The Reality of Real-Time Auditing

Companies that blend process improvements, ongoing compliance, and real-time auditing processes are accomplishing more work more effectively and, with technology, are doing it more efficiently.

The Sarbanes-Oxley Act's requirement that auditors test key controls in financial systems makes the finance-IT relationship more important than ever before, but the push for real-time auditing is being driven by more than cost-cutting goals. EM&I analysts have found that leading companies are proving that investing in governance and process audits produces significant business value. Companies that blend process improvements, ongoing compliance, and real-time auditing processes are accomplishing more work more effectively and, with technology, are doing it more efficiently.

From Monitoring to Auditing

Of the phases of the ‘Plan-Do-Check-Act’ cycle, checking seems to be associated with the most controversy and confusion. Monitoring, reviewing, evaluating, assessing, and auditing functions span a range of checking alternatives from reactive to proactive and from non-invasive to controlling. The traditional annual external audit resides at the far end of the spectrum, while the near end is composed of companies that maintain a perpetual network of performance monitors and internal auditors.

Auditing is a systematic, independent, and documented process for obtaining audit evidence (i.e., records) and evaluating it objectively to determine the extent to which audit criteria (i.e., policies, requirements) are fulfilled. Real-time auditing covers a broad range of approaches to both internal and external audit that enable companies to stay on top of organizational controls. However, it’s critical to separate the management role from the auditing role.

Real-time monitoring is a mechanism by which corporate officers monitor the control and disclosure environment within the corporation on a continuous basis. Note that it is a management function – not an audit function. Executives must start preparing for real-time monitoring by identifying high-risk areas and then prioritizing business processes according to risk factors. Finally, organizations must institute a feedback mechanism (supported by technology) that provides management proper controls and adequate disclosures surrounding the process (e.g., identifying anomalies for follow-up).

Real-time auditing is an internal audit function of procedures that test both business processes and management's monitoring process to determine whether and how well management’s monitoring systems function. Caution: the management team must not become dependent on exceptions generated by auditors. If it does, the auditing process becomes an integral part of the management process, and this leads to conflicts of interest and control breakdown.

A recent survey of internal auditors reported by John Cummings in the September 2004 issue of Business Finance highlights remaining gaps in corporate controls. The vast majority of internal audit teams – 92% – see gaps in their organization's internal controls, according to a recent survey of 200 internal auditors conducted by Jefferson Wells International and the Institute of Internal Auditors (IIA) to gauge companies' progress in complying with Sarbanes-Oxley. Lack of documentation of process controls was the most frequently cited gap, mentioned by 34% of survey respondents. Formal review and approvals were identified by 23% as their problem area, and 19% cited segregation of duties. These results are disturbing because internal audit is clearly playing a central role in corporate compliance efforts while controversy and confusion exist surrounding the roles and work that must be done for compliance and improvements.

Engineering, Management & Integration, Inc. 455 Spring Park Place, Ste.350 Herndon, VA 20170 Tel: 703.742.0585 Fax: 703.742.8034 www.em-i.com

In August 2004 the Institute of Internal Auditors conducted an online survey of 76 internal audit executives from its membership that shows the emerging focus on real-time auditing within organizations. When asked, “What was the main motivation for implementing continuous auditing?” the respondents replied:

• 25.9% - Closer follow-up of key controls
• 22.6% - Need for quicker response to incidents
• 9.7% - Less resource-dependent audits
• 9.7% - More cost-effective audits
• 6.5% - Fulfillment of legal requirements
• 6.1% - Demand for more timely assurance
• 3.2% - Fulfillment of company policies and practices
• 6.5% - Other

Will continuous auditing help bring companies into compliance with regulations -- and can it do so more effectively and efficiently than alternative approaches to corporate governance? Early adopters of the "continuous" concept are finding positive results. Companies that implement auditing practices can identify accounting errors, risks, waste, etc. at their root before they create larger problems, and when auditing is done continuously they don’t need to wait until the end of the cycle to make corrections.

Rolling with the Audit – using tools

Currently, most continuous auditing and process improvement activities take place within a company rather than between the organization and its external auditors. It is not practical to conduct a full-blown traditional audit -- internal or external -- every month, or even every quarter. However, the traditional audit is undergoing fundamental changes. Managers are putting more emphasis on looking at the processes that generate the information rather than looking only at the outcomes. Preventive controls (i.e., policies and procedures designed to prevent an error or fraud such as approvals, segregation of duties, data edits) and detection controls (i.e., policies and procedures designed to detect and correct errors or fraud that might preclude process objectives) are being deployed. However, the type of controls may limit the evidence available to auditors. For example, a lack of preventive controls, such as edit or validation checks, on inputs before they are recorded significantly increases the risk of errors and places more of a burden on detection controls that may not be able to handle all of the combinations.

IT controls include the early warning systems being deployed. But general IT controls must ensure that changes to software programs are properly authorized, tested, and approved before they are implemented, and ensure that only authorized persons and software programs have access to the data – and then only to perform specifically designed functions.

By automating some of their scrutiny, internal and external auditors gain more time to focus on the business processes and controls that determine data accuracy and process outcomes. Tools are enabling internal auditors to identify abnormal items, errors and inefficiencies in finance and accounting processes that would have been difficult to unearth otherwise (e.g., identifying duplicate payments before they're made, as opposed to after the fact). Real-time auditing software also can boost efficiency by identifying the root causes of errors and supporting process changes.

Process Standards and Improvements

The International Organization for Standards (ISO) has well established and accepted standards for quality management and auditing guidelines to support organizational changes and process improvement (i.e., ISO 9001 – quality management, ISO 19011 – auditing guidelines).


ISO 9001 structures a process approach to quality that transforms customer requirements into customer satisfaction by targeting 1) management responsibility, 2) measurement, analysis, and improvement, 3) product realization, and 4) resource management. ISO 19011 structures the management of audits through a process of 1) identifying program authority, 2) establishing the audit program objectives, procedures, resources, 3) implementing the audit program (from schedules to maintaining records), and 4) monitoring and improving the audit program. Using standards, checklists and interviews, auditors are identifying critical gaps in organizational requirements:

• Are adequate resources being deployed on the most critical activities to meet timely completion of projects?
• Are testing plans based on the most effective set of controls?
• Is technology being applied wisely to make progress as efficient as possible, or is it slowing the project down?
• Have risks been properly communicated to senior management and steering committees?

The roles auditors are allowed to exercise and the auditing activities (e.g., outcomes inspections or process recommendations) are shaping the future characteristics of organizations. By identifying business scenarios - real or potential – managers are becoming better prepared to react more effectively when business changes occur.

Assessing the Benefits

CXOs and internal audit executives who have begun to blend compliance initiatives with real-time auditing technology are able to monitor more compliance areas with fewer resources. They are uncovering significant errors and efficiency-improvement opportunities simultaneously. More controls-based audit approaches will intensify audit activities, especially in the financial functions, and the drivers to create better financial systems will be cost reduction of regulatory compliance and increased reliability and availability of information.

Traditional audit methods have not kept pace with the ever-increasing speed and volume of corporate transactions. Although the development of a continuous link between companies and their external auditors remains immature, EM&I envisions a corporate environment in which authentication tags for people are extended to data tags that identify the reliability of the information according to an external auditor's assessment. Every software system might have an automated gatekeeper that scans the data accuracy tag of information entering or leaving it. This vision may not be far from reality. The Enhanced Business Reporting Consortium (www.ebrconsortium.org) has taken a step in that direction by developing a method for the electronic tagging of financial data using extensible business reporting language (XBRL).

Practical Next Steps

The main roadblock to implementation of real-time auditing has been a lack of adequate technology and the expense of such an implementation. Technology is less of a hurdle, and justification of expenses has been less problematic now that most companies have tallied their initial compliance costs. Now they're looking for ways to ensure that the controls continue to work effectively and efficiently. Some obstacles remain that prevent the most intense forms of real-time auditing: costs associated with establishing ongoing connectivity between external auditors and their clients, confidentiality concerns, and security concerns. “The perfect storm” is still developing between identifying business rules and operational processes and enabling accounting systems with effective analysis – while accessing data with enough detail from disparate systems.

A small group of companies have instituted real-time auditing and monitoring processes internally. An August survey of 76 members of The Institute of Internal Auditors (IIA) found that 84% have discussed real-time auditing techniques within their organization, but the percentage of companies that have actually implemented real-time auditing is most likely well under half of that percentage.

The following steps are critical to implementing real-time auditing:

1.0 Plan and scope the program
• Identify the business processes and stakeholders for initial implementation
• Determine documentation and testing strategies
• Get approval for goals, schedule, costs, and approach

2.0 Define the processes and business scenarios that will be monitored
• Collect factual data on significant scenarios and events
• Integrate, analyze, and utilize information from multiple sources

3.0 Specify the criteria with which the scenarios will be evaluated (e.g., a payment over $50,000 will generate an exception report)
• Redesign measurement systems

4.0 Build technology into the routine so that the outputs are generated on a regular basis (e.g., daily)
• Build an intelligence network and a corporate memory of lessons learned

5.0 Develop the processes and workflows that will govern how exceptions are addressed
• Conduct scenario planning
• Respond to exceptions proactively
• Establish proper incentives; reward early detection

6.0 Execute the program and evaluate effectiveness
• Management’s report on internal controls
• Independent auditor’s report on performance and management processes

Rather than hiring more auditors, organizations might elect to expand auditing technology with a more robust and continuous review and auditing process. This is an emerging trend that can pay high dividends to organizations in the form of controls on accounts payable, identification of lost charges, missed payments, fraud, waste, and rework.

While real-time auditing was intended to enable executive insight into regulatory compliance issues, it is becoming an oversight program of real-time risk management. It enables more than visibility into financial transactions; it enables visibility into business scenarios that spur innovations and improvements – not to mention reduction in liabilities and lawsuits. For the current and the foreseeable future compliance environment, fewer and fewer companies can afford to postpone this practice. The role of auditing must change to enable a handoff of this technology from auditor to manager and a rollout across the organization. Managers will gain a tool in their arsenal for managing their processes, and internal auditors expand their impact and influence by repeating the rollout process.
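Steps 3.0 through 5.0 above, as an added example (not code from EM&I or the original article): a small rule evaluator that applies the article's $50,000 criterion, plus duplicate-payment, approval and segregation-of-duties checks, to payments before they are released. The payment records, field names and rule names are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

THRESHOLD = Decimal("50000")  # the article's example criterion: a payment over $50,000

# Constructed sample of payments queued for release (not data from the article).
PENDING = [
    {"id": "P-1001", "vendor": "ACME", "invoice": "INV-77", "amount": "12500.00",
     "entered_by": "jlee", "approved_by": "mroy"},
    {"id": "P-1002", "vendor": "acme ", "invoice": "inv-77", "amount": "12500.00",
     "entered_by": "jlee", "approved_by": "mroy"},
    {"id": "P-1003", "vendor": "Globex", "invoice": "G-204", "amount": "50000.00",
     "entered_by": "jlee", "approved_by": "mroy"},
    {"id": "P-1004", "vendor": "Globex", "invoice": "G-205", "amount": "50000.01",
     "entered_by": "tkim", "approved_by": "tkim"},
    {"id": "P-1005", "vendor": "Initech", "invoice": "I-9", "amount": "310.40",
     "entered_by": "tkim", "approved_by": None},
]

def evaluate(payments, threshold=THRESHOLD):
    """Return {payment id: [rule names]} for every payment that raises an exception."""
    exceptions = defaultdict(list)
    seen = {}  # (vendor, invoice, amount) -> id of the first payment with that key
    for p in payments:
        amount = Decimal(p["amount"])  # Decimal avoids float rounding at the boundary
        if amount > threshold:
            exceptions[p["id"]].append("OVER_THRESHOLD")
        if not p["approved_by"]:
            exceptions[p["id"]].append("MISSING_APPROVAL")
        elif p["approved_by"] == p["entered_by"]:
            exceptions[p["id"]].append("SEGREGATION_OF_DUTIES")
        # Normalise case and whitespace so trivially re-keyed invoices still match.
        key = (p["vendor"].strip().upper(), p["invoice"].strip().upper(), amount)
        if key in seen:
            exceptions[p["id"]].append(f"DUPLICATE_OF:{seen[key]}")
        else:
            seen[key] = p["id"]
    return dict(exceptions)

def exception_report(payments):
    """Render the periodic exception report, one line per flagged payment."""
    return [f"{pid}: {', '.join(rules)}"
            for pid, rules in sorted(evaluate(payments).items())]

if __name__ == "__main__":
    print("\n".join(exception_report(PENDING)))
```

Run on a schedule (step 4.0), the report lines feed the exception workflow of step 5.0; a payment of exactly $50,000 is not flagged because the criterion is "over".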

About the Author: Dr. Donn Di Nunno, CCP, CDP, is an expert in metrics for software process and product improvement with over 29 years in software engineering. Mr. Di Nunno’s areas of specialization include: IT Metrics & Measurement, Quality Management and Process Improvement, Data Analysis, Systems Re-engineering, Design Recovery and IT Portfolio Management. Donn joined EM&I as a Chief Engineer in 2002. From 1997, he worked at META Group as a Program Director and Sr. Research Analyst in performance measurement. He was also a Sr. Consultant with Computer Sciences Corporation’s (CSC) Center for I/S Asset Management. He examined, integrated, and deployed emerging technologies for improving productivity and quality in legacy system environments. He established the quality assurance department and was the QA Manager for CSC’s contract on the National Flood Insurance Program in 1986.

About EM&I: Engineering, Management & Integration (EM&I) Incorporated is a client-focused management-consulting firm bridging the gap between business and technology. Our teams of highly skilled specialists provide clients engaged in technology-intensive business situations with solutions geared to reduce risks and ensure successful results. In an ever-changing business environment, we support our client agencies in four key areas: Strategy, Architecture, Business Solutions, & Governance. Please visit http://www.em-i.com for more information.

Contact EM&I: If you are interested in hearing more about EM&I's services to the government and private sector or would like to discuss potential teaming arrangements, please contact Dr. Malcolm Slovin at 703.742.0585.

© 2005 Engineering, Management & Integration, Inc. – All Rights Reserved.
