Continuously Audit

Transactions in Retail Banks

Aytekin Guzelis, CISA, CRISC
Ziraat Bank, IT Service Management, Deputy
Department Director
 What is CM & CA?
Continuous Monitoring is a process that
management puts in place to ensure that its
policies, procedures, and business processes are
operating effectively.

Management identifies critical control points and

implements automated tests to determine if these
controls are working properly.1
 What is CM & CA?
Continuous Auditing is
any method used by
auditors to perform
audit-related activities
on a more continuous or
continual basis.
Technology plays a key
role.1
 What is CM & CA?
Reports on implementation of CA/CM
systems are found as early as 1991, with a
system implemented at AT&T to monitor
billing data in real time.

In 1999, the Canadian Institute of Chartered Accountants

(CICA) and the American Institute of Certified Public
Accountants (AICPA) published a joint report on CA.2
 What do CM & CA do?
CM, automated and ongoing process.

Review of business processes by

management.

To detect adherence to and deviation from

planned/designed levels of performance and
effectiveness.3
 What do CM & CA do?
CA, Automated and ongoing
process.

Collecting process data that

supports audit activities by
internal audit.
Both test the transactions close the time at which
they occur.
Conceptual Model

Graph: The Institute of Internal

Auditors, “Continuous Auditing:
Implications for Assurance, Monitoring,
and Risk Assessment”
 Chief Audit Executives’ Paths to Add Value*
1- Focus on Critical Risks
2- Streamline Compliance
3- Leverage Technology Effectively
- 47% do not think their organizations use GRC
technology effectively
- 66% taking advantage of data analytics
4- Elevate the IA Function to be a Strategic Partner
* Findings from Grant Thornton’s 2013 Survey of Chief Audit Executives and Internal Auditors
 Value and Benefits of CM for enterprises
- More timely information, insights
on processes

- Assess the effectiveness of

controls (duplicate controls,
control gaps, needed controls)

- Detect risk issues

- Improve business processes
- Improve compliance and risk management, reduce costs
 Value and Benefits of CA for enterprises
- Supports internal and external auditing
activities.
- Coverage of almost 100 percent of transactions
- From static and cyclical (episodic) reviews to
continous and broader reviews
- Reduce audit costs, shorten audit durations
- Increase effectiveness
- Improve assurance
 Value and Benefits of CM & CA for enterprises

Coexisting is not a must but implementing both CM and

CA creates more enterprise value:3

- İncreasing coordination between management and

audit
- Minimizing the duplication of controls and efforts
- Quick adoption to changes in business, risks and
regulations
 Operation of CM & CA
Process
- Quality and control of the CM &CA testing and
analysis processes themselves 4
- Dealing with false positives and exceptions generated
Technology
- Using data anlysis software that is designed for quick
analysis
People
- Assigning appropriate roles to appropriate individuals
 Implementation Roadmap for CM & CA3
1. Develop the Business Case
2. Develop a Strategy for Adoption
3. Plan the Design and
Implementation
4. Build and Implement the CM & CA
System
5. Monitor Performance &Progress,
and Refine as Needed
Obstacles to Implementing CM & CA (technical & non
technical)-1
- Don’t understanding CM &
CA and implementation
issues (espc. IT side)

- Internal audit’s readiness,

inadequate capability

- IT and software
infrastructure, complexity
 Obstacles to Implementing CM & CA (technical & non
technical)-2
- Unrealistic expectations

- Creating a sense of
shared ownership
(project, data)

- Lack of Management
support & IT support
 Obstacles to Implementing CM & CA (technical & non
technical)-3
- Costs (technology, training)

- Audit-like functions, departments (internal controls,

compliance, fraud, internal audit)

- Staff turnover

- Leadership (not by IT, by Audit/Management)

 Benefits and Value Realization

History of CA in Ziraat Bank

What do CM & CA do in Ziraat Bank?

- CA by Board of Auditors
- CM by Internal Control Department
 How does Ziraat Bank CM & CA operate?

Team

IT Infrastructure

Processes
 How does Ziraat Bank CM & CA operate?

Auditor

DATA Central Audit Branch

DW ANALYTICS Team Mang.

Internal
Controller
 Many CM/CA Examples along with their results

- 63 % of the Bank’s embezzlement cases have been

detected by CA during the first two quarters of 2013.

- Monthly, over 40 Million transactions are processed

and nearly 17.000 of these transactions are reviewed.

- 145 running scenarios for data analysis.

 Conclusion

- Neither CM nor CA is a short-term project, but an

ongoing processes
- Management support and involvement is
fundamental
- Competent personnel (in both business and IT)
- They complement each other
- Quality and control of the CM & CA testing and
analysis processes themselves
 References

1) The Institute of Internal Auditors, “Continuous Auditing: Implications

for Assurance, Monitoring, and Risk Assessment”
2) M. A. Vasarhelyi; S. Romero; S. Kuenkaikaew; J. Littley; “Adopting
Continuous Auditing/Continuous Monitoring in Internal Audit”, ISACA
Journal, Vol. 3, 2012
3) Deloitte, “Continuous Monitoring and Continuous Auditing From Idea
to Implementation”
4) Verver, J.; “Continuous Monitoring and Auditing: What is the
difference?”, KnowledgeLeader by Protiviti
Thank-you…
 ISACA’s IT Professional
Networking and Knowledge Center
Where networking and knowledge intersect.

For more information on this and other Euro CACS / ISRM Topics or to network
with others interested in this topic, please visit ISACA’s
IT and Professional Networking and Knowledge Center:
http://www.isaca.org/Knowledge-Center

WE NEED YOUR FEEDBACK!

Use the Mobile App to give us your feedback for each
session you attend. You can also complete these
surveys through Survey Link from any computer.