Harnessing the Power of Continuous Auditing_16 pptx


C09 11/25/2010 17:46:33 Page 136

many words should be required to illustrate and convey the risk and impact of the identified gap between the actual testing performed in the execution phase and the business unit standard identified in the foundation phase. If the overall opinion and the continuous auditing objectives have been rated consistently and the exceptions are built using the five-component approach, independent readers will be able to follow the information and link the exception detail to the objective rating that in turn will tie directly to the overall report opinion.

Background Section Describing the Business Process Reviewed

The final component that should be included in the continuous auditing report is the background. Background, for reporting purposes, is the section that provides a high-level overview of the business unit that partnered with internal audit on the continuous auditing program. Although the background section should be the simplest to create, it usually ends up being one of the hardest sections to draft. Internal auditors experience so many challenges as they create the background section because they tend to include every detail of the business unit function; their assumption is that such a level of detail is necessary for independent readers to understand what the business unit does.

In reality, the background section does not have to be at a granular level and explain every task that the target business unit produces. Especially for a continuous auditing program, the background section should be focused on the particular objectives related directly to the controls identified in the foundation phase of the methodology. When drafting the background section of your continuous auditing report, go back and review the foundation phase details before beginning to write. This quick refresher of the continuous auditing objectives will help you focus on what details need to be included in the background section.
The background does not need to be multiple pages or even multiple paragraphs. It should be clear, concise, and focused on providing supporting information explaining what the business unit does in regard to the particular objectives identified in the objectives grid illustrated in Table 9.2. You can validate the clarity of the background by matching the operational business summary in the background to the continuous auditing objectives. Limit any additional information included in the background section to how the business unit operations link to the function or division in which it operates.

136 & Continuous Auditing Reporting and Next Steps

Figure 9.1 provides a template for internal auditors to develop a focused background for the continuous auditing report.

Exception Memorandum

An exception memorandum is used to communicate the results of the completed continuous auditing testing. This format resembles audit work paper detail more than a formal communication of the continuous audit. The objective of this document is the same as for a formal report in that it is designed to communicate the results of the specific audit work performed. The biggest difference between the formal audit report and the exception memorandum is that the latter does not provide any formal assessment regarding the level of effectiveness of the control environment nor does it document the exceptions. The most attractive component of the exception memorandum, from the business owner’s perspective, is that internal audit does not provide an overall opinion based on the work performed during the execution phase of the continuous auditing methodology.

At a minimum, an exception memorandum contains an objective statement and a listing of any discrepancies identified in the execution phase of the continuous auditing program. Each component plays a critical role in conveying the results of the completed continuous auditing work.
Next we describe the two necessary components.

Objective Statement

The audit objective represents an explanation to independent readers of what testing was actually performed during the continuous auditing program. This objective statement is directly linked to the targeted area that was determined in the foundation phase of the continuous auditing methodology.

FIGURE 9.1 Continuous Auditing Background Format
Background
Enterprise Process:
Subprocess:
General Background:

Again, remember that it is critical for the audit objective to be developed from the business objective. The objective statement is direct and usually obtained from the corresponding work paper evidencing the continuous audit work performed. Unlike the objectives grid in the formal report (illustrated in Table 9.2), the exception memorandum audit objective statement is direct and requires no additional explanation or background. It is a pure statement that repeats the testing objective used in the work paper documentation. Also, this audit objective does not have a corresponding rating as to performance efficiency and effectiveness. It is used as a lead statement to explain specifically why the testing was performed.

This is one of the main reasons that internal audit departments prefer to use an exception memorandum as opposed to a formal report to document the continuous auditing testing results: No long explanations are required to support the audit objective, and a rating does not have to be assigned and explained. Without these additional details, the audit objective should take responsible auditors only moments to create; often the testing objective can be taken directly from the work paper documentation. Whether you draft or copy the audit objective from the work papers, remember to verify that it relates directly back to the overall continuous auditing objective and the business objective.
Discrepancy Listing

The discrepancies reporting in the exception memorandum is very different from the exceptions reporting in the formal report format. In the exception memorandum type of continuous auditing report, any discrepancies, identified during the execution phase where the actual work performed does not agree with the business operational standard, are documented in a bulleted format. This summary format lists the raw results that were identified during the testing. This type of summary for exception documentation detail is also known as a laundry list. As in the audit objective for the exception memorandum, here there is no need for details surrounding the testing, sample selection, or work details. Only the discrepancy facts are listed.

Also, another significant difference between the exception memorandum and the formal report is that the responsible auditor creating the memorandum does not have to write the identified discrepancies using the five-component approach. As a matter of fact, any internal auditors, regardless of their audit experience, can develop a very successful exception memorandum; all it requires is transferring the continuous auditing testing results verbatim from the work paper to the memorandum for communication to the business owner.

Although the discrepancy listing is not the most well thought out composition of writing due to its lack of supporting details, it still accomplishes the goal of communicating to business owners the results of the continuous auditing program that was executed in their area. The aim is for the discrepancy listing to provide sufficient detail for business owners to understand exactly what was identified during the testing. It is hoped that business owners have the process knowledge to understand the severity of the risk associated with the discrepancies listed in the exception memorandum.
The goal, as with any internal audit report, is to convey the noted exceptions to ensure not only that business owners are aware of them but also that they recognize and agree to address the identified gaps. At the completion of the continuous auditing program, the discrepancies noted must be communicated to business owners so that they can be addressed. Depending on business owner experience and expertise, an exception memorandum may be sufficient to communicate the information; if business owners do not have the ability to recognize the risk and the corresponding action that needs to be developed and implemented to reduce the exposure to the company, then a formal report may have to be used to convey the exception detail and request for corresponding action.

There are many factors to consider when determining the type of report to communicate the continuous auditing results. Take into account the advantages and disadvantages of each type of report discussed next before finalizing your continuous auditing methodology as to the report format that will be used consistently to report and obtain the appropriate business owner actions.

ADVANTAGES AND DISADVANTAGES OF REPORT TYPE

As with any internal audit report, there are always different formats responsible auditors can use to communicate the results of the particular testing performed. The choices for the continuous auditing methodology are a formal audit report, just as would be issued for a full-scope audit, or an exception memorandum.

To help evaluate these two distinct reporting formats, Table 9.3 lists advantages and disadvantages for each one. This table is not designed to capture every advantage and disadvantage of the two types of reports but provides a solid outline to make an informed decision.
When determining which format will be the most effective for you and your company, consider the advantages and disadvantages listed before making a decision. It is hoped that this table will help you focus on the different aspects of the report formats that correspond to your internal audit department as well as your business unit clients.

TABLE 9.3 Report Format Advantages and Disadvantages

|               | Formal Report                              | Exception Memorandum                               |
| Advantages    | Provides overall opinion                   | Quick and easy to create                           |
|               | Five-component detail for exceptions       | Requires no ratings or overall opinion             |
|               | Identifies corresponding risk              | Informal                                           |
|               | Requires management action                 | Requires no experience to develop                  |
|               | Consistent report format                   | No distribution (usually)                          |
|               | Taken more seriously                       | No formal management action                        |
|               | Distributed                                | No management buy in needed                        |
|               | Formal communication                       |                                                    |
|               | Documents specific objectives              |                                                    |
| Disadvantages | Requires experience to draft               | Lacks detail                                       |
|               | First one is time consuming                | Contains no ratings for comparison                 |
|               | Need management buy-in                     | No distribution                                    |
|               | Requires risk knowledge and interpretation | Assumption of risk understanding by business owner |
|               | Assigns an overall opinion                 | No action item accountability                      |
|               |                                            | Addresses risk based on hope                       |

REPORTING OPTIONS SUMMARY

A significant amount of information has been provided regarding the different reporting types available for the execution phase of the continuous auditing methodology. However, it is important to note that the objective of any internal audit report format is to convey a need to address a confirmed gap in a business process. The confirmed gap identified reflects a risk to the business unit and the company as a whole. The report’s goal is to get an action from business owners to address the cause of the exception noted. One quick caution regarding the exception memorandum format.
I realize that this format appears to be the way to go because it is simple to produce and just regurgitates the testing performed. However, be sure to consider one of the most significant disadvantages with this method: the lack of distribution. If you do not communicate continuous auditing report exceptions to anyone but the process owners, there is a risk that the required action needed to address the cause will not get completed or at least not in a timely manner. But the continuous auditing methodology will follow the approach phase and repeatedly identify the same exceptions that could possibly grow in significance over time. Any identified risk not addressed in a timely manner by business unit management always poses a greater risk the longer the exposure goes unaddressed.

Therein lies the challenge. At some point during the continuous auditing execution (month after month), there will be a need to raise the issue to another level in order to get the appropriate action to address the risk. Keep in mind that the business partner involved in the continuous auditing program is not intentionally ignoring the need for action. The business owner wants to address the cause but has many other responsibilities and problems to deal with in the day-to-day business process. And if internal audit has no requirement for a formal action plan and only the business owner is aware of the current exception, it gets reprioritized and moved down on the list of things to do. The need to raise an exception detail to another level will reflect poorly on the business owner who appears to have ignored an identified risk and also hurt the internal audit department’s relationship with the business partner involved in the continuous auditing program. All of these aspects must be considered when deciding on the most appropriate report format to use in your continuous auditing methodology.
It is also possible to create a combination report that combines the formal report and the exception memorandum. From my experience, the most effective reporting format for a continuous auditing methodology always is the formal report because it is formal, requires an overall opinion, contains the five-component approach, requires management action, and is distributed. But more than any of these aspects, it keeps the internal audit department delivering a consistent product that provides a clear message to the business owners, senior management, audit committees, and external parties as to the state of risks identified and the corresponding control environment effectiveness of the business process under review.

In an effort to clarify a couple of the key distinctions in the report selection process, we are going to discuss two specific components that play a significant role in every report but have a particular impact on communicating the findings in the continuous auditing methodology. The two components are report ratings and report distribution.

Report Ratings

Anyone who has spent time in internal audit or has been a partner in an internal audit knows that the rating process is challenging. Whether it is for an overall opinion or an individual audit objective, consistent application of ratings requires a solid knowledge of the business process and associated risks. Implementing standard definitions for the ratings that are to be applied assists the auditors in consistency of rating determination. Ratings in general are a point of angst for business unit owners because the overall rating is drawing a conclusion on the business processing unit’s effectiveness in achieving its objectives. Keep in mind that the conclusion being derived usually is based on a sample test performed by an outsider and represents only a fraction of what the business unit processes on a daily basis.
At least that is the way business owners see it. To a certain degree, that is a fair assessment of how internal audit executes an audit plan. The details being left out are that the internal audit samples selected are well thought out after a significant effort has been spent on planning and represent testing of the most critical controls supporting the achievement of the business objectives.

All detail aside, it still comes down to assigning a rating to the work performed. In a continuous auditing program, the rating is applied to the specific objective determined during the foundation phase and is based on the results of the testing performed during the execution phase. The rating that is going to be assigned communicates to independent readers the strength of the business unit control environment as it pertains to the objective and corresponding controls tested. Most rating scales have at a minimum three possible ratings: satisfactory, needs improvement, and unsatisfactory. Each rating must have a definition that specifically explains the risk represented when receiving that particular rating.

With all of the details and documentation required for ratings, audit departments have to determine if it is really worth evaluating control environments to this level and then having to explain it to business owners. Except when a satisfactory rating is achieved, responsible auditors will have to expend energy explaining why business owners receive a less-than-satisfactory rating. Providing these explanations is a challenge, especially with continuous auditing reports, because they are completed on the established recurring cycle. To ease the communication and ultimate business unit acceptance of the rating details, some internal audit departments have switched to rating with colors instead of words.
The color scale for this type of rating system would be green for satisfactory, yellow for needs improvement, and red for unsatisfactory. Believe it or not, this quick switch helps reduce business owner discussion by a significant amount. It is much easier for a business process owner to accept that their control environment is yellow than to say that the control environment needs improvement. So much time is wasted when it comes to reporting because specific words are being debated and interpreted differently. If you are having those types of discussions, consider making the switch to color ratings instead of words.

A stated rating in the report, whether it is words or colors, provides a specific conclusion from the internal audit department as to the current effectiveness of the control environment in which the continuous auditing testing was completed. This rating can be used by the internal audit department and other internal groups, such as enterprise risk management, to evaluate the overall risk and control effectiveness of the particular business unit reviewed as well as the department, division, or company. Providing a rating on the continuous auditing report also drives consistency from a service delivery standpoint and can be used to summarize and categorize risk across the company.

The alternative of not providing a rating is so attractive because it removes the most contentious component of any internal audit report from the equation. But there are risks to issuing a report without any rating. These risks include, but are not limited to, informal communication, work performed with no conclusion, unknown risk level of process tested, and an interpretation factor of control environment effectiveness.
Probably the biggest risk is the interpretation factor that an independent reader is required to apply to the continuous auditing results because no overall opinion has been rendered by the company’s control evaluation experts: internal audit. This can be very dangerous. Allowing independent readers to reach their own conclusions can go one of two ways. They can interpret a result as bad when in reality it is not, or they can interpret a result as good when in reality it is not. The challenge is not just in a mistaken interpretation; the bigger exposure is that independent readers could make business decisions based on erroneous interpretations and could cause significant exposure to the business unit or the company. To ensure that there is no opportunity for misinterpretation of continuous auditing testing results, consider including an overall opinion based on risk in your report format.

Table 9.1 can assist you in incorporating color ratings in your continuous auditing report. This is the color rating format that I use for both my continuous auditing methodology and for my full-scope reviews. If you prefer not to use colors, you can still use the explanations included in Table 9.1 since they include the standard satisfactory, needs improvement, and unsatisfactory definitions with each corresponding color. However, I recommend utilizing the color rating system as it is easier on business owners and more versatile in high-level reporting.

Report Distribution

Distribution is the other specific component to be discussed in relation to the continuous auditing report. Distribution is the process by which the report is sent out to other parties in addition to the business process owner. Distribution seems straightforward and easy to understand, but often it is not performed during the execution phase of the continuous auditing methodology.
Many internal audit departments believe one of the best ways to gain acceptance of the continuous auditing methodology is by telling business owners that the report will not be distributed to anyone other than themselves. The responsible auditor and the business owner agree to discuss discrepancies identified during testing and not to discuss the results externally. Although this may seem like a good approach, it can cause significant challenges long term.

To illustrate the point, consider this example. A continuous auditing program has been launched in a department, and the business owner and the responsible auditor make an agreement that the report will not be distributed to anyone other than the process owner. Note that it does not matter what type of report the continuous auditing methodology is slated to issue. The only item to focus on in this example is that the final report will not be distributed. Also, for this example, consider that we are dealing with a continuous auditing objective that has transactions occurring multiple times every day and that the testing frequency will be "6-9-12," as described in Chapter 5. This frequency requires testing to be executed for the first six consecutive months and then at the end of month 9 and month 12.

In our example, testing in the first month reveals no reportable issues. The continuous auditing report is issued and indicates no reportable issues; everyone is positive about the results. However, in month 2, the testing identifies a reportable control weakness. The weakness is supported by the testing and validated with the business owner. Everyone agrees it is an exception, and it is documented in the report and provided to the business owner for remediation. In month 3, testing shows the same exception noted in the prior month.
This is not uncommon; it usually takes 60 days to recognize a change in the continuous auditing testing results. The month 3 report is issued and accepted by the business owner. In month 4, the responsible auditor expects that the testing results will show an improvement. After completing month 4 testing, however, the responsible auditor not only does not see any improvement but also notices that the exception has gotten worse. After discussing the results with the business owner, the responsible auditor realizes that control improvements are not going to be coming anytime soon and the exception details need to be communicated to the next level to ensure the risk gets properly addressed.

With this recognition, the responsible auditor must now tell the business owner that the prior results are going to be communicated to a distribution, which will include additional parties outside the business unit to assist in obtaining the proper attention to address the issues noted. This "betrayal" (from the business owner’s point of view) will cause a significant relationship problem between internal audit in general and the business unit. Unfortunately, in this example, expanding the continuous auditing report distribution is the only way to ensure that the control exception will be addressed. It is difficult for any process owner to commit to an action plan without formal accountability and the knowledge that other individuals in the company are aware of the issue and are expecting a remedy to be created and [...]

... foundation of the methodology The first month of testing is critical because all subsequent continuous testing performed is executed with the same program, which only increases the reliance on the dedicated performance of the business process validation targeted by the continuous auditing program The goal of the approach review is to ensure that there is a direct link among the critical components of the continuous. ..
subsequent months of continuous auditing testing This simple step does not take a significant amount of time but provides a huge value to the audit department over the course of the continuous auditing program Process Changes Review One of the most significant differences between the continuous auditing methodology and a full-scope audit methodology is the frequency of the testing Since the planning for... communication of the results of the continuous auditing program However, there is always the risk that an action plan is developed that addresses the condition, not the root cause This is a common mistake and often is the result of not taking sufficient time to understand the five-component approach before discussing exception specifics with business process owners The condition is the component that initiates the. .. focused on the requirements of the continuous auditing methodology; by doing so, they will develop and implement the appropriate actions To ensure that business process owners stay focused on addressing the root cause with their corresponding targeted action plans, there is no need to search and develop the perfect action especially during the execution of a continuous auditing program The continuous. .. temptation, the rush to implement a quick fix is even more of a temptation Every person, especially from the business unit, believes they understand what it will take to correct the exceptions noted during the continuous auditing program The development of action plans that address symptoms of the exception rather than the root cause identified during testing are very common and the direct result of incorrect... 
or challenge the method or even location where the continuous auditing testing takes place Any of these testing nuances should be formally documented in the continuous auditing work papers so that the next responsible auditor to execute the testing is aware of any potential challenges with performing the work The goal of the testing nuance documentation is to compile a detailed profile of testing requirements... aware of the importance of the five-component approach and its impact on not just the reporting responsibility of communicating the exception but also the action plans that will be developed to address the specific issues noted as a result of the continuous auditing testing Management Buy-in Since the internal audit department is not responsible for developing and ultimately building the action plan, the. .. significant amount of additional time but are necessary to ensure not only the completeness of the continuous auditing file but also to provide coaching notes for any auditor who performs subsequent testing The unique requirements of the foundation, approach, and execution phases of the continuous auditing methodology dictate the necessity for these review steps to ensure completeness and strength of supporting... because it is the same exact standard that was identified in the approach phase of the continuous auditing methodology when the testing criteria was developed The criteria represents the specific standard that the selected sample tested was verified against Without knowing the processing standard, the continuous auditing program could not have been executed When developing the criteria component for the exception... 
long as the work is performed in accordance with the phase requirements Testing Nuance Review The objective of the testing nuance review is to document any anomalies identified during the first few months of executing the continuous auditing methodology There are instances when the sampling, information or data gathering, or testing execution requires a distinct process or technique Another example of a

Date posted: 20/06/2014, 20:20
