Internal Audit: The Continuous Conundrum

A generally accepted definition of "continuous auditing" remains elusive, and expert practitioners remain rare. Here are some tips from the trenches for getting a program going.

The department, meanwhile, continues to audit access to Microsoft’s financial systems, and journal entries are examined for large entries, unusual entries, and unusual reviewers and approvers.

Also, the department keeps watch over financial-statement ratios for indicators of fraud. For example, a days sales outstanding index measures the relationship between DSO in two consecutive reporting periods. An inflated ratio could reflect fictitious sales or receivables. Among several other ratios, an asset quality index measures a company’s propensity to capitalize costs. Manipulators have a greater deterioration of asset quality, but a very high asset quality index may indicate an inappropriate deferral of costs.

Surgical Strikes

Hospital Corporation of America, which owns 163 hospitals and 105 freestanding surgery centers, is one of the true veterans of continuous audit, having started its program eight years ago. In-house developers have built what internal audit director Chase Whitaker calls a “quiltwork” of audit routines — about 50 of them — that run on a variety of applications, including ACL, Paisley Consulting’s Focus (for Sarbanes-Oxley compliance), and Microsoft’s .Net, among others.

The mix of routines employed is constantly evolving. Some have been in use for all eight years, but others turned out not to be effective, and in certain cases system changes made routines moot. But there is no shortage of ideas for new ones. “I’ve probably got at least 120 items in the hopper; everything from just brainstorms to things that are going through the quality-assurance process and are nearly ready to be deployed,” says Whitaker. A steering committee meets three or four times a year and sifts through the list, in some cases seeking feedback from business-process leaders on whether a particular automated audit would provide risk coverage that they didn’t already have.

After a decision is made to develop a routine, the big challenge is determining its scope, identifying data sets to be analyzed, and setting failure thresholds. “Then you’ve got to develop and deploy it, and meanwhile you’re wondering what kind of results you’re going to get,” says Whitaker.

Sometimes routines have to be adjusted. HCA, like AEP, watches employee overtime rates, in this case as a hedge against errors by nurses and other clinicians that could result in medical-malpractice lawsuits. At first the routine was set to flag anyone who worked 30% more than full-time hours. That generated a “voluminous amount” of exceptions, so the audit department contacted its facilities and found that, indeed, that kind of overtime rate was not unusual. “So we set it at 50%,” says Whitaker, “and it became more valuable information for our HR directors and CFOs.”

Another variable is the frequency of continuous audit routines. The overtime audits are done two or three times a year, in each case looking at the previous 12 months’ worth of data. But the audit department looks daily at whether business units — hospitals, surgery centers, physician practices, shared service centers — have been moved on to or off of the list of entities whose assets and operations are reflected in consolidated financial statements. That is to guard against unintentional changes and to determine if a change was made for a valid business reason.

And the audit department watches in nearly real time — hourly — for local data-security administrators granting access to applications for employees or themselves. Normally, even the security administrators are not supposed to have that access. When such changes are detected, facilities are alerted.
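The hourly check described above can be sketched as follows. This is an added example, not HCA's code; the pipe-delimited event format, user IDs, facility codes, and application names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: the event format, user IDs, facility codes and
# application names are assumptions made for this example.
LOCAL_SECURITY_ADMINS = {"jdoe": "FAC-01", "asmith": "FAC-02"}

EVENTS = [
    "2024-03-01T09:05:00|GRANT|jdoe|jdoe|general-ledger",
    "2024-03-01T09:20:00|GRANT|jdoe|mlee|payroll",
    "2024-03-01T09:40:00|GRANT|central-iam|rkhan|payroll",
    "2024-03-01T09:50:00|REVOKE|asmith|tnguyen|billing",
    "2024-03-01T08:10:00|GRANT|asmith|asmith|billing",  # previous hour
    "malformed line",
]

def parse(line):
    """Return (timestamp, action, grantor, grantee, app), or None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return (ts, *parts[1:])

def hourly_alerts(lines, window_end, admins=LOCAL_SECURITY_ADMINS):
    """Flag grants made by local security admins in the hour before window_end.

    Returns (alerts grouped by the admin's facility, count of unparsed lines).
    """
    window_start = window_end - timedelta(hours=1)
    alerts = defaultdict(list)
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1  # surface unparsed lines instead of dropping them silently
            continue
        ts, action, grantor, grantee, app = rec
        if action != "GRANT" or grantor not in admins:
            continue
        if not (window_start <= ts < window_end):
            continue
        kind = "SELF_GRANT" if grantee == grantor else "GRANT_TO_EMPLOYEE"
        alerts[admins[grantor]].append((kind, grantor, grantee, app))
    return dict(alerts), skipped
```

Grouping by the administrator's facility mirrors the article's point that the facility is alerted; the count of unparsed lines is returned so a broken feed does not look like a quiet hour.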

Other human-resources issues with financial implications are subjected to continuous auditing as well. These include payroll reviews that look for invalid Social Security numbers, and reviews of exceptionally low levels of vacation time, considered a warning sign that a fraud could be in progress by someone afraid a scheme might be detected in his or her absence.

About 15 of HCA’s continuous audit routines look directly for irregularities traceable to the finance operation. Journal entries by senior finance executives or business-unit leaders are flagged, because entries normally are made by lower-level accountants. Likewise, any entries that boost revenue by a certain percentage, particularly those that put the business unit just above its budgeted monthly goal, are flagged. “It might be valid, but at least an auditor should take a look to make sure somebody didn’t just pad something to make budget,” says Whitaker.

Other journal entries that are watched in the continuous audit telescope are adjusted estimates for contingencies like malpractice-insurance claims, bad debt allowances, and amortization schedules for intangible assets. Again, the goal is to identify instances of invalid earnings management. “If somebody puts something on the balance sheet as an asset that previously was in expenses, we want to know why,” asserts Whitaker. “Someone could do a journal entry just to shave some expenses for the month, thinking that the next month they’ll just reverse it and no one will be the wiser.”



