
Continuous Auditing: An Effective Tool for Internal Auditors

By

J. Donald Warren, Jr.


and
L. Murphy Smith

Working Paper

Executive Summary

Increasing corporate accountability and regulatory pressure push internal auditors to


develop new ways to enhance effectiveness and efficiency in their work. Once-a-year reviews
are often insufficient. Consequently, continuous auditing is necessary to meet the needs of a
firm's stakeholders. Continuous auditing is any of the methods used by auditors to perform an
audit on a continuous basis. Continuous auditing tests transactions based on prescribed criteria,
identifies anomalies, and is the responsibility of the auditor. This article addresses the potential
impact of the current environment on continuous auditing and its stakeholders.
Continuous Auditing: An Effective Tool for Internal Auditors

Increasing corporate accountability and regulatory pressure push internal auditors to seek

new ways to enhance effectiveness and efficiency in their work and provide assistance to

management in meeting its stewardship responsibilities. Once-a-year reviews are often

insufficient. As a result, continuous auditing is necessary to meet the needs of a firm's

stakeholders. Auditors are facing many challenges, including the highest rates of fraud in history.

According to a survey of executives from 459 public companies (annual revenue of $250 million

or more) and state and federal government agencies, 75 percent of the organizations experienced

fraud in the prior 12 months; that's up from 62 percent in 1998.[1] These organizations indicated

that they plan to implement new approaches to help combat fraud and misconduct. Continuous

auditing is one approach that internal auditors can use in this effort.

This article addresses the potential impact of the current environment on continuous

auditing and its stakeholders. The following questions are addressed: (1) How does a corporation

benefit from continuous auditing? (2) To what extent may external auditors rely on audit

evidence generated by internal auditors? (3) To what extent have the Sarbanes-Oxley Act and SEC

rule-making created more demand for continuous auditing? and (4) To what extent should

interested parties, such as regulators, management, external auditors or internal auditors, act as a

catalyst for continuous auditing? In addition, this article shows how continuous auditing can help

provide information needed by management in meeting its fiduciary responsibilities.

Continuous auditing is any of the methods used by auditors to perform an audit on a

continuous basis. Continuous auditing tests transactions based on prescribed criteria, identifies

anomalies, and is the responsibility of the auditor. Efforts to improve corporate governance and

enhance investor confidence will lead to greater use of continuous auditing to generate assurance

on demand.

Continuous monitoring is management’s responsibility and assists management in

meeting its fiduciary responsibilities. Continuous monitoring focuses on the control environment,

not transactions. However, internal auditors, in applying continuous audit procedures that test

management’s monitoring processes, provide additional assurance to management that its

monitoring processes are operating properly.

The accounting profession and corporate community continue to be in a “fish bowl” as a

result of corporate scandals and breakdowns in financial reporting in recent years. The Public

Company Accounting Reform and Investor Protection Act of 2002 (referred to as the “Sarbanes-Oxley Act”) has been law for over two years. The Securities and Exchange Commission (SEC)

issued rules and regulations for corporations to comply with the Act. The New York Stock

Exchange and NASDAQ issued governance requirements for listed companies. The Financial

Executive Institute, the American Institute of Certified Public Accountants (AICPA), and the

Institute of Internal Auditors (IIA) continue to provide guidance to their memberships on

governance, compliance with the statutory requirements of the Act, and fraud detection. These

events require accountants and the profession to develop processes to restore public confidence

in both financial reporting and audits.

Tools, techniques, technological platforms and their advances, and the need for

continuous auditing have been widely discussed by academics, the business community,

consultants, and accounting professionals over the years. The Canadian Institute of Chartered

Accountants (CICA) Research Report, “Continuous Auditing” was published in 1999 (“the

CICA Research Report”).[2] The IIA Research Foundation (IIARF) Research Report, “Continuous

Auditing: Potential for Internal Auditors” was published in 2003.[3] The former presented a

hypothetical case study in continuous auditing and suggested research areas for further study,

and the latter presented the results of a survey of internal auditors on their use of continuous

auditing. The CICA Research Report concluded that continuous auditing was viable if certain

conditions were met, and the IIARF Research Publication concluded that internal auditors would

use a continuous auditing process in future audits.

How Corporations Benefit from Continuous Auditing

Business is dynamic and change is constant. Technology continues to change and become

more complex. Companies seek new technologies to enhance their business processes. As

information systems in companies become more complex, the traditional audit trail is diminished

or eliminated. As a result, internal control and security become critical concerns, and procedures

to test the accuracy and reliability of financial information require new processes that address the

loss of the audit trail. Generalized audit software used by auditors often may not contain the

functionality necessary to extract data that are recorded in complex file structures of database

systems. Auditors are required to seek technologies such as embedded audit modules or an

“audit mart” (audit data warehouse) to assist them in testing these control environments. Real-time transaction processing systems affect the procedures employed by auditors. A continuous

auditing process is the optimal audit approach for many real time systems. Exhibit 1 shows

conditions necessary for a continuous audit approach.

[Insert Exhibit 1 here]

Technology is a driving force for positioning businesses in the global market. Today’s

Web-enabled sophisticated technology environment generates financial information for decision-makers (management, regulators and auditors) and requires better ways to address the dynamic

nature in which information is generated. New technologies enhance companies’ business

processes. Information technology and the Internet impact—and will continue to impact—how

companies are organized, conduct business, relate to competitors and communicate with

investors. Exhibit 2 illustrates continuous auditing using an embedded audit module (EAM)

approach.

[Insert Exhibit 2 here]

Business complexity and technology have been attributes of corporations that require

auditors to develop new methodologies and processes for auditing. Recent developments,

particularly in the regulatory environment, are pushing auditors toward some form of continuous

auditing.

Reliance by External Auditors on Work of Internal Auditors

To rely on the work of internal auditors, generally accepted auditing standards require

external auditors to: (1) obtain an understanding of the internal audit function; (2) assess the

competence and objectivity of internal auditors; (3) evaluate and test the internal auditors’ work.

Internal auditors can also provide direct assistance to the external auditor.

The CICA Research Report (1999) noted that should they determine it is appropriate to

use the work of internal auditors in a continuous audit, external auditors would consider the same

factors as in a traditional audit: the independence and objectivity of the internal audit function,

the internal audit function’s scope, and the competence of the internal auditors performing the

work.

In March 2004, The Public Company Accounting Oversight Board (PCAOB) issued

Auditing Standard No. 2, “An Audit of Internal Control Over Financial Reporting Performed In

Conjunction With An Audit Of Financial Statements.” That standard is similar to the auditing

standard followed by external auditors prior to the establishment of the PCAOB. Auditing

Standard No. 2 permits external auditors to incorporate the internal audit work into their audit of

a company’s system of internal control over financial reporting. As with the auditing standard

prior to the PCAOB standard, an external auditor is required to assess the competence and

objectivity of the internal auditors.

For most audit areas, internal auditors' work (e.g., testing of internal control systems and,

on a more limited basis, direct assistance to the external auditor) has traditionally been relied on

by external auditors. As internal auditors employ continuous auditing methodology, external

auditors will have to adapt this methodology as they rely on the work of internal auditors.

Potential Impact of Sarbanes-Oxley Act on Continuous Auditing

Section 404 of the Sarbanes-Oxley Act is of particular importance for companies subject

to the Act’s reporting requirements. The Securities and Exchange Commission (SEC) issued

rules for implementing Section 404 of the Act. These rules establish the requirements for

management’s report on internal control over financial reporting and the certification of

disclosures in filings under the Exchange Act. Management is required to issue an annual report

that states (1) its responsibility for establishing and maintaining adequate internal controls over

the financial reporting process; (2) the framework (e.g., COSO) used to evaluate internal control;

(3) the effectiveness of internal control during the year reported on; and (4) that the external

auditor has issued its attestation on management’s assessment.

Section 404 of the Sarbanes-Oxley Act is regarded as the most critical part of the Act by

many chief financial officers and information technology executives. Companies are concerned

as to whether they have processes (both internal control and financial) in place to comply with

the Act. Companies seem willing to invest in technology solutions (e.g., business performance

management solutions, internal compliance portals; enabling workflow; upgrading finance

systems; and consolidating ERP systems) to assure compliance with the Act.

In a Web seminar conducted by PeopleSoft, Chief Financial Officers and Information

Technology Executives of public companies participated in a study of the impact of the

Sarbanes-Oxley Act on their organizations. The findings showed that 46 percent of the

companies had sought initial funding for projects to comply with the reporting requirements of

the Act, with 31 percent beginning projects without current funding. These executives believe

that compliance will increase their costs. About 40 percent of these executives believed their

companies would have to upgrade current financial processes. Of significance is that 15 percent

of the executives considered initiatives for evaluating internal control compliance.

Under the Sarbanes-Oxley Act, external auditors are required to render an opinion

annually on management’s assessment of internal controls. In its Auditing Standard No. 2, the

PCAOB recognized that external auditors may use work performed by internal auditors in audits

of internal controls over financial reporting. With its continuous reporting requirements, the Act

creates the need for companies to have in place some form of continuous monitoring/auditing

process to assist management in meeting its reporting responsibilities. It would seem that under

these circumstances, the Act may create greater demand for continuous auditing and

opportunities for internal auditors to assist senior management in reporting responsibilities.

Senior managers may question whether or not they have appropriate processes in place to

assure them that financial disclosures and the internal control systems are in compliance with the

Act. However, today’s technologies provide management the opportunity to develop an audit

methodology that can test, on a continuous basis, business processes, internal controls and

financial disclosures. This methodology can be designed to provide documentation to senior

management on the adequacy of financial disclosures and the internal controls.

As corporate executives eventually develop continuous processes to meet their reporting

responsibilities under the Act, internal auditors may be sought out to assist management in

identifying the internal controls over financial reporting to be included in such processes. While

consultation may also be held with external auditors as well as internal auditors, some executives

are reluctant to allow external auditors to use a continuous auditing approach, as this might

lead to a potential independence conflict.

Greater demand for continuous auditing and opportunities for internal auditors are

present in today’s regulatory environment in light of the Sarbanes-Oxley Act. Chief executive

officers and chief financial officers are involving internal auditors in the certification process.

Internal auditors should be involved early in the process of system design of information systems

to address areas of audit interest (e.g., controls) and business risks.

Stakeholders of Continuous Auditing

Stakeholders have often criticized the current traditional audit model for failing to detect

fraud or other illegal acts and to identify appropriate risks. The recent financial crisis seems to

support the stakeholders’ criticism such as the following: (1) alleged fraud in WorldCom, (2)

alleged illegal acts in Tyco and (3) unknown risks incurred by Enron in structuring special-purpose entities. This crisis has led financial statement users and regulators to question the

integrity of both auditors and corporate managers.

The question, “Would continuous auditing have uncovered the Enron issues before they

escalated to a crisis?,” was raised shortly after the Enron crisis surfaced. One argument is that, due

to the nature of the transactions (e.g., off-balance sheet or indirect financing), continuous

auditing would not have raised the issue because such transactions are not reflected in the

accounting records. On the other hand, a continuous audit is broader in scope than a financial

statement audit, and procedures to address both on- and off-balance sheet financings could be

incorporated into a continuous audit process. In the Enron example, such procedures may have

revealed the cash flow problems of the company’s financings (both direct and indirect) prior to

the company's collapse. A continuous audit would (1) focus on all processes, including those that

are not a component of the financial report; (2) be more akin to a supervisory review than the

traditional “after-the-fact” review; and (3) rely on analyses that cross corporate business

processes and address risks.

Moreover, continuous auditing methodology expands traditional audit methodology by

focusing on anomalies (e.g., extraordinary, unusual or infrequent transactions). Continuous

auditing could include models that perform analytic procedures such as cash flows. Such a

model should include not only direct obligations, but indirect obligations such as off-balance

sheet financings. As mentioned previously, had such a process been in place, Enron

management and auditors should have been alerted in a timelier manner to the cash flow issues

created by the special-purpose entities.

Stakeholders have varying information needs. For example, management has need for

both strategic and operational data to fulfill its stewardship role. Management can also be

instrumental in the design of the technology systems to generate that information. On the other

hand, investors, lenders, customers, suppliers, and other users do not have access to internal

financial information provided to management and must rely on publicly available information

including non-financial information. Both financial and non-financial information will need to be

reliable and relevant to these users.

In a real-time environment, the value of historical information is diminished and may

lack relevance to the users’ decision process. As users’ information needs become more real-time, the need for continuous auditing increases because users need timely assurance from a third

party that the financial information is reliable and relevant.

The definition of continuous auditing included in the CICA Research Report (1999)

refers to the external auditor. The report stated that a continuous audit is “a methodology that

enables independent [external] auditors to provide written assurance on a subject matter…” A

survey of Big Four auditing firms found that most partners believe that continuous auditing of

real-time (continuous) reporting would increase users’ expectations about auditors’ responsibility

to (a) report going-concern problems more timely, (b) detect fraud, and (c) provide more

assurance on the degree of reliability of financial information.

Impediments to continuous auditing fell into three categories—people, process and

technology. People impediments included lack of client resources to provide audit schedules;

change in the mindset of the client and audit team; and lack of appropriate auditor skill set.

Process impediments included client control environment and closing process not adequate, and

issues with current audit model. Technology impediments included client systems not adequate

or properly integrated, and better technology audit tools required. Solutions identified for these

impediments revolved around increasing training and improving audit tools, improving client

controls and demonstrating the value of continuous auditing to clients.[4]

Managing Risks

Pioneering research by Vasarhelyi and Halper describes AT&T’s initiative in developing

a continuous auditing application, CPAS. These authors provide one of the earliest detailed

discussions of a continuous audit process. The focus was on the use of a continuous process that

performs continuous analytics to provide the auditor with improved data in addressing audit

areas. Audit methodology referred to as Continuous Process Audit methodology (CPAM) was

based upon exception reporting. Exception reporting is necessary because of the large volume of

data to be audited. This process requires continuously alerting auditors to exceptions during the

processing of transactions.[5]

To be of maximum value to the organization, internal auditors must focus on real-time

risk and controls consulting and rethink their traditional audit approach. This contemporary

approach should assist auditors in providing assurance to senior management that risks are being

effectively managed in a timely manner (i.e., a continuous risk assessment).

The IIARF Report, published in 2003, featured a survey of internal auditors regarding

their use of continuous auditing. Findings include: (1) internal auditors saw continuous auditing

as inevitable for future auditing of complex corporations; (2) “once-a-year” audits may no longer

be appropriate; (3) migration to a continuous auditing model was moving slowly; and (4)

obstacles to continuous auditing included the investment required to develop and implement a

continuous auditing process and the difficulty to cost-justify or calculate a return on investment

on the implementation.

Business Complexity

Business complexity includes internal and external factors of a company’s environment.

The market in which the company operates; the industry in which the company competes; and

the regulations under which the company operates are examples of external factors. Moreover,

external factors are affected by the economy; dependence on a third party (e.g., customer or

supplier); demand for the product; and industry and environmental risks. Internal factors

include: (1) the organizational structure; (2) management philosophy; (3) personnel skills; (4)

business processes and technology supporting the business processes; and (5) transaction

volume.

Information Technology (IT) Environment

Information technology is integral to business processes. IT systems capture financial

information and generate both financial and operating reports to assist management in its

stewardship role, ranging from strategic planning decisions to daily operational decisions. With

each generation, IT has become more sophisticated and complex. During the 1990s, ERP

systems were widely implemented. These implementations required a rigid program not only to

incorporate IT processes into the company’s operations, but to ensure that the users were

adequately trained and understood how to best utilize these systems. Accordingly, in

determining whether continuous audit methodologies are appropriate, management and auditors

must consider the company’s IT environment.

Auditors perform risk assessments in planning an audit to determine audit risks. Risks to

the business, both from within and outside the firm, are evaluated. Upon completing a risk

assessment, auditors determine the nature, extent and timing of audit tests. These three items are

particularly affected by today’s technologies. For example, information systems in large

companies are generally ERP systems, other sophisticated systems and legacy systems in which

the audit trail may no longer be visible (i.e., the ability to trace a transaction manually from its

source document to its entry into the accounting records). The lack of an audit trail requires

auditors to adopt a technology approach (e.g. computer-assisted auditing techniques) in planning

audit tests in order to determine the authenticity, accuracy and completeness of transactions

processed. The reliability of the systems should be tested.

While computer assisted audit tools (CAATs) may be suitable for some systems, a

continuous auditing process may be more appropriate in complex IT environments. CAATs may

supplement continuous audit procedures. Although on a limited basis, both external auditors and

internal auditors are developing and using continuous auditing techniques. These auditors have

recognized the need to transition to a new approach.

Corporate Executives

Corporate executives believe that a major obstacle to continuous auditing is the

investment required to design, develop and implement the technology. Management is often

reluctant to spend funds on technology initiatives unless the benefit of such technology and

business measurement can be effectively demonstrated, such as by ROI. In addition to the

technology investment, corporate executives are concerned that company employees, while

receiving training in the new technology, may not take the time to fully understand the

continuous auditing process and its output.

Multinational companies present another obstacle to the acceptance of continuous

auditing in the corporate environment. Business practices and culture of each country differ.

Management in foreign divisions or subsidiaries oftentimes focuses on local results and how the

operating unit may be viewed by corporate headquarters. As a result, they may have in place

accounting procedures (e.g., establishing reserves) that are acceptable in their jurisdiction to

manage results reported to headquarters. In that culture, continuous auditing may be viewed by

local management as infringing on its ability to manage its business unit. Headquarters could be

viewed as looking over local management’s shoulders. This oversight by headquarters may be

viewed as being akin to how internal auditors are often viewed by an outlying location, that is,

local management is often uncomfortable when internal auditors appear at its location.

Likewise, the change management process for adopting continuous auditing methodologies in a

multinational company may be significant due to culture differences within and between

countries.

Human resource issues that arose during the implementation of ERP systems may surface

during the implementation of continuous auditing processes. For example, one of the key issues

experienced during ERP implementations was staff retention of members of the implementation

team. Employees who participated in the implementation became marketable and were often

sought out by other companies. Staff retention is paramount in optimizing the value of new

technologies, and any new technology such as continuous auditing may have the same result.

For example, as staff becomes more knowledgeable of the continuous auditing technology, they

become more marketable and difficult to retain. Turnover in staff could become the most

significant issue causing the process to fail. Incentives would have to be in place to encourage

staff to stay with the company.

The Sarbanes-Oxley Act has required business managers to re-think the types of

processes that might be needed to provide assurance on the appropriateness of financial

disclosures and adequacy of internal controls. Many business executives believe that eventually

some form of continuous process may be required to assist them in determining that company

processes and procedures comply with the Act. The responsibility of these continuous processes

will more than likely reside in the internal audit departments since they are more akin to an audit.

Executives are reluctant to permit external auditors to install a continuous auditing process on

their systems because of the concern that these systems may corrupt the company’s data and will

reduce the operational efficiency of company systems. Moreover, an independence question

arises if external auditors were allowed to embed continuous audit software on a client’s

information system.

External Auditors

External auditors’ views on continuous auditing vary, but are to some degree consistent

among the firms. For example, an auditor at a Big Four firm stated a distinction should be made

between continuous assurance and continuous auditing and that the terms are often used

somewhat synonymously. However, continuous assurance is about providing “continuous”

(ongoing, real-time) assurance and issuing reports on its results. Continuous auditing has more to

do with techniques for auditing continuously, whether or not assurance is provided continuously

or annually.

Continuous assurance requires continuous auditing. Continuous auditing can be useful in

a traditional setting, in which assurance is provided on an annual basis, or in a continuous

assurance setting. Continuous assurance is a service that is not currently demanded by clients,

but may be needed in the future. Continuous auditing, on the other hand, has potential within the

traditional reporting cycle. It is potentially more effective (e.g. finding misstatements and

pinpointing problems, sooner and with greater certainty) and more efficient (e.g. more automated

and spreading the workload more evenly).

Public accounting practitioners generally believe the investment in developing and

implementing continuous audit processes is usually too costly. Because of the uniqueness of IT

systems, audit clients may require too much customization of the continuous auditing software.

Firms may be unable to leverage continuous auditing software from client-to-client.

Additionally, scalability is an issue (e.g., the upfront investment required may be appropriate for

large complex clients, but not for smaller, simpler clients).

With the Sarbanes-Oxley Act, the independence rules may prohibit external auditors from

implementing a continuous audit approach. Embedding audit modules on clients’ IT systems

that generate alarms to be acted on could be viewed as integral to the management process and

prohibited under the independence rules.

Regulators

The regulators’ role is not to mandate continuous auditing nor dictate how companies

manage their affairs. If the market were to demand continuous auditing and reporting, regulators

would have to ensure that such matters could be done within their rules and regulations. For

example, the PCAOB is now responsible for auditing standards. Should existing auditing

standards be required to change due to continuous auditing, those standards would be set by the

PCAOB. Should the PCAOB set such standards, the SEC would ensure that generally accepted

auditing standards applied by auditors of public companies using continuous auditing

methodologies comply with the PCAOB standards. The SEC would also require that disclosures

be in conformity with generally accepted accounting principles and the SEC rules and

regulations.

Internal Auditors

Respondents to the 2003 IIA survey indicate that internal auditors have an interest in

continuous auditing. Of significance is that of 161 respondents, 47 (29%) worked with audit

processes they considered to be continuous in nature. Internal auditors utilize both audit tests and

monitoring techniques in a continuous auditing environment. For example, audit tests may

encompass testing transactions for authenticity, accuracy and completeness whereas monitoring

techniques encompass monitoring the control environment (e.g., program changes) to determine

that internal controls are functioning properly.

About 80% of the internal auditors responding to the survey believed that continuous

auditing would be implemented in their organization, and of those not currently using continuous

auditing techniques, about 75% believed that continuous auditing is feasible in their companies.

Similar to external auditors, internal auditors considered costs as a major obstacle to

implementing continuous auditing, particularly in the current economic environment. Other

obstacles are: (1) lack of management support; (2) lack of appropriate skills; (3) lack of baseline

criteria; and (4) lack of technology infrastructure.

Summary and Conclusions

Limited research, empirical and experimental, has been conducted in the area of

continuous auditing. This article examined what company characteristics indicate that continuous

auditing is appropriate, the extent that external auditors may rely on audit evidence generated by

internal auditors, the extent that the Sarbanes-Oxley Act and SEC rule-making create more

demand for continuous auditing, and the extent that interested parties, such as regulators,

management, external auditors or internal auditors, should act as a catalyst for continuous

auditing.

Business complexity and the information technology environment suggest that auditors

should use a continuous audit approach. Generally, the more complex the business and the

environment in which it operates, the greater the business risks. Continuous auditing can help manage

those risks.

Internal auditors are charged with the responsibility of auditing policies and procedures

and determining that the control system is functioning properly. They are independent of the

units examined and have reporting responsibility to both senior management and to the

organization’s Board of Directors. Accordingly, internal auditors have great potential to benefit

from continuous auditing.

Internal audit departments in companies that have adopted sophisticated technology

systems to manage information for decision-making are obvious candidates for leading the

development of continuous auditing. These companies operate in complex global markets and

employ a management information infrastructure that is likewise complex.

Companies must address continuous auditing as they would consider any new

technology. That is, continuous auditing is not “simply a technology” initiative, but an initiative

that should be embraced by the total organization. Support from everyone within the organization is

required to make continuous auditing a reality. Internal audit may serve as the “change agent”

in this process, much as directors and department managers did when ERP systems

were initially introduced. The development of continuous auditing will require “champions”

both within the internal audit department and outside the department, with senior management

setting the tone and expectations.

ENDNOTES

1. KPMG. 2003. KPMG Fraud Survey 2003. New York, NY: KPMG.

2. Canadian Institute of Chartered Accountants. 1999. Research Report: Continuous Auditing.
Toronto, ON: CICA.

3. J. Donald Warren, Jr., and X.L. Parker. 2003. Continuous Auditing: Potential for Internal
Auditors. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation.

4. D. Searcy, J. Woodroof, and B. Behn. 2002. Continuous Audit: The Motivations, Benefits,
Problems, and Challenges Identified by Partners of a Big 4 Accounting Firm. Proceedings of the
36th Hawaii International Conference on System Sciences January 6-9, 2003.

5. M.A. Vasarhelyi, and F. B. Halper. 1991. The Continuous Audit of Online Systems. Auditing:
A Journal of Practice & Theory. (Spring): 110-125.

ADDITIONAL READING

American Institute of Certified Public Accountants. 1997. Special Committee on Assurance
Services Report. Available at: http://www.aicpa.org/assurance/index.htm.

R. J. Daigle and J.C. Lampe. 2003. Responding to the Sarbanes-Oxley Act with continuous
online assurance. Internal Auditing 18 (Mar/Apr): 3-9.

A. Kogan, E. F. Sudit, and M. A. Vasarhelyi. 1999. Continuous Online Auditing: A Program of
Research. Journal of Information Systems 13 (Fall): 87-103.

P. Krass. 2002. The Never-Ending Audit: Can software prevent future Enrons? CFO.com.
(Nov) http://www.cfomagazine.com/printarticle/0,53,17,7789,00.html

D. K. McConnell, Jr. and G. Y. Banks. 2003. How Sarbanes-Oxley Will Change the Audit
Process. Journal of Accountancy (September) New York. 49-55.

PricewaterhouseCoopers L.L.P. 2002. Internal Audit at a Crossroads: Leveraging Opportunities
in the Post-Enron Era.

A. Rezaee, A. Sharbatoghlie, R. Elam, and P. L. McMickle. 2002. Continuous Auditing:
Building Automated Auditing Capability. Auditing: A Journal of Practice & Theory (March):
147-163.

D. L. Searcy and J. B. Woodroof. 2003. Continuous Auditing: Leveraging Technology. The
CPA Journal (May). http://www.nysscpa.org/cpajournal/2003/0503/dept/d054603.htm.

Securities and Exchange Commission. 2003. Management’s Report on Internal Control Over
Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. Release
33-8238 (June 5).

The Institute of Internal Auditors. 2002. The Sarbanes-Oxley Act of 2002: Summary of Key
Provisions of Interest to Internal Auditors.

M. A. Vasarhelyi, M. G. Alles and A. Kogan. 2003. Principles of Analytic Monitoring for
Continuous Assurance. Working Paper. Rutgers University, Newark, NJ.

M.A. Vasarhelyi, A. Kogan and M. Alles. 2002. Would Continuous Auditing Have Prevented the
Enron Mess? The CPA Journal (July).

E. P. Wallace. 2002. The Influence of Technology on Auditing. Pennsylvania CPA Journal
(Winter). http://www.picpa.org/pacpajournal/winter2002/feature_technology.htm.

J. Donald Warren, Jr. 2004. Continuous Auditing Implications of the Current Technological,
Regulatory and Corporate Environment. Dissertation. Texas A&M University.

J. Woodroof and D. Searcy. 2001. Continuous Audit Implications of Internet Technology:
Triggering Agents Over the Web in the Domain of Debt Covenant Compliance. Proceedings of
the 34th Hawaii International Conference on System Sciences (January 3-6).

Exhibit 1

Conditions Necessary for a Continuous Audit

Source: Canadian Institute of Chartered Accountants. 1999. Research Report: Continuous
Auditing. Toronto, ON: CICA.

Exhibit 2

Continuous Auditing Using Embedded Audit Modules

[Figure not reproduced. Labels recoverable from the diagram: Transaction Level Controls
(Authorization; Completeness of Input; Accuracy of Input; Integrity of Standing Data;
C & A of Update; C & A of Accumulated Data; Restricted Access To Assets and Records);
Cycle Level Controls; Financial Statements (Accuracy; Completeness; Existence; Cutoff);
EAM; EAM "Keys"; Interrogation/Query; Violation Reporting (Frequency; Exception levels;
Statistical data); Audit / Control Data Warehouses; Client Application System; Client's
Computer Environment; Computer Controls (Implementation; Maintenance; Security; Operations).]

Source: Canadian Institute of Chartered Accountants. 1999. Research Report: Continuous
Auditing. Toronto, ON: CICA.
