Addressing SOX Compliance Challenges With Workiva
Continuous Auditing Is the Value Creating Risk Detector CFOs Dream About
Your financial reports are critical indicators of your enterprise’s health. That makes internal audit a doctor of sorts, tasked with reading and interpreting all of that financial data. Unfortunately, as competition increases and operations become more complex, that task gets more daunting by the day, especially when it’s rooted in slow and expensive manual processes.
But what if we told you there’s a better way to approach that essential role? One that doesn’t rely on manual processes and miles of zigzagging audit trails between your data sources and financial statements?
That’s exactly why continuous auditing (CA) is the future of your IA function. And as we’re about to explain, it’s risk management Valhalla for every CFO in search of maximum efficiency, speed, data integrity, and insight from their financial reporting and data.
What Is a Continuous Audit? Understanding the CA Basics
Before we dive in, let’s get something out of the way – we fully understand continuous auditing is one of the buzzier terms floating around finance and accounting departments these days. But just because CA is somewhat nouveau chic doesn’t mean it’s the financial equivalent of the fidget spinner, either.
There’s a reason the continuous audit concept is piquing so much interest right now. CA is a breath of fresh, innovative air for an audit function that typically relies on manual processes to reach an end that automated, data-driven tools can get to faster and more reliably.
And that’s really continuous auditing in a nutshell. CA uses automated systems and tools rather than a limited sampling approach that’s narrow in scope and usually two steps behind your business activities. In short, by integrating continuous auditing, you’re allowing your internal auditors to continually gather information on your internal controls, information systems, processes, and transactions rather than waiting for your typical quarterly or annual audit.
The result is a more relevant and timely methodology to gauging risk, compliance, governance, and the effectiveness of controls, one that’s proactive rather than reactive. Put another way, wouldn’t you rather spot the iceberg sitting in your organization’s path while you still have time to redirect the ship? Of course you would, and that’s precisely what CA provides to your internal audit department and leadership.
The Reasoning Behind Continuous Auditing
Although we’ll dive into CA’s use of technology shortly, it’s important to remember its benefits have just as much to do with addressing the shortcomings of the traditional audit approach as it does automated solutions and the like. Because as we all know, the bigger and more complex a business gets, the more trouble old-fashioned auditing activities have in keeping pace, revealing severe limitations like:
- Narrow scope of evaluation
- Staying ahead of rapidly evolving risk
- Time lapses between control testing and business activities
- Focusing on reporting rather than a holistic view of operations
- Sprawling audit trails with tangled chains of custody
As your business grows, it becomes increasingly difficult to reveal relevant insights on current issues and risk trends across your enterprise through traditional internal auditing. Further, with such a narrow scope in both data and time, manually-driven internal audits can easily miss the forest through the trees, perhaps identifying an issue but not the underlying cause. And that’s a problem.
Zeroing in on the last of those bullet points, traditional auditing is also susceptible to audit trails and chains of data custody that look more like an air traffic controller’s screen than a clear, open informational highway. When a CSV file, for example, goes through so many hands and revisions that tracking the changes feels like swatting flies at the petting zoo, data integrity is lacking to say the least.
Granted, having too many cooks in the accounting and finance kitchen is indicative of a separate but somewhat related issue, one involving a digital finance transformation – or, more accurately, a lack thereof – but it’s repercussions are still something that IA must constantly contend with.
The Pros and Cons of Continuous Audits
Now that we’ve looked at the high-level reasoning behind continuous auditing, it’s time to set our gaze on the tangible benefits and drawbacks it brings to an enterprise.
The Benefits of Continuous Auditing
- An automated, ongoing process that gathers data on a continuous basis
- Collecting data directly from sources – your website, ERP, CRM, and other third-party data sources
- Faster, more accurate results
- Lower overhead due to automation
- Broader, continuous, proactive reviews rather than strictly cyclical ones
- Dynamic planning based on real-time results
Drawbacks to a Continuous Audit
Those benefits aren’t to say that CA isn’t without potential hurdles, though. While the drawbacks are slight, there are still a few to keep in mind before diving headfirst into the inviting CA waters.
- Requires buy-in from leadership
- Time and costs involved in implementation
- Potential over-reliance on data analysis where human intervention is appropriate
- Lack of familiarity with the underlying technologies and data analytics as a concept
Like we said, the drawbacks to continuous auditing aren’t massive. However, they’re significant enough to take into account before launching a CA initiative. Our suggestion is to gain a better understanding of the digital finance landscape in general before taking the leap.
Also, while the solutions used in CA are neither cost-prohibitive nor exceedingly complicated, it’s certainly a different approach than the traditional one you might be used to. Don’t forget, however, that continuous auditing is meant to serve as a supplement to your IA function, not as a complete replacement. At least for now.
A Continuous Audit Implementation Plan
When it comes to implementing continuous auditing tools, we suggest bringing your IA team into the process early. They’re the folks with the practical, hands-on experience that can help guide your initial planning and, from a workflow perspective, will be the ones actually using the audit tools. If IA isn’t involved in the planning process, you run the risk of seeing push-back, mainly over a lack of understanding of the tools and accuracy of the data.
Also, like any transformation initiative, you want to start small and build on early, easy successes. In other words, establish a baseline to work from and then proceed with the lowest hanging fruit, maybe a piece of evidence that IA thinks will be especially simple to collect. From there, your IT team can identify a tool or tools that will automate the process and can begin implementation.
Now, all of that seems easy enough on paper but, particularly for the uninitiated, the first technical steps in a move toward a continuous audit plan can seem overwhelming. But that’s why it’s so critical to partner with an experienced third party when needed.
Of course, if your IT already feels comfortable with the technology, you can probably address everything in-house. However, given the potential scope of the different processes, controls, and data sources that CA either addresses or relies on, this is an area where it often makes sense to partner with a specialist.
With so many vendors to choose from, systems to integrate, and data sources to connect – not to mention the high-stakes involved – there’s obviously a lot riding on a successful implementation. But whether you choose to forge ahead on your own or partner with a specialist, implementing CA should include some specific components, including:
Building Out Models
Some audit areas pose more risk to your organization than others, making it essential that you create a list of those high-risk areas and address them with your CA initiative.
Visualization and Status Reporting Dashboards
No matter what you target with your continuous auditing, you’ll want to make it easy for leadership and IA to peer into the process and gather insights into what and where the CA is occurring and, even more importantly, the areas of risk it’s uncovering.
Automated Audit Reporting
As the CA systems go through continuous control testing iterations, you’ll want to provide leadership with the ability to look at the different variables involved at any given point in time, reporting on critical areas like:
- Any potential issues uncovered
- Completion dates
- Action planning
- Ongoing status reports
- Expanded Testing Capabilities
Instead of a sampling approach, a successful CA implementation will ultimately allow IA to test entire data populations and drive continuous assurance on data accuracy and completeness from your testing.
A Continuous Auditing Example: Healthcare
Now that we’ve discussed what continuous audit activities look like, what they bring to your IA function, and some general rules of thumb for implementation, let’s look at a high-level, industry-specific example of CA at work in a sector that really needs it – healthcare.
Even before the pandemic, there weren’t too many industries under such an intense, dual-headed spotlight of regulatory forces and financial pressures like healthcare. In other words, the coronavirus only further exposed susceptibilities that were already wreaking havoc for leadership. That’s why the industry has long been looking for ways to better balance excellent patient care with financial performance that also keeps stakeholders satisfied.
That’s what makes continuous auditing such a natural fit for the industry, allowing healthcare organizations to not only streamline their audit processes and stabilize controls, but also free time for staff to focus on delivering better patient care. Although CA can benefit healthcare in seemingly endless ways, some of the most prominent include:
Accounts Receivable Valuations
One of the most significant challenges facing today’s healthcare organizations is increasing exposure to bad debt. Unfortunately, such rapid change makes it tough to generate an accurate valuation of their accounts receivable.
However, data analytic tools within a CA initiative can look at historical AR valuations and compare them to actual payments rather than using AR data samples or limited extracts. With continuous auditing, a CFO can quickly identify bad debt trends and constantly evaluate them against current AR reserve estimates.
The Revenue Charge Capture Process
Hospitals and healthcare providers aren’t in a position to lose reimbursement dollars, especially when it’s due to poor controls within the revenue charge capture process. Continuous auditing can throttle that lost revenue through recurring charge capture tests that would otherwise be impossible through traditional internal audit procedures and systems.
Healthcare employers must meet some very specific and strict compliance measures regarding employee screening. The problem is, the lists that organizations must scrub their employees, contractors, and vendors against are constantly changing.
Continuous auditing can help healthcare employers meet these stringent demands by automatically uploading a list of employees every month to check it against the most recent lists from the HHS, Social Security Administration, and Medicaid agencies.
Coding and Billing Compliance
Talk about scrutiny – government programs look at provider claims with an extremely intense microscope, constantly searching for improper billing and payments. But robust testing procedures driven by – once again – data analytic tools within a continuous auditing initiative allows providers to identify potential coding and billing issues before they become major financial and regulatory problems.
Even the most sophisticated accounts payable systems can struggle with deciphering actual duplicate payments from those that merely look similar. Continuous auditing can constantly screen for genuine duplicates and, thus, avoid preventable losses.
Also, since these CA tools work on top of existing AP systems, healthcare providers don’t have to worry about investing in entirely new systems, yet can still block such costly errors from occurring.
Granted, this is just a small sample of the benefits that continuous auditing can bring to a single industry, healthcare in this case. However, no matter what line of business you’re in, we’re pretty sure you could come up with a similar list of CA benefits within just a few minutes.
Continuous Auditing vs. Continuous Monitoring
Lastly, we want to mention something that won’t make or break a continuous auditing initiative but is still important to understand in a broader finance transformation context. Many people use the terms continuous auditing and continuous monitoring interchangeably when, in fact, there’s a pretty significant difference between the two.
Basically, that difference boils down to what data they collect and who they report the results to. Continuous monitoring, according to the Institute of Internal Auditors (IIA), “is a process implemented by management to ensure that business is operating effectively.”
To that point, CM focuses on improving business processes, business performance metrics, and activities to accomplish any strategic and operational goals, providing actionable insights to management. As discussed, continuous auditing is specific to IA, helping it more efficiently and thoroughly identify and gauge risk for the organization.
SOX Compliance and Minimizing Security Risks With CA and CM
Although companies can adopt CA and CM either separately or together, there are certain efficiencies in implementing them simultaneously or at least one after the other. Since each relies on similar data analytics tools, many companies prefer to implement both to maximize value, both from cost savings as well as improved coordination between IA and management.
When working side-by-side, CA and CM provide agility, flexibility, and foresight across the entire enterprise. For example, SOX compliance requires you to secure and monitor your data environment and IT systems from a constantly evolving and expanding risk profile and threat environment.
For data security, CM tools provide information technology leadership with an open window into any emerging threats, letting them make decisions based on real-time information and update control and risk assessments where remediation is necessary. But Sarbanes-Oxley also requires you to test – and prove – your ongoing compliance with SOX standards and regulations.
Naturally, continuous auditing lets IA efficiently review security controls on a more frequent basis, also generating any required documentation to stay in compliance. And since both the CM and CA components rely on automated solutions, the result is a more effective security environment that’s faster and more accurate than comparable manual auditing processes could ever be.
Continuous Auditing Is the Future of IA
As we said before, continuous auditing isn’t here to replace IA. However, it’s definitely poised to transform it for the better. And it’s accomplishing that transformation through digital tools that will ultimately drive improved risk management processes, cost efficiencies in IA, and put a smile on your external auditor and audit committee’s collective face.
Looking ahead, we absolutely foresee a point when CA is the beating heart of internal audit, and that time isn’t as far into the future as you might think. For now, though, think of continuous auditing as equal parts competitive advantage and finely-tuned risk detector. And Embark’s Digital Finance team is just the group of specialists you’ve been looking for to tell you all about it.