Page 470 - ITGC_Audit Guides
GTAG — Foundational Continuous Assurance Framework
• Timely identification of exceptions and anomalies.
• Analysis of patterns and trends.
• Detailed transaction analysis against cut-off thresholds.
• Testing of controls.
• Comparative analysis among peers.

Continuous auditing provides a way to identify risk indicators and evaluate risk parameters across IT operations, IT applications, and business processes by analyzing systems for changes, security, incidents, outliers, and transactions. Continuous auditing enhances the ability of internal auditors to comment on the availability and utility of data, understand application controls, and optimize business processes through automation. When deployed effectively, continuous auditing:

• Is focused on audit objectives and assertions such as completeness, accuracy, and authorization to determine the reliability of the information decision makers use.
• Can detect emerging areas of risk and control weakness.

Under the foundational continuous assurance framework (see Figure 1), there is no overlap between continuous auditing and continuous monitoring, and continuous auditing can be performed even if continuous monitoring does not exist in the first and second lines of defense. However, opportunities for continuous monitoring exist wherever there are opportunities for continuous auditing. An opportunity for an audit observation or recommendation may exist if continuous monitoring opportunities are present but are not being performed by management.

Ongoing Risk and Control Assessments

Ongoing risk and control assessments should be designed to work together to sustain assurance and potentially lengthen the time between traditional audit engagements.

Ongoing Risk Assessment

Ongoing risk assessment should include a review of the results of management’s monitoring efforts, including leading indicators, performance measures, quality control, and segregation of duties. Ongoing risk assessment continually identifies and assesses risks by using technology-based audit techniques to:

• Examine and analyze trends, comparisons, and outliers within a single process, as compared with its own past performance and against other processes or systems operating within the enterprise.
• Correlate and analyze outliers to show how well management is responding to risks and provide a forward-looking view on emerging risks.
• Highlight potential exposures for focus of audit scoping (periodic and real time).
• Detect outliers in business units, geographies, or processes that may be taking on increased risk or experiencing atypical rates of change.
• Highlight areas where controls are nonexistent or not performing adequately, prompting auditors to perform more thorough control assessments in specific areas.
• Manage business critical spreadsheets and other user-developed applications.²
• Predict or anticipate future risks.

Ongoing risk assessment results serve as inputs for the audit plan and ongoing control assessment activities.

Ongoing Control Assessment

An ongoing control assessment continually evaluates internal controls against a baseline condition and subsequent changes to control configurations, and considers the interrelationship of automated controls, IT general controls, and manual controls as illustrated in Figure 2. In each case, the auditor should look for unusual patterns or outliers. Ongoing control assessment enables CAEs to provide management with an early warning of control violations or deficiencies.

Figure 2: Ongoing Control Assessment
Define Control Objectives (Authorization, Completeness, Accuracy) → Business Process Control Objectives → Determine Key Controls → Evaluate Baseline Condition Controls (Still Active and Functioning) and Measure for Subsequent Changes.
Automated (Application) Controls: Changes, Security, Incidents, Outliers and Transactions.
IT General Controls: Operating System, Database, Network.

² For more information, see GTAG 14: Auditing User-developed Applications.
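The Figure 2 flow (key controls per layer, a baseline condition, then measurement of subsequent changes) as an added illustration in Python; this is not the GTAG's own tooling, and the control identifiers, field names and snapshot values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ControlState:
    """Observed state of one key control (field names are this example's own)."""
    layer: str         # "application", "itgc" or "manual"
    objective: str     # "authorization", "completeness" or "accuracy"
    active: bool       # control is still enabled
    functioning: bool  # latest evidence / self-test passed
    config: dict = field(default_factory=dict)  # settings the control depends on

def assess_controls(baseline: dict, current: dict) -> list:
    """Evaluate each key control against its baseline condition.
    Returns (control_id, layer, objective, issue, detail) tuples, one per
    deviation; an empty list means nothing has drifted since the baseline."""
    findings = []
    for cid, base in baseline.items():
        now = current.get(cid)
        if now is None:  # no evidence the control ran this period
            findings.append((cid, base.layer, base.objective, "missing", "not in current snapshot"))
            continue
        if base.active and not now.active:
            findings.append((cid, now.layer, now.objective, "inactive", "was active at baseline"))
        if base.functioning and not now.functioning:
            findings.append((cid, now.layer, now.objective, "not functioning", "evidence check failed"))
        for key in sorted(set(base.config) | set(now.config)):  # subsequent configuration changes
            if base.config.get(key) != now.config.get(key):
                findings.append((cid, now.layer, now.objective, "config changed",
                                 f"{key}: {base.config.get(key)!r} -> {now.config.get(key)!r}"))
    return findings

def early_warning(findings: list) -> dict:
    """Count issues per control layer so weakening interrelated controls stand out."""
    summary: dict = {}
    for _, layer, _, issue, _ in findings:
        layer_counts = summary.setdefault(layer, {})
        layer_counts[issue] = layer_counts.get(issue, 0) + 1
    return summary

# Constructed sample snapshots: a baseline and a later observation.
BASELINE = {
    "AP-3WAY": ControlState("application", "accuracy", True, True, {"tolerance_pct": 2}),
    "DB-PRIV": ControlState("itgc", "authorization", True, True, {"dba_accounts": 2, "audit_log": "on"}),
    "JE-REVIEW": ControlState("manual", "authorization", True, True, {"threshold": 10000}),
}
CURRENT = {
    "AP-3WAY": ControlState("application", "accuracy", False, True, {"tolerance_pct": 2}),
    "DB-PRIV": ControlState("itgc", "authorization", True, False, {"dba_accounts": 5, "audit_log": "off"}),
}  # JE-REVIEW absent: no evidence it was performed this period
```

Running `assess_controls(BASELINE, CURRENT)` yields one finding per deviation, and `early_warning` rolls them up by layer for the summary view the text describes.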