Continuous Auditing/Continuous Monitoring (CA/CM) is a relatively new concept which involves real-time and continuous collection of business info with the aid of IT techniques.
A recent KPMG international survey involving seven hundred organizations in the EMA region (Europe, the Middle East and Africa), including Romania, revealed 6 key observations about the adoption of the new concept as a tool for monitoring business risks:
1. Implementation of CA/CM facilitates a real-time operational assurance and a reduced burden of line management, detection and correction of irregularities and timely identification of process improvements.
2. Repetitive processes and those susceptible to risk, such as financial management reporting, require sound control which can be ensured through CA/CM.
3. In most cases, internal audit introduces CA/CM into an organization for the first time as the new concept brings greater efficiency to the internal audit work and enhances the value which internal audit gives to the business.
4. Although organizations do realize the need for timely identification of controls which are not functioning properly, the current adoption rate of CA/CM is still low.
5. The largest barrier to the adoption of CA/CM is the limited insight into the tooling available on the market.
6. Organizations are changing position from just being interested in CA/CM to actually investing in CA/CM – related projects.
„The logical evolution of an internal audit function in the current economic environment consists of using to a larger extent the facilities offered by IT systems,” says Georgiana Iancu, Senior Manager, KPMG in Romania. “As part of their work, internal auditors have constant experience with data analytics which they use to identify irregularities and deviations from a sound internal control environment. This experience has contributed to the message delivered to management on the need for implementing a system able to provide information not only on request, but continuously, to facilitate a quick, cost effective and efficient reaction to business anomalies.
For example, by using traditional auditing methods, the improper approval of a significant transaction might only be identified a couple of months from its initiation and only if it was selected by the internal auditor in his or her testing sample. If CA/CM is implemented, the information system alerts top management and internal audit in real time about the initiation of such a transaction. The manager who receives the alert investigates immediately the circumstances of the erroneous approval and takes necessary measures, while the internal auditor’s job will merely be to ensure that the breach of internal procedures or of the limits of authority was adequately addressed by management and will report on this to the Board.”
The KPMG study indicates that the business processes which would most benefit from CA/CM are Financial Management Reporting and Treasury and Cash Management. According to Richard Perrin, Partner KPMG Romania „typically, the business areas that tend to have greatest return on investment in an initial CA/CM implementation include: manual journal entries, purchase to pay, order to cash, inventory management, as well as time and expense.
For example, organizations can use CM to help align components of the procure-to-pay cycle so vendors are not paid too early but in line with the terms of the contract. CM enables management to evaluate the date of purchase, the due date of the invoice and date of payment. Automating manual processes to detect issues early and prevent escalation can save retrospective remediation costs. Companies that take continuous monitoring seriously will make the most out of the possibilities offered by new IT developments. CA/CM will help them obtain assurance of the quality of their business processes while avoiding surprises and will ensure that these processes are run as reliable and efficiently as possible.”
The KPMG survey shows that the majority of companies currently use conventional methods, such as random tests and letters of representation to provide assurance to management as to the effectiveness of the control measures taken. Only a limited number of companies monitor controls and transactions on an automated and continuous basis. However, growing interest in CA/CM is increasingly prompting organizations to test it through pilot projects of up to 100,000 euros, which will take place over the next two years.
„The process of introducing CA/CM can be complicated, but this investment of time and resources will be highly valuable to a company’s long term development. Once introduced, management will feel much more in control of processes, and better able to plan for growth of the business with confidence. Our experience at KPMG in helping clients to select the proper IT solutions for CA/CM, designing and implementing management reports and internal controls which could be monitored on a continuous basis and their integration with the existing governance, risk and compliance initiatives has shown that CA/CM is definitely the way forward to create greater transparency in an efficient and sustainable way”, concludes Richard Perrin, Partner, KPMG in Romania.