Some companies are taking a supercharged approach to internal audit: rather than reviewing small samplings of data at regular intervals, they are looking at all of the data, all of the time. Based on automated processes that raise red flags when something is amiss, it’s essentially an extreme version of the increasingly common practice of “continuous auditing,” a hazily defined term that covers many methods of increased vigilance. According to an ongoing Institute of Internal Auditors (IIA) survey, 28% of companies are currently using some form of continuous auditing, while another 15% plan to start this year. Those numbers are likely to grow, says Richard Chambers, the institute’s president and CEO, since the approach “is the only way to be in front of emerging risks.”
Many companies start slowly, using off-the-shelf software to monitor select high-risk areas such as corporate credit-card purchases or accounts-receivable transactions. Others are integrating the monitoring into existing enterprise systems, for use by both operations and audit. The U.S. arm of Siemens Financial Services, which provides financing for health-care, energy, and industrial companies, has started running programs every night to monitor “everything that determines the value of a financial asset,” namely, information on borrowers’ riskiness, says Matthias Grossmann, CFO of the business unit. The decision to move to continuous monitoring was an easy one, he says, because the company was able to address the task with technology it already owned.
The 24/7 approach to auditing may save companies money in several ways. External-audit fees barely grew last year — up 2.2% for public companies and 3.7% for private ones, according to one study — in large part due to such internal efforts, says Marie Hollein, CEO of Financial Executives International, whose affiliate, the Financial Executives Research Foundation, performed the study. “Continuous auditing has allowed companies to have more information readily available for their external auditors,” Hollein says, and functions like “a soft close, so that you know if there’s anything that flares up.”
The IIA’s Chambers notes, however, that the automation that powers 24/7 auditing is no substitute for people, since “there are a lot more dimensions to internal audit than just identifying abnormalities.” Indeed, for Harrah’s Entertainment, one major benefit of the move to automated monitoring is that it allows the casinos’ 86 auditors to spend more time monitoring the gaming activity. “That’s where the action is, not at their desks buried in paperwork,” says Cheryl Kondra, chief audit executive for Harrah’s.