Audit Serve, Inc.

 


  
              
Continuous Audit Monitoring for IT Impacted Areas
(Part 2 of 2)
By: Mitchell H. Levine, CISA - Audit Serve, Inc.

                                                    

Continuous auditing comprises a Continuous Control Assessment and a Continuous Risk Assessment. The objective of the Continuous Control Assessment is to determine whether controls remain effective.

The source input for continuous control assessments is the set of audit programs used to perform the various audits of an organization. Each control objective within these audit programs must be reviewed to identify the controls that need to be tested as part of a continuous control assessment. Audit programs typically consist of control objectives and the audit steps used to validate whether each control objective is being adhered to and achieved. These audit steps verify whether the control exists and provide compliance tests.

Since it is not practical to incorporate the sample size used within a regular audit into the continuous control assessment program being instituted within an organization, a subset of the sample should be defined and consistently applied to all tests included in the overall continuous control assessment program. In some cases the control is used only intermittently, which requires a trigger to be established to identify when the control was used so that it can be included in the sample selection of the continuous control assessment program.

In addition, the type of test deployed as part of the continuous control assessment program could be different from the test performed during a normal audit. In most cases the test performed as part of the continuous control assessment program would be scaled down compared to a regular audit. For example, during a regular audit, the source documents used to support a compliance test may depend on the analysis and source documents used in a different control objective. Therefore, to reduce the time required to perform the test within the continuous control assessment program, the starting point of the test may be different.

In addition, it is not practical to include all control objectives in the continuous control assessment program, so criteria must be established to determine which control objectives within specific audit types are to be included. The approach used within the industry is to prioritize the control objectives by the potential risk if the control is not effective. This requires that all control objectives within the audit programs used for all types of audits be assigned risk levels, which translate into their priority level.

The continuous control assessment program can be run as an extension of the system operations areas or included as part of the audit department's activities. If the continuous control assessment program is part of the audit department's activities, consideration should be given to leveraging the work performed by compliance functions deployed within the areas being audited instead of having the audit department perform additional independent tests as part of the continuous control assessment program.

In summary, an effective continuous audit monitoring program will detect changes within an environment and non-compliance with established controls. With SOX Section 409 requiring real-time disclosure of material changes in the financial condition of a company and SOX Section 302 requiring a quarterly certification of controls over financial reporting, establishing a continuous control assessment program is critical for public companies. This is especially important since most organizations have reduced the frequency of their SOX Section 404 testing.

Example of Mapping Audit Programs to Continuous Control Assessment Steps

Type of Audit: IT General Controls

Control Objective: A process exists and is effectively deployed to ensure that IDs of terminated employees are deleted or disabled in a timely manner.

Requirements of Regular Audit 

Audit Step: Obtain a list of employees terminated during the audit sample period and perform a lookup of domain users to determine whether the users' IDs have been removed.

Population estimate:  100 terminations per year

Sample Requirements:  20% of terminated employees 

Requirements of Continuous Control Assessment Program  

Audit Step: Same as regular audit
Frequency: Quarterly

Sample size: 10% of audit sample per quarter
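
The mapping above, worked through as an added example (not part of the original article): it derives the quarterly sample size from the article's figures, draws a reproducible sample from the quarter's terminations, and looks each sampled ID up in a domain user export. Assumptions: "10% of audit sample per quarter" is read as 10% of the regular audit's sample (20% of 100 terminations); the record layouts, function names and data are constructed; max_days stands in for "timely", which the article does not quantify.

```python
import math
import random
from datetime import date

# Figures taken from the article's example
POPULATION_PER_YEAR = 100    # estimated terminations per year
REGULAR_AUDIT_PCT = 20       # regular audit tests 20% of terminated employees
CCA_PCT_PER_QUARTER = 10     # continuous program: 10% of the audit sample per quarter

def quarterly_sample_size(population=POPULATION_PER_YEAR):
    audit_sample = math.ceil(population * REGULAR_AUDIT_PCT / 100)
    return max(1, math.ceil(audit_sample * CCA_PCT_PER_QUARTER / 100))

def select_sample(terminations, size, seed):
    # Sort first and seed the generator so a reviewer can re-perform the selection.
    ordered = sorted(terminations, key=lambda t: t["user_id"])
    return random.Random(seed).sample(ordered, min(size, len(ordered)))

def check_terminated_ids(sample, directory, max_days):
    # max_days is an assumed definition of "timely"; the article gives no figure.
    exceptions = []
    for t in sample:
        acct = directory.get(t["user_id"])
        if acct is None:
            continue  # ID no longer exists in the domain: deleted
        if acct["enabled"]:
            exceptions.append((t["user_id"], "still enabled"))
        elif (acct["disabled_on"] - t["terminated_on"]).days > max_days:
            exceptions.append((t["user_id"], "disabled late"))
    return exceptions

# Constructed sample data: one quarter's HR terminations and a domain user export.
TERMINATIONS = [
    {"user_id": "adavis", "terminated_on": date(2008, 10, 3)},
    {"user_id": "bkhan", "terminated_on": date(2008, 10, 17)},
    {"user_id": "cliu", "terminated_on": date(2008, 11, 5)},
    {"user_id": "dnovak", "terminated_on": date(2008, 12, 1)},
]
DIRECTORY = {
    "adavis": {"enabled": False, "disabled_on": date(2008, 10, 3)},
    "bkhan": {"enabled": True, "disabled_on": None},
    "cliu": {"enabled": False, "disabled_on": date(2008, 11, 26)},
    # dnovak is absent: the account was deleted
}

if __name__ == "__main__":
    picked = select_sample(TERMINATIONS, quarterly_sample_size(), seed="2008-Q4")
    print(check_terminated_ids(picked, DIRECTORY, max_days=5))
```

Recording the seed alongside the quarter's results lets the same items be re-selected when the test is reviewed.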

Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing.    Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.

 

Copyright  2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.

 

Copyright © 2000  All rights reserved.  27 Pine Street, Suite 700, New Canaan, CT 06840 USA.