Continuous Auditing (CA) has been in the minds of Audit Committees and Chief Audit Executives (CAE) for more than two decades. While the overall concept is well understood, sometimes it is confused with Continuous Monitoring (CM). A distinction between these two has to be made to understand how CA complements continuous monitoring and the unique benefits of CA. The particular approach a CAE takes in continuous auditing will be influenced by the maturity and sophistication of the organization, requiring a certain level of tailoring to achieve maximum value. We will also discuss the steps to successfully implement a continuous auditing initiative.
Continuous Auditing vs. Continuous Monitoring
The concept of CA has been around for many years. The AICPA report “Special Committee on Assurance Service” mentioned it for the first time in 1995. The necessity for continuous auditing arises from a need for daily reporting and a demand for more reliable, valid and just-in-time information for effective decision-making.
Continuous Auditing – The automatic method used by persons who are able to provide assurance such as an internal auditor or an independent auditor, to perform control and risk assessments and to collect auditing evidence on a frequent basis. Continuous audit activities heavily rely on technology to automate the identification of exceptions or anomalies, analyze patterns, review trends, and test controls. Real-time continuous auditing is especially useful for high-risk enterprise processes.
Continuous monitoring, in comparison, is a process under Operational management used to ensure that management’s policies, procedures, and key business processes are operating effectively. CM is used as part of the control structure in the monitoring role promoted by COSO. CM detects and corrects process irregularities and helps implement process improvements (adequacy and effectiveness of internal controls). This permits ongoing insight into the effectiveness of controls and the integrity of transactions. For instance, management may identify critical control points and implement automated tests to determine, on a continuous or frequent basis, if these controls are working properly.
There are certainly similarities between Continuous Auditing and Continuous Monitoring as they both use the same automated techniques, but they are two different processes, with two different, complementary approaches. The primary difference is related to ownership of the process. Continuous monitoring is management driven (first two lines of defense) while continuous audit is audit driven (third line of defense). Although many of the continuous monitoring techniques used by management are similar to those performed by internal auditors, continuous auditing enables auditors to evaluate the adequacy of management’s monitoring function and identify and assess risk areas. As the reliance by Internal Audit (IA) on the CM process increases, the assessment is not necessarily performed on a continuous basis, but more periodically as any
Another difference is in the type and sufficiency of evidence generated by continuous monitoring systems. Information provided by continuous monitoring systems can give auditors significant information about a process, system or data, but due to its indirect nature, that information alone would not be sufficient in a continuous auditing engagement. The IIA, in its GTAG (Global Technology Audit Guide) related to Continuous Auditing, details the CA/CM inverse relationship in regard to the amount of effort that management and the audit function put, respectively, into CM/CA. In many instances, IA led a continuous auditing initiative that was later transferred to management to become part of the continuous monitoring process. The auditor would not be part of this new control function as, in that case, his independence would be impaired. An organization can obtain great benefits in implementing CM and CA together.