Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens
Article code | Publication year | Number of pages in the English article |
---|---|---|
484 | 2006 | 25-page PDF |
Publisher : Elsevier - Science Direct
Journal : International Journal of Accounting Information Systems, Volume 7, Issue 2, June 2006, Pages 137–161
English abstract
In this paper we report on the approach we have developed and the lessons we have learned in an implementation of the monitoring and control layer for continuous monitoring of business process controls (CMBPC) in the US internal IT audit department of Siemens Corporation. The architecture developed by us implements a completely independent CMBPC system running on top of Siemens’ own enterprise information system which has read-only interaction with the application tier of the enterprise system. Among our key conclusions is that “formalizability” of audit procedures and audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to closely follow the existing and approved internal audit program, a certain level of reengineering of audit processes is inevitable due to the necessity to separate formalizable and non-formalizable parts of the program. Our study identifies the management of audit alarms and the prevention of the alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to solving these problems utilizing the hierarchical structure of alarms and the role-based approach to assigning alarm destinations. We also discuss the content of the audit trail of CMBPC.
English introduction
The experience with the evolution of new technologies and business processes suggests that CA will initially be used to do no more than automate existing audit procedures, and thereby take full advantage of the capabilities that it has in the new ERP based environment…. [The] second stage of its evolution [will be reached] when audit processes are reengineered to exploit the underlying technological capabilities to the fullest…. However, to reach that stage will require more than technology implementation. For one thing, it will necessitate auditors actually examining their processes to see if they are susceptible to process mapping and reengineering…. At the same time, continuous analytic monitoring will intrude into the internal control arena, especially since it is built on the firm’s own ERP systems…. While the theoretical work in CA has made progress, the field has been hindered by the lack of a proper set of experimental and empirical research.
From Vasarhelyi et al. (2004), pp. 19–20.
Providing assurance in the modern business environment requires a thorough understanding of the ongoing changes in the way businesses organize their activities. A critical insight of the last two decades consists in deconstructing a business into its underlying business processes. A business process (BP) is “a set of logically related tasks performed to achieve a defined business outcome,” see Davenport and Short (1990). While businesses always faced the task of measuring and monitoring their activities, paper-based information technology (in the form of accounting journals and ledgers) had to rely on pre-filtered and aggregated measures which were typically recorded after a significant time lag.
Modern information technology (IT) utilizes converging computer and networking tools to capture BP information at its source and in unfiltered and disaggregated form, which makes it possible to measure and monitor business processes at an unprecedented level of detail on a real-time basis. Continuous auditing (CA) is defined as “a methodology for issuing audit reports simultaneously with, or a short period of time after, the occurrence of the relevant events” (CICA/AICPA, 1999). CA methodology can utilize the IT capability to capture transactional and process data at the source and in disaggregated and unfiltered form to achieve more efficient, effective and timely audits. An important subset of continuous auditing is the continuous monitoring of business process controls (CMBPC), a task made particularly significant by the passage of Section 404 of the Sarbanes/Oxley Act that requires both managers and auditors to verify controls over the firm’s financial reporting processes. The managers’ responsibilities are clearly going to be largely based on the work undertaken by the firm’s internal audit department. Kogan et al. (1999) discussed the problem of finding a trade-off in the CA implementation between control-oriented and data-oriented CA procedures. There are numerous enterprise environments where process controls are either not automated or their settings are not readily accessible. In such environments, which rely on loosely-coupled legacy data processing systems, automated audit procedures of CA have to be mostly data-oriented (i.e., automated tests of details and analytical procedures), while control testing will involve significant “manual” work. The tremendous scale and scope of implementations of enterprise resource planning (ERP) systems since the early nineties has resulted in many companies approaching the state in which their most important BPs are highly automated and fully integrated.
This environment of highly automated and tightly-coupled BPs (implemented in integrated enterprise systems) enables the deployment of CA procedures based on continuous monitoring of BP control settings. Vasarhelyi et al. (2004) laid out a series of hypotheses for the implementation of Continuous Audit Systems in such circumstances. They argued that CA would be built on an existing ERP system, implying that it is companies that have already reached full functionality with such systems who would be the first to turn to implementing a CA system as an overlay on their ERP infrastructure. Further, building on the experience with the implementation of ERP systems, as well as the evolutionary path of technology in general, they argued that CA would predictably follow the path of first automating existing manual audit procedures. Once a comfort level with that is reached, the implementers would seek to unleash the true productivity benefits of CA by reengineering audit procedures to facilitate continuous auditing, rather than simply taking those procedures as given and making them automatic. This paper presents a pilot implementation of CMBPC as a proof of concept in the US internal IT audit department of Siemens Corporation, one of the world’s largest transnational companies. It provides an important test bed, using real world audit programs and practicing internal auditors to examine the challenges, constraints and opportunities that face a CA implementation, and the extent to which it fits the implementation model laid out by Vasarhelyi et al. (2004). CA has moved from being an academic concept to a state in which CA software is being developed and offered by private industry. If CA is indeed to be the future of auditing, as has long been predicted, then the next step is its implementation for the day to day use of practitioners as opposed to pilot projects led by academics.
It is this evolution that this paper examines, deriving important takeaways for the process of implementing CA, both its technological and behavioral aspects. As Alles et al. (2002) pointed out, the main constraint on CA is not the supply of technology, but the demand for it, and by extension, the human and economic forces that shape its implementation. Insights into those can only be obtained as a result of actual implementations such as the one reported on in this paper. In the next section we begin with a description of the pilot site and the forces that shaped our approach. Section 3 provides the conceptual basis for the implementation of continuous monitoring of business process controls, with a detailed description of the pilot implementation following in Section 4. The remainder of the paper examines the lessons learnt from the pilot. Section 5 examines the key issue of the difference between automation of pre-existing audit procedures and their reengineering to exploit the full power of CMBPC. One of the major takeaways from the pilot is that formalizing manual audit procedures to facilitate automation is much more difficult than might have been anticipated, but at the same time, business considerations constrain the ability for clean slate reengineering. Section 6 considers another important lesson, the need to carefully manage audit alarms, to balance type I and II errors, while Section 7 discusses the need for an audit trail for the CA system. Section 8 examines the options in the change management process for moving from the pilot to an industrial strength software application. Section 9 offers concluding comments.
English conclusion
In this paper we report on the approach we have developed and the lessons we have learned in an implementation of the monitoring and control layer for continuous monitoring of business process controls in the US internal IT audit department of the Siemens Corporation’s US operations. The architecture designed and developed by us within a real world audit application implements a completely independent CMBPC system running on top of its own relational database which has read-only interaction with the application tier of the enterprise information system. Among our key conclusions is that “formalizability” of audit procedures and audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to closely follow the existing and approved traditional internal audit program, a certain level of reengineering of audit processes is inevitable due to the necessity to separate formalizable and non-formalizable parts of the program. Our study identifies the management of audit alarms and the prevention of the alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to solving these problems utilizing the hierarchical structure of alarms and the role-based approach to assigning alarm destinations. We also discuss the content of the audit trail of CMBPC. Our final conclusion from our pilot implementation is that the technology needed to implement CMBPC is already available, the laws and standards are (mostly) in place, and the time for initial wide-scale implementations is now. Only diverse practical experience will provide the facts necessary for identifying trade-offs between effectiveness, efficiency and timeliness of audit procedures and determining how to make CMBPC implementations worthwhile.