August 2006

Making the Change to Continuous Auditing

Understanding the benefits and challenges of implementing continuous audit methodologies can help internal audit functions transition into a new audit paradigm.

Lisa A. Beach
Freelance Writer

Internal auditors face a daunting task. They need to respond effectively to the demands of a rapidly changing business environment, while helping organizations comply with growing regulatory mandates and industry-based requirements. This pressures internal auditors to provide more timely and ongoing assurance that controls are working effectively and risk is being mitigated. Enter continuous auditing — the potential superhero of the audit function.

As a technology-driven methodology, continuous auditing performs control and risk assessments automatically on a continuous basis — it changes the audit strategy from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions. The power of continuous auditing lies in its ability to detect control gaps and weaknesses in a real-time environment, making it possible to report fraud and rectify errors immediately.

"But our management already does continuous monitoring," audit managers might be saying. However, continuous monitoring is not the same as continuous auditing. Review the following clarification from The Institute of Internal Auditors' Global Technology Audit Guide (GTAG), Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment:

"Continuous auditing is any of the methods used by auditors to perform the audit on a continuous basis. It tests transactions based on prescribed criteria and identifies anomalies ... Continuous monitoring is a method used by management to assist in meeting its fiduciary responsibilities. It focuses on the control environment, not transactions."


How can continuous auditing benefit a typical organization? "Continuous auditing provides for timely, sometimes immediate, identification of anomalies or control gaps," explains Paulette Keller, director of audit technology and support, group audit management, Zurich Financial Services. "It's a proactive approach rather than a reactive approach. Action can be taken to identify and correct problems before they get out of control. Plus, continuous auditing can help validate the adequacy of management's continuous monitoring controls."

Heriot Prentice, The Institute's director of technology practices, helped publish GTAG, so he's well versed in continuous auditing's capabilities. "Continuous auditing can enable greater audit penetration and coverage. It can allow internal auditing to deliver timelier and higher-quality results. And, it can help audit management allocate precious — and scarce — staff resources better to focus on high risk or significant areas of exposure to the organization," he says. In a nutshell, continuous auditing offers a sustainable, cost-effective, and resource-efficient solution to mitigate risk.


Prentice is quick to point out that compliance and heightened demands for improved corporate governance and fiscal transparency are not one-time events. Furthermore, companies are increasingly calling on internal auditing to help improve performance by identifying areas of revenue leakage, operational inefficiencies, and fraud. "The only way internal auditing can meet these demands — without growing its audit department significantly — is through the effective use of technology," says Prentice.

"Continuous auditing requires a paradigm shift from traditional auditing," notes Keller. "It requires not only audit knowledge, but also technical knowledge and detailed knowledge of controls built inside of various information systems."


With all its pluses, continuous auditing hasn't won everyone over yet. Why? "Companies don't want to change something if it's not broken," surmises Robert Mainardi, chief audit executive (CAE) at Penn Mutual. "Also, the costs associated with incorporating continuous auditing into an existing function might be keeping companies at bay, whether that means buying new software or paying for data storage for the testing results." Besides the upfront costs, it takes a lot of time to establish the process in the beginning, from coding the parameters into the software to training on the application used to execute the testing.

From an applications standpoint, Prentice outlines a range of choices — from simple spreadsheets, to mid-range statistical and analytical software tools, to purpose-built, comprehensive data analysis technologies that fit into an organization's IT infrastructure.

"Companies are realizing that, in order to implement a truly effective continuous audit program, they will most likely need to make changes to their business processes," explains Miron Marcotte, managing director, Protiviti. "Most companies want to make the compliance process a simpler and more value-added process. However, many companies see that they need some system enhancements to reap the true value of a fully implemented continuous audit program."


Even the companies that are embracing the technology still face some challenges. For example, GTAG cites the following challenges organizations commonly deal with when implementing continuous auditing:

  • Internal auditors lack the guidance and skills necessary to implement continuous auditing in their organizations.
  • Auditors struggle with the question of who will ultimately pay for continuous auditing.
  • Auditors must have access to the organization's systems and data and must know how to use the vast amount of information that the technology can access.
  • Auditors must determine where continuous auditing fits and how they can link the process to integrated risk management initiatives and continuous improvement processes.
  • The concept of continuous auditing often lacks support from key stakeholders.


So how can internal auditors start implementing continuous auditing?

1. Read GTAG. This free 44-page guide, available for download from The IIA's Web site, helps auditors identify what must be done to use technology effectively to support continuous auditing. GTAG also helps support the audit function's investment in audit technology.

2. Market the benefits. Mainardi points out the need for audit departments to market the advantages of continuous auditing versus the traditional standard of sample testing. "Having the ability to evaluate the entire population provides a confident stance on the state of the population instead of a projection extrapolated from testing a sample," says Mainardi.

3. Understand your current environment. Prentice recommends identifying which major business processes are most critical and which areas need more control. He also advises determining which risks apply to the major business processes based on the risk categories — financial, operational, compliance, and strategic — outlined in The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management — Integrated Framework.

4. Set expectations. Mainardi advises auditors, especially CAEs, to talk with key stakeholders — audit clients and management — about what continuous audit can and cannot accomplish, as well as help others view continuous auditing as an evolving process rather than a one-time implementation. Keller also suggests coming to an agreement with management on the format and process for the continuous audits, including reporting formats and corrective action tracking and responsibilities.

5. Evaluate technical resources. Does the organization have the technical resources to support continuous audit efforts? Can the data be extracted and analyzed using an organization's existing database application, or does a software package need to be purchased? Is there room to store the data in a data warehouse or server? Are the auditors trained to perform continuous auditing?

6. Start small. Keller suggests starting with a familiar process, perhaps one in which transaction testing was performed by sampling in the past. This will ensure the auditors understand the business process well enough to know what the key controls are and how they could be tested in a continuous audit environment. The process should be one where it would be valuable to have timely identification and reporting of control gaps or anomalies. This should be followed by the creation of an audit plan to extract the data and test each of the key controls. Auditors will then be able to begin the continuous audit process, report on the results, including corrective actions taken, and reevaluate periodically.


With the upfront costs and time needed to get continuous auditing up and running, how can organizations maximize their investment in this new process? Keller advises internal auditors to work with management to identify high-risk areas where continuous auditing can add the most value to the organization. "We used continuous confirmation to confirm receipt of claim payments. There were several instances where this program helped detect fraudulent payments generated by employees. We then took action to prosecute these individuals."

According to Mainardi, continuous auditing is an excellent tool to apply to the basic, but extremely critical, regulatory requirement for late trading, which is when a client or business processes a market trade request after the 4 p.m. close of the financial markets.

"To perform automated testing daily, you would set up the software to capture any transaction processed after 4 p.m. and have them summarized into an exception report. Once the data has been retrieved, each transaction must be reviewed to determine if it was a late trade. To execute this review, each trade will be compared against the following criteria: 1) If it did receive the current day's value, the auditor must determine that the trade was received prior to 4 p.m. and was in good order; 2) If the trade was received after 4 p.m., the auditor must verify that the trade is given the next day's opening trade value. All exceptions must be captured in a report and provided to the business unit leader for explanation."
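The daily late-trading test described above, written out as an added example (not code from the article or from any audit product). The `Trade` record layout and the sample trades are constructed assumptions; timestamps are assumed to be in market local time and holiday calendars are ignored.

```python
from dataclasses import dataclass
from datetime import date, datetime, time

MARKET_CLOSE = time(16, 0)  # the 4 p.m. close named in the article

@dataclass(frozen=True)
class Trade:               # hypothetical record layout
    trade_id: str
    received: datetime     # when the order arrived
    processed: datetime    # when it was entered into the system
    priced_as_of: date     # trading day whose value the order was given
    in_good_order: bool    # order was complete when received

def late_trade_reason(t):
    """Return why a captured trade is an exception, or None if it passes."""
    if t.processed.time() <= MARKET_CLOSE:
        return None  # not processed after 4 p.m., so not in the daily capture
    # An order earns a day's value only if it arrived before that day's close.
    cutoff = datetime.combine(t.priced_as_of, MARKET_CLOSE)
    if t.received >= cutoff:
        return "received at or after close but not given the next day's value"
    # Criterion 1: current day's value also requires the order be in good order.
    if t.priced_as_of == t.processed.date() and not t.in_good_order:
        return "given current day's value but not in good order"
    return None

def exception_report(trades):
    """All exceptions as (trade_id, reason), for the business unit leader."""
    return [(t.trade_id, r) for t in trades if (r := late_trade_reason(t))]

D1, D2 = date(2006, 8, 1), date(2006, 8, 2)

def at(hour, minute):
    return datetime(2006, 8, 1, hour, minute)

# Constructed sample data, not real trades.
SAMPLE = [
    Trade("T1", at(15, 42), at(16, 10), D1, True),   # on time, keyed late: passes
    Trade("T2", at(16, 5),  at(16, 12), D1, True),   # late, same-day value
    Trade("T3", at(16, 5),  at(16, 20), D2, True),   # late, next-day value: passes
    Trade("T4", at(15, 50), at(16, 30), D1, False),  # on time, not in good order
    Trade("T5", at(10, 0),  at(10, 5),  D1, True),   # processed before close
]

if __name__ == "__main__":
    for trade_id, reason in exception_report(SAMPLE):
        print(trade_id, reason)
```

Because the rule is evaluated against every captured trade rather than a sample, the report is the full exception population for the day.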

Mainardi suggests incorporating continuous auditing into the annual audit plan as well as through each individual audit. Although the learning curve can be significant, once the continuous audit process is established with corresponding parameters, similar logic can be applied throughout multiple processes in multiple businesses.


Put it in writing and get buy-in. GTAG advises outlining the transition to continuous auditing, from planning and prioritization to continuous techniques currently in use. Then get everyone on board, from the top down. Key stakeholders must view continuous auditing as an organizational and business solution, not just as a technology solution.

Be consistent. Mainardi stresses the importance of a consistent application of the continuous audit requirements throughout the year. The audit team must exhibit the diligence and commitment to apply the techniques on every audit and perform the required monthly or quarterly reviews. Only this level of dedication will ensure a successful continuous audit operation, says Mainardi.

Understand and use the data effectively. Marcotte says that it's critical to understand the data under examination before reporting the results. This will ensure its accuracy and completeness and help render an accurate analysis. Furthermore, an organization must have the ability to use transactional information to increase and evaluate operational effectiveness.

Evaluate. Keller counsels on the need to re-evaluate the results on a continuous basis to make sure the continuous audit is still adding value.

With its proactive approach, cost-effectiveness, and resource-efficiency, continuous auditing brings a lot to the table. As it gains a track record of generating assurance on demand, contributing to corporate governance, increasing operational efficiency, and driving business performance, it will, indeed, earn the title of "superhero" of the audit function.

