Continuous Audit Monitoring for
IT Impacted Areas
(Part 2 of 2)
By: Mitchell H. Levine, CISA - Audit Serve, Inc.
Continuous auditing is comprised of a Continuous Control Assessment and Continuous Risk Assessment. The objective of the Continuous Control Assessment is to determine whether controls remain effective.
The source input of the continuous control assessment is the set of audit programs used to perform the various audits of an organization. Each control objective within these audit programs must be reviewed in order to identify the controls which need to be tested as part of a continuous control assessment. Audit programs are typically comprised of control objectives and the audit steps used to validate whether each control objective is being adhered to and achieved; these audit steps verify whether the control exists and provide the compliance tests. Since it is not practical to incorporate the sample size used within a regular audit into the continuous control assessment program, a subset of the sample should be defined and consistently applied to all tests included in the overall program. It should be noted that in some cases the control is used only intermittently, which requires a trigger to be established to identify when the control was used so that the occurrence can be included in the sample selection of the continuous control assessment program. In addition, the type of test deployed as part of the continuous control assessment program may differ from the test performed during a normal audit. In most cases the test performed as part of the continuous control assessment program is scaled down as compared to a regular audit. For example, during a regular audit the source documents used to support a compliance test may depend on the analysis and source documents used for a different control objective; in order to reduce the time required to perform the test within the continuous control assessment program, the starting point of the test may therefore be different.
In addition, it is not practical to include all control objectives in the continuous control assessment program, therefore criteria must be established to determine which control objectives within specific audit types are to be included. The approach used within the industry is to prioritize control objectives by the potential risk if the control is not effective. This requires that all control objectives within the audit programs used for all types of audits be assigned risk levels, which then translate into their priority level for inclusion in the continuous control assessment program.
The continuous control assessment program can be run as an extension of the system operations areas or included as part of the audit department's activities. If the continuous control assessment program is part of the audit department's activities, consideration should be given to leveraging the work performed by compliance functions deployed within the areas being audited, instead of having the audit department perform additional independent tests as part of the continuous control assessment program.
In summary, an effective continuous audit monitoring program will detect changes within an environment and non-compliance with established controls. With the requirement of SOX Section 409 to have real-time disclosures of material changes in the financial condition of a company and SOX Section 302 which requires a quarterly certification of controls over financial reporting, establishing a continuous control assessment program is critical for public companies. This is especially important since most organizations have reduced the frequency of their SOX Section 404 testing.
Example of Mapping Audit Program Steps to Continuous Control Assessment Steps

Type of Audit: IT General Controls
Control Objective: A process exists and is effectively deployed to ensure that the IDs of terminated employees are deleted or disabled in a timely manner.

Requirements of Regular Audit
Audit Step: Obtain a list of employees terminated during the audit sample period and perform a lookup of domain users to determine whether each user's ID has been removed.
Population estimate: 100 terminations per year
Sample requirements: 20% of terminated employees

Requirements of Continuous Control Assessment Program
Audit Step: Same as regular audit
Sample size: 10% of the audit sample per quarter
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.