July 2002
Would Continuous Auditing Have Prevented the Enron Mess?
By Miklos A. Vasarhelyi, Alexander Kogan, and Michael G. Alles
While many believe that a well-performed traditional audit could have detected many of Enron’s operational problems, a well-performed continuous audit would have brought them to light much sooner. A continuous audit would have provided an assurance of processes that are not necessarily part of the eventual financial report; an assurance focus that is closer to secondary supervision than after-the-fact archival review; and an audit technology that relies more heavily on analysis across different processes and risk attributes.
Continuous auditing produces audit results simultaneous with relevant events. In addition, it uses online information technology to provide many different forms of assurance. One particularly useful form expands the traditional financial audit and makes it more sensitive to extraordinary transactions, such as those at the crux of the Enron case.
In a continuous audit, software continuously monitors transactions and compares their characteristics to expected results. Any significant discrepancies trigger alarms that the company’s operational managers, auditors, and top management cannot ignore. These alarms extend the nature and scope of the assurance process, bringing it closer to operations.
Enron’s transactions with its special purpose entities were abnormal in nature and detectable as such. For example, many of the ratios of Enron’s subentities would not have been consistent with their competitors and would have triggered an investigation. Also, an end-to-end flow analysis and monitoring of Enron’s component value additions would not have reconciled, triggering audit procedures to look for nondisclosed entities.
Continuous assurance depends on continuous flows of transaction data and analysis. A fully deployed assurance system would overlay a continuous measurement system. Most large U.S. corporations already use continuous internal reporting for critical variables such as cash, payables, inventory, and production.
In many ways, continuous assurance can deal with independence issues better than the traditional audit model. Objectivity and independence require environmental standards and controls, in both traditional and continuous audit environments. Although the potential for corrupt managers, economically interested assurors, and other breaches of objectivity will always remain, continuous assurance methodologies can identify these events, allow for multiparty process monitoring, and illuminate data inconsistencies that arise in bad or corrupt business models.
The traditional U.S. regulatory model is rather anachronistic. Companies, audit firms, and the government would benefit from monitoring flows and analyses that create a more comprehensive basis for checks and balances. For example, the Italian bank BIPOP Carire has used online technology to continuously update reports of its financial health to Italian authorities.
A continuous audit model could conceivably permit companies to provide summary continuous reports along a wide range of flow-related variables to the government or other supervisory authorities and to monitor key processes. This would position the government as one of the stakeholders of financial reporting in ways that are tailored to our markets’ supervisory, legal, and statutory needs.
While there is the illusion that one set of disclosures should satisfy external reporting needs, the modern corporation has many stakeholders with different needs and objectives. These stakeholders could obtain separate information structures and specific online assurances that would pay for themselves in the form of reduced risk. For example, real-time covenant monitoring would decrease banking risks.
We believe that a continuous assurance process would have detected the unreported related-party partnerships that plagued Enron. The data flows and models that would question (and require justification for) the large nonrepetitive data and resource flows between a corporation and its partnerships would have signaled a level of control that could not have been ignored. Conceivably, a reporting system that forwards such anomalies to supervisory authorities would deter some problems. Validity tests for the continuous audit environment could address related-party transactions, overlapping management, double dipping, conflicts of interest, and insider trading.
The laws, standards, and practices that currently determine business entity measurement and assurance were developed long ago for substantially different types of business entities, control environments, and data-processing capabilities. Although legislation mandating compliance and monitoring would be expensive, the threshold for error is much narrower today. Tighter regulation can be devised and implemented, but whether such steps will be taken depends upon society’s need for real-time monitoring to support trust in the capital markets.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2002 CPA Journal. Legal
Notices
Visit the new cpajournal.com.