Internal Auditing: The 24/7 Approach

For Harrah's Entertainment, an effort to fully automate the internal auditing process begun early last year could not have been timed more fortunately.

That's because the casino industry — already subject to stiff compliance demands from state authorities and the payment-card industry — saw its bar raised further at the beginning of this year by new reporting requirements, mostly involving system security, from the Nevada Gaming Commission.

At Harrah's, the heavier compliance crush is eased considerably by its ongoing project to achieve "continuous auditing." Definitions for that term vary widely; the Institute of Internal Auditors, for one, calls it "any method used by auditors to perform audit-related activities on a more continuous or continual basis." Increasingly, though, individual practitioners see the cutting edge as auditing 100% of data relating to transactions, processes, policies, or whatever else is to be audited, rather than reviewing small samplings at longer intervals, as many organizations still do.

Achieving that level of scrutiny generally is accomplished by writing data-analytic scripts for each area to be audited, then integrating them with any database and reporting systems used internally and with off-the-shelf auditing software programs like ACL, Idea, and Microsoft Access.

The integration work was a big undertaking for Harrah's, which has 40-plus properties, including 13 in Nevada. Each property has three key systems that run its slot machines, table games, and sports-book service, and there are also food-and-beverage, ATM, and in some cases hotel management systems. "We're talking about a lot of systems in a casino," says Cheryl Kondra, chief audit executive for Harrah's.

A lot of employees, too, which is a crucial factor. That's because monitoring workers' access to systems is one of the most important tasks for Kondra's department. Casinos are required to review the access listings each quarter to determine that, for instance, only active employees are listed and that everyone has the appropriate level of access. At Caesars Palace alone there are 5,200 employees, about 2,000 of whom have access to the key gaming systems.

"It was a massive, very manual process to print a report and compare it to an HR listing of employees," says Kondra. "Automating that, and monitoring it continuously instead of waiting until the end of the quarter, makes the audit a lot easier, and we don't find as many exceptions."

System access is so important because of the potential for employee fraud. "It's not just the access to cash," she notes. "You have to have adequate access to systems to get everything to balance so the fraud does not pop out."

For Harrah's, a big benefit of the move to automated monitoring is that it allows the 86 auditors who work at the casinos to spend more time on the gaming floor doing surveillance — another way to catch employee fraud. "I'd rather see them on the floor because that's where the action is, not at their desks buried in paperwork," Kondra says.

Provincial Prudence
For the Office of the Comptroller General of the British Columbia Ministry of Finance in Canada, the 2008 launch of a move to continuously audit 100% of transactions put it well ahead of most governments and other non-profit organizations, for which less-automated processes are still commonplace.

"We've had a lot of interest in what we're doing, from the Florida governor's office to some non-profits in the States, because we're using technology to move forward," says Shyrl Kennedy, executive director of the office since 2001.

That was the year a consultant analyzed the ministry's accounts-payable processes and determined that finance staff spent 77% of their time on processing transactions, 20% more than an efficient company might spend. Before a payment was made, it had to be determined whether the person issuing the payment had the proper spending authority, whether the account coding was right, and whether the goods had actually been received, among other requirements. "It was a very cumbersome process," says Kennedy.

The consultant recommended that instead of auditing 100% of transactions before payment, only a sampling of payments be reviewed post-transaction. The project started small, focused just on travel expenses. In 2004, it was expanded broadly across all government ministries, and savings of about $20 million per year in efficiencies and overpayments have been identified since then.

But with just statistical data samplings being audited, savings were still falling through the cracks. "We were really just hoping to find things, so we could know whether there was a business process or policy that needed to be cleaned up," Kennedy says.

Through extensive use of ACL software, her office last year began to continuously monitor payments made with purchasing cards. While using purchase cards can bring big administrative savings, she notes, there is also significant risk involved, because most purchases are small-dollar items that don't stand out, and many people in the government have access to cards that they could use for unauthorized purchases.

The continuous-auditing system has produced "incredible" efficiencies in identifying inappropriate purchases and people without authority to use cards, Kennedy notes. Now she is gearing up to tackle the rest of the government's spending, related to invoices, contracts, and grants.

The time it takes to roll out such a system is surprisingly short. With the purchase-card module, Kennedy says, developing business requirements and data analytics, having ACL integrate them into its program, and creating business processes for implementing the system took about three months.

Tracking What Counts Most
Last fall, Siemens Financial Services Inc., the U.S. arm of the global financial services firm, was just starting to institute continuous auditing, rather than performing tests every one to three years (depending on the risk level of the thing being audited).

But Jason Gross, who was running the internal audit department, found that he could not go as far as he liked in designing controls for the processes being audited. That was because of the expectation by the audit committee of parent company Siemens AG that auditors be arms-length from the activities they're reviewing as well independent from management. If he were to design audit controls, he would then be participating in the management of the company rather than simply using existing controls to perform an audit. That would go beyond the proper purview of internal audit, as viewed by the Siemens AG audit committee. 

So in October the company formed a new department alongside internal audit, called controls management, with Gross in charge as vice president. He created a continuous-controls-monitoring system, which runs every night and uses many of the same elements he'd been working on for continuous auditing.

The difference between internal auditing and controls management, Gross notes, is in the level of granularity. "We're down at the data level, looking transaction by transaction, where typically an audit, depending on its objective, might just review a process and not get as deep into the data details," he says.

But it's the primary focus of the effort that draws interest. "I think we stand out a little bit, because a lot of the buzz you hear about continuous monitoring relates to generic processes such as travel and entertainment and purchase to pay," Gross tells CFO.com. "But we're monitoring our financial services business by developing the program from the ground up, because there was no package we could go out and buy to do that."

What's being monitored, essentially, is "everything that determines the value of a financial asset," says Gross's boss, Matthias Grossmann, CFO of the U.S. financial services unit, which provides financing for healthcare, energy, and industrial companies and manages $6 billion to $7 billion in assets. "Number one, of course, is information on your obligors. Is the entity migrating to different risk classes? Is there the normal underlying collateral? Do any inconsistencies show up?"

The decision to launch the controls-management department and put the focus on continuously monitoring the financial services operation was an easy one, Grossmann notes. "When we did audits using these techniques, we always found something," he says. "So we thought we could use them in our daily business, using technology we already had that was coming from a different angle. So far it looks good, and I hope we can expand it."

Gross says that, in fact, continuously monitoring controls not only can detect problems but can do so before they've happened. When the company is preparing a new lease financing contract, for example, all elements relating to the transaction and borrower are loaded into the system before the contract is finalized, which can turn up "data mismatches," he notes.

Article by David McCann