Stepping into continuous audit: a health-care audit shop shares its strategy for making real-time auditing a success

Internal Auditor, April, 2004 by Lee Nelson

IN LIGHT OF INCREASED attention to fraud and corporate governance issues, many internal auditors are looking for ways to reduce companywide risk and expand audit coverage. Continuous auditing (CA) provides auditors with an effective means of meeting these challenges by facilitating rapid, timely analysis of critical transactions.

CA technology enables auditors to perform automated audit testing across the enterprise on a regular, real-time basis and report findings directly to management electronically. Ideally, management then addresses identified issues, thereby reducing risk without the need for a formal audit, or even a physical visit to the site.

At HCA Inc., a health-care company that owns and manages more than 190 hospitals across the United States and Europe, both management and the audit department had a keen interest in expanding audit coverage. Some of our facilities were audited only on a three- or four-year rotation, leaving substantial gaps between engagements during which issues could go undetected. We reasoned that if routine audit tests could be executed "continuously," we could close these gaps and allow audit staff to focus more time on in-depth analysis.

Approximately two years ago, internal audit management assembled a small team to devise and implement plans to make CA technology a part of everyday business. The team identified seven essential steps to creating an effective CA environment: determine the types of tests to be performed, select the testing method, identify testing criteria, automate tests, communicate test results, receive feedback, and track the progress of CA efforts. By addressing each of these areas, we've been able to successfully deploy real-time auditing at HCA and improve our coverage of companywide risks.

DETERMINE TYPES OF TESTS TO BE PERFORMED

HCA's audit team determined that CA tests fell into two main categories. The first category, direct reporting, consists of tests in which identified issues are reported directly to the client. These strictly exception-based tests identify issues that represent a clear violation of a standard--such as when a sub-ledger account balance does not agree to the month-end balance on the general ledger. Because there is no "gray area" associated with these types of tests, we chose to perform them exclusively via real-time CA. Reports run on a fixed schedule across the enterprise, and any exceptions are distributed to management.

Indirect reporting, the second CA testing category, produces exceptions that require manual follow-up to determine whether or not an issue actually exists. For example, if testing reveals that an entity possesses assets yet does not show any earnings, internal auditing would need to investigate further to determine whether there is a legitimate business reason for this condition. Although reporting exceptions are generated automatically through the CA process, human judgment is often required to complete the analysis.

SELECT TESTING METHOD

The HCA audit team considered several testing methods for the CA process. One approach we examined involved embedding audit modules in existing systems, enabling auditors to identify and report suspicious transactions from within those systems as exceptions occur. However, the team reasoned that if a system has the ability to monitor and report suspicious transactions, it should have controls in place to prevent those types of transactions from occurring in the first place. Plus, implementing this type of module into new systems--or retrofitting the module into existing or legacy systems--often represents a low priority for information technology departments.

We also considered trending key financial indicators and flagging any anomalies for research purposes. Because HCA's facility operators routinely monitor their own key indicators and trends, however, this exercise would have been redundant. Furthermore, investigating the root cause of an issue using this method would likely have required extensive audit resources, making the CA initiative counterproductive.

After extensive research, we determined that the best approach was to monitor transactions, master-file changes, and account balances using audit-developed software to analyze files extracted from the source system. For example, we designed a suite of tests to examine all month-end journal entries to highlight cases of potential earnings management. The system automatically identifies questionable transactions and reports them to internal auditing, as well as the appropriate business owner, for follow-up.

IDENTIFY TESTING CRITERIA

Potential CA tests must meet two main criteria before HCA will deploy them. First, a test must be able to fulfill a defined audit objective. For example, our goal may be to identify employees who are manipulating earnings by posting manual journal entries to the general ledger for accounts receivable. We could easily run testing on a continuous basis to pinpoint this type of activity by comparing the month-end accounts receivable sub-ledger balance to the general ledger balance.