Continuous Assurance 101 Miklos A. Vasarhelyi •AT&T Laboratories •Rutgers University

Outline

• Electronization
• Continuous measurement & reporting
• Continuous assurance
  • Efforts and statutes
  • Concepts
  • CPAs
• Enron ????
• Conclusions

[email protected]

http://raw.rutgers.edu/continuousauditing

Electronization of Business

[Diagram. Labels recovered from the figure:]
• Advertising; Pre-sale care; Sale; Delivery; Payment; Accounting; E-care; Auditing
• Web advertising, Customization, Banners
• VRS, Auto Responder
• Web-based Cash register, Shopping carts, Click paths, E-Catalog
• Web-based, Credit card, E-cash, Micropayments
• Continuous, ERPSs, New Paradigms
• Bitable, Non-bitable
• Continuous, Automatic Confirmation
• Inventory; Manufacturing; Tracking; E-Catalog
• B2B Purchasing, Open EDI, Extranets, Consortia
• Tech support, Lead Follows, Help desk
• Purchasing; Tracking
• Marketing: Individual targeting, Spamming, Virtual communities, Customer party lines
• Logistics: Tracking
• Finance: E-banking, E-hedging, E-Trading
• Human Resources: Tracking

Key Financial processes being electronized

• measurement (accounting)
• control
• Assurance

• evolving revolution in corporate financial processes and the financial industry
• several world class organizations are leading this effort

Continuous reporting

SEC roundtable of 4/4/2002

Priority no. 1: real-time reporting. Real-time reporting should take highest priority. More frequent reporting of results will help solve the problem of managed earnings because daily or weekly earnings will be harder to manage than quarterly earnings. SEC's proposal for faster reporting of some 8-K items is helpful, but it doesn't go far enough.

Short interval reporting

• Cisco’s virtual close
• Real balances of certain accounts
  • Cash, accounts receivable, accounts payable, inventory
• Estimates / allocations
• Behavioral changes
• End-of-period adjustments
• Competitive fears
• Scorecards (Bob Kaplan)

Increased frequency and scope of reporting

• Obstacles are not technical
• Internal vs external reporting
• Litigation fears
• Who needs continuous reporting?
• Increased transparency
• Qualitative, environmental, social, and other reporting
• Multi-layered reporting (the FD rule)

Is Continuous Reporting Necessary for Continuous Assurance?

• ‘continuous’ measurement is necessary, but the time frame is contingent on the process
• Batch process cycles limit the process
• Companies measure a much wider set of variables to support a multitude of continuous processes

The Assurance Services (Elliott) Special Committee proposed an evolution of services towards “real-time” assurance

[Diagram labels: Real-time assurance on on-line databases; Systems Reliability Assurance; Report on internal control; Tomorrow; Today; Ultimately]

Continuous Assurance

History

• CPAS effort and embedded modules (ITF) – 1987
• AICPA / CICA monograph 1999
• Continuous systrust 2001
• Panel next ?????
• Much academic interest since 1999 (3 symposia, this year in the UK)

Current Practice

• HCA Healthcare
  • Several monitoring and auditing functions
• Martin Marietta
  • Data driven risk model
• Federal Reserve of New York
  • Network Monitoring

Why not?

• “my problems are not with transactions but with legal exposures and environmental effects”
• “this is not auditing, it is supervision”
• “this opens substantial data for the competition”

A Dramatic Change in the Audit model

1. The continuous assurance model has many clients
2. The continuous assurance model has a different justification
3. A new toolset
4. The continuous assurance model is an instance of operational monitoring
5. The continuous assurance model will turn the audit process into audit by exception
6. The continuous assurance model covers a wider set of quantitative and qualitative non-financial data
7. The continuous assurance model has different independence considerations
8. The continuous assurance opinion has some futurity implied in it

Pseudo report 1

We have examined the reliability and financial reports of ABC corporation and have been engaged on a continuous assurance engagement for the fiscal year of xxxx. We will monitor the organization’s operations and strategic accomplishments using a wide set of analytics as described in http://www.ca.com/analytics and other analytics we deem appropriate and will report on an audit by exception basis when more than xx % variance is found in operational and strategic standards or when we deem it appropriate. This exception report will be issued to all customers registered (paying) at http://www.ca.com/analytics/customers.

CPAS concepts

• metrics
• Analytics / continuity equations
• standards:
  • of operation
  • of variance
  • others
• alarms
• measurement vs monitoring

CPAS concepts

• The essence of monitoring and control is the comparison of a measured value (metric) with a model of behavior (standard)
• Control of a process implies detecting variances and either accepting them or exerting action for change
• Assurance is a meta-level for measurement, monitoring and control that detects anomalies in this process or provides re-enforcement of its proper performance

Monitoring, control and assurance

[Diagram labels: Measurable Processes; metrics; Standard; Comparison of actual and model; Discrepancy detected; Management action on discrepancy; Feedback loop of action; Assurance process: verifies the metrics and the control]

metrics

• Are direct measurements of elements that measure corporate processes
• Can be expressed in many types of units
  • A phone call has minutes, origination, dollars and modified dollars.
  • Metrics also work in aggregates (e.g. bottles, cases, liters, tons, etc.)
• Automated sensors substantially improve the value of a metric
• Metrics can be combined into higher-level metrics with more meaning
• Managers develop an intuitive feeling for metrics

Analytics

• Traditional analytics encompass time series and cross-sectional analytics
• CA adds structural analytics provided by multivariate continuity equations
• Some CA analytics include:
  • Comparisons with constants
  • Relationships of variables
  • Daily, hourly, continuous reconciliations
  • Loose relationships (e.g. 10% increase in advertising creates 3% increase in sales)

standards:

• Types
  • of operation
  • of variance
  • relationships
  • others
• Can be
  • empirically derived
  • model derived
• Have to be realistic

Alarms

• Multiple levels and purposes
  A. Inform continuous assurers
  B. Inform operations
  C. Inform operations and auditors
  D. Inform operations / auditors / top management / audit committee / regulators
  E. Suspend the process
• Level is an attribute of the alarm

Methods of data capture

• measurement vs monitoring
• Database queries
• Capture of temporary datasets
• Parsing of electronic reports
• Direct process taps programmed into the transaction routes

Principles of Continuity Equations

• Different stages of the product life cycle have different metrics
• Continuity of processes creates relationships between different variables
• Most processes have metrics being expressed in different units (volumes, dollars, units, etc.)
• There are intrinsic relationships between these values that can add substantively to basic analytical review
• Standards must be developed for these relationships
• The understanding of these relationships will avoid major process discontinuities or will identify them for scrutiny

Continuity Equations / Long Distance Billing

[Diagram: stages numbered 1 to 5 in the figure]
1. Receiving call detail data from independent telephone companies in mag. tapes
2. Creating datasets
3. Splitting call detail into files to be posted to different billers
4. Posting from one biller file to accounts in several billing cycles
5. Rating each billable customer
Relationship labels in the figure: one-to-one, many-to-many, one-to-many

Linking financial and non financial processes analytically
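An added example, not part of the original slides: the continuity-equation and alarm concepts above applied to record counts from a multi-stage billing flow. The stage names follow the diagram; the counts, the variance thresholds and all Python names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Alarm levels A-E as on the slide (A: inform assurers only ... E: suspend the process).
# The variance thresholds are assumed values chosen for this illustration.
LEVELS = [(0.20, "E"), (0.05, "D"), (0.005, "C"), (0.001, "B"), (0.0, "A")]

@dataclass
class StageCount:            # one row of metrics captured from a process stage
    stage: str
    received: int            # records entering the stage
    passed: int              # records handed to the next stage
    errors: int              # records routed to an error file
    dropped: int             # duplicates and deliberately discarded records

def alarm_level(gap, base):
    """Compare a metric with its standard (zero unexplained records)."""
    if gap == 0:
        return None
    variance = abs(gap) / base if base else 1.0
    return next(level for threshold, level in LEVELS if variance > threshold)

def check_continuity(stages):
    """Return (stage, equation, gap, level) for every broken continuity equation."""
    alarms = []
    prev = None
    for cur in stages:
        # Equation 1, inside a stage: received = passed + errors + dropped
        internal = cur.received - (cur.passed + cur.errors + cur.dropped)
        checks = [("internal", internal, cur.received)]
        if prev is not None:
            # Equation 2, between stages: previous passed = current received
            checks.append(("handoff", prev.passed - cur.received, prev.passed))
        for equation, gap, base in checks:
            level = alarm_level(gap, base)
            if level:
                alarms.append((cur.stage, equation, gap, level))
        prev = cur
    return alarms

# Constructed sample counts, not data from the slides.
SAMPLE = [
    StageCount("receive call detail", 1000, 998, 2, 0),
    StageCount("split to billers", 998, 998, 0, 0),
    StageCount("post to accounts", 988, 988, 0, 0),         # 10 records lost in transit
    StageCount("rate billable customers", 988, 986, 0, 0),  # 2 records unexplained
]

if __name__ == "__main__":
    for alarm in check_continuity(SAMPLE):
        print(alarm)
```

Because the level is computed from the size of the variance, the same check can route a small gap to operations and a large one to the audit committee without changing the equations.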

CPAS effort (II)

The auditor will place an increased level of reliance on the evaluation of flow data (while accounting operations are being performed) instead of evidence from related activities (e.g. preparedness audits). Audit work would be focused on audit by exception with the system gathering knowledge exceptions on a continuous basis.

CPAS OVERVIEW

[Diagram labels: System; Operational Report (three); Filter; Database; System Operational Reports; Workstation; Data Flow Diagrams (DF-level 0, DF-level 1, DF-level 2); Alarm; Reports; Analytics; Metrics]

[Screenshot: FlowFront - Interactive Flow Diagram Viewer - AT&T Bell Laboratories - Murray Hill, NJ. Date: 04/01/89. View: Billing System - Customer Billing Module. FlowFront Hierarchy entries: Overview, Pay, Inquiry, Billing, Bill Upda, AmtDue, Errors. Flow labels: Customer Database, Extract Customer Accounts, Calculate Amount Due, Update Billing Info, Journal Files, Format Bill, Print Bill, Process Errors, Accounts Missing: 10. Counts shown on the flow: 1000, 1000, 998, 988, 2, 0.]

[Screenshot: Flowchart Front End - C.J. Calabrese, F.B. Halper, J.S. Lavin, T-W. Pao, M.A. Vasarhelyi, C.S. Warth. Date: 11/27/89. RPC: SS, PE: 60. View: MESSAGE PROCESSING. Flow labels: Message Validation, Message Completion, Message Investigation (MIU), Duplicates and Dropped Records, Interrogation/Deletion (to Billers), Returns, Transfers, corrected errors, errors, recycles, reject, held, dropped (excl. invalid IX), invalid IX code, LUB and to other billers, passed to message completion. Record counts are displayed on each flow.]

[Screenshot: FlowFront - Interactive Flow Diagram Viewer - AT&T Bell Laboratories - Murray Hill, NJ. Date: 04/01/89. RPC: Silver Springs, PE: 60. View: Billing System - Overview.]

[Chart: Percent Of Accounts Successfully Billed. Y axis: Percent Billed, 0 to 100. X axis: 3/16, 3/17, 3/18, 3/21, 3/22, 3/23, 3/24, 3/25, 3/28, 3/29, 3/30, 3/31, 4/1. Plotted values as extracted: 100, 99, 99, 99, 100, 98, 98, 97, 95, 98, 67, 23, 85. Mean: 89.076923076923 StdDev: 21.872591442494]

New technologies need new thinking

• Internetworking and extreme intrusion
• Confirmatory extranets
• Analytic webs and fourth and fifth party assurance
• Intelligent transaction detection
  • Sniffers, exposure databases, pattern detectors, common fraud databases

The Enron debacle

• Would CA have detected the problem?
  • Would have reduced it
• If transparency is desired it can be obtained to the extreme
  • Other forms of third party monitoring can deal with management fraud and audit collusion
  • Are we willing to go that far?
• Financial engineering and opacity together are a deadly mix

Monitoring and Control Business at AT&T Laboratories

“Focus group” objectives

Understand the business models that can emerge from the CA effort

• Keeping independence of CA
• Partnerships
• Changing the audit paradigm
• Bringing in new confidence on the process
• Linking with network and IT assurance

Center for Continuous Auditing

• A consortium of major Universities led by Texas A&M
• J. Don Warren Director
• Will probably host this conference next year

Charter Board of CCA Research Fellows

• Arizona State University: Kurt Pany, Paul Steinbart
• Indiana University: Michael Groomer
• Rutgers University: Miklos Vasarhelyi, Alex Kogan, Michael Alles
• Texas A&M University: James Flagg, Uday Murthy, Chris Wolfe
• University of Tennessee: Jake Rose, Jon Woodroof

The Center for Continuous Auditing: An Alliance of Arizona State University, Indiana University, Rutgers University, Texas A&M University and University of Tennessee

Center for Continuous Auditing (cont.)

in the process of finalizing the Advisory Board

• The Honorable David Walker, US Comptroller General
• Robert Herdman, SEC Chief Accountant
• Jim Gerson, Chair, Auditing Standards Board
• Barry Melancon, President of AICPA
• Bob May, Dean, McCombs School of Business, The University of Texas
• John Verver, Vice-President of ACL
• Sander Wechsler, ISACA

Conclusions

• Need to re-think third party assurance with focus on the client
• Need to rethink the audit to use new technology (analytic, IT and TC)
• More links are needed with XML derivative technologies
• We need a new business model
