Continuous Auditing: Tips from the Front Line
by Lamont Wood

If "continuous auditing" were a marketing term it would be one of the worst on record. For managers inured to enduring financial audits for a couple of weeks after the end of the fiscal year, it implies a never-ending ordeal. With IT controls, it implies that someone is constantly looking over the staff's shoulders. But if done right, sources agree, continuous auditing should actually result in less work and expense than traditional auditing. Problems can be caught on the fly rather than after the fact during a periodic audit. By the end of the year there should be no surprises. However, that assumes that the task is approached correctly, the right fundamentals are in place, and various pitfalls are avoided.

Fundamentals

A correct approach involves understanding the difference between monitoring and auditing. Monitoring is what management does. Auditing involves an outsider (the auditor) checking to see whether management responded appropriately to whatever problems were identified by the monitoring. However, the two processes often use the same tools, noted Everett Johnson, a retired Deloitte & Touche partner in Boston and former international president of ISACA. Continuous IT auditing, for example, assumes the presence of automated monitoring tools, either as part of the server operating system, the enterprise's security packages, an ERP system, or third-party scripting software, Johnson added.

But whatever it is, the automated system has to be running smoothly before continuous auditing is practical. "Typically, with continuous auditing you tend to be auditing by exception, and if the system is not well run you can get to the stage where everything is an exception and you are no better off than before," warned Kevin Handscombe, a senior manager for KPMG in London.

Meanwhile, "continuous" usually means monthly, sources agreed, although, since the process is automated, the interval merely reflects the comfort level of the auditor.

As with any new initiative, management support is critical, and not just because management needs to commit the necessary resources. "The auditors will be accessing much more data than they used to, and the response of any IT department worth its salt is to deny everyone's access to everything," Handscombe noted. "And then you need managerial support to do something about the things that the auditor identifies. When a control is broken, and they don't do anything about it, that defeats the object."

Careful Planning

Next comes careful planning. Sources agree that you should target the control that seems to involve the most risk, and run automated tests on it at appropriate intervals. With IT controls, a common choice is to check for the presence of ex-employees on the network.

For instance, "We run a number of continuous auditing scripts, mostly to identify terminated users on the network and dormant accounts (unused for more than 90 days) on various systems," said Jill Daigle, internal auditing director for Amedisys Home Health Services in Baton Rouge, LA. "We make sure that management has taken the necessary steps to ensure that terminated users and dormant accounts are not on our network."

But such follow-ups are not a given, sources warned. "We find that when they start these projects there is a grand plan for automating and not a lot of planning for interventions," noted Sheri Fedokovitz, with the Detroit office of Deloitte & Touche. "It takes time to identify the key controls you want to monitor, decide who is responsible for following up exceptions, and refine the criteria to reduce false positives. These are the keys that you want the business to focus on."

Avoid Self-Auditing

Creating the scripts used for the automated tests risks pitfalls unique to the field of internal auditing, explained Daigle. Each script should be developed by one internal audit team member and then independently tested by another team member, Daigle noted. That implies that the scripts need to be fully documented, including the input files, the run-time procedure, the output files, who gets the results, and the purpose of the test. While management is allowed to use the scripts, the auditors should not specifically develop scripts for management use, because they could eventually end up auditing their own work, Daigle cautioned.

"When the auditors go into an area to review the internal controls and assess whether they're adequate, you cannot review internal controls that you developed," she said. "Anyone in management who wants to run a script is asked to sign a form that outlines what their responsibilities are and what our responsibilities are."

"The internal auditors should not be the ones monitoring the controls," agreed Fedokovitz. "They are supposed to audit the monitoring of the controls. Management should monitor the controls. Exception reports should be part of management responsibilities, and an internal audit should cover how management is responding, how they resolve the exceptions, and what remediation activity occurred."

Helpful Tips

The first run of a new script is often traumatic, sources agreed, since it is usually done with a substantial back-history file and the parameters of the script have not been refined to remove false exceptions. Subsequently, "The main danger is that you will set up a continuous auditing program and, since it's computerized, presume that it will always work," warned Sam BowerCraft, with the accounting firm of McKonly & Asbury LLP, in Camp Hill, PA. "It is important to go back and test the program to make sure it is doing what you think it is doing. You could have put the decimal in the wrong place and everything is passing because of that. It is also important to make sure your information systems are secured, to prevent tampering," he added.

Danny M. Goldberg, formerly the internal audit director for Tyler Technologies in Dallas, suggested submitting lists of people with access to various business systems to the managers of those systems, to make sure their access levels were appropriate. Regardless of what the system owners say, the auditors should then collect a sample of users and verify that their access level is appropriate, and that they actually had that access. The auditor should then ensure that there were no segregation-of-duty issues among those users. Daigle said her IT controls included a script that listed everyone with access to the firm's revenue stream. Initially they ran it monthly, but changed it to quarterly when no problems were found.
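The three checks described above (Daigle's terminated-user and 90-day dormant-account scripts, and the access-list and segregation-of-duties review Goldberg suggests) can be written as one small exception-reporting script. The following is an added example, not code from the article or from any of the firms it quotes. The account export, the HR termination list, the conflicting role pair (`vendor_create` with `ap_payment`) and the reporting date are all constructed for the example; the `self_check` function is there to illustrate BowerCraft's advice to test the script against data whose exceptions are already known, so a mistyped threshold or comparison is caught before the results go to management.

```python
from datetime import date

# Constructed sample inputs (not from any real system): an account export,
# the HR list of terminated user IDs, and a role pair designated as conflicting.
AS_OF = date(2024, 6, 30)          # reporting date for this monthly run
MAX_IDLE_DAYS = 90                 # dormant threshold from the article

TERMINATED_USERS = {"dave"}

ACCOUNTS = [
    {"user": "alice", "last_login": date(2024, 6, 28), "roles": ["vendor_create"]},
    {"user": "bob",   "last_login": date(2024, 6, 20), "roles": ["vendor_create", "ap_payment"]},
    {"user": "carol", "last_login": date(2024, 3, 1),  "roles": ["reporting"]},
    {"user": "dave",  "last_login": date(2024, 6, 1),  "roles": ["ap_payment"]},
    {"user": "erin",  "last_login": None,              "roles": ["reporting"]},
    {"user": "frank", "last_login": date(2024, 4, 1),  "roles": ["reporting"]},  # idle exactly 90 days
]

# Hypothetical segregation-of-duties rule: nobody should both create vendors
# and release payments to them.
CONFLICTING_ROLE_PAIRS = {frozenset({"vendor_create", "ap_payment"})}


def find_terminated(accounts, terminated):
    """Active accounts whose user ID appears on the HR termination list."""
    return sorted(a["user"] for a in accounts if a["user"] in terminated)


def find_dormant(accounts, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Accounts unused for MORE than max_idle_days; exactly 90 days is not dormant.
    An account that has never logged in (last_login is None) is reported as dormant."""
    dormant = []
    for a in accounts:
        last = a["last_login"]
        if last is None or (as_of - last).days > max_idle_days:
            dormant.append(a["user"])
    return sorted(dormant)


def find_sod_conflicts(accounts, conflicting_pairs):
    """(user, role_a, role_b) for every account holding both roles of a conflicting pair."""
    hits = []
    for a in accounts:
        held = set(a["roles"])
        for pair in conflicting_pairs:
            if pair <= held:
                role_a, role_b = sorted(pair)
                hits.append((a["user"], role_a, role_b))
    return sorted(hits)


def exception_report(accounts, terminated, as_of, conflicting_pairs, max_idle_days=MAX_IDLE_DAYS):
    """One exception list per control, for management to resolve and audit to follow up."""
    return {
        "terminated_still_active": find_terminated(accounts, terminated),
        "dormant": find_dormant(accounts, as_of, max_idle_days),
        "sod_conflicts": find_sod_conflicts(accounts, conflicting_pairs),
    }


# Known answers for the constructed fixture above.
EXPECTED = {
    "terminated_still_active": ["dave"],
    "dormant": ["carol", "erin"],
    "sod_conflicts": [("bob", "ap_payment", "vendor_create")],
}


def self_check():
    """Known-answer test: run the script against data whose exceptions are known in
    advance. A threshold typo (9 instead of 90) or a >= for > would fail this check."""
    return exception_report(ACCOUNTS, TERMINATED_USERS, AS_OF, CONFLICTING_ROLE_PAIRS) == EXPECTED


if __name__ == "__main__":
    print("self-check passed:", self_check())
    report = exception_report(ACCOUNTS, TERMINATED_USERS, AS_OF, CONFLICTING_ROLE_PAIRS)
    for control, exceptions in report.items():
        print(f"{control}: {exceptions if exceptions else 'no exceptions'}")
```

In production the account list and termination list would be read from the exported files the article discusses, which is exactly where Daigle's maintenance burden lives: any change to the export format lands in the import step, while the three checks and the known-answer fixture stay as they are.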

Traps to Avoid

Beyond that, "The biggest challenge I have had is obtaining input data files for testing that do not change over time," Daigle said. "Any user may request a new field, and suddenly you need to modify the import statement for your script. I did not realize the amount of time that script maintenance would take, for scripts in production."

Another big challenge, Daigle added, was getting team members up to speed on scripting software. But once they are up to speed, a script can be developed in two to four hours, depending on complexity. Documentation takes longer, but the truly time-consuming part is identifying the needed data files and getting them into usable form, Daigle said.

Your First Step

The biggest step, as always, is the first one. "It should be done via baby steps, on a case-by-case basis, and not through a big bang approach where tomorrow you're doing continuous auditing throughout the firm," Handscombe said.

"How do you eat a whale? One bite at a time," BowerCraft added. "You may identify 20 things you want to do continuous auditing on, then start one to get your methodology established and see the value in it. Do one this year, and next year do two and double-check your planning assumptions. Then if you do three the next year you will have six up and running."

"The more continuous auditing you do the more areas you will find that are great candidates for continuous auditing," added Jim Kirkpatrick, director of internal auditing at Shaw Industries Group, a flooring manufacturer in Dalton, GA. "The areas where you always had trouble, those are the prime candidates. And the more you get involved in an area the more you will find controls that could be automated, without taking any more of your time."

Lamont Wood is a freelance writer in San Antonio who has been covering the information technology field for a quarter century.