The department painstakingly went through its inventory of SOX controls to determine which ones could be assessed just by analyzing data in company systems. Then data-analytic scripts were written to allow exceptions to be found. Now, for example, the entire population of journal entries can be examined quickly for segregation-of-duty violations. “It took a little while to write the script, but now when we have to test that control every year, it’s going to take seconds — and the financial auditors love it,” says Hoffman. He adds, “If I had it to do over again, I would have started with a focus on SOX — that would have accelerated the evolution process.”
Another challenge in implementing the continuous auditing program was a technology learning curve. The auditors had to be trained to use the new ACL applications, the automated tool the company ended up purchasing. But that was a low hurdle compared with winning the auditors’ enthusiasm, according to Hoffman.
Some of the ways AEP uses continuous auditing are common to other companies. Cash-management transactions, such as setting up new bank accounts, are scrutinized closely to make sure supervisors approved the activities, for instance.
Other uses are more company-specific. AEP, which consumes a lot of fuel to power its fleet of repair vehicles, has automated audits that identify excessive fuel usage and improper use of credit cards issued for charging fleet expenses.
The audit department also conducts safety audits, watching to make sure employees don’t work excessive overtime. The goal is to avoid having line-crew members fall asleep at the wheel because they’ve been on the clock for 16 hours, and avoid having power-plant workers on the job for two weeks without a day off.
Meanwhile, the continuous auditing program helps AEP decided what to include and exclude from its annual audit plan. If the output from an automated routine suggests there is little-to-no suspicious activity in a stable business process, that is a detailed justification for excluding an audit of that process from the audit plan. Conversely, if a routine indicates a significant number of potential exceptions, that’s a strong justification for a more traditional, manual investigation.
So far Hoffman’s department has automated only 25% of Sarbox internal tests. Many other “business-as-usual” audits still must be addressed, and those remain the priorities for AEP. “Some things will always have to be reviewed manually, but any time you can just click a button to analyze data to get your control-effectiveness answer, it’s much better,” he says.
Access and Auditor Angst
When Microsoft got its continuous auditing program going three years ago, PricewaterhouseCoopers, which was advising the company on the project, warned the internal audit department to expect trouble in three areas: getting its hands on the data, and pushback from both the audit staff and the internal stakeholders whose business processes were to be audited.
Internal audit director John Digenan was really only worried about getting the buy-in on both sides, and not about the data issue. But there was little pushback from the stakeholders, “and I’m not sure why,” he says.