing system to reinforce internal control. It will also help the independent auditor
understand the audited company’s continuous monitoring system and use that infrastructure for
efficient and effective external auditing.
Originality/value – The proposed method and cases of implementing the continuous auditing
system offer an innovative approach to auditing in the ERP-based environment, because they enable
both the internal auditor and the external auditor to achieve the audit objectives efficiently and effectively.
Keywords Auditing, External auditing, Internal auditing, Continuous auditing system,
Continuous monitoring scenarios, Internal control, Key-risk indicator,
Enterprise resource planning system
Paper type Case study
1. Introduction
This study proposes a method to implement a continuous auditing (CA) system based
on continuous monitoring and presents a systematic case study of actual CA systems
implemented in the financial and manufacturing industries.
Recently, the focus of internal auditing has shifted from review of historical legal and
regulatory violations to the promotion of business efficiency and proactive risk
management. In other words, the internal auditor used to serve as a “policeman,”
guaranteeing constant compliance with provisions and guidelines and focusing on
ex-post-facto exposure through, for example, audits of company assets, compliance with
regulations, and exposure/investigation of incidents involving insiders (Flesher and
Zarzeski, 2002). Now, however, the internal auditor serves as an internal consultant,
preemptively detecting and taking actions to address core issues and risks hindering the
accomplishment of goals. The internal auditor’s duties have been expanded to include
risk management – i.e. selecting auditing targets and areas with a high degree of risk –
and efficient, effective audits to detect indications of risk. In addition, the auditor is
expected to implement preventive measures (McNamee and Selim, 1998; Weidenmier
and Ramamoorti, 2006).
Managerial Auditing Journal, Vol. 28 No. 7, 2013, pp. 592-627
© Emerald Group Publishing Limited, 0268-6902
DOI 10.1108/MAJ-11-2012-0775
JEL classification – M420 Auditing
To apply this transition in the internal auditing function, corporations must focus
on three changes:
(1) switching from periodic auditing to CA;
(2) moving from an auditing approach that is dependent on information collected
by individuals to one that utilizes the system; and
(3) adopting a risk-based auditing support system.
For most large corporations that have insufficient internal auditing manpower and
resources to make these changes, a CA system must be implemented as an essential
infrastructure for auditing.
Due to advances in information technology after 1982[1], the internal control and
accounting information system was integrated with the enterprise resource planning
(ERP) system, and this integrated system has since been running in the computerized
environment. Because of this change, companies that implement a CA system within
the ERP system (embedded audit module) can create an environment that allows
efficient and effective control of the company (Kuhn and Sutton, 2010, 2006; Alles et al.,
2008, 2006, 2002; Daigle and Lampe, 2005, 2004; Debreceny et al., 2005, 2003; Groomer
and Murthy, 1989; Henrickson, 2009).
Thus, it will be meaningful to take a closer look at how corporations implement the
CA system in the ERP environment. The case study methodology was selected in this
study for two reasons: the limitations of CA data and the suitability of the case study
approach.
The influence of the CA system has increased in auditing, and this change has rarely
been led by researchers (Alles et al., 2008). Most research on CA systems has been based
on theoretical discussions or case studies rather than ex-post empirical analysis
(Alles et al., 2008; Brown et al., 2007; Kuhn and Sutton, 2010; Chan and Vasarhelyi, 2011).
This is likely because it is difficult to collect comprehensive data about CA systems, as
such systems are implemented according to a certain procedure over a long period of
time; as a result, there is not a large amount of supportive secondary data. According to
Swanborn (2010), the case study approach is a reasonable method of overcoming lack of
data in order to investigate an issue. In consideration of such research constraints, this
study uses the case study methodology to analyze examples of successful
implementation of CA systems.
The case study approach is eminently suitable for this research topic. According to
previous studies (Swanborn, 2010), the case study method is appropriate for topics that
encompass an extensive range of details on a certain process. As the purpose of this
study is to investigate in detail the long process required to build a CA system, the case
study approach was regarded as appropriate.
Furthermore, the case study approach can deliver information in a friendlier and
more compelling way, as it is based in a realistic application; thus, it is more persuasive
than other approaches (Stoecker, 1991). Therefore, to provide qualitative information
for academics and practitioners, the case study approach is believed to be the best for
this study. This study examines a method for implementing a CA system in the ERP
environment; it suggests an approach for successful implementation by studying the
successful introduction of such systems in the financial and manufacturing industries.
It is also expected that this study will help many corporations facing various types
of fraud or circumvention of internal control with their internal auditing function, by
showing them how to use the CA system to reinforce existing internal control. In
addition, this study is expected to help independent auditors better understand the
continuous monitoring system in the audited company and use this infrastructure for
efficient and effective external auditing. It is further expected that a case study of
successful implementation of CA systems will expose risks and issues involved in the
process and thus help those companies that will introduce this system in the future to
reduce costs and improve their processes. Moreover, this study is expected to help
bridge the gap between research and reality by presenting actual scenarios; it provides
insight into issues likely to be encountered in the process of implementing a successful
CA system, as well as problem-solving processes unique to the characteristics of each
industry.
This study is composed of seven sections (including the introduction). Section 2
provides an extensive review of the extant literature. Section 3 introduces the concept
of CA and outlines the method to implement a CA system. Section 4 introduces the case
of insurance Company A’s implementation of the CA system in the financial industry,
while Section 5 describes the case of Company B’s implementation of such a system in
the manufacturing industry. Section 6 describes additional subjects that need to be
considered, and the final section offers concluding remarks.
2. Literature review
Vasarhelyi and Halper (1991) introduced the concept of CA and described its
implementation, calling their system the “Continuous Process Auditing System
(CPAS).” This AT&T Bell Laboratories project used the technologies of the
time (PCs, databases, and corporate networks, but not the internet) to automatically collect
data on, and verify, the AT&T billing system. It triggered many follow-up studies on CA.
In order to survey studies related to CA, we first provide an overview of these
studies and classify them according to their subjects and approaches. Second, to
examine the characteristics of CA, we compare it with traditional auditing. Lastly, the
study describes in detail those studies concerning CA systems utilizing IT,
i.e. systems based on a continuous monitoring system.
3.2 Relationship between internal control, internal control over financial reporting and
the CA system
After experiencing large-scale accounting scandals involving Enron and WorldCom,
the US Congress enacted the SOX Act to enhance corporate transparency; Korea,
which suffered its foreign currency crisis at roughly the same time, amended laws
related to business accounting to enhance the transparency of business accounting and
management. One of the key points of these accounting system regulations is to
reinforce management’s responsibilities related to internal controls mentioned in the
financial reporting and disclosure process to tighten internal control.
Figure 1. Conceptual map of the CA system
To correctly understand the background of the accounting authorities’ regulation,
a correct understanding of internal control is essential. According to the COSO Report[4],
which is regarded as the general standard of internal control, internal control is a type of
process that the board of directors, management, and other members of the organization
must follow to accomplish three objectives:
(1) effectiveness and efficiency of operations;
(2) reliability of financial reporting; and
(3) compliance with applicable laws and regulations (COSO, 1992).
These five elements are implemented at the corporate level, while the control activity
element is also implemented at the business-unit level.
Among the five elements of internal control mentioned in the COSO Report, the CA
system supports the monitoring element. The targets of monitoring are the internal
control elements, except for monitoring itself. In particular, the main interest of
monitoring is whether control activity is appropriately conducted. For example, the
purpose of continuous monitoring scenarios, such as “product release list not registered
in the customer master,” is to monitor whether “report and review of exceptions” is
conducted properly in the following examples of control activities.
For the two case studies examined in this study, involving Company A in the
financial industry and Company B in the manufacturing industry, continuous
monitoring scenarios were used to see whether the following types of control activities
in the COSO Report were properly conducted[5]:
. report and review of exceptions;
. approval and certification of superiors;
. system configuration;
. checking audit of data requiring maintenance of consistency;
. right to access the system;
. segregation of duties; and
. interface between systems.
For example, the purpose of Company B’s continuous monitoring scenarios such as
“supplier deferred/released in the master” is to check whether “system configuration”
is properly done. If system configuration is set as “defer” for a certain supplier in the
master control screen of the purchasing master in the ERP system, no purchasing order
can be issued to the supplier by the ERP system. In this case, internal control will serve
to reduce the risk associated with continuously issuing purchase orders to an
inappropriate supplier.
Figure 2 uses the COSO Framework, the standard of internal control, to illustrate the
relationship among internal control, the internal control over financial reporting based on
SOX act, and the CA system. Seen from the macro-viewpoint of purpose, internal control
can be divided into three types; among them, internal control for ensuring the reliability of
financial reporting can be called the internal control over financial reporting (Korea-SOX).
In addition, when internal control is divided into five components, the component
conducting the monitoring element corresponds to the CA system. Accordingly, the CA
system is the monitoring element, one of the five internal control elements of COSO. It
monitors the other internal control elements of the company and improves the overall
effectiveness and efficiency of internal control. In particular, corporations can view the CA
system as an effective tool supporting the operation of a SOX system (like the internal
control over financial reporting), which is one of the compliance items.
Furthermore, various studies on internal control have reported that effective
internal control has a positive effect on improving the transparency of accounting
information and that effective internal control provides a positive signal to participants
in capital markets[6]. Accordingly, these studies provide empirical evidence that the
CA system can have a positive influence on enhancing corporate value by improving
the effectiveness of internal control through the internal monitoring function.
Figure 2. Relationship among internal control, internal control over financial reporting (K-SOX), and CA system
3.3 Method of implementing the CA system
Implementation of the CA system can be divided into two different stages: extraction of
continuous monitoring scenarios and implementation of the risk monitoring system.
First, the continuous monitoring scenario extraction stage is the most important core
element of implementing the CA system. Continuous monitoring scenarios can be
extracted through the following three steps.
Step 1. Create the continuous monitoring scenario pool. In this step, various kinds of
company data are utilized to extract the continuous monitoring scenario pool. To
generate the risk pool, issues identified during the internal audit, violations of laws, and
documents (such as the list of issues identified during internal control) will be referenced,
and employees in charge of the internal auditing function, working-level staff, and
IT system managers will be interviewed. This is how the continuous monitoring
scenario pool will be generated.
Step 2. Assess the validity of the continuous monitoring scenarios. To assess the
validity of the continuous monitoring scenario pool, the impact of each scenario and data
availability will be assessed. Business impact refers to the degree to which the scenario
reflects the actual risk of the company. For the continuous monitoring scenario to be
meaningful, the scenario must reflect the actual risk of the company; if there is a
discrepancy with the actual risk, there is no reason to conduct continuous monitoring
based on the scenario. To measure the business impact of each scenario, the opinions of
the internal auditors, department heads, or executives may be reflected, and qualitative
judgments may be made; however, it is more effective to measure it by analyzing actual
data. In other words, the internal auditing department may check whether the scenario
actually extracts abnormal data by cooperating with the IT department, acquire
available data for each continuous monitoring scenario, and conduct the scenario-based
analysis. The IT department may write the SQL query statement under the leadership of
the internal auditing department to conduct this analysis.
Data availability will be assessed in consideration of whether the input data necessary
for implementing the scenario can be obtained from the current system or whether
additional system development is necessary. Even though the continuous monitoring
scenario has a substantial business impact, if the necessary data are not available in the
current system or if scenario implementation is costly, requiring additional system
development, a decision must be made as to whether to implement the scenario.
Step 3. Select the scenario for implementation of the continuous monitoring system.
In this step, the scenario will be confirmed on the basis of the validity assessment
of the continuous monitoring scenario pool. In this step, when the objective of risk
management is considered, we must note that it is more effective to establish a master
plan for each step depending on the internal resources of the company than to clearly
distinguish what does and does not need to be implemented. For instance, if a scenario is
judged to have a substantial business impact, scenarios with high data availability will
be primarily chosen as implementation targets, and scenarios with a large business
impact but low data availability will have a lower implementation priority; however,
future implementation plans will be established in consideration of the scenarios’
importance from the perspective of risk management.
The second stage of CA implementation involves the implementation of the
database and screen related to the scenario selected for continuous monitoring in the
previous step.
Step 1. Produce data and define screens. In this step, the data generation conditions
for each selected scenario will be clearly defined, and the layout of the inquiry screen
for each scenario will be defined. To clearly define the data generation conditions for
each scenario, the internal auditing department and related departments must confirm
them. In addition, the necessary data items must be defined when the screen is defined
to allow for their actual use when auditing.
Step 2. Implement the database and screen related to the continuous monitoring
system. The database will be designed by clearly defining the source data necessary
for generating data for each selected scenario and the necessary data will be loaded to
the database. The screen for each scenario will also be implemented.
Company A also evaluated the importance of the risks of each scenario
through workshops, rechecked the possibility of system implementation,
extracted additional scenarios, and added the scenarios requested by risk
management leaders.
In consideration of the business characteristics of the non-life insurance company,
the risk pool was primarily divided into three divisions: sales, compensation/damage
assessment, and the head office. The sales division was subdivided into underwriting,
contract maintenance, policy loans, and bookkeeping/expenses/commissions; the
compensation/damage assessment division was subdivided into compensation and
payment; and the head office division was subdivided into asset management, general
loans, bookkeeping, reinsurance, general administration, and IT.
To categorize the risk pool, the business process classification system, used during
ERP implementation, was referenced; this categorization of the risk pool was part of
the effort to check whether the continuous monitoring scenarios were complete enough
to cover all processes of the company. The detailed categories of the sales division of
Company A are presented in Table I.
Some of the continuous monitoring scenarios for the middle categories of the sales
division are presented in Table II.
The first continuous monitoring scenario in Table II is “new contracts of long-term
insurance agents.” As explained above, the purpose of these continuous monitoring
scenarios is to extract abnormal data showing signs of fraud and errors. As long-term
insurance agents sell the insurance products of several insurance companies not
affiliated with Company A, there is a concern that fraudulent contracts may be closed to
obtain unearned commissions. Accordingly, as transactions with long-term insurance agents are high-risk
transactions, the transaction amount and number of transactions must be continuously
monitored. Therefore, to identify abnormal data to be monitored in relation to the
continuous monitoring scenario called “new contracts of the long-term insurance
agents,” the “total number of new contracts concluded by long-term insurance agents in
the last three months and total gross premiums” data were extracted. The extracted data
were analyzed to select transactions with long-term insurance agents who had high
transaction amounts as intensive auditing targets. The standards for abnormal data
extraction for each continuous monitoring scenario are summarized in the “detailed
standards for continuous monitoring data extraction” column.
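Three of the sales-division extraction standards from Table II, written out as detection logic over constructed contract records. This is an added example, not Company A's code: the field names, the 90-day reading of "within three months" and the sample contracts are assumptions.

```python
"""Detection logic for three of Company A's sales-division continuous monitoring
scenarios (added example, not Company A's code). Field names, the 90-day reading
of "within three months" and the sample contracts are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

LARGE_AMOUNT_KRW = 300_000          # monthly premium above this is "large-amount" (Table II)
THREE_MONTHS = timedelta(days=90)   # assumed reading of "within three months"


@dataclass
class Contract:
    contract_id: str
    concluded: date
    salesperson_id: str
    policyholder_id: str      # stands in for the policyholder's resident registration number
    account_holder_id: str    # insurance premium automatic transfer account holder
    monthly_premium: int      # KRW
    group_insurance: bool = False
    cancelled: Optional[date] = None


def new_contracts_of_day(contracts: List[Contract], day: date) -> List[Contract]:
    return [c for c in contracts if c.concluded == day]


def multiple_large_amount_contracts(contracts: List[Contract], day: date) -> List[str]:
    """New contracts of `day` whose salesperson/policyholder pair has two or more
    large-amount contracts within the last three months (subsidiary-contract sign)."""
    window_start = day - THREE_MONTHS
    flagged = []
    for c in new_contracts_of_day(contracts, day):
        pair_large = [
            o for o in contracts
            if o.salesperson_id == c.salesperson_id
            and o.policyholder_id == c.policyholder_id
            and o.monthly_premium > LARGE_AMOUNT_KRW
            and window_start <= o.concluded <= day
        ]
        if len(pair_large) >= 2:
            flagged.append(c.contract_id)
    return sorted(flagged)


def payer_differs_from_policyholder(contracts: List[Contract], day: date) -> List[str]:
    """New contracts of `day` whose policyholder is not the automatic transfer account
    holder (possible payment by proxy); group insurance is excluded as in Table II."""
    return sorted(
        c.contract_id for c in new_contracts_of_day(contracts, day)
        if not c.group_insurance and c.policyholder_id != c.account_holder_id
    )


def previous_month(day: date) -> tuple:
    """(year, month) of the calendar month before `day`, crossing the year boundary."""
    return (day.year - 1, 12) if day.month == 1 else (day.year, day.month - 1)


def concluded_last_month_cancelled_today(contracts: List[Contract], day: date) -> List[str]:
    """Contracts cancelled on `day` that were concluded in the previous calendar month."""
    prev = previous_month(day)
    return sorted(
        c.contract_id for c in contracts
        if c.cancelled == day and (c.concluded.year, c.concluded.month) == prev
    )


def run_sales_scenarios(contracts: List[Contract], day: date) -> dict:
    """Run the three scenarios for one audit day; returns contract ids per scenario."""
    return {
        "multiple_large_amount": multiple_large_amount_contracts(contracts, day),
        "payer_differs": payer_differs_from_policyholder(contracts, day),
        "cancelled_next_month": concluded_last_month_cancelled_today(contracts, day),
    }


# Constructed sample contracts; the audit day is 2013-04-10.
AUDIT_DAY = date(2013, 4, 10)
SAMPLE_CONTRACTS = [
    Contract("C1", date(2013, 4, 10), "S1", "P1", "P1", 400_000),
    Contract("C2", date(2013, 2, 20), "S1", "P1", "P1", 350_000),  # earlier large contract, same pair
    Contract("C3", date(2013, 4, 10), "S2", "P2", "P9", 100_000),  # payer differs from policyholder
    Contract("C4", date(2013, 4, 10), "S3", "P3", "P8", 200_000, group_insurance=True),  # excluded
    Contract("C5", date(2013, 3, 15), "S2", "P4", "P4", 150_000, cancelled=date(2013, 4, 10)),
    Contract("C6", date(2013, 4, 2), "S2", "P5", "P5", 150_000, cancelled=date(2013, 4, 10)),
    Contract("C7", date(2013, 4, 10), "S1", "P6", "P6", 250_000),  # not large-amount, clean
]

if __name__ == "__main__":
    for scenario, ids in run_sales_scenarios(SAMPLE_CONTRACTS, AUDIT_DAY).items():
        print(f"{scenario}: {ids}")
```

Each function returns only the contracts of the audit day that the scenario flags, which is the set an auditor would pick up as intensive auditing targets.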
to this scenario, Company A developed the following four KRIs to monitor long-term
insurance agents with substantial variation in the number of contracts and contract
amounts:
(1) Number of long-term insurance agents whose percentage change in new
contracts is ±30 per cent or more as compared to the previous month.
(2) Number of long-term insurance agents whose percentage change in new
contracts is ±30 per cent or more in the past three months.
(3) Number of long-term insurance agents whose percentage change in gross
premiums of new contracts is ±30 per cent or more as compared to the
previous month.
(4) Number of long-term insurance agents whose percentage change in gross
premiums of new contracts is ±30 per cent or more in the past three months.
For a KRI index (such as above) to provide an adequate early warning function –
i.e. detecting risks in advance – the rules, roles, and responsibilities for the management
of the KRI index must be defined in advance. In other words, for each KRI, the following
must be defined: which department will generate and monitor the KRI index
(department in charge), how often the KRI data will be monitored (generation cycle), and,
if the KRI index exceeds a certain pre-determined standard, whether it will be perceived
as a warning (prior threshold). In particular, a careful approach to the prior threshold
(tolerance limit)[9] is required. Company A set up prior thresholds for the KRIs based on
past statistical performance and adjusted them through consultation between
departments in order to confirm the KRI thresholds.
Table II. Examples of continuous monitoring scenarios of the sales division of Company A
Division | Large category | Middle category | Continuous monitoring scenario | Reason for selection | Detailed standard for continuous monitoring data extraction
The sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | It is feared that long-term insurance agents may conclude bad contracts aiming at defraudation of commissions | 1. Number of new contracts concluded by long-term insurance agents, and total gross premiums of the previous three months; 2. Including employee information
The sales division | Underwriting | Analysis of new contracts | The same insurance salesperson and the same policyholder with multiple large-amount contracts | Many large-amount contracts with the same insurance salesperson and the same policyholder are likely to be subsidiary contracts to meet contracts | 1. Those new contracts of the day which had two or more large-amount contracts with the same insurance salesperson and the same policyholder within three months (the criterion for large-amount contracts is monthly insurance premium in excess of KRW300,000)
The sales division | Underwriting | Financial incidents | Contracts with the policyholder different than the insurance premium automatic transfer account holder | Checking whether the sale is complete and the insurance salesperson paid insurance premiums by proxy | 1. Those new contracts of the day whose policyholder resident registration numbers are different than insurance premium automatic transfer account holders (however, group insurances are excluded)
The sales division | Underwriting | Bad contracts | Contracts many of which are contracts with the same insurance premium automatic transfer account holder | Bad contracts due to the insurance salesperson’s payment by proxy or defraudation of commission through false contracts | 1. New long-term insurance contracts within the last six months which had ten or more contracts with the same insurance salesperson and automatic transfer account holder (however, group insurances are excluded)
The sales division | Underwriting | Bad contracts | Underwriting of contracts prohibited according to the underwriting guideline for each insurance line | Checking for bad contracts in advance according to business logic | Underwriting of contracts prohibited according to the underwriting guideline for each insurance line (the generation method needs to be specified)
The sales division | Underwriting | New contracts | New contracts with no special option | Policies that have only the basic contracts without any special option to avoid underwriting may be subsidiary contracts to meet targets | 1. Those new contracts of the day which had only the basic contracts without any special option
The sales division | Underwriting | New contracts | Canceling the policy | Insurance salespeople, sales offices and branches who cancel contracts frequently are likely to be associated with incomplete sale or subsidiary contracts | 1. Contracts that were cancelled on the day
The sales division | Underwriting | New contracts | Contracts concluded this month and cancelled the next | Likely to be bad contracts or subsidiary contracts to meet targets | 1. Those contracts cancelled on the day which were concluded in the previous month
Table III shows examples of KRIs selected on the basis of the continuous
monitoring scenarios of the sales division, along with the attributes of each KRI.
According to Table III, each KRI index is calculated according to the KRI generation
formula column and is monitored according to the value entered in the monitoring cycle
column. The threshold is divided into “red” and “green” to perceive risks in stages. That
is, green refers to a risk in the early stage; red refers to a risk that requires an immediate
response. For example, in the KRI called “number of long-term insurance agents whose
percentage change in new contracts is ±30 per cent or more as compared to the
previous month,” green is 0 and red is 1. This means that risks in the early stage will not
be perceived, and risks requiring immediate response will be perceived instantly. In the
early stage, Company A is not differentiating between the green and red warning stages,
and if the CA system is further stabilized, the company will set up different thresholds
for green and red.
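The four KRIs for the "new contracts of long-term insurance agents" scenario, computed over constructed monthly agent figures and checked against the red/green thresholds. This is an added example and not Company A's system: agent ids and figures are constructed, the three-month KRIs compare against the three-month average as in the premium formula of Table III, and a threshold of 0 is taken to mean that the warning stage is switched off (matching the remark that early-stage risks are not yet perceived).

```python
"""KRI evaluation for Company A's "new contracts of long-term insurance agents"
scenario (added example, not Company A's system). The four KRI formulas, the
±30 per cent rule and the red=1/green=0 thresholds follow the text and Table III;
agent ids and monthly figures are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PCT_CHANGE_LIMIT = 0.30   # "±30 per cent or more"

# Threshold (red, green) per KRI as in Table III. Assumption: a threshold of 0 means
# that warning stage is switched off, so green=0 never fires on its own.
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "contracts_vs_prev_month": (1, 0),
    "contracts_vs_3m_avg": (1, 0),
    "premium_vs_prev_month": (1, 0),
    "premium_vs_3m_avg": (1, 0),
}


@dataclass
class AgentMonth:
    agent_id: str
    month: str           # "YYYY-MM"; sorts chronologically as a string
    new_contracts: int
    gross_premium: int   # KRW


def pct_change(current: float, base: float) -> Optional[float]:
    """(current - base) / base, or None when base is 0 so that the KRI cannot fire."""
    return None if base == 0 else (current - base) / base


def exceeds(change: Optional[float]) -> bool:
    return change is not None and abs(change) >= PCT_CHANGE_LIMIT


def flagged_agents(rows: List[AgentMonth], month: str) -> Dict[str, List[str]]:
    """Agents whose `month` figures breach the ±30 per cent rule under each KRI.
    Previous-month KRIs need one prior month of data; three-month KRIs need three."""
    flags: Dict[str, List[str]] = {k: [] for k in THRESHOLDS}
    for agent_id in sorted({r.agent_id for r in rows}):
        series = sorted((r for r in rows if r.agent_id == agent_id), key=lambda r: r.month)
        idx = next((i for i, r in enumerate(series) if r.month == month), None)
        if idx is None or idx == 0:
            continue  # nothing to compare against
        cur, prev = series[idx], series[idx - 1]
        if exceeds(pct_change(cur.new_contracts, prev.new_contracts)):
            flags["contracts_vs_prev_month"].append(agent_id)
        if exceeds(pct_change(cur.gross_premium, prev.gross_premium)):
            flags["premium_vs_prev_month"].append(agent_id)
        if idx >= 3:
            window = series[idx - 3:idx]
            avg_contracts = sum(r.new_contracts for r in window) / 3
            avg_premium = sum(r.gross_premium for r in window) / 3
            if exceeds(pct_change(cur.new_contracts, avg_contracts)):
                flags["contracts_vs_3m_avg"].append(agent_id)
            if exceeds(pct_change(cur.gross_premium, avg_premium)):
                flags["premium_vs_3m_avg"].append(agent_id)
    return flags


def warning_level(value: int, red: int, green: int) -> str:
    """'red' needs an immediate response, 'green' is an early-stage sign, else 'none'."""
    if red > 0 and value >= red:
        return "red"
    if green > 0 and value >= green:
        return "green"
    return "none"


def evaluate_kris(rows: List[AgentMonth], month: str) -> Dict[str, Tuple[int, str]]:
    """KRI value (number of agents; unit: person) and warning level per KRI."""
    flags = flagged_agents(rows, month)
    return {k: (len(v), warning_level(len(v), *THRESHOLDS[k])) for k, v in flags.items()}


# Constructed monthly figures for three agents, January to April 2013.
SAMPLE_ROWS = [
    *[AgentMonth("A", m, 10, 1_000_000) for m in ("2013-01", "2013-02", "2013-03")],
    AgentMonth("A", "2013-04", 14, 1_100_000),      # contracts +40%, premium +10%
    *[AgentMonth("B", m, 20, 2_000_000) for m in ("2013-01", "2013-02", "2013-03")],
    AgentMonth("B", "2013-04", 16, 1_200_000),      # contracts -20%, premium -40%
    AgentMonth("C", "2013-03", 0, 0),               # zero base: no change computable
    AgentMonth("C", "2013-04", 5, 500_000),
]

if __name__ == "__main__":
    for kri, (value, level) in evaluate_kris(SAMPLE_ROWS, "2013-04").items():
        print(f"{kri}: {value} person(s) -> {level}")
```

For April 2013 each KRI counts exactly one agent (A on the contract KRIs, B on the premium KRIs) and therefore reaches the red threshold, while agent C's zero base month produces no comparison rather than a spurious infinite change.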
In addition, to embed the EWS, Company A systematically defined the risk
management process. If the KRI index exceeds the pre-determined threshold, it will be
regarded as a sign of risk; the IT system will automatically send an e-mail and SMS to
the employees in charge, who will report to the department heads and management
and conduct predefined preventive activities. At the same time, the internal auditing
team will determine the reason that the early warning index exceeded the threshold
through continuous monitoring and by tracking related information. If necessary,
relevant areas will be audited in detail.
The audit process map and process map for defining the requirements of Company A’s
auditing system were used to generate the auditing information system menu structure
map shown in Tables IV and V.
This audit information system is closely related to the CA system and KRIs. It will
have a direct influence on the update of continuous monitoring scenarios of the CA
system by systematically managing the audit history and issues. In other words, the
audit history and identified issues are used to add new continuous monitoring scenarios.
If scenarios added this way are high-risk and need immediate correction, KRIs will be
Large Middle Continuous monitoring Threshold Threshold
Division category category scenario KRI classification KRI generation formula Unit Cycle (red) (green)
The Underwriting Analysis New contracts of Number of agents specializing Number of agents specializing Person Month 1 0
sales of new long-term insurance in long-term insurance with the in long-term insurance with
division contracts agents percentage change of new [(Number of new contracts of
contracts as compared to the the month 2 Number of new
previous month being ^ 30 per contracts of the previous
cent or greater month)/Number of new
contracts of the previous
month] being ^30 per cent
or greater
The Underwriting Analysis New contracts of long- Number of agents specializing Number of agents specializing Person Month 1 0
sales of new term insurance agents in long-term insurance with the in long-term insurance with
division contracts percentage change of new [(Number of new contracts of
Table III. Examples of continuous monitoring scenarios generated by Company A (continued)

Columns: Division | Large category | Middle category | Continuous monitoring scenario | KRI classification | KRI generation formula | Unit | Cycle | Threshold (red) | Threshold (green)

[Row continued from the preceding page; only the ends of its scenario and formula columns fall in this excerpt] ... contracts as compared to the previous three months being ±30 per cent or greater | [(... of the month − Number of new contracts of the previous three months)/Average number of new contracts of the previous three months] being ±30 per cent or greater

Sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | Number of agents specializing in long-term insurance with the percentage change of new contract sales premium as compared to the previous month being ±30 per cent or greater | Number of agents specializing in long-term insurance with [(Total new contract sales insurance premium of the month − Total new contract sales insurance premium of the previous month)/Total new contract sales insurance premium of the previous month] being ±30 per cent or greater | Person | Month | 1 | 0

Sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | Number of agents specializing in long-term insurance with the percentage change of new contract sales insurance premium as compared to the previous three months being ±30 per cent or greater | Number of agents specializing in long-term insurance with [(Total new contract sales insurance premium of the month − Average total new contract sales insurance premium of the previous three months)/Average total new contract sales insurance premium of the previous three months] being ±30 per cent or greater | Person | Month | 1 | 0

Sales division | Underwriting | Analysis of new contracts | Multiple large-amount contracts with the same insurance salespeople and the same policyholders | Number of insurance salespeople who signed three or more large-amount long-term insurance contracts with the same policyholder within three months | Number of insurance salespeople who had three or more large-amount contracts with the same insurance salespeople, and the same policyholder's sales insurance premium in excess of KRW300,000 in the last three months | Person | Month | 3 | 1

Sales division | Underwriting | Bad contracts | Number of long-term insurance policies with the same account holder automatically transferring insurance premiums | Long-term insurance policies with the same account holder transferring insurance premiums for more than ten policies (group insurance is excluded) | Number of long-term insurance policies with the same account holder transferring insurance premiums for more than ten policies | Person | Month | 1 | 0
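The KRI in the agent rows of Table III is a percentage-change count: for each agent, the month's new-contract premium is compared with the previous month (or with the average of the previous three months), the agents whose change reaches 30 per cent are counted, and the KRI turns red once that count reaches the red threshold. The following Python is an added example, not code from the paper or from Company A. The agent identifiers and premium figures are constructed; the treatment of agents without a complete baseline, of a zero baseline, and the yellow band between the green and red thresholds are assumptions made here. The table's garbled threshold symbol is read as ±, so a decrease of 30 per cent or more is flagged as well as an increase.

```python
"""Added example (not from the paper): evaluating Company A's
"new contracts of long-term insurance agents" KRI from Table III.

Assumptions made here: the agent ids and premium figures are constructed;
agents without a complete baseline are skipped; a zero baseline is not
counted; a "yellow" band is used between the green and red thresholds.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: (agent_id, month as YYYY-MM, new-contract sales premium in KRW)
SAMPLE_PREMIUMS = [
    ("A001", "2012-03", 1_000_000), ("A001", "2012-04", 1_100_000),
    ("A001", "2012-05", 900_000),   ("A001", "2012-06", 1_500_000),  # +50% vs 3-month average
    ("A002", "2012-03", 2_000_000), ("A002", "2012-04", 2_000_000),
    ("A002", "2012-05", 2_000_000), ("A002", "2012-06", 2_200_000),  # +10%, below threshold
    ("A003", "2012-05", 500_000),   ("A003", "2012-06", 800_000),    # only one prior month
    ("A004", "2012-03", 1_000_000), ("A004", "2012-04", 1_000_000),
    ("A004", "2012-05", 1_000_000), ("A004", "2012-06", 600_000),    # -40%, flagged two-sided
]


def monthly_premium_by_agent(rows):
    """Aggregate premium rows into {agent_id: {month: total premium}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for agent, month, premium in rows:
        totals[agent][month] += premium
    return totals


def previous_months(month, n):
    """The n calendar months before `month` (YYYY-MM), most recent first."""
    year, mon = map(int, month.split("-"))
    result = []
    for _ in range(n):
        mon -= 1
        if mon == 0:
            year, mon = year - 1, 12
        result.append(f"{year:04d}-{mon:02d}")
    return result


def flagged_agents(rows, month, baseline_months=3, change_threshold=0.30):
    """Agents whose premium change against the average of the previous
    `baseline_months` months is +/-`change_threshold` or more.

    baseline_months=1 reproduces the previous-month variant of the scenario,
    baseline_months=3 the three-month-average variant. Returns
    {agent_id: change ratio} for the flagged agents.
    """
    totals = monthly_premium_by_agent(rows)
    prior = previous_months(month, baseline_months)
    flagged = {}
    for agent, months in totals.items():
        if month not in months or not all(m in months for m in prior):
            continue  # assumption: no complete baseline, no KRI contribution
        baseline = mean(months[m] for m in prior)
        if baseline == 0:
            continue  # assumption: an undefined percentage change is not counted
        change = (months[month] - baseline) / baseline
        if abs(change) >= change_threshold:
            flagged[agent] = round(change, 4)
    return flagged


def kri_status(kri_value, red=1, green=0):
    """Colour the KRI (number of flagged agents) with the table's thresholds.

    The table gives only red and green; the yellow band between them is an
    assumption of this example.
    """
    if kri_value >= red:
        return "red"
    if kri_value <= green:
        return "green"
    return "yellow"


if __name__ == "__main__":
    hits = flagged_agents(SAMPLE_PREMIUMS, "2012-06")
    print(hits, kri_status(len(hits)))
```

With the constructed data the three-month variant flags A001 (+50 per cent) and A004 (−40 per cent) for June 2012, so the KRI value is 2 and the status is red; the previous-month variant additionally flags A003, whose single prior month is enough baseline for that variant. A real deployment would have to decide, as Note 9 says of the prior threshold, how often the 30 per cent cut-off and the red/green thresholds are re-tuned as sales volumes move.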
Table IV. Company A's audit process map

Mega process | Process chain | Process
1. Audit planning | 1.1 Establishing audit plans | 1.1.1 Establishing annual audit plans; 1.1.2 Establishing monthly audit plans
1. Audit planning | 1.2 Managing external documents | 1.2.1 Managing external audits
2. Auditing | 2.1 Periodic audits | 2.1.1 Preparing for audits; 2.1.2 Conducting audits
2. Auditing | 2.2 Daily audits | 2.2.1 Daily audits
3. Audit results | 3.1 Post-management | 3.1.1 Registering audit reports; 3.1.2 Requesting field actions; 3.1.3 Requesting actions (audited department); 3.1.4 Requesting actions (HR team)
3. Audit results | 3.2 Other | 3.2.1 Transfer of duties; 3.2.2 Managing surveys
developed, as well. Therefore, the audit information system plays a supplementary role
in the effective operation of the CA system and KRIs. Furthermore, the CA system and
KRIs affect actual auditing, helping in the selection of intensive audit items by
extracting abnormal data showing signs of fraud and errors. Accordingly, the
relationships among the CA system, EWS, and audit information management system
can be represented as shown in Figure 3.
Figure 3. Relationship between Company A's CA system, EWS, and audit information management system
of duties (SOD) index. The environmental index is related to the organization and
system of the business division, and the percentage (%) change in manpower is the
representative item. The management index is related to the management performance
of the business division, and sales/bad debt expenses by month, product, and customer
are representative items. The SOD index is intended to check for transactions
conducted by the same person that are not compatible with one another, according to
segregation of duties. A representative example is the customer generation/change and
invoice generation/change performed by the same person. One of the characteristics of
this Entity-Level index is that it is generated only for risk assessment.
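The SOD check described above (customer generation/change and invoice generation/change by the same person) can be expressed as a join between the customer master change log and the invoice log. The following Python/SQLite code is an added example, not the paper's or Company B's code; the table and column names imitate an ERP change-document extract, the rows are constructed, and the scoring of the index as the number of distinct users in conflict is an assumption made here, since the paper does not say how the SOD index is scored.

```python
"""Added example (not from the paper): the entity-level segregation-of-duties
check described for Company B, i.e. the same person maintaining a customer
master record and generating invoices for that customer.

Assumptions made here: the table and column names imitate an ERP change-log
extract, the rows are constructed, and the "SOD index" is scored as the
number of distinct users in conflict (the paper does not give its scoring).
"""
import sqlite3

# Constructed sample data.
CUSTOMER_CHANGES = [  # (customer_id, changed_by, change_type, changed_on)
    ("C100", "kim",  "CREATE", "2012-05-02"),
    ("C100", "kim",  "CHANGE", "2012-05-20"),   # e.g. bank account changed
    ("C200", "lee",  "CREATE", "2012-05-03"),
    ("C300", "park", "CREATE", "2012-05-04"),
]
INVOICES = [  # (invoice_no, customer_id, created_by, amount_krw, posted_on)
    ("INV-1", "C100", "kim",  4_500_000, "2012-05-21"),  # kim also maintains C100: conflict
    ("INV-2", "C100", "choi", 1_200_000, "2012-05-22"),
    ("INV-3", "C200", "park", 3_000_000, "2012-05-23"),  # park maintains C300, not C200: no conflict
    ("INV-4", "C300", "park",   800_000, "2012-05-24"),  # park also created C300: conflict
]

# One user appearing on both sides for the same customer is the incompatible
# combination; DISTINCT in the CTE stops repeated master changes from
# double-counting the invoice amounts.
SOD_QUERY = """
WITH maintainers AS (
    SELECT DISTINCT customer_id, changed_by AS user_id
    FROM customer_changes
)
SELECT m.user_id,
       m.customer_id,
       COUNT(i.invoice_no)  AS invoices,
       SUM(i.amount_krw)    AS invoice_amount_krw
FROM maintainers AS m
JOIN invoices    AS i
  ON i.customer_id = m.customer_id
 AND i.created_by  = m.user_id
GROUP BY m.user_id, m.customer_id
ORDER BY invoice_amount_krw DESC
"""


def load_sample_db():
    """Build an in-memory SQLite copy of the two extracts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer_changes(
            customer_id TEXT, changed_by TEXT, change_type TEXT, changed_on TEXT);
        CREATE TABLE invoices(
            invoice_no TEXT, customer_id TEXT, created_by TEXT,
            amount_krw INTEGER, posted_on TEXT);
    """)
    conn.executemany("INSERT INTO customer_changes VALUES (?,?,?,?)", CUSTOMER_CHANGES)
    conn.executemany("INSERT INTO invoices VALUES (?,?,?,?,?)", INVOICES)
    return conn


def sod_conflicts(conn):
    """(user_id, customer_id, invoices, invoice_amount_krw) for each conflict."""
    return [tuple(row) for row in conn.execute(SOD_QUERY)]


def sod_index(conflicts):
    """Entity-level SOD index: distinct users in conflict (assumed scoring)."""
    return len({row[0] for row in conflicts})


if __name__ == "__main__":
    rows = sod_conflicts(load_sample_db())
    for row in rows:
        print(row)
    print("SOD index:", sod_index(rows))
```

Matching on the customer as well as on the user is what makes the combination incompatible: the same person can change a customer's bank details and then invoice against that customer. A stricter variant drops the customer_id join condition and flags any user who appears in both logs at all; it produces more hits to review but is the safer reading when the master change log does not record which record was touched.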
Table VII. Types of Company B's continuous monitoring scenarios

Classification | Description | Example
Unusual transactions | Abnormal and non-ordinary transactions or exceptions | Reviewing abrupt and frequent increases/decreases of the credit limit (more than XX%/KRW XX)
Information GAP | Where many copies of the same data exist because of interfaces in the flow of information, gaps can arise between them | Reviewing inconsistencies between the Sales Order quantity and the Delivery Order quantity
Incomplete/delayed transactions | Incomplete and delayed transactions that have not been fulfilled long past the requested delivery date | Reviewing incomplete purchase orders
Segregation of duties | Cases where jobs with conflicting interests are not separated and are processed by the same person | Reviewing cases where the person in charge of warehousing also appears on the list of purchase order creators
Statistical information | Discovering non-ordinary transactions from the distribution of transaction details | Reviewing cases with many manual entries of non-ordinary transactions (by company, by related department and by person in charge)
Master management | Defects and errors in master data that hurt the integrity of transactions | Reviewing the accuracy of the customer master and of the GL distribution entries of the vendor master
Configuration | Defects and errors in the implementation of automatic controls in the system | Reviewing cases where accounts payable slips were generated from a goods receipt slip that was cancelled after receipt
At the Process Level, individual continuous monitoring scenarios are scored, and the total score is calculated for risk assessment. Risk scores are calculated for the sales index, the purchasing index, the production index, and the financial index. The sales index covers the credit management, order management, logistics management, sales management, and collection management processes. The purchasing index covers the purchase request/quotation management, contract/order management, warehousing/purchase confirmation, and payment processes. The production index covers production management, inventory management, and fixed asset management. The financial index covers the fund management, accounting management, and tax management processes. One characteristic of this process-level index is that the continuous monitoring scenarios run by the CA system are themselves the inputs to the risk assessment.
The scores of individual risk items are aggregated, and risk grades at the Entity Level and the Process Level are classified as "High/Medium/Low". Company B implemented a dashboard screen for viewing the risk grades of each division, used it to identify the intensive audit universe, and uses the grades to conduct efficient and effective internal auditing.

Table IX. Examples of Company B's continuous monitoring scenarios in the purchasing process

Process | Sub_Process | Scenario type | Item (auditing scenario) | Description
Purchasing | Purchase request/quotation management | Master management | Supplier deferred/released in the master | Reviewing the appropriateness of suppliers deferred/released in the master, to reduce the risk of continuous issuance of purchase orders to inappropriate suppliers
Purchasing | Purchase request/quotation management | Statistical information | % of rejected materials | Reviewing the rejection rate by lot and supplier, to reduce the (quality) risk of inappropriate purchasing interfering with efficient production
Purchasing | Purchase request/quotation management | Information GAP | Accounts payable slips directly generated by ERP (TOPS data inconsistent with ERP data with regard to expendables/repair costs) | Reviewing accounts payable slips generated directly in the ERP financial master without going through the purchasing process, to reduce the risk of inappropriate accounts payable being booked, or payments made, without going through the purchasing process
Purchasing | Purchase request/quotation management | Incomplete/delayed transactions | Reviewing purchase requests with no purchase order generated | Number of customers with only basic credit who have a large amount of AR as compared to the basic credit
Purchasing | Purchase request/quotation management | Reviewing abnormal transactions | Continuous purchases from suppliers with a high rejection rate | Extracting those companies with a high return ratio in the warehousing stage for which purchase orders and warehousing transactions occur continuously
Purchasing | Purchase request/quotation management | Configuration | (Construction purchasing) Limited access to the estimated cost of construction | Checking whether access to the estimated cost of construction is appropriately limited, to reduce the risk of lower transparency of the bidding process and of collusion with bidders following a leak of the estimated cost
Purchasing | Purchase request/quotation management | Division of duties | Approval by inappropriate approvers (self-approval) | Reviewing approval paths set as self-approval in the purchase request, to reduce the risk of bypassing the appropriate approval path
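Two of the scenario types in Tables VII and IX, the information GAP between Sales Order and Delivery Order quantities and the incomplete/delayed transaction (a purchase request still without a purchase order past its requested delivery date), reduce to queries over the ERP document tables. The following Python/SQLite code is an added example, not code from the paper or from Company B; the table and column names and all rows are constructed for the example.

```python
"""Added example (not from the paper): two of Company B's scenario types from
Tables VII and IX run as queries over ERP extracts:
  - information GAP: sales order quantity vs. delivered quantity;
  - incomplete/delayed transactions: purchase requests with no purchase
    order that are already past their requested delivery date.

Assumptions made here: table/column names and all rows are constructed.
"""
import sqlite3

SALES_ORDERS = [  # (so_no, item, qty)
    ("SO-1", "M-10", 100),
    ("SO-2", "M-11", 50),
    ("SO-3", "M-12", 10),
    ("SO-4", "M-13", 20),   # not yet delivered: incomplete, not an interface gap
]
DELIVERY_ORDERS = [  # (do_no, so_no, qty)
    ("DO-1", "SO-1", 100),
    ("DO-2", "SO-2", 30), ("DO-3", "SO-2", 25),   # 55 delivered against 50 ordered
    ("DO-4", "SO-3", 8),                          # 8 delivered against 10 ordered
]
PURCHASE_REQUESTS = [  # (pr_no, requested_by, requested_delivery)
    ("PR-1", "kim", "2012-05-10"),   # has a PO
    ("PR-2", "kim", "2012-05-15"),   # no PO, overdue
    ("PR-3", "lee", "2012-06-20"),   # no PO, not yet due
    ("PR-4", "lee", "2012-04-30"),   # no PO, overdue
]
PURCHASE_ORDERS = [  # (po_no, pr_no)
    ("PO-1", "PR-1"),
]

# Only sales orders with at least one delivery are compared, so an undelivered
# order is left to the incomplete-transaction scenario rather than reported as a gap.
INFORMATION_GAP_QUERY = """
SELECT s.so_no, s.qty AS ordered_qty, SUM(d.qty) AS delivered_qty
FROM sales_orders AS s
JOIN delivery_orders AS d ON d.so_no = s.so_no
GROUP BY s.so_no, s.qty
HAVING SUM(d.qty) <> s.qty
ORDER BY s.so_no
"""

# Open purchase requests (no PO row joins) whose requested delivery date is
# already behind the as-of date; days_overdue sorts the worst cases first.
DELAYED_PR_QUERY = """
SELECT p.pr_no, p.requested_by, p.requested_delivery,
       CAST(julianday(:as_of) - julianday(p.requested_delivery) AS INTEGER) AS days_overdue
FROM purchase_requests AS p
LEFT JOIN purchase_orders AS o ON o.pr_no = p.pr_no
WHERE o.po_no IS NULL
  AND p.requested_delivery < :as_of
ORDER BY days_overdue DESC
"""


def load_sample_db():
    """Build an in-memory SQLite copy of the four constructed extracts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales_orders(so_no TEXT, item TEXT, qty INTEGER);
        CREATE TABLE delivery_orders(do_no TEXT, so_no TEXT, qty INTEGER);
        CREATE TABLE purchase_requests(pr_no TEXT, requested_by TEXT, requested_delivery TEXT);
        CREATE TABLE purchase_orders(po_no TEXT, pr_no TEXT);
    """)
    conn.executemany("INSERT INTO sales_orders VALUES (?,?,?)", SALES_ORDERS)
    conn.executemany("INSERT INTO delivery_orders VALUES (?,?,?)", DELIVERY_ORDERS)
    conn.executemany("INSERT INTO purchase_requests VALUES (?,?,?)", PURCHASE_REQUESTS)
    conn.executemany("INSERT INTO purchase_orders VALUES (?,?)", PURCHASE_ORDERS)
    return conn


def information_gaps(conn):
    """(so_no, ordered_qty, delivered_qty) where the two documents disagree."""
    return [tuple(r) for r in conn.execute(INFORMATION_GAP_QUERY)]


def delayed_purchase_requests(conn, as_of):
    """(pr_no, requested_by, requested_delivery, days_overdue) for open PRs past due on `as_of`."""
    return [tuple(r) for r in conn.execute(DELAYED_PR_QUERY, {"as_of": as_of})]


if __name__ == "__main__":
    db = load_sample_db()
    print("information gaps:", information_gaps(db))
    print("delayed PRs:", delayed_purchase_requests(db, "2012-06-01"))
```

Both queries are deliberately direction-agnostic: an over-delivery (SO-2) is as much an interface gap as a short delivery (SO-3), and the scoring of the Process-Level index would then weight each hit rather than the query deciding which side is at fault. The as-of date is passed in rather than taken from the clock so that a monthly run can be reproduced later for the audit file.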
6. Discussion
The purpose of this study was to help enterprises hoping to implement a CA system, and to help internal and external auditors better understand such systems and their implementation, by examining two enterprise cases that introduced the CA system. This section describes several problems likely to occur in the process of introducing and running the CA system.
Notes
1. SAP, the world’s largest ERP system provider, was first released as an integrated business
process software application in 1982 (www.sap.com/corporate-en/our-company/
history/1982-1991.epx).
2. An important subset of CA is the continuous monitoring of business process controls
(CMBPC), a task made particularly relevant by the passage of Section 404 of the
Sarbanes/Oxley Act. The Section requires both managers and auditors to verify controls
over the firm’s financial reporting processes (Alles et al., 2006).
3. The conceptual model of the continuous monitoring system proposed in this paper
emphasizes the utilization of the continuous monitoring system more than the architecture of
the generic CMBPC, as proposed by Alles et al. (2006).
4. The COSO Report (Internal Control – Integrated Framework), published in 1992, presented an evaluation tool that provided a unified concept of the internal control system and helped companies evaluate their internal control systems and find ideas for improvement. Afterwards, a majority of American corporations adopted the COSO Framework to diagnose their internal control systems. The definition of “internal control” is not given in law, but the definition in the COSO Report was accepted by the US Government and affiliated organizations (US Government Audit Standard AU 319), and is regarded worldwide as the standard representing the integrated internal control structure.
5. Company A in the financial industry and Company B in the manufacturing industry used
the continuous monitoring system to monitor the control activities as described above
among the various control activities exemplified in the COSO Report.
6. Doyle et al. (2007) analyzed the relationship between accruals quality and internal control over financial reporting, and showed that weak internal control over financial reporting is associated with low accruals quality. DeFranco et al. (2005) showed that the stock market reacts negatively to enterprises that report material weaknesses in internal control over financial reporting.
7. Boards and senior executives are looking to develop metrics or indicators to help monitor
potential future shifts in risk conditions or new emerging risks more effectively, allowing
management and boards to more proactively identify potential impacts on the organization’s
portfolio of risks. This puts the management and board in a better position to manage events
that may arise in the future on a more timely and strategic basis. This type of metric or
indicator is frequently referred to as a key-risk indicator (KRI) (www.coso.org: Guidance
Paper Developing Key Risk Indicators to Strengthen Enterprise Risk Management).
8. CSA is a process that allows individual line managers and staff to participate in reviewing
existing controls for adequacy, and recommending, agreeing and implementing
improvements (IIA) (https://na.theiia.org).
9. The prior threshold refers to the level of the KRI that the company must perceive as a risk and respond to in advance. Accordingly, if the KRI index exceeds the prior threshold, the early-warning function is activated; this prior threshold must be continuously updated according to changes in the business environment.
10. Existing studies show different results as to whether the non-audit services provided by auditors hurt their independence in audit services. Frankel et al. (2002) suggest that the provision of non-audit services, or the compensation for them, is positively (+) correlated with discretionary accruals, and that the provision of non-audit services ultimately lessens the independence of the auditor. Thus, they argue that an auditor’s non-audit activities must be restricted. Meanwhile, Ashbaugh et al. (2003) and Chung and Kallapur (2003) did not find any evidence that an auditor’s provision of non-audit services decreases auditor independence, and proposed that the independence of the auditor was actually enhanced when non-audit services were provided in addition to audit services.
11. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a commission established in 1985 to handle matters relating to fraudulent financial reporting. In 1992, COSO published its report on internal control (“COSO I”); in October 2004 it modified the existing internal control model and proposed it as a new COSO Report, which became more specific in the Enterprise Risk Management Framework.
ERM provides an overall perspective on the risks facing the company and can generate
the best risk management plans by effectively mixing financial solutions and organizational
solutions. In addition, ERM created a new paradigm that can effectively manage the
uncertainties in the process of accomplishing the strategic, operational and financial goals.
ERM makes it possible to integrate and perceive enterprise-wide risks, as well as establish
the best response plans (Meulbroek, 2002).
References
Alles, M., Kogan, A. and Vasarhelyi, M.A. (2002), “Feasibility and economics of continuous
assurance”, Auditing: A Journal of Practice & Theory, Vol. 21 No. 1, pp. 125-138.
Alles, M., Kogan, A. and Vasarhelyi, M.A. (2004), “Real time reporting and assurance: has their
time come?”, Institute of Chartered Financial Analysts of India, ICFAI Reader (Special
Issue – Finance in 2004).
Alles, M., Kogan, A. and Vasarhelyi, M.A. (2008), “Putting continuous auditing theory into
practice: lessons from two pilot implementations”, Journal of Information Systems, Vol. 22
No. 2, pp. 195-214.
Alles, M., Brennan, G., Kogan, A. and Vasarhelyi, M.A. (2006), “Continuous monitoring of
business process controls: a pilot implementation of a continuous auditing system at
Siemens”, International Journal of Accounting Information Systems, Vol. 7 No. 2,
pp. 137-161.
Ashbaugh, H., LaFond, R. and Mayhew, B. (2003), “Do non-audit services compromise auditor
independence? Further evidence”, The Accounting Review, Vol. 78 No. 3, pp. 611-639.
Brown, C.E., Wong, J.A. and Baldwin, A.A. (2007), “A review and analysis of the existing
research streams in continuous auditing”, Journal of Emerging Technologies in
Accounting, Vol. 4, pp. 1-28.
Canadian Institute of Chartered Accountants (CICA) (1999), Continuous Auditing: Research
Report, CICA, Toronto.
Chan, D.Y. and Vasarhelyi, M.A. (2011), “Innovation and practice of continuous auditing”,
International Journal of Accounting Information Systems, Vol. 12, pp. 152-160.
Chung, H. and Kallapur, S. (2003), “Client importance, nonaudit services, and abnormal accruals”,
The Accounting Review, Vol. 78 No. 4, pp. 931-955.
Daigle, R.J. and Lampe, J.C. (2004), “The impact of the risk of consequence on the relative demand
for continuous online assurance”, International Journal of Accounting Information
Systems, Vol. 5 No. 3, pp. 313-340.
Daigle, R.J. and Lampe, J.C. (2005), “The level of assurance precision and associated cost
demanded when providing continuous online assurance in an environment open to
assurance competition”, International Journal of Accounting Information Systems, Vol. 6
No. 2, pp. 129-156.
Davis, J.T., Massey, A.P. and Lovell, R.E.R. (1997), “Supporting complex audit judgment tasks:
an expert network approach”, European Journal of Operations Research, Vol. 103 No. 2,
pp. 350-372.
Debreceny, R.S., Gray, G.L., Ng, J.J.J., Lee, K.S.P. and Yau, W. (2005), “Embedded audit modules
in enterprise resource planning systems: implementation and functionality”, Journal of
Information Systems, Vol. 19 No. 2, pp. 7-27.
Debreceny, R.S., Gray, G.L., Tham, W.L., Goh, K.Y. and Tang, P.L. (2003), “The development of
embedded audit modules to support continuous monitoring in the electronic commerce
environment”, International Journal of Auditing, Vol. 7 No. 2, pp. 169-185.
DeFranco, G., Guan, Y. and Lu, H. (2005), “The wealth change and redistribution effects of
Sarbanes-Oxley internal control disclosures”, working paper, University of Toronto,
Toronto.
Doyle, J.T., Ge, W. and McVay, S. (2007), “Accruals quality and internal control over financial
reporting”, The Accounting Review, Vol. 82 No. 5, pp. 1141-1170.
Elliott, R.K. (1998), “Assurance services and the audit heritage. What’s new and what’s rooted in
the past”, CPA Journal, Vol. 68 No. 6, pp. 40-47.
Elliott, R.K. (2002), “Twenty-first century assurance”, Auditing: A Journal of Practice & Theory,
Vol. 21 No. 1, pp. 139-146.
Flesher, D.L. and Zarzeski, M.T. (2002), “The roots of operational (value-for-money) auditing in
English-speaking nations”, Accounting & Business Research, Vol. 32 No. 2, pp. 93-104.
Glover, S.M., Prawitt, D. and Romney, M.B. (2000), “The software scene”, Internal Auditor,
August, pp. 49-57.
Groomer, S.M. and Murthy, U.S. (1989), “Continuous auditing of database applications: an
embedded audit module approach”, Journal of Information Systems, Vol. 3 No. 2, pp. 53-69.
Henrickson, R. (2009), “Practitioner discussion of principles and problems of audit automation as
a precursor for continuous auditing”, paper presented at University of Waterloo Centre for
Information Integrity and Information Systems Assurance 6th Bi-Annual Research
Symposium, Toronto, October.
Hunton, J.E., Mauldin, E.G. and Wheeler, P.R. (2008), “Potential functional and dysfunctional
effects of continuous monitoring”, The Accounting Review, Vol. 83 No. 6, pp. 1551-1569.
Kuhn, J.R. and Sutton, S.G. (2006), “Learning from WorldCom: implications for fraud detection
through continuous assurance”, Journal of Emerging Technologies in Accounting, Vol. 3,
pp. 61-80.
Kuhn, J.R. and Sutton, S.G. (2010), “Continuous auditing in ERP system environments: the
current state and future directions”, Journal of Information Systems, Vol. 24 No. 1,
pp. 91-112.
McNamee, D. and Selim, G.M. (1998), Risk Management: Changing the Internal Auditor’s
Paradigm, Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Martens, D., Bruynseels, L., Baesens, B., Willekens, M. and Vanthienen, J. (2008), “Predicting going
concern opinion with data mining”, Decision Support Systems, Vol. 45 No. 4, pp. 765-777.
Menon, K. and Williams, D.D. (2001), “Long-term trends in audit fees”, Auditing: A Journal of
Practice & Theory, Vol. 20, pp. 116-136.
Meulbroek, L.K. (2002), “Integrated risk management for the firm: a senior manager’s guide”,
Journal of Applied Corporate Finance, Vol. 14, pp. 56-57.
Min, J.H. and Lee, Y.C. (2005), “Bankruptcy prediction using support vector machine with
optimal choice of kernel function parameters”, Expert Systems with Applications, Vol. 28
No. 4, pp. 603-614.
PricewaterhouseCoopers (2006), State of the Internal Audit Profession Study: Continuous
Auditing Gains Momentum, available at: www.pwc.be/en/systems-process-assurance/
pwc-state-of-internal-audit-2006.pdf (accessed 25 March 2013).
Frankel, R., Johnson, M. and Nelson, K. (2002), “The relation between auditors’ fees for nonaudit
services and earnings management”, The Accounting Review, Vol. 77 No. 4, pp. 71-105.
Rezaee, Z., Ford, W. and Elam, R. (2000), “Real-time accounting systems”, The Internal Auditor,
Vol. 57 No. 2, pp. 62-67.
Rezaee, Z., Sharbatoghlie, A., Elam, R. and McMickle, P.L. (2002), “Continuous auditing: building
automated auditing capability”, Auditing: A Journal of Practice & Theory, Vol. 21 No. 1,
pp. 147-163.
Searcy, D.L. and Woodroof, J.B. (2003), “Continuous auditing: leveraging technology”, The CPA
Journal, Vol. 73 No. 5, pp. 46-48.
Stoecker, R. (1991), “Evaluating and rethinking the case study”, Sociological Review, Vol. 39 No. 1,
pp. 88-112.
Stringer, K.W. and Stewart, T.R. (1986), Statistical Techniques for Analytical Review in Auditing,
Wiley, New York, NY.
Sung, T.K., Chang, N. and Lee, G. (1999), “Dynamics of modeling in data mining: interpretive
approach to bankruptcy prediction”, Journal of Management Information Systems, Vol. 16
No. 1, pp. 63-85.
Swanborn, P. (2010), Case Study Research: What, Why and How?, Sage, Englewood Cliffs, CA.
Tam, K.Y. (1991), “Neural network models and the prediction of bank bankruptcy”, Omega,
Vol. 19 No. 5, pp. 429-445.
Vasarhelyi, M.A. and Halper, F.B. (1991), “The continuous audit of online systems”, Auditing:
A Journal of Practice & Theory, Vol. 10 No. 1, pp. 110-125.
Vasarhelyi, M.A., Alles, M. and Kogan, A. (2004), “Principles of analytic monitoring for continuous
assurance”, Journal of Emerging Technologies in Accounting, Vol. 1 No. 1, pp. 1-21.
Weidenmier, M.L. and Ramamoorti, S. (2006), “Research opportunities in information technology
and internal auditing”, Journal of Information Systems, Vol. 20 No. 1, pp. 205-219.
Wu, C.-H., Tzeng, G.-H., Goo, Y.-J. and Fang, W.-C. (2007), “A real-valued genetic algorithm to
optimize the parameters of support vector machine for predicting bankruptcy”, Expert
Systems with Applications, Vol. 32 No. 2, pp. 397-408.
Further reading
Beasley, M.S., Branson, B.C. and Hancock, B.V. (2010), Developing Key Risk Indicators to
Strengthen Enterprise Risk Management: How Key Risk Indicators can Sharpen Focus
on Emerging Risks, available at: www.coso.org/documents/COSOKRIPaperFull-
FINALforWebPostingDec110_000.pdf (accessed 7 November 2012).
Committee of Sponsoring Organizations of the Treadway Commission (2009), Guidance on
Monitoring Internal Control Systems – Introduction, available at: www.coso.org/documents/
COSO_Guidance_On_Monitoring_Intro_online1.pdf (accessed 7 November 2012).
Committee of Sponsoring Organizations of the Treadway Commission (2011), Internal Control –
Integrated Framework, available at: www.coso.org/documents/coso_framework_body_v6.
pdf (accessed 7 November 2012).
Coderre, D. (2007), Recommendations for an Effective Continuous Audit Process, available at:
www.theiia.org/ITAuditArchive/index.cfm?catid=21&iid=519 (accessed 7 November 2012).
Gehrke, N. (2010), “The ERP AuditLab – a prototypical framework for evaluating enterprise
resource planning system assurance”, Proceedings of the 43rd Annual Hawaii
International Conference on System Science.
Liebenberg, A. and Hoyt, R. (2003), “The determinants of enterprise risk management: evidence
from the appointment of chief risk officers”, Risk Management and Insurance Review,
Vol. 6 No. 1, pp. 37-52.