Continuous Auditing

December 15, 2011 by
Filed under: Continuous Monitoring, Governance, Risk and Compliance

A small note on our vision of Continuous Auditing (CA), or at least the way we interpret the terminology. There are many point solutions for support of Computer Assisted Audit Techniques (CAAT), Audit Data Analysis, Segregation of Duties analysis and Continuous Monitoring. For many of our customers it is now becoming more obvious that there are clear benefits in having these integrated in your GRC Suite:
    • Go through the phases of maturity in CA in one software package: leverage existing knowledge of CAAT tooling now and extend to Continuous Monitoring/Auditing later
    • Integrated automated and manual testing
    • Direct accessibility of results and follow-up by Internal Audit departments
    • Integrate with other GRC activities such as ERM (Risk Assessments) as described in the GTAG towards Continuous Assurance
    • Other technical infrastructure benefits and Total Cost of Ownership

What is our vision?

In order to provide a practical example of the benefits of having an integrated GRC Suite that includes Data Analytics, CM and CA capabilities, take a look at the following graph:


It tells us that our performance in managing our overdue accounts receivable has improved. It also gives Internal Audit insight into the effectiveness of this process over a certain period, the entire year in this case. Any peaks or strange behavior in trends can be explained through the management comments, which are directly visible in the graph. An auditor's opinion is pending (the orange dot at the end of the year), and twice management has indicated that the control of overdue receivables is insufficient (the red dots). This graph represents only the tip of the iceberg.

There is much more information underneath that is derived from an integrated GRC suite. The picture below depicts individual components (not all are relevant for this example). Let me explain which ones are:
    • The IC Framework Integration is a decomposition of processes, risks and controls. In this case Billing -> Non-collectable receivables and loss of interest (reducing working capital) -> Periodic monitoring and follow-up of overdue receivables. All other functionalities make use of this framework for integration purposes
    • KRI/KPI/KCI - Regardless of the correct name, Key Risk Indicators give direct insight into the current state of affairs and provide a means for easy trending. In this case the KRI is defined as the % of turnover which is overdue more than 60 days
    • Continuous Monitoring - The data to calculate the KRI and the exact details underneath (which customers are overdue, what amounts/regions/products etc.), including individual invoice data, is automatically captured from a source ERP/Financial system, then analyzed, presented and pushed into a follow-up workflow
    • Control Self Assessments are performed on most key controls from the IC framework. During these self-assessments, management makes use of the Continuous Monitoring data to substantiate their opinion. Any exception is either explained and documented or needs appropriate follow-up actions
    • Action Management handles the tracking and tracing of all outstanding tasks for management
    • Since an Audit Module is integrated in the GRC Suite, all data is present and available to Internal Audit. Even though they have an independent function, the entire audit trail of findings, follow-up, CM data, results, etc. is available in the system and accuracy is guaranteed. Their opinions are available throughout the process (see yellow dot in graph) or at a specific point in time when an audit is performed

All data needed to produce the graph, as well as all data that is relevant for follow-up, monitoring, auditing and trending, is directly available in the same application. This makes auditing and continuous monitoring an integral part of day-to-day business. It becomes part of the Internal Control environment. There is a much more detailed explanation behind all of this, which will be published shortly in our series on Data Analytics for GRC Vol. III - The Future of Audit Analytics and Continuous Auditing. Stay tuned!

Tags: BWise, Continuous Monitoring, Audit
