Mase Fundamentals of Continuous Auditing and Monitoring
All content following this page was uploaded by Florinel Sgardea on 07 April 2017.
Abstract: The new economic realities including the evolving regulatory environment, increased globalization,
market pressure to improve operations, and rapidly changing business conditions are pressuring organizations
to improve their methods of performing ongoing evaluation of internal controls by both internal audit and
management. Objectives of the generally accepted framework for testing and monitoring of internal controls,
the COSO Enterprise Risk Management Integrated Framework, encourage audit to approach their activities
from a business perspective and require organizations to quickly gain access to valuable information in order to
manage risk and improve performance ensuring the effectiveness of internal controls and a proper risk
mitigation. The paper presents the basic concepts of continuous auditing and monitoring in enterprise resource
planning systems by demonstrating the benefits of such IT investments following a compliance and
performance perspective, and explores technology usage in support of continuous auditing and monitoring.
Key-Words: continuous auditing, continuous monitoring, integrated IT solutions, ERP systems, risk
management, audit performance
ISBN: 978-960-474-293-6
Mathematics and Computers in Biology, Business and Acoustics
Objectives of the generally accepted framework for the testing and monitoring of internal controls, the COSO Enterprise Risk Management Integrated Framework, encourage audit to approach their activities from a business perspective and require organizations to quickly gain access to valuable information in order to manage risk and improve performance, ensuring the effectiveness of internal controls and proper risk mitigation.
According to The Institute of Internal Auditors, the concept of continuous auditing (CA) is connected to that of continuous monitoring (CM).
CA is a method used by auditors to perform audit-related activities on a continuous basis. Activities range from continuous control assessment to continuous risk assessment. Technology plays a key role in making it a viable option through automation.
CM of controls is a process that management puts in place to ensure its policies and procedures are adhered to, and that business processes are operating effectively. CM involves automated continuous testing of all transactions within a given business process area against a suite of control rules.
The expected benefits of a CA/CM software implementation targeting ERP systems mainly consist of an increased ability to mitigate business risks, reductions in the cost of assessing internal controls, increased confidence in financial results, improvements to financial operations, reductions in financial errors and potential fraud, and increased profitability.
2 Parallels and differences between concepts
Basic features for understanding the concepts of CA and CM, and the parallels and differences between them, are presented in Table 1 and Table 2.
Continuous auditing | Continuous monitoring
Collection of audit evidence and indicators by an internal auditor on information technology (IT) systems, processes, transactions, and controls. | Feedback mechanism used by management to ensure that controls operate as designed and transactions are processed as prescribed.
Provides organizations with greater audit coverage (100 % of the population). | Is the responsibility of management and can form an important component of the control structure.
Redesigns the traditional audit approach so it can become repeatable and sustainable. | Changes the traditional approach of management by having the process owners focus on business risk and performance monitoring.
Allows the internal audit team to automatically identify control breakdowns in real time (allowing action to be taken immediately) by keeping track of specific controls, transactions, and business events as they occur. | Gives management the ability to effectively monitor those areas most important to it, using either a risk or a performance lens.
Tends to raise the overall importance of internal audit within the organization. | Enhances the way internal controls are monitored, thereby improving risk management and business performance.
Table 1. Parallels and similarities between CA and CM features.
Continuous auditing | Continuous monitoring
Is directed at providing the internal audit department with better risk and control information. | Is clearly a management monitoring function.
Is focused on key controls, providing assurance at the audit objective level. | Allows for a more granular focus across all operational levels.
Table 2. Differences between CA and CM features.
3 Main objectives
The goal of a CA/CM software implementation is an array of automated evaluations performed through the use of automated tools and procedures, some on a real-time basis and others at a defined frequency based on performance cycle and risk, and either a point-in-time assessment or an assessment of all controls on a real-time basis. In achieving this goal the organization must integrate the existing ERP system with the monitoring capabilities of an enterprise risk management (ERM) program, from both a CA and a CM perspective. The ERM program ensures an efficient and effective control and activity design covering a range of financial, regulatory, fraud, and operational risks. The desired result is to coordinate
the efforts of internal audit with management to avoid duplication of effort and unproductive usage of resources.
The value of software solutions, as tools for CA and CM, is in their ability to translate a business rule into a configurable control and assess transactions' performance against expected results. When a configurable control or transaction does not conform to a predefined risk-based business rule pattern or trend, an alert in the form of a "red flag" can be automatically generated. A red flag could be an email notification to the business user and a supervisor, or a summary dashboard by control points, process area, and operating unit.
As shown above, the goals of CA and CM solutions are to bring greater transparency for continuous assurance and performance, and their success is dependent upon the effective use of technology tools. Either internal or external to the ERP platform, CA and CM solutions achieve their goals by 1) monitoring a system's global configuration settings, access controls, and rules that define the parameters of how an event or transaction can be initiated, processed, and recorded, 2) creating rules and tests run against the actual flow of transactions, identifying exceptions, anomalous patterns and trends, or other outliers that represent risk or are contrary to expected measures of performance such as key performance indicators (KPIs), and 3) providing evaluation of historical or emerging trends within risk and performance areas, allowing management to increase business performance.
4 Integrating CA and CM into ERP systems
Enterprise Resource Planning (ERP) integrates internal and external management information, facilitating horizontal and vertical integration of business processes across an organization via a synchronized suite of software applications (Hunton et al 2004). Most ERP systems incorporate industry best practices reflecting the vendor's interpretation of the most effective way or de-facto standards to perform each business process, thus easing compliance with international financial and audit requirements such as IFRS, Sarbanes-Oxley, or Basel II.
The overall success rate of a CA and CM implementation within an ERP system depends on many factors and can be represented by the following function, extending the one presented by Gray et al (2010):
= f(IS, IC, IP, RU, ET, RT)   (1)
where the left-hand side represents the success rate of a given CA/CM implementation, IS – type of implementation structure, IC – type of implementation connection, IP – type of implementation platform, RU – resource usage, ET – extraction timing, RT – review timing.
Either integrated or distributed, the CA/CM implementation structure closely mimics the structure of the ERP system being audited. If the ERP system has a monolithic structure, the CA/CM implementation is usually tightly integrated; if the ERP system consists of multiple loosely coupled applications, multiple CA/CM software agents forming a distributed system are needed to target each ERP application.
There are two types of connections to the underlying ERP data, direct and intermediated. A direct connection means direct access to one of the first two layers (from the bottom up) of an ERP system: the application layer or the database layer. This connection type is the fastest but comes with the penalty of having to implement the CA/CM solution within the same platform and programming language as the ERP system. In this case the CA/CM implementation can't be easily ported to other types of ERP systems.
If direct access is not feasible, the CA/CM implementation can use intermediated access. This can be achieved via remote-enabled ERP functions capable of being triggered from outside the system, or via authenticated web services. Remote-enabled ERP functions require that both the ERP system and the CA/CM implementation be present on the same network, usually behind a firewall. A good example of such functions is SAP BAPIs (Business Application Programming Interfaces), enabling remote access to SAP-defined functions.
When using authenticated web services for intermediated data access, whether or not the ERP system and the CA/CM implementation are present on the same network is irrelevant. Both can always use the HTTP GET, HTTP POST and SOAP protocols over an internet connection. A web service describes itself via a Web Services Description Language (WSDL) document in XML format. This document contains full information on how to query the web service and what kind of result format to expect. The XBRL global standard for exchanging business information between business systems is a natural choice when feeding ERP data into a CA/CM implementation via web services. Being based on the XML format, it is the preferred choice for transferring data when using web services, while its business-oriented XML structure meets the CA/CM data requirements.
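The rule-based controls and red-flag alerts described in section 3, together with the extraction timing and review timing factors defined later in section 4, as an added example in Python that is not part of the original paper. It parses a constructed XML feed (standing in for the result of an intermediated web-service call; plain XML with invented attribute names, not XBRL), evaluates every transaction against a small set of configurable controls, emits one red flag per failure stamped with the detection time, builds the per-control-point summary a dashboard would show, and computes both timing intervals for a flag. All identifiers, field names, thresholds, business hours and sample transactions are assumptions of this example.

```python
"""Minimal continuous-monitoring rule engine (added example, not the paper's code).

Constructed XML feed -> transactions -> configurable controls -> red flags,
plus the two timing intervals the paper names: extraction timing and review timing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample feed, shaped like what an intermediated web-service call
# might return. Attribute names are assumptions of this example (plain XML, not XBRL).
SAMPLE_FEED = """<transactions>
  <tx id="T1" type="payment" amount="4800" user="u.smith" approver="m.jones" posted="2017-04-03T09:15:00"/>
  <tx id="T2" type="payment" amount="12000" user="u.smith" approver="u.smith" posted="2017-04-03T09:20:00"/>
  <tx id="T3" type="payment" amount="60000" user="a.brown" approver="m.jones" posted="2017-04-03T23:45:00"/>
  <tx id="T4" type="vendor_change" amount="0" user="a.brown" approver="" posted="2017-04-04T08:05:00"/>
</transactions>"""

# Constructed timestamps: a daily (periodic) extraction run and a later human review.
RUN_TIME = datetime(2017, 4, 4, 9, 0, 0)
REVIEW_TIME = datetime(2017, 4, 4, 10, 30, 0)


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    tx_type: str
    amount: float
    user: str
    approver: str
    posted: datetime  # moment the event occurred in the ERP


@dataclass(frozen=True)
class RedFlag:
    tx_id: str
    control_id: str
    description: str
    detected_at: datetime  # moment the CA/CM layer recorded the exception


def parse_feed(xml_text: str) -> list[Transaction]:
    """Turn the XML feed into Transaction records (the data-extraction step)."""
    root = ET.fromstring(xml_text)
    return [
        Transaction(
            tx_id=el.get("id"),
            tx_type=el.get("type"),
            amount=float(el.get("amount", "0")),
            user=el.get("user", ""),
            approver=el.get("approver", ""),
            posted=datetime.fromisoformat(el.get("posted")),
        )
        for el in root.findall("tx")
    ]


# Business rules translated into configurable controls: control id -> (description,
# predicate that is True when the control FAILS). Thresholds and hours are assumptions.
APPROVAL_LIMIT = 50_000.0
BUSINESS_HOURS = range(7, 19)

CONTROLS = {
    "SOD-001": ("user approved own transaction",
                lambda tx: tx.approver != "" and tx.approver == tx.user),
    "AMT-001": ("payment exceeds approval limit",
                lambda tx: tx.tx_type == "payment" and tx.amount > APPROVAL_LIMIT),
    "TIME-001": ("posted outside business hours",
                 lambda tx: tx.posted.hour not in BUSINESS_HOURS),
    "CHG-001": ("master-data change without an approver",
                lambda tx: tx.tx_type == "vendor_change" and tx.approver == ""),
}


def evaluate(txs: list[Transaction], detected_at: datetime) -> list[RedFlag]:
    """Run every control over every transaction; one red flag per failure."""
    flags = []
    for tx in txs:
        for control_id, (description, failed) in CONTROLS.items():
            if failed(tx):
                flags.append(RedFlag(tx.tx_id, control_id, description, detected_at))
    return flags


def dashboard(flags: list[RedFlag]) -> dict[str, int]:
    """Red-flag count per control point, the view a supervisor dashboard shows."""
    counts = {}
    for flag in flags:
        counts[flag.control_id] = counts.get(flag.control_id, 0) + 1
    return counts


def extraction_timing(tx: Transaction, flag: RedFlag) -> timedelta:
    """Event occurrence -> recording by the CA/CM implementation."""
    return flag.detected_at - tx.posted


def review_timing(flag: RedFlag, reviewed_at: datetime) -> timedelta:
    """Recording by the CA/CM implementation -> review by a person."""
    return reviewed_at - flag.detected_at


if __name__ == "__main__":
    txs = parse_feed(SAMPLE_FEED)
    flags = evaluate(txs, RUN_TIME)
    for f in flags:
        print(f"RED FLAG {f.control_id} on {f.tx_id}: {f.description}")
    print("by control point:", dashboard(flags))
    by_id = {tx.tx_id: tx for tx in txs}
    print("extraction timing, first flag:", extraction_timing(by_id[flags[0].tx_id], flags[0]))
    print("review timing, first flag:", review_timing(flags[0], REVIEW_TIME))
```

Because the run is a once-a-day extraction, the first flag's extraction timing comes out at 23 h 40 min; moving the same engine to a real-time trigger (an EAM fed by the ERP's own events) would shrink that interval to near zero without changing any control definition, which is exactly the trade-off the paper's extraction timing factor captures.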
The CA/CM implementation can reside on the same platform as the ERP system or on a completely separate one. If the ERP system hosts the CA/CM implementation, the implementation is referred to as an embedded audit module (EAM). If the implementation is hosted on a separate platform, it is referred to as a monitoring and control layer (MCL). Being tightly coupled with the ERP system, EAMs are more vulnerable to manipulation compared to the more isolated MCLs, which offer better code protection (Alles et al). But they can also monitor the ERP more closely and be triggered by suspicious events, compared to MCLs, which can't query the ERP too often due to system usage constraints and may miss suspicious events (Alles et al). Also, MCLs rely little on the cooperation of the enterprise personnel. Regarding solution vendors, EAMs are usually provided by ERP vendors while MCLs are usually provided by third-party vendors and audit firms.
The resource usage factor combines mean and peak memory, disk space and CPU usage requirements. Depending on the CA/CM task currently processed (data transfers, single or multiple table lookups, various calculations) the usage requirements can vary significantly. The more robust the CA/CM implementation is, the faster it executes and reacts to suspicious events.
The interval between an event occurrence and its recording by the CA/CM implementation represents the extraction timing factor (Gray et al 2010). This can happen in real time, very frequently or periodically, with the corresponding continuous auditing and monitoring types.
The interval between the event recording and its review represents the review timing factor (Gray et al 2010). The sooner the company knows about the event, either through its employees or through external auditors, the sooner it can react by taking appropriate measures.
5 Conclusion
In light of today's challenges, companies must find new ways to respond effectively to the demands of a rapidly changing business environment and an increasingly complex regulatory environment focusing heavily on issues of risk, control and audit.
Implementing CA and CM will have a significant impact on how business decisions are made and monitored, by reconsidering the timing of reporting processes and changing the type, speed, and visibility of information on risk and performance. A CA and CM software implementation for an ERP system will preserve the completeness, accuracy, consistency, and reliability of data. It can reduce the overall cost of compliance by improving the efficiency of business processes and the audit function. It adds business value by generating better information to facilitate timely business decisions regarding risk and performance. The return on this investment is quickly realized through improvements to an organization's bottom-line results, based on the timely identification of increased risk, errors, and fraud, and the creation of a stronger internal control environment across the enterprise.
References:
[1] G. L. Gray, R. S. Hayes, The Dimensions for Identifying Potential Synergistic Combinations of Continuous Auditing and XBRL, American Accounting Association Annual Meeting and Conference on Teaching and Learning in Accounting, 2010.
[2] M. G. Alles, G. Brennan, A. Kogan, M. A. Vasarhelyi, Continuous Monitoring of Business Process Controls: A Pilot Implementation of a Continuous Auditing System at Siemens.
[3] J. E. Hunton, A. M. Wright, Are Financial Auditors Overconfident in Their Ability to Assess Risks Associated with Enterprise Resource Planning Systems? Journal of Information Systems, Vol. 18, No. 2, 2004, pp. 7-28.
[4] The Institute of Internal Auditors, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, A Summary of The IIA's Global Technology Audit Guide, IIA, 2005.
[5] KPMG, Advisory Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance, KPMG, 2009.