
The current issue and full text archive of this journal is available at

www.emeraldinsight.com/0268-6902.htm

MAJ 28,7

Implementation of the continuous auditing system in the ERP-based environment
Il-hang Shin and Myung-gun Lee
School of Business, Yonsei University, Seoul, South Korea, and
Woojin Park
School of Government and Business, Yonsei University, Wonju, South Korea

Abstract
Purpose – The purpose of this paper is to introduce the continuous auditing system based on continuous
monitoring and its implementation methodology; also to present a systematic case study of actual
continuous auditing systems implemented in the financial industry and the manufacturing industry.
Design/methodology/approach – The paper examines the method of implementing the
continuous auditing system in the enterprise resource planning (ERP) environment, and suggests
how the continuous auditing system can take firm root by looking at the successful introduction of the
continuous auditing system in the financial industry and the manufacturing industry.
Findings – The proposed method of implementing the continuous auditing system takes a two-stage
approach which can be applied to various kinds of companies in the ERP-based environment. In
addition, the proposed cases have the important practical implications acquired in the process of
implementing the continuous auditing system in the financial industry and the manufacturing industry.
Practical implications – This study will help many corporations facing various types of corruption
or circumvention of internal control, with their internal auditing, by showing them how to use the
continuous auditing system to reinforce internal control. Also, it will help the independent auditor
understand the audited company’s continuous monitoring system and use that infrastructure for
efficient and effective external auditing.
Originality/value – The proposed method and cases of implementing the continuous auditing
system offer an innovative approach to auditing in the ERP-based environment because it facilitates
both internal auditor and external auditor to achieve the audit objectives efficiently and effectively.
Keywords Auditing, External auditing, Internal auditing, Continuous auditing system,
Continuous monitoring scenarios, Internal control, Key-risk indicator,
Enterprise resource planning system
Paper type Case study

Managerial Auditing Journal, Vol. 28 No. 7, 2013, pp. 592-627
© Emerald Group Publishing Limited, 0268-6902
DOI 10.1108/MAJ-11-2012-0775
JEL classification – M420 Auditing

1. Introduction
This study proposes a method to implement a continuous auditing (CA) system based
on continuous monitoring and presents a systematic case study of actual CA systems
implemented in the financial and manufacturing industries.
Recently, the focus of internal auditing has shifted from review of historical legal and
regulatory violations to the promotion of business efficiency and proactive risk
management. In other words, the internal auditor used to serve as a “policeman,”
guaranteeing constant compliance with provisions and guidelines and focusing on
ex-post-facto exposure through, for example, audits of company assets, compliance with
regulations, and exposure/investigation of incidents involving insiders (Flesher and
Zarzeski, 2002). Now, however, the internal auditor serves as an internal consultant,
preemptively detecting and taking actions to address core issues and risks hindering the
accomplishment of goals. The internal auditor’s duties have been expanded to include
risk management – i.e. selecting auditing targets and areas with a high degree of risk –
and efficient, effective audits to detect indications of risk. In addition, the auditor is
expected to implement preventive measures (McNamee and Selim, 1998; Weidenmier
and Ramamoorti, 2006).
To apply this transition in the internal auditing function, corporations must focus
on three changes:
(1) switching from periodic auditing to CA;
(2) moving from an auditing approach that is dependent on information collected
by individuals to one that utilizes the system; and
(3) adopting a risk-based auditing support system.

For most large corporations that have insufficient internal auditing manpower and
resources to make these changes, a CA system must be implemented as an essential
infrastructure for auditing.
Due to advances in information technology after 1982[1], the internal control and
accounting information system was integrated with the enterprise resource planning
(ERP) system, and this integrated system has since been running in the computerized
environment. Because of this change, companies that implement a CA system within
the ERP system (embedded audit module) can create an environment that allows
efficient and effective control of the company (Kuhn and Sutton, 2010, 2006; Alles et al.,
2008, 2006, 2002; Daigle and Lampe, 2005, 2004; Debreceny et al., 2005, 2003; Groomer
and Murthy, 1989; Henrickson, 2009).
Thus, it will be meaningful to take a closer look at how corporations implement the
CA system in the ERP environment. The case study methodology was selected in this
study for two reasons: the limitations of CA data and the suitability of the case study
approach.
The influence of the CA system has increased in auditing, and this change has rarely
been led by researchers (Alles et al., 2008). Most research on CA systems has been based
on theoretical discussions or case studies rather than ex-post empirical analysis
(Alles et al., 2008; Brown et al., 2007; Kuhn and Sutton, 2010; Chan and Vasarhelyi, 2011).
This is likely because it is difficult to collect comprehensive data about CA systems, as
such systems are implemented according to a certain procedure over a long period of
time; as a result, there is not a large amount of supportive secondary data. According to
Swanborn (2010), the case study approach is a reasonable method of overcoming lack of
data in order to investigate an issue. In consideration of such research constraints, this
study uses the case study methodology to analyze examples of successful
implementation of CA systems.
The case study approach is eminently suitable for this research topic. According to
previous studies (Swanborn, 2010), the case study method is appropriate for topics that
encompass an extensive range of details on a certain process. As the purpose of this
study is to investigate in detail the long process required to build a CA system, the case
study approach was regarded as appropriate.
Furthermore, the case study approach can deliver information in a friendlier and
more compelling way, as it is based in a realistic application; thus, it is more persuasive
than other approaches (Stoecker, 1991). Therefore, to provide qualitative information
for academics and practitioners, the case study approach is believed to be the best for
this study. This study examines a method for implementing a CA system in the ERP
environment; it suggests an approach for successful implementation by studying the
successful introduction of such systems in the financial and manufacturing industries.
It is also expected that this study will help many corporations facing various types
of fraud or circumvention of internal control with their internal auditing function, by
showing them how to use the CA system to reinforce existing internal control. In
addition, this study is expected to help independent auditors better understand the
continuous monitoring system in the audited company and use this infrastructure for
efficient and effective external auditing. It is further expected that a case study of
successful implementation of CA systems will expose risks and issues involved in the
process and thus help those companies that will introduce this system in the future to
reduce costs and improve their processes. Moreover, this study is expected to help
bridge the gap between research and reality by presenting actual scenarios; it provides
insight into issues likely to be encountered in the process of implementing a successful
CA system, as well as problem-solving processes unique to the characteristics of each
industry.
This study is composed of seven sections (including the introduction). Section 2
provides an extensive review of the extant literature. Section 3 introduces the concept
of CA and outlines the method to implement a CA system. Section 4 introduces the case
of insurance Company A’s implementation of the CA system in the financial industry,
while Section 5 describes the case of Company B’s implementation of such a system in
the manufacturing industry. Section 6 describes additional subjects that need to be
considered, and the final section offers concluding remarks.

2. Literature review
In 1991, Vasarhelyi and Halper (1991) introduced the concept, and described the
implementation, of CA, calling their system “Continuous Process Auditing System
(CPAS).” This study of AT&T Bell Laboratories was a project that used technologies of the
time (PCs, databases, and corporate networks, but not the internet) to automatically collect
data on and verify the AT&T billing system. It triggered many follow-up studies on CA.
In order to survey studies related to CA, we first provide an overview of these
studies and classify them according to their subjects and approaches. Second, to
examine the characteristics of CA, we compare it with traditional auditing. Lastly, the
study describes in detail those studies concerning CA systems utilizing IT,
i.e. systems based on a continuous monitoring system.

2.1 Overview of continuous auditing


Brown et al. (2007) divided the wide-ranging research on CA into the following five
categories according to subjects and approaches:
(1) demand factors;
(2) theory and guidance;
(3) enabling technologies;
(4) applications; and
(5) cost-benefit factors.

First, demand factors can largely be grouped into three categories: external disclosure,
internal focus, and laws and regulation (Brown et al., 2007). With regard to external
disclosure, information users began to desire more timely disclosure of financial information
as developments in information technology made rapid disclosure possible. Such technical
developments, in turn, facilitated more frequent disclosure of financial information and
enabled the implementation of CA to increase the frequency of reports. The abundant
quantity of disclosed data was expected to reduce companies’ financing costs (Elliott, 2002).
Regarding internal focus, the information processed by companies became more
complex and integrated as the business environment became more complicated and
diversified (Vasarhelyi et al., 2004). Thus, internal auditors came to feel the need to
conduct timely analyses to verify these increasingly complex, integrated data
(Brown et al., 2007). Furthermore, a survey of internal audit managers conducted by
PricewaterhouseCoopers (2006) showed that CA procedures were required to achieve
timely risk analysis and reduce auditing time.
Factors relating to laws and regulation, meanwhile, are also used to enhance the
accuracy and transparency of financial reports. The Sarbanes-Oxley Act (SOX Act)
strengthens the responsibilities of managers and external auditors on internal controls
over the processing of information used to produce financial reports. According to
the SOX Act, management is responsible for confirming the effective operation of the
internal control system, whereas external auditors are responsible for confirming the
veracity of managers’ assertions that the system is working effectively. CA helps both
management and internal or external auditors to discover and rectify errors and
defalcations even in a complex and integrated information environment.
Brown et al. (2007) cited several seminal papers that adopted the perspective of theory
and guidance in presenting and summarizing key concepts, frameworks, research topics,
realistic implementation guidance, and problems likely to occur during implementation.
The Canadian Institute of Chartered Accountants (CICA)/American Institute of Certified
Public Accountants (AICPA) (1999) provided a specific definition of CA. This report
introduced CA from the perspective of external auditors and described the related
methodology, topics, and period of report disclosure. The report specified that the duties
related to certification of CA can include both financial and non-financial information, and it
emphasized that auditors who implement the CA process must have professional
knowledge regarding both the information technology and the subject of the audit.
Davis et al. (1997) presented the Statement of Auditing Standards (SAS) No. 94 as the official
guideline for CA. SAS No. 94 outlines the effect of the internal control structure on CA and
describes the financial statement reporting process under real-time accounting systems.
Vasarhelyi et al. (2004) presented a well-organized overall framework of the CA
system, categorizing it into four levels according to the stage of the process and
proposing three types of audit participants. Level 1, transaction evaluation, is the stage
in which transactions carried out by the company are checked for assurance. Level 2,
measurement rule assurance, is the stage in which the validity of accounting information
is evaluated according to specific criteria, such as Generally Accepted Accounting
Principles (GAAP). In level 3, estimate assurance and consistency of aggregate
measures, comprehensive data are analyzed and assumptions and judgments for
determining the appropriateness of the data are required. Lastly, level 4, judgment
assurance, is the stage in which the auditor uses the analyzed results to present opinions
on the appropriateness and efficiency of a certain part. Furthermore, Vasarhelyi et al.
(2004) presented a three-part hierarchy of participants necessary to the CA process. First
is the manager, who has primary responsibility for implementation of CA within the
internal control process. The second is the external auditor, who must express opinions
regarding the CA process from an independent standpoint. Finally, an authorized
regulator is required to supervise CA and related processes.
The third category considered by Brown et al. (2007), enabling technologies, will be
described in detail in Section 2.2 of this paper. Fourth, the applications category
includes research related to the software used in CA. A great deal of work is being done
in the application area due to the appearance of commercial CA software solutions.
Glover et al. (2000) investigated roughly 2,700 enterprises and found that about
50 per cent were using software applications for CA, far more than the 24 per cent of
survey respondents that had been using software in 1998. They predicted that software
would develop in a way to meet the needs of internal CA. As expected, Alles et al. (2008)
stated that CA software solutions were actively being developed by existing suppliers
(ACL, CaseWare IDEA) and new software suppliers (Approva, Oversight Systems).
Lastly, from the viewpoint of efficiency, Alles et al. (2006) provided an additional
description of cost-benefit-related issues, such as the long-term operating costs of database
audits, the benefits of early discovery of errors, omissions, and defalcations, the costs and
efficiency of automation, and the economic feasibility of CA. In particular, Rezaee et al.
(2002) argued that CA can reduce monitoring costs. According to this study, an auditor can
verify client transactions more quickly and efficiently through automated CA when
compared with manual labor. This increased efficiency has the additional advantage of
allowing the auditor more time to understand the client’s business and internal control
procedures. Searcy and Woodroof (2003) argued that CA can decrease the auditing time of
external auditors. They emphasized that inefficiency and errors can be reduced in the
auditing process. Lastly, Hunton et al. (2008), who analyzed the effect of CA on human
behavior by using experimental data, reported that CA reduces the earnings management
behaviors of managers.

2.2 Traditional auditing vs continuous auditing
Section 2.1 presented various studies related to CA. In this section we examine more
closely the characteristics of current CA by comparing it with traditional auditing.
Providing real-time financial information in a traditional auditing environment is
impossible in terms of time and cost. However, new technology-based automation can
drastically reduce the manpower and time required in the audit process (Elliott, 1998;
Menon and Williams, 2001). Chan and Vasarhelyi (2011) analyzed the characteristics of
CA by comparing it with traditional auditing. In particular, the study examined
various aspects of CA, such as continuous or frequent audit and proactive audit. These
aspects and their explanations are as follows.
Continuous or frequent audit. A traditional audit is conducted regularly at defined
intervals, whereas CA can be implemented in real-time. However, real-time auditing
is not always efficient in terms of cost-benefit. The frequency of auditing depends on
the risk of a company process. If a company is highly exposed to risk, such as
embezzlement, CA is the most effective method. If not, it can be more effective in terms
of cost-benefit to implement regular or irregular auditing (Chan and Vasarhelyi, 2011).
Proactive audit. In the traditional auditing paradigm, auditing is implemented on a
yearly basis. Thus, material errors, omissions, or fraud can exist for several months
before being detected. However, in the CA system, such problems can immediately be
detected and corrected through the internal control system (Chan and Vasarhelyi, 2011).
Automation of audit procedures. Traditional auditing requires a large amount of time
and manpower, as much of the process involves manual labor. These limitations can be
alleviated considerably using automated auditing procedures (Alles et al., 2006;
Vasarhelyi et al., 2004). However, it is impossible to automate the entire process. Some
steps in the CA process must be achieved through the manual labor of auditors, who provide
judgments regarding complex transactions and bring their professional skepticism.
Work and roles of internal and external auditors. Implementation of CA by internal
and external auditors using the same method is inefficient, because it leads to repetition
of procedures. Thus, internal auditors must stay focused on the supervision and testing
of large quantities of data, while external auditors conduct high-dimensional analyses,
implement audit trail monitoring in the CA system, and check for fraud among
managers (Chan and Vasarhelyi, 2011).
Nature, timing, and extent of testing. Traditional auditing is conducted regularly and
manually, whereas a CA system is automatic and uninterrupted (Alles et al., 2006)
(nature). Generally, in traditional auditing, plans are made first, while the actual auditing
process is carried out at the fieldwork stage. However, planning and execution are
implemented simultaneously in the CA system (Chan and Vasarhelyi, 2011) (timing).
Finally, traditional auditing is conducted through sampling due to labor and time
constraints, whereas the population of the transaction becomes the sample in the CA
system (Chan and Vasarhelyi, 2011) (extent).
Data modeling and data analytics for monitoring and testing. Statistical techniques
such as ratio analysis, trend analysis, and regression analysis are used in traditional
auditing (Stringer and Stewart, 1986). The CA system can use techniques that are more
complex, such as data mining, bankruptcy prediction (Min and Lee, 2005; Sung et al.,
1999; Tam, 1991; Wu et al., 2007), and machine learning techniques for going concern
prediction (Martens et al., 2008).

2.3 Technology and continuous auditing


Advances in information technology made it possible to produce more relevant and
reliable information in a timely fashion at a lower cost and with less labor (Elliott, 1998;
Menon and Williams, 2001; Brown et al., 2007). Such technological advances laid the
foundation for attendant changes in auditing practices.
Vasarhelyi et al. (2004) proposed a theory that CA is necessary for taking advantage
of the advances in information technology in the ERP environment. Computer-assisted
auditing techniques (CAATS) have limitations, as it is impossible to use fully automated
and completely integrated information technology in enterprises like ERP. However,
completely integrated and automated business processes in the ERP environment aim
for real-time information flow. Accordingly, they argued that when real-time data are
needed, implementation of CA is the only way to take advantage of all of the potential
strengths of ERP systems.
Kuhn and Sutton (2010) described new theories and research on continuous
assurance models, the utilization of ERP structures, and the latest technologies, focusing
on the business perspective. Analyzing the strengths and weaknesses of each
architectural structure, they showed the future directions of ERP system design and
auditor implementation strategies. Brown et al. (2007) divided extant studies on CA
practices into five categories. Regarding enabling technologies, the largest category,
they made the following points:
(1) In a complicated business environment, it will be technically useful to apply the
belief function framework to the CA system.
(2) Auditing methodologies must develop in line with advances in database and
data analysis technology.
(3) Also, as transactions and accounting take place in real time thanks to advances
in scanners, card readers, database enterprise-wide management systems,
supply-chain management system and networks, CA must be done in real time,
as well (Rezaee et al., 2000; Alles et al., 2004b).
(4) As the quantity of data soars, storage and analysis of data related to the business
environment, as well as standards of communicating financial information (like
XBRL) that can easily handle such data, will become important research topics in
applying the CA system now and in the future.
Although numerous studies have explored the concept and theory of CA and its
implementation in the ERP environment, most of them address topics related to
technologies for implementing CA systems (Brown et al., 2007). These studies will
contribute a great deal to the academic exploration of the concept of the CA system and
the practical resolution of various technical issues that occur during its
implementation. However, considering that the ultimate purpose of CA is to enhance
the effectiveness and efficiency of auditing in the ERP environment, balanced research
on continuous monitoring, the core component of CA, is needed in addition to research
on the technical aspects of CA. In particular, continuous monitoring scenarios play a
pivotal role in enhancing the effectiveness and efficiency of auditing; systematic
research on this topic, however, is limited. Therefore, this study focuses on methods of
systematically extracting continuous monitoring scenarios, which have been neglected
in previous studies; the study also focuses on various ways to utilize the continuous
monitoring system with a view to enhancing the effectiveness and efficiency of
auditing. In particular, this study tried to provide insight into how industry
characteristics can be directly reflected in the CA system by systematically analyzing
the successful implementation of such systems in the financial and manufacturing
industries.

3. Outline of CA system implementation


3.1 The concept of CA based on continuous monitoring
The CICA/AICPA Committee gave the most useful definition of CA in 1999:
A continuous audit is a methodology that enables independent auditors to provide written
assurance on a subject matter, for which an entity’s management is responsible, using a series
of auditors’ reports issued virtually simultaneously with, or a short period of time after, the
occurrence of events underlying the subject matter.
As illustrated by this definition, CA requires professional auditing manpower for
monitoring various kinds of financial information processed by the ERP system. CA and
the continuous monitoring system can be thought of as essential auditing infrastructure
to be utilized by auditing personnel. The continuous monitoring system serves as the
main infrastructure for the CA system; thus, it has foremost importance in the
implementation of the CA system.
The continuous monitoring system refers to a system that utilizes transaction data in
each stage of business in the ERP environment to automatically extract “abnormal” data
according to predefined monitoring scenarios[2]. Based on this definition, a conceptual
model of the CA system based on the continuous monitoring system can be represented
as shown in Figure 1[3].
Enterprises can maximize the transparency of financial information, enhance
operational efficiency, and improve business processes by implementing the CA
system for timely monitoring of information – provided by the continuous monitoring
system – on abnormalities taking place in distributed business activities. The
continuous monitoring system can be divided into two parts: the generation of input
data according to the general data processing flow of the information system and the
generation of output data through data processing.
The first stage occurs when the input data to be monitored are collected continuously.
In this stage, the data to be monitored, as defined by the continuous monitoring scenario,
are selected from among master data – such as transaction data, customer master data,
and data related to internal control – and archived. The second stage occurs when the
input data targeted for continuous monitoring are processed, and abnormal data are
extracted, according to each continuous monitoring scenario. For instance, input data
such as customer master data and product delivery are used to extract abnormal data
such as the “list of delivered products not registered in the customer master” according
to the continuous monitoring scenario.

Figure 1. Conceptual map of the CA system

3.2 Relationship between internal control, internal control over financial reporting and the CA system
After experiencing large-scale accounting scandals involving Enron and WorldCom,
the US Congress enacted the SOX Act to enhance corporate transparency; Korea,
which suffered its foreign currency crisis at roughly the same time, amended laws
related to business accounting to enhance the transparency of business accounting and
management. One of the key points of these accounting system regulations is to
reinforce management’s responsibilities related to internal controls mentioned in the
financial reporting and disclosure process to tighten internal control.
To correctly understand the background of the accounting authorities’ regulation,
a correct understanding of internal control is essential. According to the COSO Report[4],
which is regarded as the general standard of internal control, internal control is a type of
process that the board of directors, management, and other members of the organization
must follow to accomplish three objectives:
(1) effectiveness and efficiency of operations;
(2) reliability of financial reporting; and
(3) compliance with applicable laws and regulations (COSO, 1992).

The COSO Framework stipulates five elements of internal control:


(1) control environment;
(2) risk assessment;
(3) information and communications;
(4) control activity; and
(5) monitoring.

These five elements are implemented at the corporate level, while the control activity
element is also implemented at the business-unit level.
Among the five elements of internal control mentioned in the COSO Report, the CA
system supports the monitoring element. The targets of monitoring are the internal
control elements, except for monitoring itself. In particular, the main interest of
monitoring is whether control activity is appropriately conducted. For example, the
purpose of continuous monitoring scenarios, such as “product release list not registered
in the customer master,” is to monitor whether “report and review of exceptions” is
conducted properly in the following examples of control activities.
For the two case studies examined in this study, involving Company A in the
financial industry and Company B in the manufacturing industry, continuous
monitoring scenarios were used to see whether the following types of control activities
in the COSO Report were properly conducted[5]:
• report and review of exceptions;
• approval and certification of superiors;
• system configuration;
• checking audit of data requiring maintenance of consistency;
• right to access the system;
• segregation of duties; and
• interface between systems.

For example, the purpose of Company B’s continuous monitoring scenarios such as
“supplier deferred/released in the master” is to check whether “system configuration”
is properly done. If system configuration is set as “defer” for a certain supplier in the
master control screen of the purchasing master in the ERP system, no purchasing order
can be issued to the supplier by the ERP system. In this case, internal control will serve
to reduce the risk associated with continuously issuing purchase orders to an
inappropriate supplier.
Figure 2 uses the COSO Framework, the standard of internal control, to illustrate the
relationship among internal control, the internal control over financial reporting based on
SOX Act, and the CA system. Seen from the macro-viewpoint of purpose, internal control
can be divided into three types; among them, internal control for ensuring the reliability of
financial reporting can be called the internal control over financial reporting (Korea-SOX).
In addition, when internal control is divided into five components, the component
conducting the monitoring element corresponds to the CA system. Accordingly, the CA
system is the monitoring element, one of the five internal control elements of COSO. It
monitors the other internal control elements of the company and improves the overall
effectiveness and efficiency of internal control. In particular, corporations can view the CA
system as an effective tool supporting the operation of a SOX system (like the internal
control over financial reporting), which is one of the compliance items.
Furthermore, various studies on internal control have reported that effective
internal control has a positive effect on improving the transparency of accounting
information and that effective internal control provides a positive signal to participants
in capital markets[6]. Accordingly, these studies provide empirical evidence that the
CA system can have a positive influence on enhancing corporate value by improving
the effectiveness of internal control through the internal monitoring function.

Figure 2. Relationship among internal control, internal control over financial reporting (K-SOX), and CA system

3.3 Method of implementing the CA system
Implementation of the CA system can be divided into two different stages: extraction of
continuous monitoring scenarios and implementation of the risk monitoring system.
First, the continuous monitoring scenario extraction stage is the most important core
element of implementing the CA system. Continuous monitoring scenarios can be
extracted through the following three steps.
Step 1. Create the continuous monitoring scenario pool. In this step, various kinds of
company data are utilized to extract the continuous monitoring scenario pool. To
generate the risk pool, issues identified during the internal audit, violations of laws, and
documents (such as the list of issues identified during internal control) will be referenced,
and employees in charge of the internal auditing function, working-level staff, and
IT system managers will be interviewed. This is how the continuous monitoring
scenario pool will be generated.
Step 2. Assess the validity of the continuous monitoring scenarios. To assess the
validity of the continuous monitoring scenario pool, the impact of each scenario and data
availability will be assessed. Business impact refers to the degree to which the scenario
reflects the actual risk of the company. For the continuous monitoring scenario to be
meaningful, the scenario must reflect the actual risk of the company; if there is a
discrepancy with the actual risk, there is no reason to conduct continuous monitoring
based on the scenario. To measure the business impact of each scenario, the opinions of
the internal auditors, department heads, or executives may be reflected, and qualitative
judgments may be made; however, it is more effective to measure it by analyzing actual
data. In other words, the internal auditing department may check whether the scenario
actually extracts abnormal data by cooperating with the IT department, acquire
available data for each continuous monitoring scenario, and conduct the scenario-based
analysis. The IT department may write the SQL query statement under the leadership of
the internal auditing department to conduct this analysis.
Data availability will be assessed in consideration of whether the input data necessary
for implementing the scenario can be obtained from the current system or whether
additional system development is necessary. Even though the continuous monitoring
scenario has a substantial business impact, if the necessary data are not available in the
current system or if scenario implementation is costly, requiring additional system
development, a decision must be made as to whether to implement the scenario.
Step 3. Select the scenario for implementation of the continuous monitoring system.
In this step, the scenario will be confirmed on the basis of the validity assessment
of the continuous monitoring scenario pool. In this step, when the objective of risk
management is considered, we must note that it is more effective to establish a master
plan for each step depending on the internal resources of the company than to clearly
distinguish what does and does not need to be implemented. For instance, if a scenario is
judged to have a substantial business impact, scenarios with high data availability will
be primarily chosen as implementation targets, and scenarios with a large business
impact but low data availability will have a lower implementation priority; however,
future implementation plans will be established in consideration of the scenarios’
importance from the perspective of risk management.
The second stage of CA implementation involves the implementation of the
database and screen related to the scenario selected for continuous monitoring in the
previous step.
Step 1. Produce data and define screens. In this step, the data generation conditions
for each selected scenario will be clearly defined, and the layout of the inquiry screen
for each scenario will be defined. To clearly define the data generation conditions for
each scenario, the internal auditing department and related departments must confirm
them. In addition, the necessary data items must be defined when the screen is defined
to allow for their actual use when auditing.
Step 2. Implement the database and screen related to the continuous monitoring
system. The database will be designed by clearly defining the source data necessary
for generating data for each selected scenario and the necessary data will be loaded to
the database. The screen for each scenario will also be implemented.

4. Case study of the financial industry


4.1 Outline
A case involving the implementation of a CA system by Company A, a leading non-life
insurance company, is presented here. The most noteworthy aspect of this case is that
frontline workers directly participated in the project; it was not carried out by the
internal auditing team. In other words, the customer support team and the IT
department led the project.

4.2 Project background


In the financial industry, the scope of activities is expanding, and channels of
information are diversifying; with these changes, the types of financial incidents are
becoming more intelligent. Thus, the level of data management required by government
supervisory agencies is increasing. Due to these changes in operations, the demand for
CA systems is increasing day by day in the financial industry.
Company A introduced a continuous monitoring system to cope with shifting
operational challenges; that is, the firm needed complex knowledge and system
infrastructure to detect financial accidents. Company A implemented the internal
control system to comply with the K-SOX Act and periodically has been designing and
evaluating control activities and reinforcing the internal control function by assessing
the risk of each business area. However, Company A realized that these compliance
activities for meeting the legal requirements related to K-SOX are limited in reinforcing
the actual internal control function. Although the control activity evaluation pursuant
to K-SOX stated that internal control was effective, the internal auditing function of the
company found many insurance contracts violating internal supervisory standards.
As a result, Company A planned to monitor errors and fraud by establishing a
systematic support and management system that can manage control activities, and it
included implementation of an early warning system (EWS) and computerization of
auditing in the project scope based on key risk indicators (KRI)[7]. The system also
included continuous monitoring based on continuous monitoring scenarios and
attempted to improve the efficiency of integrated internal control.

4.3 Selecting continuous monitoring scenarios by generating a risk pool


Company A generated a risk pool, assessed its validity, selected continuous monitoring
scenarios, and derived KRI based on the selected risk scenarios. To generate the risk
pool, Company A:
• reviewed the risk pool defined by the auditing team, the internal control process,
  and the list of risks targeted for CSA[8]; and
• explained the pool of risks collected through two-week-long interviews with
  frontline workers and the IT department, checked whether the system could be
  implemented, and collected their opinions.

Company A also evaluated the importance of the risks of each scenario
through workshops, rechecked the possibility of system implementation,
extracted additional scenarios, and added the scenarios requested by risk
management leaders.
In consideration of the business characteristics of the non-life insurance company,
the risk pool was primarily divided into three divisions: sales, compensation/damage
assessment, and the head office. The sales division was subdivided into underwriting,
contract maintenance, policy loans, and bookkeeping/expenses/commissions; the
compensation/damage assessment division was subdivided into compensation and
payment; and the head office division was subdivided into asset management, general
loans, bookkeeping, reinsurance, general administration, and IT.
To categorize the risk pool, the business process classification system, used during
ERP implementation, was referenced; this categorization of the risk pool was part of
the effort to check whether the continuous monitoring scenarios were complete enough
to cover all processes of the company. The detailed categories of the sales division of
Company A are presented in Table I.
Some of the continuous monitoring scenarios for the middle categories of the sales
division are presented in Table II.
The first continuous monitoring scenario in Table II is “new contracts of long-term
insurance agents.” As explained above, the purpose of these continuous monitoring
scenarios is to extract abnormal data showing signs of fraud and errors. As long-term
insurance agents sell the insurance products of several insurance companies not
affiliated with Company A, fraudulent contracts closed for unearned commissions may
be feared. Accordingly, as transactions with long-term insurance agents are high-risk
transactions, the transaction amount and number of transactions must be continuously
monitored. Therefore, to identify abnormal data to be monitored in relation to the
continuous monitoring scenario called “new contracts of the long-term insurance
agents,” the “total number of new contracts concluded by long-term insurance agents in
the last three months and total gross premiums” data were extracted. The extracted data
were analyzed to select transactions with long-term insurance agents who had high
transaction amounts as intensive auditing targets. The standards for abnormal data
extraction for each continuous monitoring scenario are summarized in the “detailed
standards for continuous monitoring data extraction” column.
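
The extraction standards in Table II can be tested against data with queries of the kind the IT department writes during scenario validation. The following is an added example, not code from the paper or from Company A: it runs two of the Table II standards as SQL through Python's sqlite3 module on constructed rows. The table layout, column names, scenario keys and the reading that the day's contract must itself be a large-amount contract are assumptions.

```python
import sqlite3

LARGE_PREMIUM_KRW = 300_000  # Table II: large-amount = monthly premium in excess of this

# Hypothetical contract table; payer_id stands for the automatic transfer
# account holder. Opaque ids are used instead of resident registration numbers.
SCHEMA = """
CREATE TABLE contracts (
    contract_id     TEXT PRIMARY KEY,
    agent_id        TEXT NOT NULL,
    policyholder_id TEXT NOT NULL,
    payer_id        TEXT NOT NULL,
    monthly_premium INTEGER NOT NULL,
    contract_date   TEXT NOT NULL,      -- ISO date, YYYY-MM-DD
    is_group        INTEGER NOT NULL    -- 1 = group insurance
)
"""

# Constructed sample rows (not real data).
SAMPLE_CONTRACTS = [
    ("C001", "A1", "P1", "P1", 350_000, "2013-04-02", 0),
    ("C002", "A1", "P1", "P1", 400_000, "2013-06-14", 0),  # 2nd large contract, same pair
    ("C003", "A1", "P2", "P2", 500_000, "2013-06-14", 0),  # large, but only one for the pair
    ("C004", "A2", "P3", "P9", 120_000, "2013-06-14", 0),  # payer differs from policyholder
    ("C005", "A2", "G1", "P8", 900_000, "2013-06-14", 1),  # group insurance, excluded
    ("C006", "A3", "P4", "P4", 450_000, "2013-02-20", 0),  # outside the three-month window
    ("C007", "A3", "P4", "P4", 450_000, "2013-06-14", 0),
    ("C008", "A4", "P5", "P5", 300_000, "2013-05-01", 0),  # exactly 300,000: not in excess
    ("C009", "A4", "P5", "P5", 310_000, "2013-06-14", 0),
]

SCENARIOS = {
    # New contracts of the day where the same salesperson and policyholder have
    # two or more large-amount contracts within three months (the day included).
    "multi_large_same_agent_policyholder": """
        SELECT n.contract_id
        FROM contracts AS n
        WHERE n.contract_date = :day
          AND n.monthly_premium > :large
          AND (SELECT COUNT(*)
               FROM contracts AS p
               WHERE p.agent_id = n.agent_id
                 AND p.policyholder_id = n.policyholder_id
                 AND p.monthly_premium > :large
                 AND p.contract_date > date(:day, '-3 months')
                 AND p.contract_date <= :day) >= 2
        ORDER BY n.contract_id
    """,
    # New contracts of the day whose policyholder differs from the automatic
    # transfer account holder; group insurance is excluded.
    "payer_differs_from_policyholder": """
        SELECT contract_id
        FROM contracts
        WHERE contract_date = :day
          AND is_group = 0
          AND payer_id <> policyholder_id
        ORDER BY contract_id
    """,
}


def load_sample():
    """Create an in-memory database holding the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO contracts VALUES (?, ?, ?, ?, ?, ?, ?)",
                     SAMPLE_CONTRACTS)
    return conn


def run_scenario(conn, name, day):
    """Return the contract ids one scenario extracts for the given day."""
    params = {"day": day, "large": LARGE_PREMIUM_KRW}
    return [row[0] for row in conn.execute(SCENARIOS[name], params)]


def validate_scenarios(conn, day):
    """Run every candidate scenario so its hits can be reviewed by the auditors."""
    return {name: run_scenario(conn, name, day) for name in SCENARIOS}


if __name__ == "__main__":
    for scenario, hits in validate_scenarios(load_sample(), "2013-06-14").items():
        print(scenario, hits)
```

A scenario that returns no rows over a representative period, or returns nearly every contract, is a candidate for revision before it is confirmed for implementation.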

4.4 Establishing the monitoring system based on KRI indexes


To support timely auditing through the early warning and alarm system, Company A
selected continuous monitoring scenarios, which need to be monitored and adapted to
be used for early warning purposes. KRIs were also developed. For example, Company A
evaluated the insurance contracts of long-term insurance agents as high-risk items that
need to be corrected immediately; the scenario called “new contracts of long-term
insurance agents” was made into an additional monitored KRI. Accordingly, in relation
to this scenario, Company A developed the following four KRIs to monitor long-term
insurance agents with substantial variation in the number of contracts and contract
amounts:
(1) Number of long-term insurance agents whose percentage change in new
    contracts is more than ±30 per cent as compared to the previous month.
(2) Number of long-term insurance agents whose percentage change in new
    contracts is more than ±30 per cent in the past three months.
(3) Number of long-term insurance agents whose percentage change in gross
    premiums of new contracts is more than ±30 per cent as compared to the
    previous month.
(4) Number of long-term insurance agents whose percentage change in gross
    premiums of new contracts is more than ±30 per cent in the past three months.

Table I. Risk pool classification categories of the sales division of Company A

| Division | Large category | Middle category |
|---|---|---|
| The sales division | Underwriting | Analysis of new contracts |
| | | Financial accident |
| | | Bad contracts |
| | | Contracts |
| | | Check transient policy |
| | | Check replaced policy |
| | | Cancel quality assurance |
| | | Insurance salespeople’s own policies |
| | | Analyze new insurance salespeople |
| | Contract maintenance | Analyze business in force |
| | | Appropriateness of insurance premium collection |
| | | Change collection methods |
| | | Over-appropriation |
| | | Appropriateness of policyholders |
| | | Appropriateness of reinstated policies |
| | | Appropriateness of lapsed policies |
| | | Overdue installments |
| | | Analyze cancelled/terminated contracts |
| | | Change insurance salespeople |
| | | Endorsement |
| | Policy loan | Frequent insurance policies |
| | | Appropriateness of insurance policy loan amounts |
| | | Change information when taking out an insurance policy loan |
| | | Analyze policies eligible for policy loans |
| | | Analysis of policy loan application information |
| | Accounting/expenses/commission | Appropriateness of non-collection |
| | | Appropriateness of commissions |
| | | Check insurance salespeople |

For a KRI index (such as above) to provide an adequate early warning function –
i.e. detecting risks in advance – the rules, roles, and responsibilities for the management
of the KRI index must be defined in advance. In other words, for each KRI, the following
must be defined: which department will generate and monitor the KRI index
(department in charge), how often the KRI data will be monitored (generation cycle), and,
if the KRI index exceeds a certain pre-determined standard, whether it will be perceived
as a warning (prior threshold). In particular, a careful approach to the prior threshold
(tolerance limit)[9] is required. Company A set up prior thresholds for the KRIs based on
past statistical performance and adjusted them through consultation between
departments in order to confirm the KRI thresholds.

Table II. Examples of continuous monitoring scenarios of the sales division of Company A

| Division | Large category | Middle category | Continuous monitoring scenario | Reason for selection | Detailed standard for continuous monitoring data extraction |
|---|---|---|---|---|---|
| The sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | It is feared that long-term insurance agents may conclude bad contracts aiming at defraudation of commissions | 1. Number of new contracts, concluded by long-term insurance agents, and total gross premiums of the previous three months 2. Including employee information |
| The sales division | Underwriting | Analysis of new contracts | The same insurance salesperson and the same policyholder with multiple large-amount contracts | Many large-amount contracts with the same insurance salesperson and the same policyholder are likely to be subsidiary contracts to meet contracts | 1. Those new contracts of the day which had two or more large-amount contracts with the same insurance salesperson and the same policyholder within three months (the criterion for large-amount contracts is monthly insurance premium in excess of KRW300,000) |
| The sales division | Underwriting | Financial incidents | Contracts with the policyholder different than the insurance premium automatic transfer account holder | Checking whether the sale is complete and the insurance salesperson paid insurance premiums by proxy | 1. Those new contracts of the day whose policyholder resident registration numbers are different than insurance premium automatic transfer account holders (however, group insurances are excluded) |
| The sales division | Underwriting | Bad contracts | Contracts many of which are contracts with the same insurance premium automatic transfer account holder | Bad contracts due to the insurance salesperson’s payment by proxy or defraudation of commission through false contracts | 1. New long-term insurance contracts within the last six months which had ten or more contracts with the same insurance salesperson and automatic transfer account holder (However, group insurances are excluded.) |
| The sales division | Underwriting | Bad contracts | Underwriting of contracts prohibited according to the underwriting guideline for each insurance line | Checking for bad contracts in advance according to business logic | Underwriting of contracts prohibited according to the underwriting guideline for each insurance line (the generation method needs to be specified) |
| The sales division | Underwriting | New contracts | New contracts with no special option | Policies that have only the basic contracts without any special option to avoid underwriting may be subsidiary contracts to meet targets | 1. Those new contracts of the day which had only the basic contracts without any special option |
| The sales division | Underwriting | New contracts | Canceling the policy | Insurance salespeople, sales offices and branches who cancel contracts frequently are likely to be associated with incomplete sale or subsidiary contracts | 1. Contracts that were cancelled on the day |
| The sales division | Underwriting | New contracts | Contracts concluded this month and cancelled the next | Likely to be bad contracts or subsidiary contracts to meet targets | 1. Those contracts cancelled on the day which were concluded in the previous month |

Table III shows examples of KRIs selected on the basis of the continuous
monitoring scenarios of the sales division, along with the attributes of each KRI.
According to Table III, each KRI index is calculated according to the KRI generation
formula column and is monitored according to the value entered in the monitoring cycle
column. The threshold is divided into “red” and “green” to perceive risks in stages. That
is, green refers to a risk in the early stage; red refers to a risk that requires an immediate
response. For example, in the KRI called “number of long-term insurance agents whose
percentage change in new contracts is more than ±30 per cent as compared to the
previous month,” green is 0 and red is 1. This means that risks in the early stage will not
be perceived, and risks requiring immediate response will be perceived instantly. In the
early stage, Company A is not differentiating between the green and red warning stages,
and if the CA system is further stabilized, the company will set up different thresholds
for green and red.
In addition, to embed the EWS, Company A systematically defined the risk
management process. If the KRI index exceeds the pre-determined threshold, it will be
regarded as a sign of risk; the IT system will automatically send an e-mail and SMS to
the employees in charge, who will report to the department heads and management
and conduct predefined preventive activities. At the same time, the internal auditing
team will determine the reason that the early warning index exceeded the threshold
through continuous monitoring and by tracking related information. If necessary,
relevant areas will be audited in detail.
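
An added example, not taken from the paper or from Company A's system, of how the four long-term agent KRIs and the red/green thresholds of Table III can be computed and turned into alert records. The sample history, the department name, the treatment of a zero baseline, and the rule that a value at or above red is red while a value strictly between green and red is green are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction

LIMIT = Fraction(30, 100)  # the +/-30 per cent criterion in the KRI definitions


@dataclass(frozen=True)
class KriDef:
    key: str         # short identifier (hypothetical)
    metric: int      # 0 = number of new contracts, 1 = gross premium
    baseline: str    # "prev_month" or "avg_3m"
    department: str  # department in charge (hypothetical name)
    red: int         # threshold that requires an immediate response
    green: int       # early-stage threshold


# Thresholds follow Table III (red 1, green 0); the generation cycle is monthly.
KRIS = [
    KriDef("contracts_vs_prev_month", 0, "prev_month", "sales-support", 1, 0),
    KriDef("contracts_vs_avg_3m", 0, "avg_3m", "sales-support", 1, 0),
    KriDef("premium_vs_prev_month", 1, "prev_month", "sales-support", 1, 0),
    KriDef("premium_vs_avg_3m", 1, "avg_3m", "sales-support", 1, 0),
]

# Constructed sample: agent -> (new contracts, gross premium in KRW) for the
# three previous months followed by the current month.
HISTORY = {
    "LT-001": [(10, 3_000_000), (10, 3_000_000), (10, 3_000_000), (13, 3_100_000)],
    "LT-002": [(20, 6_000_000), (22, 6_500_000), (21, 6_400_000), (22, 6_600_000)],
    "LT-003": [(8, 2_000_000), (12, 2_400_000), (16, 4_000_000), (12, 2_600_000)],
    "LT-004": [(0, 0), (0, 0), (0, 0), (5, 1_500_000)],
}


def changed_substantially(current, baseline):
    """True when |current - baseline| / baseline is 30 per cent or greater."""
    if baseline == 0:
        # Assumption: activity after a baseline of zero counts as a change,
        # because the percentage itself is undefined.
        return current > 0
    return abs(current - baseline) / baseline >= LIMIT


def kri_value(kri, history):
    """Number of agents whose change against the KRI's baseline is flagged."""
    flagged = 0
    for months in history.values():
        *previous, current = [month[kri.metric] for month in months]
        if kri.baseline == "prev_month":
            baseline = Fraction(previous[-1])
        else:
            baseline = Fraction(sum(previous[-3:]), 3)  # exact three-month average
        if changed_substantially(current, baseline):
            flagged += 1
    return flagged


def warning_level(value, red, green):
    """Map a KRI value to a warning stage (assumed rule, see lead-in)."""
    if value >= red:
        return "red"
    if value > green:
        return "green"
    return "normal"


def evaluate(history, kris=KRIS):
    """Return one alert record per KRI that is not at the normal level."""
    alerts = []
    for kri in kris:
        value = kri_value(kri, history)
        level = warning_level(value, kri.red, kri.green)
        if level != "normal":
            alerts.append({"kri": kri.key, "value": value, "level": level,
                           "notify": kri.department})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(HISTORY):
        print(alert)
```

With red set to 1 and green to 0 the green stage can never fire, which matches the page's remark that Company A does not yet differentiate the two stages.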

4.5 Computerization of audit management


To improve communication by maximizing computerized data and conducting audits
based on the auditing system, Company A purchased an auditing system package with
the auditing function embedded from an auditing system package maker.
As the auditing information system package was off-the-shelf, Company A
customized the system package by:
• putting the audit processes in order to reflect the requirements related to the
  auditing function; and
• analyzing the gap from the auditing package and generating the menu structure
  map showing which parts of the system needed to be additionally customized.

The audit process map and process map for defining the requirements of Company A’s
auditing system were used to generate the auditing information system menu structure
map shown in Tables IV and V.
This audit information system is closely related to the CA system and KRIs. It will
have a direct influence on the update of continuous monitoring scenarios of the CA
system by systematically managing the audit history and issues. In other words, the
audit history and identified issues are used to add new continuous monitoring scenarios.
If scenarios added this way are high-risk and need immediate correction, KRIs will be
developed, as well. Therefore, the audit information system plays a supplementary role
in the effective operation of the CA system and KRIs. Furthermore, the CA system and
KRIs affect actual auditing, helping in the selection of intensive audit items by
extracting abnormal data showing signs of fraud and errors. Accordingly, the
relationships among the CA system, EWS, and audit information management system
can be represented as shown in Figure 3.

Table III. Examples of continuous monitoring scenarios generated by Company A

| Division | Large category | Middle category | Continuous monitoring scenario | KRI classification | KRI generation formula | Unit | Cycle | Threshold (red) | Threshold (green) |
|---|---|---|---|---|---|---|---|---|---|
| The sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | Number of agents specializing in long-term insurance with the percentage change of new contracts as compared to the previous month being ±30 per cent or greater | Number of agents specializing in long-term insurance with [(Number of new contracts of the month - Number of new contracts of the previous month)/Number of new contracts of the previous month] being ±30 per cent or greater | Person | Month | 1 | 0 |
| The sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | Number of agents specializing in long-term insurance with the percentage change of new contracts as compared to the previous three months being ±30 per cent or greater | Number of agents specializing in long-term insurance with [(Number of new contracts of the month - Number of new contracts of the previous three months)/Average number of new contracts of the previous three months] being ±30 per cent or greater | Person | Month | 1 | 0 |
| The sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | Number of agents specializing in long-term insurance with the percentage change of new contract sales premium as compared to the previous month being ±30 per cent or greater | Number of agents specializing in long-term insurance with [(Total new contract sales insurance premium of the month - Total new contract sales insurance premium of the previous month)/Total new contract sales insurance premium of the previous month] being ±30 per cent or greater | Person | Month | 1 | 0 |
| The sales division | Underwriting | Analysis of new contracts | New contracts of long-term insurance agents | Number of agents specializing in long-term insurance with the percentage change of new contract sales insurance premium as compared to the previous three months being ±30 per cent or greater | Number of agents specializing in long-term insurance with [(Total new contract sales insurance premium of the month - Average total new contract sales insurance premium of the previous three months)/Average total new contract sales insurance premium of the previous three months] being ±30 per cent or greater | Person | Month | 1 | 0 |
| The sales division | Underwriting | Analysis of new contracts | Multiple large-amount contracts with the same insurance salespeople and the same policyholders | Number of insurance salespeople who signed three or more large-amount long-term insurance contracts with the same policyholder within three months | Number of insurance salespeople who had three or more large-amount contracts with the same insurance salespeople, and the same policyholder’s sales insurance premium in excess of KRW300,000 in the last three months | Person | Month | 3 | 1 |
| The sales division | Underwriting | Bad contracts | Number of long-term insurance policies with the same account holder automatically transferring insurance premiums | 1. Long-term insurance policies with the same account holder transferring insurance premiums for more than ten policies (however, group insurance is excluded) | Number of long-term insurance policies with the same account holder transferring insurance premiums for more than ten policies | Person | Month | 1 | 0 |

Table IV. Company A’s audit process map

| Mega process | Process chain | Process |
|---|---|---|
| 1. Audit planning | 1.1 Establishing audit plans | 1.1.1 Establishing annual audit plans |
| | | 1.1.2 Establishing monthly audit plans |
| | 1.2 Managing external documents | 1.2.1 Managing external audits |
| 2. Auditing | 2.1 Periodic audits | 2.1.1 Preparing for audits |
| | | 2.1.2 Conducting audits |
| | 2.2 Daily audits | 2.2.1 Daily audits |
| 3. Audit results | 3.1 Post-management | 3.1.1 Registering audit reports |
| | | 3.1.2 Requesting field actions |
| | | 3.1.3 Requesting actions (audited department) |
| | | 3.1.4 Requesting actions (HR team) |
| | 3.2 Other | 3.2.1 Transfer of duties |
| | | 3.2.2 Managing surveys |

Table V. Company A’s auditing system menu structure map

| Large category | Middle category | Small category |
|---|---|---|
| Audit planning | Establishing audit plans | Inquiring monthly audit plans |
| | | Registering monthly audit plans |
| | | Inquiring annual audit plans |
| | | Registering annual audit plans |
| | | Audit grades |
| | Approval box | Waiting documents (for approvers) |
| | | Progress |
| | Managing external audits | Managing history of external audits |
| | Managing reports | Managing reports |
| Auditing | Monthly audits | Preparing for audits |
| | | Conducting audits |
| | Investigating civil complaints | Receiving civil complaints |
| | | Handling civil complaints |
| | Daily audits | Daily audits received |
| | | Daily audits handled |
| | | Progress of daily audits |
| | | Daily audit statistics (by department) |
| | | Daily audit statistics (by auditor) |
| Audit results | Post-management | Inquiring results of local actions |
| | | Inquiring action requirements |
| | | Inquiring registered reprimands |
| | Inquiring audits | Inquiring history by auditor |
| | | Inquiring history by auditing institution |
| | | Audit plan vs actual |
| | Audit reports | Report management status |
| | | Registering reports |

Figure 3. Relationship between Company A’s CA system, EWS, and audit information management system

4.6 Practical implications


Company A’s case study gives rise to three important points. First, Company A efficiently
generated the continuous monitoring scenario that reflects its operational reality; it
accomplished this by generating the continuous monitoring scenario pool based on the
result of the past diagnosis of the internal auditing team or the defects of internal control
detected according to Korea-SOX. As frontline workers took an active part in the project,
presented their opinions, and thus increased the effectiveness of the continuous monitoring
scenarios, this continuous monitoring scenario pool approach could contribute to the
reduction of the project period and maximize the effectiveness of the project.
Second, Company A effectively implemented the risk management system by
defining KRIs. As risk management is a key function of the financial industry, Company
A tried to upgrade the risk management system by building a system for preemptively
detecting incidents likely to negatively affect the business of the company rather than
simply focusing on continuous monitoring of risks. It is important that Company A tried
to carry out the project efficiently by taking advantage of the continuous monitoring
scenarios made when KRIs were generated.
Third, to increase the efficiency of auditing based on the results of continuous
monitoring, Company A built a customized system for automating audits. Ensuring
the timeliness of data for actual auditing and audit trail management were important
tasks of the internal auditing department, but Company A upgraded the system for
managing audit-related data by implementing the necessary processes. In addition,
Company A implemented an audit execution and reporting process for each audit it
performed and enhanced the effectiveness of auditing by electronically following up on
what was identified during audits. The company was also able to prevent and help
eradicate intentional fraudulent behavior of people working in the head office or
frontline workers by means of the chilling effect that arises when frontline workers and
employees in the head office are notified that they are being monitored.

5. Case study of the manufacturing industry


5.1 Outline
A case involving the implementation of a CA system by Company B, a diversified firm
with key operations in the manufacturing business, is presented here. In Company B,
the internal audit team, a key stakeholder of the CA system, conducted the project.

5.2 Project background


With regard to the control environment of frontline workers, there were cases of
circumvention of control as ERP users’ authority and the number of power users both
increased. The same types of errors and fraud were being repeated, and as the business
scope was gradually expanding and becoming more complex, the frontline departments
conducted the internal control assessment (ICA) perfunctorily; it was difficult to monitor
all processes. Examining the current status of the auditing team, however, it was evident
that knowledge was not being accumulated; five years was the longest tenure of
continuous service, and their knowledge of ERP was so poor that frontline work was
continuously automated, while diagnostics was done manually. Accordingly, a new
diagnostician relied more on personal abilities than on the diagnostics procedure, and
common processes, including systems and conducted diagnostics, focused on ex-post
facto detection based on reports in order to conduct internal audits.
Accordingly, Company B decided to introduce a continuous monitoring system to
improve the quality of internal auditing by selecting auditing targets based on risks in
the IT environment and conducting effective audits.

5.3 Generating solutions to important issues about internal control


Company B intended to not only build the CA system but also improve the company’s
overall internal control system. Accordingly, the company identified important issues
related to internal control for each area of work and divided each issue into one of three
categories: a business process issue, an IT system issue, and an organizational issue.
All issues were divided into one of the categories to easily generate the fundamental
solutions for issues regarding internal control. For instance, the business process issue
led to solutions such as introducing a new business process or improving an existing
process. Considering the characteristics of issues, however, if continuous monitoring
was deemed to be necessary in addition to improvement of internal control, it was
included in the overall scope of the CA system.
For example, Company B conducted internal control diagnosis; it found that
collection and accounts receivable (AR) management was not monitored at the
corporate level. Accordingly, the roles and responsibilities regarding collection and AR
management were assigned first to the internal audit team, which monitored these
activities periodically. Considering their importance, manual monitoring did not seem
effective. Therefore, the following continuous monitoring scenarios were developed
with regard to collection and AR management:
• inconsistency of collection conditions/collection methods between the customer
  master and the billing document;
• cases where the approval of the extension of the collection deadline was missing
  or it was not approved at the right time; and
• all slips in which sales occurred to bankrupt customers.

Company B implemented the above continuous monitoring scenarios in a separate
continuous monitoring screen and formalized the monitoring process of the internal
audit team based on the continuous monitoring system.
Table VI presents examples of solutions to the important issues regarding internal
control identified by Company B.

5.4 Extracting continuous monitoring scenarios


The continuous monitoring scenarios, selected as part of the effort to solve the
aforementioned issues regarding internal control, were divided into types – details of
unusual transactions, information gaps, and incomplete/delayed transactions – to
ensure that they could be linked to the appropriate risk assessment method and
auditing practices. The continuous monitoring scenarios utilized by Company B are
classified in Table VII.
Continuous monitoring scenarios were generated for each business process in
consideration of the aforementioned classification of scenario types. The process
classification used by Company B for categorization of continuous monitoring
scenarios is presented in Table VIII.
Among the above business process areas, Table IX presents examples of continuous
monitoring scenarios generated for each type of scenario of the purchasing process.
The first continuous monitoring scenario in Table IX is “supplier deferred/released in
the master.” As explained above, if system configuration is set as “defer” for a certain
supplier in the master control screen of the purchasing master in the ERP system, no
purchasing order can be issued to the supplier by the ERP system. Accordingly,
“supplier deferred/released in the master” must be continuously monitored so that
purchasing transactions with inappropriate suppliers are prevented and purchasing
transactions with appropriate suppliers are not blocked.
It is noteworthy that in Company B, the continuous monitoring scenarios were
extracted in the process of improving the overall internal control system. This approach
supports the view, mentioned earlier, that implementing the CA system by developing
continuous monitoring scenarios will enhance corporate value by reinforcing the overall
internal control.

5.5 Implementing the risk assessment model


Company B defined the audit universe with a focus on each business area and the mega
processes of SAP ERP. The company also established a “risk assessment model” that
uses detailed trend information for each continuous monitoring scenario for diagnosis,
gathers information on abnormalities, and assesses risks for each business and
process. In other words, Company B reflected the process and organization level to
classify the audit universe of the business audit office and tried to establish the best
risk assessment framework.
Risk assessment is conducted by each business division at the Entity Level and
Process Level; each risk item at each level will be assessed. At the Entity Level, risks
will be assessed for the environmental index, management index, and segregation
of duties (SOD) index. The environmental index is related to the organization and
system of the business division, and the percentage (%) change in manpower is the
representative item. The management index is related to the management performance
of the business division, and sales/bad debt expenses by month, product, and customer
are representative items. The SOD index is intended to check for transactions
conducted by the same person that are not compatible with one another, according to
segregation of duties. A representative example is the customer generation/change and
invoice generation/change performed by the same person. One of the characteristics of
this Entity-Level index is that it is generated only for risk assessment.

Table VI. Examples of solutions to important issues about Company B’s internal control

| Area | Issues about internal control | Solution |
|---|---|---|
| Credit rating and credit management | The concrete data analysis results and the credit master have not been updated for a long time (more than a year) for thousands of contracts, and the periodical credit/security evaluation procedure is inadequate | (1) Company B newly established the process of evaluating credit/security after a year and reflecting it to the credit master (2) Company B implemented the function for setting the next review data of the credit limit in the system and issuing a warning in the ERP system |
| | Many transactions with abnormal selling prices (KRW0, 1 or a negative price) entered in the Sales Order were found. If the credit limit is exceeded in the middle of the month, KRW1 or 0 is entered first, and if the credit is adjusted at the end of the month, the original unit price is entered for closing, or if the unit price of a new product is not set, the unit price is entered as KRW0, and when the unit price is set, the original unit price is entered | The system was set up so that (KRW0) unit price will not be entered, and at the same time the risk monitoring scenario “the unit price in the Sales Order is abnormal (KRW0 or 1)” was generated, and a separate screen was implemented in the continuous monitoring system |
| Collection and A/R management | Collection and AR management were not monitored at all | The monitoring scenario was implemented as a separate continuous monitoring screen, and at the same time the monitoring process of the internal auditing team based on the continuous monitoring system was made official |
| | Collection conditions and methods of the customer master and the billing documents were different | |
| | Approval of the extension of the collection deadline is missing, or it is not performed in a timely manner | |
| | Sales slips of bankrupt customers | |
| | Customer master is not adequately managed for customers for whom trading is suspended, e.g. suspension of trading and receivership | Changed the system setting so that Sales Order creation and slip posting will be blocked for customers for whom trading is suspended |
| | As there are many long-term AR older than 180 days, Company B asked frontline workers, and confirmed that some cases were attributed to management problems like receivables and payables not offset, unsettled suspense receipts, and calculation errors as well as actual bad receivables. It is because the company relies on the turnover ratio alone for management of receivables, and the aging schedule is not used | Company B implemented a separate continuous monitoring screen for monitoring “long-term AR older than 180 days” |
| Investment budget management area | There are many cases where the capital expenditure/capital expenditure code of the current investment budget number are different than the accounting account (asset/expense) information, and the risk of appropriation between capital expenditures and revenue expenditure | Company B modified the system so that the accounting title (asset/expense) entry can be properly restricted according to the capital expenditure/revenue expenditure code of the current investment budget number when the purchase order is made, and implemented Edit Check control in the system so that garbage data can be filtered when the investment budget number is entered |
| Purchase management area | There are many cases where the account title of the item master is different than the account for actual purchase transaction as it is possible to change the account to an account other than the accounting title of the item master when purchase orders are generated | Company B implemented a separate continuous monitoring screen for monitoring cases where the accounting title information of the ITEM master is different than the account for actual purchase transaction |
| | There are many cases where the incoming quantity is greater than the order quantity except for the overage of imported bulk cargo. As more goods than necessary are brought in, unnecessary inventory management expenses will be incurred and there is a risk of obsolescence, and a risk of paying an excessive amount for purchases | Company B set the “tolerance level” for each purchase item and BU according to the purchase type so that the brought-in quantity can be correctly controlled, and implemented a separate continuous monitoring screen for monitoring cases exceeding the “tolerance level” |
| | The risk of double payment of the purchase price was confirmed because of cases where it has been a year from the date of advance payment but has not been offset and the balance remains | Company B implemented the continuous monitoring screen for monitoring “it has been a year from the date of advance payment but has not been offset and the balance remains” |
| | The risk of overpayment of purchase price was confirmed due to cases where the annual contract unit price of MRO is different than the actual unit price applied when orders were placed | Company B implemented the continuous monitoring screen for “continuously checking and verifying the list of annual contract unit prices of MRO and the actual unit prices when orders are placed” |
Table VII. Types of Company B’s continuous monitoring scenarios

| Classification | Description | Example |
|---|---|---|
| Unusual transactions | Showing abnormal and non-ordinary transactions or exceptions | Reviewing abrupt and frequent increase/decrease of the credit limit (more than XX%/KRW XX) |
| Information GAP | If there are many pieces of identical data due to interface in the flow of information, there will be gap between these data | Reviewing the inconsistency between the Sales Order quantity and the Delivery Order quantity |
| Incomplete/delayed transactions | Showing incomplete and delayed transactions | Reviewing incomplete purchase orders that have not been fulfilled for a long time past the requested delivery date |
| Segregation of duties | Showing cases where jobs with conflicting interests are not separated, and processed by the same person | Reviewing cases where the person in charge of warehousing is the same according to the list of purchase order creators |
| Statistical information | Making it possible to discover non-ordinary transactions based on the distribution of transaction details | Reviewing cases where there are many manual entries of non-ordinary transactions (by company, by related department and by person in charge) |
| Master management | Showing the defects and errors of the master that hurt the integrity of transactions | Reviewing the accuracy of the customer, and GL distribution entries of the vendor master |
| Configuration | Showing the defects and errors of automatic control implementation in the system | Reviewing cases where accounts payable slips were generated due to the goods receipt slip cancelled after receipt |

Table VIII. Risk pool classification category of Company B

| Process | Sub_Process |
|---|---|
| Purchasing | PU.01 – purchase request/quotation management |
| | PU.02 – contract/order management |
| | PU.03 – inspection/purchase confirmation |
| | PU.04 – payment |
| Production/inventory | IV.01 – production management |
| | IV.02 – inventory management |
| | IV.03 – fixed asset management |
| Sales | SA.01 – credit management |
| | SA.02 – order management |
| | SA.03 – logistics management |
| | SA.04 – sales management |
| | SA.05 – collection management |
| Finance/other | FI.01 – fund management |
| | FI.02 – accounting management |
| | FI.03 – tax management |
| | FI.04 – other |

Table IX. Examples of Company B’s continuous monitoring scenarios in the purchasing process

| Process | Sub_Process | Scenario type | Item (auditing scenario) | Description |
|---|---|---|---|---|
| Purchasing | Purchase request/quotation management | Master management | Supplier deferred/released in the master | Reviewing the appropriateness of supplier deferred/released in the master to reduce the risk of continuous issuance of purchase orders to inappropriate suppliers |
| Purchasing | Purchase request/quotation management | Statistical information | % of rejected materials | Reviewing the rejection rate by lot and supplier to reduce the risk (quality) of inappropriate purchasing interfering with efficient production |
| Purchasing | Purchase request/quotation management | Information GAP | Accounts payable slips directly generated by ERP (TOPS data inconsistent with ERP data with regard to expendables/repair costs) | Reviewing accounts payable slips directly generated in the ERP financial master without going through the purchasing process to reduce the risk of inappropriate accounts payable appropriated without going through the purchasing process or making payments |
| Purchasing | Purchase request/quotation management | Incomplete/delayed transactions | Reviewing purchase requests with no purchase order generated | Number of customers with only basic credit who have a large amount of AR as compared to the basic credit |
| Purchasing | Purchase request/quotation management | Reviewing abnormal transactions | Continuous purchases from suppliers with a high rejection rate | Extracting those companies with a high return ratio in the warehousing stage for which purchase orders and warehousing transactions occur continuously |
| Purchasing | Purchase request/quotation management | Configuration | (Construction Purchasing) Limited access to the estimated cost of construction | Checking if the right to access the estimated cost of construction is appropriately limited to reduce the risk of lower transparency of the bidding process and back-scratching alliance with bidders due to the leak of the estimated cost of construction |
| Purchasing | Purchase request/quotation management | Division of duties | Approval by inappropriate approvers (self-approval) | Reviewing the approval path set as self-approval in the purchase request to reduce the risk of bypassing the appropriate approval path |

At the Process Level, individual continuous monitoring scenarios are scored, and the total
score is calculated for risk assessment. Risk scores are calculated for the sales index, the
purchasing index, the production index, and the financial index. The sales index considers
credit management, order management, logistics management, sales management,
and collection management process. The purchasing index considers the purchase
request/quotation management, contract/order management, warehousing/purchase
confirmation, and payment process. The production index considers the production
management, inventory management, and fixed asset management. The financial index
considers fund management, accounting management, and tax management process. One
of the characteristics of this process-level index is that the continuous monitoring
scenarios utilized by the CA system are used for risk assessment.
The scores of individual risk items will be aggregated, and risk grades at the Entity
Level and the Process Level will be classified as “High/Medium/Low”. Company B
implemented a dashboard screen for viewing the risk grades for each division, identified
the intensive audit universe, and is using them to conduct efficient and effective internal
auditing.
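
The scenario extraction of Section 5.4 and the scoring and grading of Section 5.5 can be made concrete as follows. This is an added example, not code from the paper or from Company B's system: it runs three checks named on this page (abnormal Sales Order unit price, receipts above the tolerance level, and customer/invoice maintenance by the same person) over constructed records. The field names, per-exception weights and High/Medium/Low cut-offs are assumptions, since the paper does not publish them.

```python
"""Added illustration: three of the paper's monitoring scenarios feeding a risk grade.

All records, field names, weights and grade cut-offs below are constructed
assumptions; the paper does not publish Company B's scoring rules.
"""
from collections import defaultdict

# Constructed sample extracts standing in for ERP tables.
SALES_ORDERS = [
    {"doc": "SO-1001", "division": "DIV-A", "unit_price": 12500},
    {"doc": "SO-1002", "division": "DIV-A", "unit_price": 0},
    {"doc": "SO-1003", "division": "DIV-A", "unit_price": 1},
    {"doc": "SO-1004", "division": "DIV-B", "unit_price": -300},
    {"doc": "SO-1005", "division": "DIV-B", "unit_price": 8000},
]
GOODS_RECEIPTS = [
    {"doc": "GR-2001", "division": "DIV-A", "item": "BOLT", "ordered": 100, "received": 103},
    {"doc": "GR-2002", "division": "DIV-A", "item": "BOLT", "ordered": 100, "received": 120},
    {"doc": "GR-2003", "division": "DIV-B", "item": "RESIN", "ordered": 50, "received": 50},
]
# Assumed "tolerance level" per purchase item, as a fraction over the order quantity.
TOLERANCE = {"BOLT": 0.05, "RESIN": 0.02}
# Constructed change log: which user performed which maintenance action.
CHANGE_LOG = [
    {"user": "kim", "division": "DIV-A", "action": "customer_change"},
    {"user": "kim", "division": "DIV-A", "action": "invoice_create"},
    {"user": "lee", "division": "DIV-B", "action": "customer_create"},
    {"user": "park", "division": "DIV-B", "action": "invoice_create"},
]

CUSTOMER_ACTIONS = {"customer_create", "customer_change"}
INVOICE_ACTIONS = {"invoice_create", "invoice_change"}
# Assumed score per exception and assumed grade cut-offs.
WEIGHTS = {"abnormal_unit_price": 2, "over_tolerance_receipt": 1, "sod_conflict": 3}
HIGH_CUTOFF, MEDIUM_CUTOFF = 4, 2


def abnormal_unit_price(orders):
    """Unusual transaction: Sales Order unit price of KRW 0, KRW 1 or negative."""
    return [(o["division"], o["doc"]) for o in orders if o["unit_price"] <= 1]


def over_tolerance_receipts(receipts, tolerance):
    """Incoming quantity above order quantity by more than the item's tolerance level."""
    hits = []
    for r in receipts:
        # An item with no configured tolerance is allowed no overage at all.
        limit = r["ordered"] * (1 + tolerance.get(r["item"], 0.0))
        if r["received"] > limit:
            hits.append((r["division"], r["doc"]))
    return hits


def sod_conflicts(change_log):
    """SOD: customer generation/change and invoice generation/change by one person."""
    actions = defaultdict(set)
    for entry in change_log:
        actions[(entry["division"], entry["user"])].add(entry["action"])
    return [key for key, acts in sorted(actions.items())
            if acts & CUSTOMER_ACTIONS and acts & INVOICE_ACTIONS]


def grade(score):
    """Map an aggregated score to High/Medium/Low using the assumed cut-offs."""
    if score >= HIGH_CUTOFF:
        return "High"
    return "Medium" if score >= MEDIUM_CUTOFF else "Low"


def assess(orders, receipts, tolerance, change_log):
    """Score every exception and aggregate per division, level and index."""
    findings = [
        ("Process", "Sales index", "abnormal_unit_price", abnormal_unit_price(orders)),
        ("Process", "Purchasing index", "over_tolerance_receipt",
         over_tolerance_receipts(receipts, tolerance)),
        ("Entity", "SOD index", "sod_conflict", sod_conflicts(change_log)),
    ]
    scores = defaultdict(int)
    for level, index, scenario, hits in findings:
        for division, _reference in hits:
            scores[(division, level, index)] += WEIGHTS[scenario]
    return {key: (score, grade(score)) for key, score in sorted(scores.items())}


if __name__ == "__main__":
    for key, result in assess(SALES_ORDERS, GOODS_RECEIPTS, TOLERANCE, CHANGE_LOG).items():
        print(key, result)
```

A division and index with no exceptions produces no entry in the result, so a dashboard built on it would need to treat a missing key as a score of zero.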

5.6 Practical implications


Company B’s case study gives rise to three important points. First, Company B
diagnosed internal control issues and generated continuous monitoring scenarios based
on the deficiencies of internal control discovered as a result of the diagnosis. It is common
to generate the continuous monitoring scenario pool based on the results of past
diagnostics conducted by the internal auditing team or based on the defects of internal
control found in the process of Korea-SOX operations. Company B, however, conducted
a self-diagnosis of their internal control to enhance the effectiveness of continuous
monitoring scenarios, and it generated continuous monitoring scenarios based on the
result of this diagnosis.
Second, Company B generated solutions from a comprehensive viewpoint in a bid to
remove the deficiencies of internal control. To accomplish this, fundamental solutions
to risks may be necessary in addition to continuous monitoring of these risks.
Company B’s solution was to improve relevant processes and, if necessary, supplement
its policies to eliminate the deficiencies of internal control. In other words, Company B
divided the key issues of internal control into business process issues, IT system
issues, and organization issues, and tried to find fundamental solutions.
Third, the results of continuous monitoring were used as the process-level index of
the risk assessment model for extracting the audit universe, which must be an area
subject to intensive auditing. The company monitored departments/processes for each
continuous monitoring scenario and monitored departments/processes with high risks
on the dashboard to identify the intensive audit universe.

6. Discussion
The purpose of this study was to help enterprises hoping to implement a CA system –
and to help internal and external auditors better understand such systems and their
implementation – by examining two enterprise cases that introduced the CA system.
This chapter describes several problems likely to occur in the process of introducing
and running the CA system.

6.1 Speed of technological advances and practical application


Both the IT environment and enterprises’ business needs are advancing every day.
Systems are being computerized, and the capabilities of users are also improving day
by day. As the two case studies suggest, this development will continue, requiring
auditing systems to evolve to meet new challenges. Most importantly, the adoption
of CA in the field and managers’ mindsets are not keeping pace with the speed of
advancements in IT environments and auditing systems (Alles et al., 2008). No matter
how elaborate a company’s auditing system appears, if it is not utilized or updated
appropriately, it can quickly lose all practical utility and simply become a complicated
management procedure. Accordingly, the outlooks of management and the
working-level staff utilizing the auditing system must change.

6.2 Judgment of the management and the independence of the internal auditor
The strategy and judgment of management may be reflected in the internal control
procedure. If the CA system is introduced, the internal auditor and related departments
can see it in real time, which can be a burden to management. Hunton et al. (2008)
suggested that the decision-making of management may change when they know they
are being monitored. Accordingly, care must be exercised to prevent CA from inducing
management to make overly conservative business decisions.
As managers are in a general position to hire internal auditors, they can govern
these auditors. In particular, if a company adds a CA system that allows internal
auditors’ daily activities to be monitored in real time, management may be strongly
tempted to interfere with them. If so, the independence of internal auditors may be lost,
and they may not play their proper supervisory roles. Thus, the maintenance of
internal auditors’ integrity and independence is important.

6.3 The relationship between the company and external auditing


Understanding the company and evaluating its internal control are the most important
factors before external auditors conduct their audit. If the CA system is fully utilized in this
process, the company will be understood, and internal control will be evaluated more
effectively and quickly. In addition, as external auditors are more independent than
internal auditors and have the experience and knowledge necessary to analyze various
CA systems in the same industry, they may provide better service when it comes to
insuring the CA system (Chan and Vasarhelyi, 2011). Accordingly, external auditors
will serve as the insurer for the CA system in the future (Elliott, 2002).
However, concrete guidelines addressing the extent to which the system can be
accessed and evaluated in this process will be necessary. If access rights are too
restrictive, an information asymmetry likely will arise between the company and its
auditors; if access rights are too liberal, there may be concern over the exposure of
proprietary know-how of enterprises. If the same external auditors implement the CA
system and audit the company, there may be a problem with independence. Previous
studies (Rankel et al., 2002; Ashbaugh et al., 2003; Chung and Kallapur, 2003)[10] examined
whether auditor independence is compromised if auditing and non-auditing services are
conducted at the same time. This problem can still arise in the process of implementing
the CA system and during the regular auditing process.

6.4 Efficiency of enforcement


The case of Company A in the financial industry is a good example of not limiting
internal auditing to auditing activities alone, but also linking it to risk management
activities. As corporate activities and departments diversify, continuous monitoring
scenarios are utilized and reported from various angles, e.g. internal auditing, risk
management, and customer satisfaction. In this process, there should be no overlapping
work between departments. Thus, continuous monitoring scenarios must be
systematized and standardized, and relevant data must be shared.
In addition, efforts must be concentrated on core management items rather than
managing too many items at the same time or applying too-conservative standards. If
CA is conducted with too many items or too conservatively, the power of execution will
be reduced and resources may be wasted. In other words, one must consider not only
the qualitative aspects but also the quantitative elements of management items in CA.

7. Conclusion
The business environment of corporations has experienced increasingly rapid change
since 2000. In order to survive this change, corporations must accurately predict the
changing environment and analyze their own competitive position to adjust
appropriately. To do so, it is important for them to understand their operations’
current status in a timely fashion. The CA system optimized in the ERP environment
can play a pivotal role in accomplishing this objective. Therefore, implementing such a
system is essential to the survival of corporations.
However, the CA system based on the continuous monitoring system has been
implemented primarily by several top-tier, large corporations in the financial and
manufacturing industries. With the introduction of the CA system, it is now possible to
be notified of circumvention of process control or other problems in a timely fashion; as
a wider range of control activities can be monitored through total data analysis,
centralized monitoring of corporate-wide activities has been reinforced so that “internal
control based on rules and systems” is now possible.
The introduction of the CA system has led to a substantive change in the internal
auditing function of corporations. In a word, the “risk-based auditing” system is now in
vogue. In contrast to the uniform process of selecting auditing targets based on the
annual periodic auditing plan, most companies that adopted the CA system are now
using the risk assessment process instead; this process selects areas with high risks as
auditing targets based on a quantitative assessment of the organization and processes.
In addition, corporations have broken with the practice of using auditing items
repeatedly in similar areas for three to four years based on experience, flexibly
changing the business diagnostic strategy based on the identification of risk areas by
continuously monitoring important items. Consequently, the efficiency and
effectiveness of internal auditing have been raised.
The implications of the cases in the financial and manufacturing industries are as
follows. First, it is important to form an enterprise-wide balanced task force team (TFT):
frontline workers and the IT department should jointly participate when carrying out a
project to implement the CA system. If frontline workers and IT workforce can
collaborate with one another in each of the purchasing/production/sales/support
departments and carry out the project, they can ensure the effectiveness and
completeness of the continuous monitoring scenarios. Second, for the continuous
monitoring system to be utilized properly, the head of the internal auditing department,
or the heads of field departments (i.e. system users) need to clearly understand the
objectives of the scenarios and standards for extracting them. If users fail to understand
the meaning of the scenarios, it will be impossible to properly utilize the data provided by
the continuous monitoring screen. Third, the continuous monitoring scenarios must be
supplemented and updated in step with changes in the
business environment. As changes in the business environment and IT technology are
continuously creating new types of fraud, monitoring scenarios must be continuously
updated so that monitoring can become more effective. Fourth, to reinforce the proactive
management of various business risks, the EWS must be sophisticated. To streamline
the early warning function, KRI indexes must be generated. The KRI indexes, as well as
the attributes of each KRI index (threshold, etc.), must be continuously reviewed and, if
necessary, modified and supplemented. To ensure that the early warning function can
contribute to actual risk management activities, the person in charge of monitoring must
be notified immediately of alerts when KRI indexes exceed thresholds; the process must
be designed such that work can be completed when the person in charge of monitoring
approves it. Fifth, the results of monitoring and cause analysis must be archived in the
knowledge base and used to enhance the continuous monitoring system and operating
process in the future. In particular, the results of monitoring and cause analysis in
important areas must be archived and reflected in the continuous monitoring system; if
necessary, the details must be shared across the organization.
This study is significant for a few reasons: it gives guidance to companies that
already adopted the CA system by systematically analyzing and introducing cases of
successful implementation of the CA system; and it provides companies planning to
adopt the system in the future with practical lessons and implications related to the
introduction process. Furthermore, this paper provides the independent auditor with
knowledge that is necessary for efficient external auditing, facilitating the
understanding of the continuous monitoring system in audited companies.
In addition, this study contributes to the literature in several ways. First, it offers
researchers detailed examples of CA, providing valuable indirect experiences related to
implementation of CA systems. As this paper presents the background and the process
in adopting the CA, along with the output of the monitoring scenario, it is expected to
serve as practical data for researchers lacking actual experience. Second, this paper
will be useful in testing and refining the concept and theory of CA. In other words, it
will contribute to the virtuous cycle of practical application and theoretical development
by presenting recent actual cases and related issues. Third, the results of this study
illustrate the connection between CA and other corporate activities (e.g. use by
company A as KRI). Thus, these connections increase the potential scope of future
research in this area.
A previous study (Vasarhelyi et al., 2004) suggested that enterprises that adopted
ERP can easily implement the CA system. In addition, the two companies described in
this study are industry leaders in ERP utilization. Accordingly, this study is limited in
that relatively small companies or companies not utilizing ERP may find that the costs
of implementing the continuous monitoring system do not match the benefits.
Lastly, future research topics related to CA are numerous. First, there should be a
better understanding of the characteristics of those companies that introduce the CA
system, and changes that occur in companies and management after the introduction
of this system should be analyzed, as such analysis may shed light on the effect of CA.
Another valuable research topic is measures to utilize the CA system through
connection with other systems. As mentioned above, Company A linked to the Audit
Information System and the Early-Warning System; thus, the CA system can be
utilized through links to various systems. In particular, as the ERM system is often
linked to the EWS through indexes known as KRIs, it will become possible to develop
and operate KRI indexes based on the continuous monitoring scenarios in the CA
system, which can be connected to the ERM system. Then, it will become possible to
manage risks strategically as pursued by ERM and to comprehensively manage
process-level risks, which are the main interests of the CA system[11]. Lastly, research
should address the response of auditors to the CA system. Although the CA system has
had a great influence on auditing (Alles et al., 2008), there is a paucity of research on
auditors’ responses to this system and the auditing procedure. Accordingly, it is
expected that the co-existence between universities and field workers will be facilitated
through these studies.

Notes
1. SAP, the world’s largest ERP system provider, was first released as an integrated business
process software application in 1982
(www.sap.com/corporate-en/our-company/history/1982-1991.epx).
2. An important subset of CA is the continuous monitoring of business process controls
(CMBPC), a task made particularly relevant by the passage of Section 404 of the
Sarbanes/Oxley Act. The Section requires both managers and auditors to verify controls
over the firm’s financial reporting processes (Alles et al., 2006).
3. The conceptual model of the continuous monitoring system proposed in this paper
emphasizes the utilization of the continuous monitoring system more than the architecture of
the generic CMBPC, as proposed by Alles et al. (2006).
4. The COSO Report (Internal Control – Integrated Framework), published in 1992, presented
an evaluation tool that enabled a unified concept of the internal control system and helped
companies evaluate their internal control systems and find ideas for improvement. Afterwards,
a majority of American corporations adopted the COSO Framework to diagnose the internal
control system. The definition of “internal control” is not mentioned in laws, but the
definition included in the COSO Report was accepted by the US Government and affiliated
organizations (US Government Audit Standard AU 319), and is regarded as the standard
representing the integrated system of the internal control structure across the world.
5. Company A in the financial industry and Company B in the manufacturing industry used
the continuous monitoring system to monitor the control activities as described above
among the various control activities exemplified in the COSO Report.
6. Doyle et al. (2007) analyzed the relationship between the quality of accruals and the internal
control over financial reporting. The study showed that vulnerable internal control over
financial reporting is related to a low quality of accruals. DeFranco et al. (2005) showed that
the stock market reacts negatively to those enterprises that report major vulnerabilities
related to internal control over financial reporting.
7. Boards and senior executives are looking to develop metrics or indicators to help monitor
potential future shifts in risk conditions or new emerging risks more effectively, allowing
management and boards to more proactively identify potential impacts on the organization’s
portfolio of risks. This puts the management and board in a better position to manage events
that may arise in the future on a more timely and strategic basis. This type of metric or
indicator is frequently referred to as a key-risk indicator (KRI) (www.coso.org: Guidance
Paper Developing Key Risk Indicators to Strengthen Enterprise Risk Management).
8. CSA is a process that allows individual line managers and staff to participate in reviewing
existing controls for adequacy, and recommending, agreeing and implementing
improvements (IIA) (https://na.theiia.org).
9. The prior threshold refers to the level of KRI that the company must perceive as a risk and
respond to in advance. Accordingly, if the KRI index exceeds the prior threshold, the
early-warning function will be activated, and this prior threshold must be continuously
updated according to the changes in the business environment.
10. Existing studies show different results as to whether the non-audit service provided by
auditors hurts their independence in auditing services. Rankel et al. (2002) suggest that the
provision of non-audit service or compensation is positively (+) correlated with
discretionary accruals, and provision of non-audit service ultimately lessens the
independence of the auditor. Thus, they argue that an auditor’s non-audit activities must
be restricted. Meanwhile, Ashbaugh et al. (2003) and Chung and Kallapur (2003) did not find
any evidence that an auditor’s provision of non-audit service decreases the independence of
auditors, and proposed that the independence of the auditor was actually enhanced when
non-audit service was provided in addition to auditing services.
11. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
commission established in 1985 to handle matters relating to false financial reports. In 1992,
COSO published “COSOI related to Internal Control,” and modified the existing internal
control model in October 2004, proposed as a new COSO Report. It became more specific in
the Enterprise Risk Management Framework.
ERM provides an overall perspective on the risks facing the company and can generate
the best risk management plans by effectively mixing financial solutions and organizational
solutions. In addition, ERM created a new paradigm that can effectively manage the
uncertainties in the process of accomplishing the strategic, operational and financial goals.
ERM makes it possible to integrate and perceive enterprise-wide risks, as well as establish
the best response plans (Meulbroek, 2002).

References
Alles, M., Kogan, A. and Vasarhelyi, M.A. (2002), “Feasibility and economics of continuous
assurance”, Auditing: A Journal of Practice & Theory, Vol. 21 No. 1, pp. 125-138.
Alles, M., Kogan, A. and Vasarhelyi, M.A. (2004), “Real time reporting and assurance: have their
time come?”, Institute of Chartered Financial Analysts of India, ICFAI Reader (Special
Issue – Finance in 2004).
Alles, M., Kogan, A. and Vasarhelyi, M.A. (2008), “Putting continuous auditing theory into
practice: lessons from two pilot implementations”, Journal of Information Systems, Vol. 22
No. 2, pp. 195-214.
Alles, M., Brennan, G., Kogan, A. and Vasarhelyi, M.A. (2006), “Continuous monitoring of
business process controls: a pilot implementation of a continuous auditing system at
Siemens”, International Journal of Accounting Information Systems, Vol. 7 No. 2,
pp. 137-161.
Ashbaugh, H., LaFond, R. and Mayhew, B. (2003), “Do non-audit services compromise auditor
independence? Further evidence”, The Accounting Review, Vol. 78 No. 3, pp. 611-639.
Brown, C.E., Wong, J.A. and Baldwin, A.A. (2007), “A review and analysis of the existing
research streams in continuous auditing”, Journal of Emerging Technologies in
Accounting, Vol. 4, pp. 1-28.
Canadian Institute of Chartered Accountants (CICA) (1999), Continuous Auditing: Research
Report, CICA, Toronto.
Chan, D.Y. and Vasarhelyi, M.A. (2011), “Innovation and practice of continuous auditing”,
International Journal of Accounting Information Systems, Vol. 12, pp. 152-160.
Chung, H. and Kallapur, S. (2003), “Client importance, nonaudit services, and abnormal accruals”,
The Accounting Review, Vol. 78 No. 4, pp. 931-955.
Daigle, R.J. and Lampe, J.C. (2004), “The impact of the risk of consequence on the relative demand
for continuous online assurance”, International Journal of Accounting Information
Systems, Vol. 5 No. 3, pp. 313-340.
Daigle, R.J. and Lampe, J.C. (2005), “The level of assurance precision and associated cost
demanded when providing continuous online assurance in an environment open to
assurance competition”, International Journal of Accounting Information Systems, Vol. 6
No. 2, pp. 129-156.
Davis, J.T., Massey, A.P. and Lovell, R.E.R. (1997), “Supporting complex audit judgment tasks:
an expert network approach”, European Journal of Operations Research, Vol. 103 No. 2,
pp. 350-372.
Debreceny, R.S., Gray, G.L., Ng, J.J.J., Lee, K.S.P. and Yau, W. (2005), “Embedded audit modules
in enterprise resource planning systems: implementation and functionality”, Journal of
Information Systems, Vol. 19 No. 2, pp. 7-27.
Debreceny, R.S., Gray, G.L., Tham, W.L., Goh, K.Y. and Tang, P.L. (2003), “The development of
embedded audit modules to support continuous monitoring in the electronic commerce
environment”, International Journal of Auditing, Vol. 7 No. 2, pp. 169-185.
DeFranco, G., Guan, Y. and Lu, H. (2005), “The wealth change and redistribution effects of
Sarbanes-Oxley internal control disclosures”, working paper, University of Toronto,
Toronto.
Doyle, J.T., Ge, W. and McVay, S. (2007), “Accruals quality and internal control over financial
reporting”, The Accounting Review, Vol. 82 No. 5, pp. 1141-1170.
Elliott, R.K. (1998), “Assurance services and the audit heritage. What’s new and what’s rooted in
the past”, CPA Journal, Vol. 68 No. 6, pp. 40-47.
Elliott, R.K. (2002), “Twenty-first century assurance”, Auditing: A Journal of Practice & Theory,
Vol. 21 No. 1, pp. 139-146.
Flesher, D.L. and Zarzeski, M.T. (2002), “The roots of operational (value-for-money) auditing in
English-speaking nations”, Accounting & Business Research, Vol. 32 No. 2, pp. 93-104.
Glover, S.M., Prawitt, D. and Romney, M.B. (2000), “The software scene”, Internal Auditor,
August, pp. 49-57.
Groomer, S.M. and Murthy, U.S. (1989), “Continuous auditing of database applications: an
embedded audit module approach”, Journal of Information Systems, Vol. 3 No. 2, pp. 53-69.
Henrickson, R. (2009), “Practitioner discussion of principles and problems of audit automation as
a precursor for continuous auditing”, paper presented at University of Waterloo Centre for
Information Integrity and Information Systems Assurance 6th Bi-Annual Research
Symposium, Toronto, October.
Hunton, J.E., Mauldin, E.G. and Wheeler, P.R. (2008), “Potential functional and dysfunctional
effects of continuous monitoring”, The Accounting Review, Vol. 83 No. 6, pp. 1551-1569.
Kuhn, J.R. and Sutton, S.G. (2006), “Learning from WorldCom: implications for fraud detection
through continuous assurance”, Journal of Emerging Technologies in Accounting, Vol. 3,
pp. 61-80.
Kuhn, J.R. and Sutton, S.G. (2010), “Continuous auditing in ERP system environments: the
current state and future directions”, Journal of Information Systems, Vol. 24 No. 1,
pp. 91-112.
McNamee, D. and Selim, G.M. (1998), Risk Management: Changing the Internal Auditor’s
Paradigm, Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
Martens, D., Bruynseels, L., Baesens, B., Willekens, M. and Vanthienen, J. (2008), “Predicting going
concern opinion with data mining”, Decision Support Systems, Vol. 45 No. 4, pp. 765-777.
Menon, K. and Williams, D.D. (2001), “Long-term trends in audit fees”, Auditing: A Journal of
Practice & Theory, Vol. 20, pp. 116-136.
Meulbroek, L.K. (2002), “Integrated risk management for the firm: a senior manager’s guide”,
Journal of Applied Corporate Finance, Vol. 14, pp. 56-57.
Min, J.H. and Lee, Y.C. (2005), “Bankruptcy prediction using support vector machine with
optimal choice of kernel function parameters”, Expert Systems with Applications, Vol. 28
No. 4, pp. 603-614.
PricewaterhouseCoopers (2006), State of the Internal Audit Profession Study: Continuous
Auditing Gains Momentum, available at: www.pwc.be/en/systems-process-assurance/
pwc-state-of-internal-audit-2006.pdf (accessed 25 March 2013).
Rankel, R., Johnson, M. and Nelson, K. (2002), “The relation between auditor’s fees for non-audit
services and earnings quality”, The Accounting Review, Vol. 77 No. 4, pp. 71-105.
Rezaee, Z., Ford, W. and Elam, R. (2000), “Real-time accounting systems”, The Internal Auditor,
Vol. 57 No. 2, pp. 62-67.
Rezaee, Z., Sharbatoghlie, A., Elam, R. and McMickle, P.L. (2002), “Continuous auditing: building
automated auditing capability”, Auditing: A Journal of Practice & Theory, Vol. 21 No. 1,
pp. 147-163.
Searcy, D.L. and Woodroof, J.B. (2003), “Continuous auditing: leveraging technology”, The CPA
Journal, Vol. 73 No. 5, pp. 46-48.
Stoecker, R. (1991), “Evaluating and rethinking the case study”, Sociological Review, Vol. 39 No. 1,
pp. 88-112.
Stringer, K.W. and Stewart, T.R. (1986), Statistical Techniques for Analytical Review in Auditing,
Wiley, New York, NY.
Sung, T.K., Chang, N. and Lee, G. (1999), “Dynamics of modeling in data mining: interpretive
approach to bankruptcy prediction”, Journal of Management Information Systems, Vol. 16
No. 1, pp. 63-85.
Swanborn, P. (2010), Case Study Research: What, Why and How?, Sage, Englewood Cliffs, CA.
Tam, K.Y. (1991), “Neural network models and the prediction of bank bankruptcy”, Omega,
Vol. 19 No. 5, pp. 429-445.
Vasarhelyi, M.A. and Halper, F.B. (1991), “The continuous audit of online systems”, Auditing:
A Journal of Practice & Theory, Vol. 10 No. 1, pp. 110-125.
Vasarhelyi, M.A., Alles, M. and Kogan, A. (2004), “Principles of analytic monitoring for continuous
assurance”, Journal of Emerging Technologies in Accounting, Vol. 1 No. 1, pp. 1-21.
Weidenmier, M.L. and Ramamoorti, S. (2006), “Research opportunities in information technology
and internal auditing”, Journal of Information Systems, Vol. 20 No. 1, pp. 205-219.
Wu, C.-H., Tzeng, G.-H., Goo, Y.-J. and Fang, W.-C. (2007), “A real-valued genetic algorithm to
optimize the parameters of support vector machine for predicting bankruptcy”, Expert
Systems with Applications, Vol. 32 No. 2, pp. 397-408.

Further reading
Beasley, M.S., Branson, B.C. and Hancock, B.V. (2010), Developing Key Risk Indicators to
Strengthen Enterprise Risk Management: How Key Risk Indicators can Sharpen Focus
on Emerging Risks, available at: www.coso.org/documents/COSOKRIPaperFull-
FINALforWebPostingDec110_000.pdf (accessed 7 November 2012).
Committee of Sponsoring Organizations of the Treadway Commission (2009), Guidance on
Monitoring Internal Control Systems – Introduction, available at: www.coso.org/documents/
COSO_Guidance_On_Monitoring_Intro_online1.pdf (accessed 7 November 2012).
Committee of Sponsoring Organizations of the Treadway Commission (2011), Internal Control –
Integrated Framework, available at: www.coso.org/documents/coso_framework_body_v6.
pdf (accessed 7 November 2012).
David Coderre (2007), Recommendations for an Effective Continuous Audit Process, available at:
www.theiia.org/ITAuditArchive/index.cfm?catid=21&iid=519 (accessed 7 November 2012).
Gehrke, N. (2010), “The ERP AuditLab – a prototypical framework for evaluating enterprise
resource planning system assurance”, Proceedings of the 43rd Annual Hawaii
International Conference on System Science.
Liebenberg, A. and Hoyt, R. (2003), “The determinants of enterprise risk management: evidence
from the appointment of chief risk officers”, Risk Management and Insurance Review,
Vol. 6 No. 1, pp. 37-52.

About the authors


Il-hang Shin, CPA, CIA, CISA, is a PhD candidate.
Myung-gun Lee is a Researcher and PhD candidate at Yonsei Business Research Institute.
Myung-gun Lee is the corresponding author and can be contacted at: heat23@yonsei.ac.kr
Woojin Park, CPA, is an Assistant Professor at Yonsei University.
