Updating IIA Guidance on Continuous Auditing/Monitoring

Peter Millar (of ACL Services) is leading a small team (Brad Ames of HP and myself) in a project to update the Global Technology Audit Guide (GTAG) on Continuous Auditing. This is a routine update, such as we go through for all IIA guidance, but it provides the opportunity to upgrade the current guidance.

I have been writing a fair amount about continuous auditing, including a paper and several blog posts. They may stimulate your thinking on this topic.

I would appreciate some feedback on the following questions regarding the GTAG update:

  • The traditional GTAG is written for the chief audit executive and focuses on the use of technology. It is filed under the Professional Guidance/Information Technology section of The IIA's Web site rather than the Standards and Guidance section. But continuous auditing is a way of performing the business of auditing rather than just making use of technology. For example, some controls cannot be tested using software alone (consider a manager's review of a reconciliation, or the performance of a physical count of inventory), so other forms of testing are needed, including management self-assessment, manual tests, and surveys. Should the continuous auditing guidance be for all auditors and cover both automated and non-automated procedures rather than focus on technology? Should we have two forms of guidance, one that is for a general audience and one that focuses only on the use of technology?
  • I am very much a believer in risk-based auditing, and that the continuous auditing program should be designed to provide assurance on the more significant risks. Do you agree?
  • There are differences between the continuous assessment and testing of controls, and the continuous monitoring or inspection of controls (see my blog post on this topic). Is this important and should it be discussed in detail in the guidance?
  • COSO's Internal Control–Integrated Framework describes internal auditing as a monitoring control. Should the guidance address whether management should be permitted to rely on internal auditing to monitor controls, or should it assert that monitoring controls is a management responsibility?
  • Continuous auditing and continuous monitoring (by management) are similar in many ways, but different in others. How important is this, and should there be a discussion in the guidance on internal auditing's role in helping management design and implement monitoring? For example, is it a reasonable expectation that internal auditing could establish continuous procedures and then hand them over to management?
  • Do you have other concerns with the current GTAG, or issues you would like to see addressed?

Please share your comments here. I also welcome your direct e-mails at norman.marks@sap.com.

Posted on Mar 8, 2010 by Norman Marks

Share This Article:    

  1. 1.  Technology is becoming extensively embedded in processes.  Even the "physical" inventory count may be aided by hand-held scanners and supported by database extracts.  So, as a general direction, I recommend integrating the automated and manual elements into the continuous monitoring of "business processes" and maintaining the separate ITGC guidance (which has manual elements).

    2.  Yes, risk-based is much more effecient and effective.  The major problem is the current practice of determining and assessing risks.  Asking management "what keeps them up at night" is neither objective nor independent.  Raising the bar on determining vulnerabilities and threats and assessing the financial, operational, legal and reputational impacts would be helpful.

    3.  This is a useful distinction for IA.  If expanded, please emphasize the value to the client organization being monitored/audited.

    4.  Management repsonsibility (part of an overall process quality mindset)

    5. A partnership between IA and the client can establish both meaningful monitoring AND effective workflow on alerts. 

  1. Describe the concept of continuous risk assessment earlier in the guidance. This application of continuous analysis techniques is clearly an audit activity and underutilized by most shops.
  1. 1. Technology/automation needs to be embedded into business as usual when it comes to Continuous Auditing (CA).  I think the guidance should be combined (automated and manual) when it comes to setting up CA irrespective if its monitoring/testing a business or an IT process.  Exclusions of manual procedures is inevitable but that should be the exception and not the rule.

    2. Agree.  It should start with focusing on highest risk areas first.

    3. Yes.  It is extremely important to distinguish especially as more IA departments are getting into the business of building CA programs for testing and handing them over to the management. 

    4. It depends on the design of the process and the related risk and key controls.  I think it is hard to generalize that IA is a monitoring control as management is also responsible to monitor the performance of controls.  In an ideal robust control environment, IA would like to be just monitoring but thats not the reality.

    5. There is need for client awareness and education related to Continuous Auditing.  A lot of clients are still used to Auditors coming in for a short period of time and then going away until the next audit cycle.  There is a paradigm shift with CA where auditors essentially don't ever "go away".

  1. My only reply is toward point number 4.  After reading the GTAG and the most recent COSO Guidance on Monitoring Internal Control (actually was re-reading them the last couple days).  I would conclude with COSO that IA is a part of the overall monitoring process.  While assessing controls effectiveness is Management's responsiblity, Management's decision on internal control should be based on a wholestic view of the organization, which includes audit results from both internal (i.e. Management's assessment process and Internal Audit) and external sources.

  1. It all seems to come back to question 4 (IA as monitoring).  Monitoring on behalf of management or on behalf of the AC?  Given the objectivity requirements I interpret this as the later. As a result, I think we need to be careful to differentiate IA from the control activities that management is responsible for.  It would seem to me that IA's role is to provide management and the AC with assurance that the priority risks are being considered during the design phase of any continuous monitoring system.  I also feel that any IT tools used to assess that systems effectiveness is just simply part of the ongoing Internal Audit program.  As a result, (in reference to question #1) the standards and guidance should be combined where this is the case.  Where management does not have a continuous monitoring process, and it is warranted, then I believe this should be implemented with the assistance of IA as discussed above.  In reference to question #5 I think it is clear from the standards that you cannot maintain objectivity in assessing the effectiveness of a process you were responsible for designing and implementing.  As a result, I believe IA should only consult with management on the design of such a system rather than take ownership.Perhaps some additional wording on this in the guidance would be beneficial.

  1. I like Shane's ideas. they fully represent my views.

    Audit should never be infused into management by becoming a full time monitoring tool. IA  would then loose its objectivity.



  1. Monitoring, from my perspective, is not about 1 aspect of the organization (i.e. management or the Audit Committee). Monitoring encompasses of all activities that provide feed back regarding the effectivess control activities of the organization (i.e. Management, Board, AC). 

  1. Norm,

    Thanks for seeking comment on this issue.  I'd welcome the opportunity for further dialog with you, Peter, Brad, and others.  And I can help make some introductions to smaller firms like Arrowpoint Capital, HCA HealthCare, NAVTEQ, and others who are really doing an excellent job in integrating data analysis with risk assessment and audit reporting for a thorough job of Continual Auditing.

    In terms of feedback on your points above - the most important point you raise is that CA / CM is NOT about technology.  It is primarily an audit process change and technology is merely one of many enablers.  

    Isn't it interesting that the IIA has asked three people from technology firms, including two that sell audit software, to help re-write the GTAG.  How can others help you in this effort?  

  1. Not that HCA HealthCare is small (smile).   At $30B++, they've got a 10+ person Continuous Auditing team.

Leave a Reply