Slide 1MotivationBackgroundCorporate FraudIncreased Laws & RegsPCAOB Audit Standard 5Technology and the AccountantTone at the TopInternal ControlsTraditional Audit ApproachSlide 11Traditional Audit Approach Ineffective for FraudSolutionContinuous Audit DefinedForensic AccountingSlide 16Embedded Audit ModulesEmbedded Audit Module (Cont)Slide 19Exception HandlingSlide 21Slide 22Irrational RatiosIrrational Ratios (cont.)Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32PCAOB Audit Standard 2CAAT’SSlide 35CAATs FunctionalitySlide 37Slide 38Refinement of Audit TestsQuestions?Developing a Forensic Continuous Audit ModelGrover S. Kearns, PhD, CPA, CFEUniversity of South Florida St. Petersburg1MotivationOrganizations are under pressure to proactively recognize and react to potential fraud in a comprehensive and cost-efficient manner.2BackgroundExcesses of past two decades and increase in financial statement fraud.Increased laws and regulation.Need to improve ‘tone at the top.’Inability to provide results using traditional audit approaches.Increasing costs of IT security and forensic methods.3Corporate Fraud4Increased Laws & RegsSarbanes Oxley Act of 2002 (SOX)Sec 404 – system of internal controlsSec 409 – acceleration of SEC filingsPCAOB Statements SAS 99COSO & COBIT FrameworksThese have led to increased costs, increased pressures on management and on auditors.5PCAOB Audit Standard 5“An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements.”Increases reliance on internal audit departments as evidence external auditors can use in order to reduce duplication of efforts and lower audit costs. Continuous auditing tools are capable of monitoring internal controls for SOX compliance reporting. 6Technology and the AccountantSOX and SAS 99 encourage management and external auditors to employ technological approaches and embedded audit modules to audit financial transactions and internal controls. SOX Section 409 accelerates the SEC filings for Form 10-Q and annual report Form 10-K. The FTC’s red flag rules, effective December 31, 2010 for financial institutions and certain other firms under FTC jurisdiction including CPA firms, require companies to check for and report specific violations. 7Tone at the TopExecutive management sets tone.Organizational tone is most important to internal control.Committee of Sponsoring Organizations (COSO)Control Objectives for IT (COBIT)Lack of ‘tone’ can imply lack of controls8Internal ControlsPCAOB Auditing Statement 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, states that it is management’s responsibility to design and implement a program of controls to prevent, detect and deter fraud.9Traditional Audit ApproachTests of transactions when limited to small sample sets may not be representative and cannot be expected to detect a large percent of errors or fraudulent activities. Given the increased transaction processing for most firms and increased regulatory pressures, the traditional approaches appear inadequate and require increased substantive testing.10Q. Why did the Auditor cross the road?A. Because according to the Audit File, that’s what he did 3 years ago!11Traditional Audit Approach Ineffective for FraudInternal and external audits combined only responsible for uncovering 19% of fraud.ACFE 2010 Report to the Nations Audits are isolated events that examine a small part of all transactionsAuditors lack technical skills12SolutionUse forensics in a proactive manner to continuously and methodically examine a significant number of transactions in a cost-efficient manner in order to flag incidents of error, misuse, and fraud.To do so we use a modified continuous forensics auditing approach.13Continuous Audit Defined“A continuous audit is a methodology that enables independent auditors to provide written assurance on a subject matter, for which an entity’s management is responsible, using a series of auditors’ reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.” CICA/AICPA Research Study on Continuous Auditing, 1999.14Forensic AccountingForensic accounting offers the highest level of assurance, is suitable for legal review, and arrives at conclusions in a scientific fashion. (Crumbley)As a result of new regulatory requirements for compliance and emphasis on IT governance, auditors with forensic IT skills have been in increased demand. (Hoffman, 2004) 15Judicious application of the cost/benefit rule based upon the likelihood and severity of the risk. Performing analytical procedures on a routine basis reduces cost of external auditors and time on-site. 16Forensic Continuous Audit TimingEmbedded Audit ModulesEAMs depends upon audit specific software that resides in the targeted application (Alles, 2002).EAM allows auditors to determine which transactions are to be tested and at what frequency. Results are collected and reported real-time. (Groomer and Murthy, 1989). Companies often do not activate the EAM because of the significant resource requirements which can slow overall processing dramatically (Kuhn and Sutton, 2010; Debreceny et al., 2005). 17Embedded Audit Module (Cont)As the selected transaction is being processed by the host application, a copy of the transaction is stored in an audit file for subsequent review.The EAM approach allows selected transactions to be captured throughout the audit period, or at any time during the period, thus significantly reducing the amount of work the auditor must do to identify significant transactions for substantive testing.18Target Application Ghosted Application Production ServerAudit ServerFraud Audit TestsFraud Audit Application(Embedded Audit Module)BusinessTransactionsControl ReportsAlarmsSelectedTransactionsException Handling Refinements & ModificationsManagement Audit Committee Internal Auditors External AuditorsContinuous Fraud Auditing System 19Exception HandlingCA performs a large number of tests over a much higher percentage of transactions and can reduce reliance upon analytical procedures (Alles et al., 2008). It will also result in a large number of selected transactions that have failed the audit tests.Exception handling of