BOL Conferences
#94441 - 07/07/03 03:02 PM Swiss Cheese 2
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
A few more high level topics and then we move into more specific internal control topics next week...

To what extent are you using continuous auditing, key indicators and integrated auditing in your audit approach? What are the pros and cons?

By no means do I suggest that I am an expert in these areas; however, I do think they are valuable components of a risk-based internal audit program.

From a practical standpoint, I see continuous auditing as breaking up traditional audit programs based on the risk associated with certain procedures. For example, instead of completing a full-scope loan audit every 12 months, extend the cycle to 18 months. At the same time, identify the high risk procedures and perform them monthly, quarterly, semi-annually, or annually, based on the risk involved. In effect, this extends the audit cycle for low-risk activities and shortens the audit cycle for higher risk activities…within each audit. One of the difficulties I see with this is simply record keeping…I think it would be very difficult to fully implement this without some sort of audit software to help automate the process. How many of you are using audit software and what is your opinion of it?

Computer assisted audit techniques would also fall under continuous auditing. How many of you are using ACL or a similar data analysis product in your departments? Most of us are probably using Excel, Access, or a similar product to do a certain level of data analysis.

Many times key indicators are associated with a continuous audit approach, somewhat of an early warning system. In the lending area, for instance, we might monitor loan yields, trends in past dues, loan fee income, number of loans booked, renewed, or extended, etc. In the operations area, we might monitor complaints, new and closed accounts, teller balancing, etc. Changes in the level or trend of these indicators may signal a change in policy, an increase in risk, training problems, or an error / irregularity.

Analytical procedures are normally associated more with financial audits, and many times are used as key indicators on an ongoing basis. Yields on loans, investments, deposits, etc. Asset, liability, capital, income and expense accounts as a percentage of total assets or gross income.

One last comment concerning integrated auditing. I normally hear this term defined as integrating information systems (IS) auditing into financial and operational auditing. While this would not eliminate the full-scope IT or IS audit, it would require you to consider technology, management information systems (MIS), and other computer-related activities in every audit. For instance, when doing an audit of the deposit area, we try to look at that segment on the core system (i.e. interest accruals, file maintenance, etc.), management information systems (i.e. what reports are generated by the system, reviewed by whom, are they accurate, etc.), system security and access (i.e. passwords, who has access to what applications and are they based on job function and need, etc.). Looking at these issues during every audit allows us to do a more thorough review of technology issues and support overall conclusions during the full scope IS audit. Further, given the rapid advance of technology into every functional area, it is almost impossible to do an audit without considering computer issues and controls. How many of you are looking at computer-related issues extensively in every audit?
_________________________
My opinions are just that...my opinions.

Audit
#94442 - 07/07/03 03:34 PM Re: Swiss Cheese 2
AnnRoy Offline
Platinum Poster
AnnRoy
Joined: Jun 2002
Posts: 771
South
Boy! You're making my head swim this morning...... I like the idea of integrated auditing but where do you start? I mean, so many of us, I'm sure, look to audit manuals for a starting place to find audit programs and internal control questionnaires. So is there a source where we can find a comprehensive audit program?
I'm also considering moving from traditional auditing to risk-based auditing but it's a big change from those auditors who have been accustomed to traditional auditing for a number of years. Also I would like to utilize more CAAT in my audits....but it's a dual problem with finding audit software that will interface with the core processing software and then seeking affordable yet user-friendly audit software for small audit shops (staff of 2).
Feel free to PM me if necessary to address my questions b/c I'm sure I have more questions when you reply.
_________________________
CAMS

#94443 - 07/07/03 05:04 PM Re: Swiss Cheese 2
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
In regards to integrated auditing, the easiest approach might be to develop a short MIS / IS workprogram for use in each audit (all steps may not be applicable to every audit). This workprogram would basically be a small subset of the full scope IS audit workprogram. Address basic things like user access, password requirements, management information systems (i.e. reports), physical security, backup, contingency planning, model validation, etc. Start with a simple list of IS-related questions / procedures and expand from there. By doing this, you will be in a much better position to answer questions in the full scope IS audit. For example, when the full scope IS audit workprogram asks you to validate that user access is based on need, it is very difficult to answer for the whole bank given the number of employees and departments. If you look at user access when doing, say, the loan audit, your mind is on loans and the specific duties and controls involved. The number of employees involved is much less as well.

In regards to risk-based auditing, I would start with doing a risk assessment of your audit universe. I believe there has been more than one post regarding this, and I think there is a sample risk assessment in the Banker Tools section (if you can't find something there, send me a PM with your email address and I will send you an example). For each audit program in your universe, rank such areas as dollar size of transactions, employee turnover, risk to the bank if a threat materializes, etc. Based on the results of this analysis, you can set up your audit schedule to audit the higher risk areas more frequently (semi-annual or annual) and the lower risk areas less frequently (every eighteen months or biannual). If you have not yet gone through this process, I would not recommend trying to move to more of a continuous audit approach where you would have to get even more detailed with your risk assessments.

Beyond extensive use of MS Office, I have not had much experience with CAATs so any input from other readers would be appreciated. Hopefully we'll be looking at audit program and data analysis software in the coming months.
_________________________
My opinions are just that...my opinions.

#94444 - 07/07/03 05:15 PM Re: Swiss Cheese 2
wlavoie Offline
Gold Star
wlavoie
Joined: Jul 2002
Posts: 338
Hell's Canyon
You really make a person think first thing on Monday

I am presently the one and only audit person at our bank. I also confirm our compliance is up to speed. I don't write policy, just ensure we are complying with the regulations. I use software for the compliance testing - which helps with audit. I am so far behind that the best I can do is take the risk association approach.
#1 - Where's the greatest risk?
#2 - Did they fix the problems from last audit?

I am VERY interested in CAAT, but have not had time to look into specific vendors. I'd love to see some sort of a demonstration/seminar in my area. Any vendors listening? I looked pretty hard last year for some sort of CAAT training for my CE - but no luck.

I think trend analysis can be very beneficial to seeing the "big picture" and I hope to utilize it more often in future audits.

As for your last question concerning computer-related issues - I would say I do look at them indirectly in most every audit. I analyze the reports associated with the area as well as who has what type of access controls in the system.
_________________________
Wendy LaVoie

#94445 - 07/07/03 07:44 PM Re: Swiss Cheese 2
Dollar Bill Offline
100 Club
Dollar Bill
Joined: Nov 2002
Posts: 107
Midwest
Wow! I actually had to read this 2 or 3 times.

First of all, I'm not sure what the acronym CAAT is referring to? Maybe someone can help me out. Is this an audit software package?

In regards to the continuous audit approach, I would agree with the Risk Officer's second post. One must first determine the higher risk areas by preparing a risk assessment over the different areas of the Bank. I think that once this system is in place and you are comfortable working with it, the different areas could then be segmented. I would think that the staffing in the IA department would largely impact the effectiveness of this approach. I am currently the only IA at the Bank and feel that this approach would be more time consuming than anything. I DO, however, take a look at the results of the audit when determining the frequency of audits.

Also, each audit that I prepare includes analytical procedures that address yield/WAR analysis, averages, etc. Any significant variances are addressed as to the reason for the variance.

I take all of this into consideration when determining the frequency of the audit, rather than doing the continuous auditing approach. This is definitely something that could be implemented later down the line when more staff is added to the department.

Any technology related issues that concern each department are documented and reviewed during the audit of that particular area. For example, internet banking-who has access to make changes, who reviews the changes? deposit accounts- who has the ability to change customer info and who reviews the info, any supporting documentation? etc. I think that it is important to cover this area. I agree though, that it does not take away from the full-scope review that needs to be done on IT.

I am open for some constructive criticism on this topic. Very interesting topic Risk Officer, but can be somewhat complex.

#94446 - 07/07/03 07:54 PM Re: Swiss Cheese 2
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Quote:

First of all, I'm not sure what the acronym CAAT is referring to? Maybe someone can help me out. Is this an audit software package?




CAAT - Computer Assisted Audit Technique. Basically the use of software to facilitate the audit or audit step. For example, using data analysis software such as ACL would be a CAAT.

_________________________
My opinions are just that...my opinions.

#94447 - 07/07/03 08:15 PM Re: Swiss Cheese 2
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Quote:

In regards to the continuous audit approach, I would agree with the Risk Officer's second post. One must first determine the higher risk areas by preparing a risk assessment over the different areas of the Bank. I think that once this system is in place and you are comfortable working with it, the different areas could then be segmented. I would think that the staffing in the IA department would largely impact the effectiveness of this approach. I am currently the only IA at the Bank and feel that this approach would be more time consuming than anything. I DO, however, take a look at the results of the audit when determining the frequency of audits.

Also, each audit that I prepare includes analytical procedures that address yield/WAR analysis, averages, etc. Any significant variances are addressed as to the reason for the variance.

I take all of this into consideration when determining the frequency of the audit, rather than doing the continuous auditing approach. This is definitely something that could be implemented later down the line when more staff is added to the department.

Any technology related issues that concern each department are documented and reviewed during the audit of that particular area. For example, internet banking-who has access to make changes, who reviews the changes? deposit accounts- who has the ability to change customer info and who reviews the info, any supporting documentation? etc. I think that it is important to cover this area. I agree though, that it does not take away from the full-scope review that needs to be done on IT.

I am open for some constructive criticism on this topic. Very interesting topic Risk Officer, but can be somewhat complex.




wflori brings up some good points. First of all, when it comes to internal audit, audit approaches, risk assessment, etc., one size does not fit all. This is more than a cliché. One has to look at the complexity of the audit universe and the resources available. Simple departments and simple risks call for simple methods...complex departments and significant, complex risks call for more involved methods. Internal audit is seldom overfunded so we have to do the best with what we have. I like to think of it as helping management "keep it between the ditches;" and, always add value where possible.

Another great point...sometimes we can spend too much time on fine tuning our approaches, risk assessments, etc., beyond the point of diminishing returns. Sometimes we have to draw the line on planning, researching, and considering and just get to work. In regards to the administration of our departments, and also when considering internal controls, we need to continuously focus on cost benefit.

One thing I would suggest, however, is that while a risk-based audit approach may take a little time to implement, it will generally allow a small department to be more effective and focus more time on the more significant risks. You spend the same amount of time auditing, but you look at higher risk areas more frequently than low risk areas.
_________________________
My opinions are just that...my opinions.

#94448 - 07/07/03 08:45 PM Re: Swiss Cheese 2
NotALawyer Offline
Gold Star
NotALawyer
Joined: Nov 2001
Posts: 455
Continuous auditing can be done at two levels, if you can get management buy-in: 1) Front line managers monitor their own areas on a continuous basis, and 2) the auditor conducts his/her own monitoring with priority on reviewing the front line monitoring.

And I wholeheartedly agree with Risk Manager in that it can become an issue of time trying to fine tune the various types of monitoring. It can be extremely difficult to determine the optimal level of monitoring.

My two bits...

#94449 - 07/07/03 09:00 PM Re: Swiss Cheese 2
Kathleen O. Blanchard Offline

10K Club
Kathleen O. Blanchard
Joined: Dec 2000
Posts: 21,293
You may also find that as your bank grows your regulators insist on a risk based audit approach.
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#94450 - 07/07/03 09:16 PM Re: Swiss Cheese 2
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Quote:

Continuous auditing can be done at two levels, if you can get management buy-in: 1) Front line managers monitor their own areas on a continuous basis, and 2) the auditor conducts his/her own monitoring with priority on reviewing the front line monitoring.





Two programs we have implemented (and are expanding significantly) are 1) a Control and Risk Self Assessment Program (CRSA) - of course one manager suggested that we rename the program the Control and Risk Assessment Program (CRAP for short)...we didn't; and 2) a Banking Center Control Program (BCCP).

The CRSA is basically a self assessment program covering all departments and all branches. On an ongoing basis, with a thorough update annually, the managers will complete / update their risk assessment and document and attest to their controls. I envision this providing much of the needed documentation for FDICIA (we just went over $500 million and will go through our first review at year end) and Sarbanes Oxley.

The BCCP started out applicable only to the locations and consisted of quarterly teller cash counts on a surprise basis, inventories of negotiable instruments, etc. We're expanding it to include self audit procedures for all departments and all functional areas in the branches. At the start of each quarter, we send out the requirements, including things like self audit worksheets. Each department is not hit every quarter, and we try to limit the time needed by any one person to somewhere between a half day and a day for that quarter. However, we've found that we can probably add an FTE to the audit dept by using people in the locations and departments to perform certain procedures. Depending on the risk involved, the internal audit staff will verify a certain amount of the work. We're trying to perform some of the self audit procedures in the quarter prior to the scheduled internal audit in order to jump start the internal audit process.
_________________________
My opinions are just that...my opinions.

#94451 - 07/08/03 02:45 PM Re: Swiss Cheese 2
NotALawyer Offline
Gold Star
NotALawyer
Joined: Nov 2001
Posts: 455



1) a Control and Risk Self Assessment Program (CRSA) - of course one manager suggested that we rename the program the Control and Risk Assessment Program (CRAP for short)...




ROTFL

#94452 - 07/08/03 04:31 PM Re: Swiss Cheese 2
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Quote:

ROTFL




I told myself I wouldn't ask, but, in the end, I couldn't stop myself...ROTFL???
_________________________
My opinions are just that...my opinions.

#94453 - 07/08/03 04:35 PM Re: Swiss Cheese 2
Anonymous
Unregistered

Rolling On The Floor Laughing???

#94454 - 07/09/03 02:48 PM Re: Swiss Cheese 2
Walleye Woman Offline
Platinum Poster
Walleye Woman
Joined: Jul 2002
Posts: 832
Regulators are why I had to begin a risk based approach to auditing. I admit that I was hesitant to do this but have found that I am now more efficient and don't spend a lot of time working on areas that are redundant or have few problems.
_________________________
Marilyn, CRCM

I'd rather be fishing.


#94455 - 07/09/03 02:49 PM Re: Swiss Cheese 2
NotALawyer Offline
Gold Star
NotALawyer
Joined: Nov 2001
Posts: 455
Quote:

Quote:

ROTFL




I told myself I wouldn't ask, but, in the end, I couldn't stop myself...ROTFL???




Spot on!


Moderator:  Andy_Z