Formal Analysis of Segregation of Duties (SoD) in Accounting: A Computational Approach

This study examines a computational framework for segregation of duties (SoD) in the design as well as implementation of accounting systems. The framework consists of a model of workflows in accounting systems based on workflow graphs, a partial order model of roles performed by the actors in the accounting system, and a specification of SoD rules. We develop a set of algorithms for four SoD rules that can be used in the enforcement of SoD. For the SoD rule that precludes task type conflicts, our results show that while compliance verification can be carried out efficiently, finding an SoD compliant assignment of tasks is computationally intractable. For those situations, we present an integer linear programming (ILP) formulation for finding compliant assignments using public domain ILP solvers. For the remaining three SoD rules, we demonstrate efficient ways of testing compliance for a given assignment as well as finding compliant assignments.     

上市公司内部审计机构设置及履行职责情况研究

将内部审计机构作为内部控制监督机构是国际内部审计发展的趋势,通过对沪市上市公司2010年报中披露的有关公司内部审计机构设置、命名、职责定位、履职情况、隶属关系等信息进行描述性统计分析,发现沪市公司在机构设置、职责定位、隶属关系方面合规率较高,但存在机构名称多元化、实际履职与职责定位不吻合等问题,主要原因是我国内部审计法律基础薄弱、政策依据缺乏统一性和刚性、政策理念滞后等。基于此,提出了应从完善审计法规、统一内部审计模式等方面予以改进的政策性建议。     

Topical coverage in internal auditing: academic versus practitioner perceptions

This study reports the results of research that investigates whether a gap may exist between academic content and practitioner needs in the area of internal auditing within the USA. Questionnaires were sent to internal auditing faculty and practitioners to identify and quantify the perceived importance of 25 different internal auditing topics, as well as the use of case studies and practitioner classroom visits as pedagogical techniques. Groups were in substantial agreement on the relative importance of the topics. However, some specific topic differences were noted, with educators placing more importance on items including engagement planning, preliminary surveys, audit programmes, risk management and fraud. Practitioners placed more importance on the qualities desired in staff internal auditors, Certificate in International Auditing (CIA) examination preparation, and computer auditing. In addition, there was considerable agreement between the two groups on the use of case studies in the classroom, as well as classroom visits from practicing internal auditors.     

How can we explain internal auditing? The inadequacy of agency theory and a labor process alternative

This paper draws on labor process theory (LPT) to explain how capitalism creates conditions that give rise to a demand for internal auditing. Internal auditing developed from the metamorphosis of capitalism during the twentieth century, when capital gradually succeeded in institutionalizing structural control of labor processes to address the problem of control in inherently antagonistic capital-labor relationships. In this control context employees, management, and the board of directors are responsible for achieving the required rate of return on capital. With the premise that the literature has not adequately theorized the role of internal auditing in this context, this paper proposes an initial theorization of the role of internal auditing as a mechanism employed by management and the board of directors to control the labor process in the generation and realization of surplus value. Internal audit's assurance services to execute business activities according to management's conceptions, and its advisory services to enhance efficiency and effectiveness, are interpreted within the firm's overarching goal of maximizing the rate of return on capital employed. Future research agenda and methodological considerations are discussed.     

Rethinking IT governance: Designing a framework for mitigating risk and fostering internal control in a DevOps environment

An increasing amount of companies is transforming their IT departments towards cross-functional teams which are responsible for both development and operation of software and use automation to speed up their delivery process. This novel approach, which is commonly known as “DevOps”, promises many benefits such as increased speed and frequency of deployment. However, companies using DevOps are often struggling with demonstrating control of their software delivery processes to IT auditing parties, due to the decentralized decision-making structures and high degree of automation in DevOps teams. The research at hand presents a framework which aims to provide guidance to organizations in mitigating and governing risks in IT teams and departments that make use of the DevOps paradigm. We have adopted a design science research approach, building on a literature review and semi-structured interviews with seventeen employees from nine Dutch companies that are in different stages of their DevOps transition. The results suggest that two main factors which influence how departments design their DevOps environment are risk appetite and the DevOps maturity. We furthermore find that companies in practice often use a mixture of traditional, manual IT controls and the automated controls suggested in literature. Based on these insights, a situational control framework is designed which suggests suitable risk mitigation practices.     

内部控制框架的构建

内部控制的嬗变告诉我们 :保证会计信息的真实性是内部控制发展的主线 ,会计控制是企业内部控制的核心 ,内部控制目标随公司治理机制的完善呈多元化趋势。内部控制框架与公司治理机制的关系是内部管理监控系统与制度环境的关系。内部控制框架在公司制度安排中担任内部管理监控的角色 ,成为公司管理中不可缺少的部分。在内部控制框架的构建中 ,应采取双管齐下和分步走的战略。内部控制框架构建中应抓住的关键问题是 ,健全管理机构 ,厘清管理权责 ;确立董事会在内部控制框架构建中的核心地位 ;内部审计机构设置与科学定位 ;强化预算管理 ;建立具有操作性的道德规范与行为准则。     

Internal Audit Outsourcing: A Literature Synthesis and Future Directions

The internal audit function (IAF), which has traditionally been an in‐house function, is increasingly being outsourced to outside consultants, in line with global trends for other services. This study synthesises research on the outsourcing and co‐sourcing of internal audit services over the last three decades, and suggests directions for future research. It draws from professional and academic literature to highlight the nature of organisations that outsource the IAF, and the main reasons behind the outsourcing decision. The study further examines the financial impact of outsourcing, as well as its impact on financial reporting, internal audit quality and auditors’ independence. The study shows widespread adoption of outsourcing of internal auditing services, largely due to the perceived cost benefits as well as perceived improved access to specialised internal auditing resources. There are mixed findings on the impact of outsourcing of internal auditing services on quality, cost, independence and availability of resources. This study contributes to internal and external audit, corporate governance and outsourcing literature in general, by synthesising the existing research and providing a roadmap with which to understand the origins, development, present state and impact of outsourcing of internal auditing.     

信息技术条件下的内部控制规范:国际实践与启示

信息技术的发展和应用对内部控制产生了重大影响。本文全面研究了以美国、日本和有关非政府组织等为典型代表构建的内部控制规范对信息技术影响的考虑,认为我们可以根据我国企业信息化的发展现状和趋势,对于目前各类企业普遍实用的规范可充分借鉴各国现有规范的做法,在其中嵌入对信息技术的考虑,对于部分信息集成度已经很高的企业和有关业界(如审计)实务工作的需要,应充分借鉴有关非政府组织构建的IT内部控制模型,及时发布相关应用指南或专门研究报告,将来可以在它们的基础上发展出我国实用的信息技术条件下的内部控制模型,最后提出了值得进一步研究的问题。     

美国内部控制审计的制度变迁及其启示

我国目前正在抓紧制定内部控制审计准则。从世界范围看,美国内部控制审计的发展历史最久、最有代表性,值得我们借鉴。内部控制审计成为与财务报表审计并行的一种新审计业务,在美国的发展大体经历了三个阶段:财务报表审计中的内部控制评价阶段、财务报告内部控制审核阶段和财务报告内部控制审计阶段。本文回顾了美国内部控制审计制度变迁的历程及特点,并提出了我国在制定内部控制审计准则时需要注意解决好的七大问题。     

Machine learning-based automation of accounting services: An exploratory case study

Machine Learning (ML) applied to Robotic Process Automation (RPA) and chatbot interfaces can generate significant value for many business processes. However, these technologies generate the intended return only with a carefully planned deployment. Current literature only contains a small number of case studies about how the adoption of ML-based automation services impacts employees’ behavior. In particular, no case studies look into the automation of manual tasks related to accounting management. This article reports a study conducted to understand users’ perceptions of an ML-enabled service to automate repetitive management tasks. The service was developed in a partnership between Unisinos University and Dell Inc. The study was conducted with a group of ten highly skilled employees from Dell with expertise in accounting processes and with IT background that frequently would use the automation service. The group participated in a presentation about the service and its interface and voluntarily answered a Technology Acceptance Model (TAM) questionnaire to evaluate the usability and ease of use. Results show that 10 out of 10 users agree that the service was easy to use. Also, 8 of them agree that its output is useful to reduce the manual labor required for statutory reconciliation. Furthermore, employees with an accounting management background were given access to the service, and three voluntarily answered an open-ended survey. In summary, employees agree that an automation service can reduce the time required to conduct management tasks but questioned the long-term usefulness and the ability to incorporate the process’s particularities. These results provided insights leading to ten lessons related to user experience, training and awareness, and service development.     

审计质量保障的权利配置研究视角

现行审计质量问题是审计委托权配置失范的外部性表现.提高审计质量的有效措施是对现行会计流程控制权配置范式进行变迁,改变目前企业管理当局集会计政策选择权、会计人员聘任权及审计委托权于一身的状况,使会计信息供应脱离管理当局的直接控制而由财务报告委员会及其所属的独立会计机构全程负责,此时高质量审计服务成为信息生产者、信息使用者、企业管理当局及注册会计师的共同需求,审计质量有了保障.     

Auditing SAP R/3 – Control Risk Assessment

This paper provides an introduction to auditing in an SAP R/3 environment, focusing primarily on the assessment of control risk. A number of distinguishing characteristics of the SAP R/3 system that affect the audit are described. The application of a standard internal control framework to the assessment of application controls is illustrated. Two significant pervasive general control areas are examined - system development and program maintenance, and user access control. Relevant controls in these areas are discussed and methods for auditing these controls are outlined. Several opporhcnities for research in the auditing of SAP R/3 are proposed.     

论我国商业银行外部审计制度和模式的创新

西方商业银行外部审计主要由社会民间审计组织承担,其审计模式大致经历了账项基础审计、制度基础审计和风险导向审计三个发展阶段.目前我国商业银行审计正处于账项基础审计向制度基础审计和风险基础审计过渡的混合阶段.入世及国有商业银行即将改制上市等金融环境的变迁,要求创造公平、有序的市场竞争环境,并防范金融风险.因此,充分发挥商业银行审计的作用无疑迫切而重要.本文在借鉴西方商业银行审计制度和模式的基础上,分析了我国商业银行审计制度和模式的现状,并对其发展和创新进行了探讨,提出了修改商业银行法的有关条款及重新界定有关审计目标等意见和建议.     

The acceptance and adoption of continuous auditing by internal auditors: A micro analysis

The umbrella of “advanced technology” covers a range of techniques widely used in the U.S. to provide strategic advantage in a very competitive business environment. There is an enormous amount of information contained within current-generation information systems, some of which is processed on a real-time basis. More importantly, the same holds true for actual business transactions. Having accurate and reliable information is vital and advantageous to businesses, especially in the wake of the recent recession. Therefore, the need for ongoing, timely assurance of information utilizing continuous auditing (CA) and continuous control monitoring (CM) methodologies is becoming more apparent. To that end, we have conducted interviews with 22 internal audit managers and 16 internal audit staff members at 9 leading internal audit organizations to examine the status of technology adoption, to evaluate the development of continuous auditing, and to assess the use of continuous control monitoring. We found that several companies in our study were already involved in some form of continuous auditing or control monitoring while others are attempting to adopt more advanced audit technologies. We also made a large number of surprising observations on managerial, technology training and absorption, and other issues. According to our audit maturity model, all of the companies were classified between the “traditional audit” stage and the “emerging stage,” not having yet reached the “continuous audit” stage. This paper,¹ to our knowledge, is the first to study CA technology adoption in a micro level by an interview approach.     

The case for process mining in auditing: Sources of value added and areas of application

Process mining aims to extract knowledge from the event logs maintained by a company's ERP system. The objective of this paper is to make the case for why internal and external auditors should leverage the capabilities process mining offers to rethink how auditing is carried out. We do so by identifying the sources of value added of process mining when applied to auditing, which are as follows: 1. process mining analyzes the entire population of data and not just a sample; 2. critically that data consists of meta-data—data entered independently of the actions of auditee—and not just data entered by the auditee; 3. process mining allows the auditor to have a more effective way of implementing the audit risk model by providing effective ways of conducting the required walkthroughs of processes and conducting analytic procedures; 4. process mining allows the auditor to conduct analyses not possible with existing audit tools, such as discovering the ways in which business processes are actually being carried out in practice, and to identify social relationships between individuals. It is our argument that these sources of value have not been fully understood in the process mining literature, which has focused on developing it as a statistical methodology rather than on applying it to audit practice. Only when auditors and audit researchers appreciate what is new and unique about process mining will its acceptance in auditing practice become feasible.     

提升企业内部控制有效性的重要制度安排——关于实施企业内部控制注册会计师审计的有关问题

实施企业内控注册会计师审计具有十分重要的意义。在实施企业内控审计中,应当正确处理好企业内控责任与注册会计师审计责任的关系、企业内控自我评价与注册会计师内控审计的关系、内控审计和财务报表审计的关系、财务报告内控和非财务报告内控的关系、企业层面控制测试与业务层面控制测试的关系、重大缺陷披露与其他缺陷沟通的关系。同时,应当深入研究非财务报告内控测试的范围界定和方法技术问题、内控测试评价的样本选取问题、首次执行内控审计与连续实施内控审计的策略问题、内控审计报告的披露形式问题、内控审计信息系统的开发建设问题、内控审计结果的利用问题,推动内控审计扎实有序开展。     

计算机处理系统下的内部控制及其审计

企业的内部控制制度包括一般控制和业务控制两部分 ,一般控制包括组织和运用的控制、硬件软件的控制、过程、系统开发及人员、安全的控制等 ;业务控制包括数据输入、数据处理及数据输出的控制等内容。与此相适应 ,注册会计师的审计也要从一般控制系统和业务控制系统入手 ,注意了解企业内部控制制度的特点 ,评价其内部控制制度的健全性、合理性及有效性 ,在此基础上进行具体业务的审计。     

An exploratory study of the adoption,application and impacts of continuous auditing technologies in small businesses

Continuous auditing technology has been studied in various contexts, but mostly within large enterprises with their own integrated information systems and internal auditing functions. Although several vendors of continuous auditing technologies have reported implementations in small businesses, little is known about the use and impact of this technology in this type of organizations. This exploratory study considers the motivations for adopting a certain type of continuous auditing technology, as well as the applications and impacts of this technology in seven small businesses. The results indicate that the technology is usually implemented to increase resource efficiency, but is frequently perceived as a tool to fix data quality problems — rather than a strategically aligned technology. Implementation is not driven by an internal auditing department but by either an IT or finance department. Application of the technology is first and foremost transaction verification with process control applications emerging later. Main impacts include a change from corrective controls to preventive and detective controls; an increase in the perception of value created by the financial department; and an increase in management trust of data. The study also reveals potential negative impacts of this technology, such as alert immunization and loss of users' critical thinking.     

Outsourcing Internal Audit Services: An Empirical Study on Queensland Public-Sector Entities

A study of Queensland public-sector entities suggests outsourcing of internal audit services to be extensive (88%), with 51% of respondent agencies adopting co-sourcing and 37% of the agencies fully outsourcing. Results suggest that internal audit outsourcing is largely adopted for non-financial reasons such as lack of technological know-how and service quality rather than financial reasons. Deficiencies of current governance arrangements concerning internal audit outsourcing include (1) a lack of audit committee involvement in outsourcing processes, particularly in co-sourcing entities, and (2) inadequate segregation of duties whereby the same senior management is involved in key arrangements including selection, approval, negotiation and evaluation of contractual performance.     

美国内部控制审计制度及其对我国的启示

内部控制审计是提升企业内部控制有效性的重要制度安排。美国已建立起由SOX法案、SEC最终规则和PCAOB审计准则构成的内部控制审计制度体系,相关规定基本协调一致、相互配合。我国在充分借鉴美国经验的基础上,已于2010年4月初步确立了内部控制审计制度。我国内部控制审计制度演进的基本特征表现为：在注册会计师的保证程度上,从有限保证演变为合理保证;在审计范围上,从财务报告内部控制演变为广义的内部控制;在审计方法上,趋向于内部控制审计与财务报表审计的整合。