Continuous Auditing: An Effective Tool For Internal Auditors
By
Working Paper
Executive Summary
Increasing corporate accountability and regulatory pressure push internal auditors to seek
new ways to enhance effectiveness and efficiency in their work and provide assistance to
stakeholders. Auditors are facing many challenges, including the highest rates of fraud in history.
According to a survey of executives from 459 public companies (annual revenue of $250 million
or more) and state and federal government agencies, 75 percent of the organizations experienced
fraud in the prior 12 months; that's up from 62 percent in 1998.¹ These organizations indicated
that they plan to implement new approaches to help combat fraud and misconduct. Continuous
auditing is one approach that internal auditors can use in this effort.
This article addresses the potential impact of the current environment on continuous
auditing and its stakeholders. The following questions are addressed: (1) How does a corporation
benefit from continuous auditing? (2) To what extent may external auditors rely on audit
evidence generated by internal auditors? (3) To what extent has the Sarbanes-Oxley Act and SEC
rule-making created more demand for continuous auditing? and (4) To what extent should
interested parties, such as regulators, management, external auditors or internal auditors, act as a
catalyst for continuous auditing? In addition, this article shows how continuous auditing can help
continuous basis. Continuous auditing tests transactions based on prescribed criteria, identifies
anomalies, and is the responsibility of the auditor. Efforts to improve corporate governance and
enhance investor confidence will lead to greater use of continuous auditing to generate assurance
on demand.
meeting its fiduciary responsibilities. Continuous monitoring focuses on the control environment,
not transactions. However, internal auditors in applying continuous audit procedures that test
result of corporate scandals and breakdowns in financial reporting in recent years. The Public
Company Accounting Reform and Investor Protection Act of 2002 (referred to as the “Sarbanes-Oxley Act”)
has been law for over two years. The Securities and Exchange Commission (SEC)
issued rules and regulations for corporations to comply with the Act. The New York Stock
Exchange and NASDAQ issued governance requirements for listed companies. The Financial
Executive Institute, the American Institute of Certified Public Accountants (AICPA), and the
governance, compliance with the statutory requirements of the Act, and fraud detection. These
events require accountants and the profession to develop processes to restore public confidence
Tools, techniques, technological platforms and their advances, and the need for
continuous auditing have been widely discussed by academics, the business community,
consultants, and accounting professionals over the years. The Canadian Institute of Chartered
Accountants (CICA) Research Report, “Continuous Auditing” was published in 1999 (“the
CICA Research Report”).² The IIA Research Foundation (IIARF) Research Report, “Continuous
Auditing: Potential for Internal Auditors” was published in 2003.³ The former presented a
hypothetical case study in continuous auditing and suggested research areas for further study,
and the latter presented the results of a survey of internal auditors on their use of continuous
auditing. The CICA Research Report concluded that continuous auditing was viable if certain
conditions were met, and the IIARF Research Publication concluded that internal auditors would
Business is dynamic and change is constant. Technology continues to change and become
more complex. Companies seek new technologies to enhance their business processes. As
information systems in companies become more complex, the traditional audit trail is diminished
or eliminated. As a result, internal control and security become critical concerns, and procedures
to test the accuracy and reliability of financial information require new processes that address the
loss of the audit trail. Generalized audit software used by auditors often may not contain the
functionality necessary to extract data that are recorded in complex file structures of database
systems. Auditors are required to seek technologies such as embedded audit modules or an
“audit mart” (audit data warehouse) to assist them in testing these control environments. Real-
time transaction processing systems affect the procedures employed by auditors. A continuous
auditing process is the optimal audit approach for many real time systems. Exhibit 1 shows
Technology is a driving force for positioning businesses in the global market. Today’s
makers (management, regulators and auditors) and requires better ways to address the dynamic
nature in which information is generated. New technologies enhance companies’ business
processes. Information technology and the Internet impact—and will continue to impact—how
companies are organized, conduct business, relate to competitors and communicate with
investors. Exhibit 2 illustrates continuous auditing using an embedded audit module (EAM)
approach.
Business complexity and technology have been attributes of corporations that require
auditors to develop new methodologies and processes for auditing. Recent developments,
particularly in the regulatory environment, are pushing auditors toward some form of continuous
auditing.
To rely on the work of internal auditors, generally accepted auditing standards require
external auditors to: (1) obtain an understanding of the internal audit function; (2) assess the
competence and objectivity of internal auditors; and (3) evaluate and test the internal auditors’ work.
Internal auditors can also provide direct assistance to the external auditor.
The CICA Research Report (1999) noted that should they determine it is appropriate to
use the work of internal auditors in a continuous audit, external auditors would consider the same
factors as in a traditional audit: the independence and objectivity of the internal audit function,
the internal audit function’s scope, and the competence of the internal auditors performing the
work.
In March 2004, The Public Company Accounting Oversight Board (PCAOB) issued
Auditing Standard No. 2, “An Audit of Internal Control Over Financial Reporting Performed In
Conjunction With An Audit Of Financial Statements.” That standard is similar to the auditing
standard followed by external auditors prior to the establishment of the PCAOB. Auditing
Standard No. 2 permits external auditors to incorporate the internal audit work into their audit of
a company’s system of internal control over financial reporting. As with the auditing standard
prior to the PCAOB standard, an external auditor is required to assess the competence and
For most audit areas, internal auditors' work (e.g., testing of internal control systems and
on a more limited basis, direct assistance to the external auditor) has traditionally been relied on
auditors will have to adapt this methodology as they rely on the work of internal auditors.
Section 404 of the Sarbanes-Oxley Act is of particular importance for companies subject
to the Act’s reporting requirements. The Securities and Exchange Commission (SEC) issued
rules for implementing Section 404 of the Act. These rules establish the requirements for
management’s report on internal control over financial reporting and the certification of
disclosures in filings under the Exchange Act. Management is required to issue an annual report
that states (1) its responsibility for establishing and maintaining adequate internal controls over
the financial reporting process; (2) the framework (e.g., COSO) used to evaluate internal control;
(3) the effectiveness of internal control during the year reported on; and (4) that the external
Section 404 of the Sarbanes-Oxley Act is regarded as the most critical part of the Act by
many chief financial officers and information technology executives. Companies are concerned
as to whether they have processes (both internal control and financial) in place to comply with
the Act. Companies seem willing to invest in technology solutions (e.g., business performance
management solutions, internal compliance portals; enabling workflow; upgrading finance
systems; and consolidating ERP systems) to assure compliance with the Act.
Sarbanes-Oxley Act on their organizations. The findings showed that 46 percent of the
companies had sought initial funding for projects to comply with the reporting requirements of
the Act, with 31 percent beginning projects without current funding. These executives believe
that compliance will increase their costs. About 40 percent of these executives believed their
companies would have to upgrade current financial processes. Of significance is that 15 percent
Under the Sarbanes-Oxley Act, external auditors are required to render an opinion
annually on management’s assessment of internal controls. In its Auditing Standard No. 2, the
PCAOB recognized that external auditors may use work performed by internal auditors in audits
of internal controls over financial reporting. With its continuous reporting requirements, the Act
creates the need for companies to have in place some form of continuous monitoring/auditing
process to assist management in meeting its reporting responsibilities. It would seem that under
these circumstances, the Act may create greater demand for continuous auditing and
Senior managers may question whether or not they have appropriate processes in place to
assure them that financial disclosures and the internal control systems are in compliance with the
Act. However, today’s technologies provide management the opportunity to develop an audit
methodology that can test, on a continuous basis, business processes, internal controls and
financial disclosures. This methodology can be designed to provide documentation to senior
responsibilities under the Act, internal auditors may be sought out to assist management in
identifying the internal controls over financial reporting to be included in such processes. While
consultation may also be held with external auditors as well as internal auditors, some executives
are reluctant to allow external auditors to use a continuous auditing approach, as this might
Greater demand for continuous auditing and opportunities for internal auditors are
present in today’s regulatory environment in light of the Sarbanes-Oxley Act. Chief executive
officers and chief financial officers are involving internal auditors in the certification process.
Internal auditors should be involved early in the process of system design of information systems
Stakeholders have often criticized the current traditional audit model for failing to detect
fraud or other illegal acts and to identify appropriate risks. The recent financial crisis seems to
support the stakeholders’ criticism such as the following: (1) alleged fraud in WorldCom, (2)
alleged illegal acts in Tyco and (3) unknown risks incurred by Enron in structuring special-
purpose entities. This crisis has led financial statement users and regulators to question the
The question, “Would continuous auditing have uncovered the Enron issues before they
escalated to a crisis?,” was raised shortly after the Enron crisis surfaced. One argument is that, due
to the nature of the transactions (e.g., off-balance sheet or indirect financing), continuous
auditing would not have raised the issue because such transactions are not reflected in the
accounting records. On the other hand, a continuous audit is broader in scope than a financial
statement audit, and procedures to address both on- and off-balance sheet financings could be
incorporated into a continuous audit process. In the Enron example, such procedures may have
revealed the cash flow problems of the company’s financings (both direct and indirect) prior to
the company's collapse. A continuous audit would (1) focus on all processes, including those that
are not a component of the financial report; (2) be more akin to a supervisory review than the
traditional “after-the-fact” review; and (3) rely on analyses that cross corporate business
auditing could include models that perform analytic procedures such as cash flows. Such a
model should include not only direct obligations, but indirect obligations such as off-balance
sheet financings. As mentioned previously, had such a process been in place, Enron
management and auditors should have been alerted in a timelier manner to the cash flow issues
Stakeholders have varying information needs. For example, management has need for
both strategic and operational data to fulfill its stewardship role. Management can also be
instrumental in the design of the technology systems to generate that information. On the other
hand, investors, lenders, customers, suppliers, and other users do not have access to internal
financial information provided to management and must rely on publicly available information
including non-financial information. Both financial and non-financial information will need to be
In a real-time environment, the value of historical information is diminished and may
lack relevance to the users’ decision process. As users’ information needs become more real-
time, the need for continuous auditing increases because users need timely assurance from a third
The definition of continuous auditing included in the CICA Research Report (1999)
refers to the external auditor. The report stated that a continuous audit is “a methodology that
survey of Big Four auditing firms found that most partners believe that continuous auditing of
real-time (continuous) reporting would increase users’ expectations about auditors’ responsibility
to (a) report going-concern problems more timely, (b) detect fraud, and (c) provide more
technology. People impediments included lack of client resources to provide audit schedules;
change in the mindset of the client and audit team; and lack of appropriate auditor skill set.
Process impediments included client control environment and closing process not adequate, and
issues with current audit model. Technology impediments included client systems not adequate
or properly integrated, and better technology audit tools required. Solutions identified for these
impediments revolved around increasing training and improving audit tools, improving client
Managing Risks
a continuous auditing application, CPAS. These authors provide one of the earliest detailed
discussions of a continuous audit process. The focus was on the use of a continuous process that
performs continuous analytics to provide the auditor with improved data in addressing audit
areas. Audit methodology referred to as Continuous Process Audit methodology (CPAM) was
based upon exception reporting. Exception reporting is necessary because of the large volume of
data to be audited. This process requires continuously alerting auditors to exceptions during the
processing of transactions.⁵
risk and controls consulting and rethink their traditional audit approach. This contemporary
approach should assist auditors in providing assurance to senior management that risks are being
The IIARF Report, published in 2003, featured a survey of internal auditors regarding
their use of continuous auditing. Findings include: (1) internal auditors saw continuous auditing
as inevitable for future auditing of complex corporations; (2) “once-a-year” audits may no longer
be appropriate; (3) migration to a continuous auditing model was moving slowly; and (4)
obstacles to continuous auditing included the investment required to develop and implement a
continuous auditing process and the difficulty to cost-justify or calculate a return on investment
on the implementation.
Business Complexity
The market in which the company operates; the industry in which the company competes; and
the regulations under which the company operates are examples of external factors. Moreover,
external factors are affected by the economy; dependence on a third party (e.g., customer or
supplier); demand for the product; and industry and environmental risks. Internal factors
include: (1) the organizational structure; (2) management philosophy; (3) personnel skills; (4)
business processes and technology supporting the business processes; and (5) transaction
volume.
information and generate both financial and operating reports to assist management in its
stewardship role, ranging from strategic planning decisions to daily operational decisions. With
each generation, IT has become more sophisticated and complex. During the 1990s, ERP
systems were widely implemented. These implementations required a rigid program not only to
incorporate IT processes into the company’s operations, but to ensure that the users were
adequately trained and understood how to best utilize these systems. Accordingly, in
determining whether continuous audit methodologies are appropriate, management and auditors
Auditors perform risk assessments in planning an audit to determine audit risks. Risks to
the business, both from within and outside the firm, are evaluated. Upon completing a risk
assessment, auditors determine the nature, extent and timing of audit tests. These three items are
companies are generally ERP systems, other sophisticated systems and legacy systems in which
the audit trail may no longer be visible (i.e., the ability to trace a transaction manually from its
source document to its entry into the accounting records). The lack of an audit trail requires
audit tests in order to determine the authenticity, accuracy and completeness of transactions
While computer assisted audit tools (CAATs) may be suitable for some systems, a
continuous auditing process may be more appropriate in complex IT environments. CAATs may
supplement continuous audit procedures. Although on a limited basis, both external auditors and
internal auditors are developing and using continuous auditing techniques. These auditors have
Corporate Executives
investment required to design, develop and implement the technology. Management is often
reluctant to spend funds on technology initiatives unless the benefit of such technology and
technology investment, corporate executives are concerned that company employees, while
receiving training in the new technology, may not take the time to fully understand the
auditing in the corporate environment. Business practices and culture of each country differ.
Management in foreign divisions or subsidiaries oftentimes focuses on local results and how the
operating unit may be viewed by corporate headquarters. As a result, they may have in place
accounting procedures (e.g., establishing reserves) that are acceptable in their jurisdiction to
manage results reported to headquarters. In that culture, continuous auditing may be viewed by
local management as infringing on its ability to manage its business unit. Headquarters could be
viewed as looking over local management’s shoulders. This oversight by headquarters may be
viewed as being akin to how internal auditors are often viewed by an outlying location, that is,
local management is often uncomfortable when internal auditors appear at its location.
Likewise, the change management process for adopting continuous auditing methodologies in a
multinational company may be significant due to cultural differences within and between
countries.
Human resource issues that arose during the implementation of ERP systems may surface
during the implementation of continuous auditing processes. For example, one of the key issues
experienced during ERP implementations was staff retention of members of the implementation
team. Employees who participated in the implementation became marketable and were often
sought out by other companies. Staff retention is paramount in optimizing the value of new
technologies, and any new technology such as continuous auditing may have the same result.
For example, as staff becomes more knowledgeable of the continuous auditing technology, they
become more marketable and difficult to retain. Turnover in staff could become the most
significant issue causing the process to fail. Incentives would have to be in place to encourage
The Sarbanes-Oxley Act has required business managers to re-think the types of
disclosures and adequacy of internal controls. Many business executives believe that eventually
some form of continuous process may be required to assist them in determining that company
processes and procedures comply with the Act. Responsibility for these continuous processes
will more than likely reside in the internal audit departments since they are more akin to an audit.
Executives are reluctant to permit external auditors to install a continuous auditing process on
their systems because of the concern that these systems may corrupt the company’s data and will
arises if external auditors were allowed to embed continuous audit software on a client’s
information system.
External Auditors
External auditors’ views on continuous auditing vary, but are to some degree consistent
among the firms. For example, an auditor at a Big Four firm stated a distinction should be made
between continuous assurance and continuous auditing and that the terms are often used
(ongoing, real-time) assurance and issuing reports on its results. Continuous auditing has more to
do with techniques for auditing continuously, whether or not assurance is provided continuously
or annually.
assurance setting. Continuous assurance is a service that is not currently demanded by clients,
but may be needed in the future. Continuous auditing, on the other hand, has potential within the
traditional reporting cycle. It is potentially more effective (e.g. finding misstatements and
pinpointing problems, sooner and with greater certainty) and more efficient (e.g. more automated
implementing continuous audit processes is usually too costly. Because of the uniqueness of IT
systems, audit clients may require too much customization of the continuous auditing software.
Additionally, scalability is an issue (e.g., the upfront investment required may be appropriate for
With the Sarbanes-Oxley Act, the independence rules may prohibit external auditors from
which generate alarms to be acted on could be viewed as integral to the management process and
Regulators
The regulators’ role is not to mandate continuous auditing nor dictate how companies
manage their affairs. If the market were to demand continuous auditing and reporting, regulators
would have to ensure that such matters could be done within their rules and regulations. For
example, the PCAOB is now responsible for auditing standards. Should existing auditing
standards be required to change due to continuous auditing, those standards would be set by the
PCAOB. Should the PCAOB set such standards, the SEC would ensure that generally accepted
methodologies comply with the PCAOB standards. The SEC would also require that disclosures
be in conformity with generally accepted accounting principles and the SEC rules and
regulations.
Internal Auditors
Respondents to the 2003 IIA survey indicate that internal auditors have an interest in
continuous auditing. Of significance is that of 161 respondents, 47 (29%) worked with audit
processes they considered to be continuous in nature. Internal auditors utilize both audit tests and
monitoring techniques in a continuous auditing environment. For example, audit tests may
encompass testing transactions for authenticity, accuracy and completeness, whereas monitoring
techniques encompass monitoring the control environment (e.g., program changes) to determine
About 80% of the internal auditors responding to the survey believed that continuous
auditing would be implemented in their organization, and of those not currently using continuous
auditing techniques, about 75% believed that continuous auditing is feasible in their companies.
obstacles are: (1) lack of management support; (2) lack of appropriate skills; (3) lack of baseline
Limited research, empirical and experimental, has been conducted in the area of
continuous auditing. This article examined what company characteristics indicate that continuous
auditing is appropriate, the extent that external auditors may rely on audit evidence generated by
internal auditors, the extent that the Sarbanes-Oxley Act and SEC rule-making create more
demand for continuous auditing, and the extent that interested parties, such as regulators,
management, external auditors or internal auditors, should act as a catalyst for continuous
auditing.
Business complexity and the information technology environment suggest that auditors
should use a continuous audit approach. Generally, the more complex the business and the
environment in which it operates, the greater the business risks. Continuous auditing can help manage
those risks.
Internal auditors are charged with the responsibility of auditing policies and procedures
and determining that the control system is functioning properly. They are independent of the
units examined and have reporting responsibility to both senior management and to the
organization’s Board of Directors. Accordingly, internal auditors have great potential to benefit
systems to manage information for decision-making are obvious candidates for leading the
development of continuous auditing. These companies operate in complex global markets and
Companies must address continuous auditing as they would consider any new
technology. That is, continuous auditing is not “simply a technology” initiative, but an initiative
that should be embraced by the total organization. The support by all within the organization is
required to bring continuous auditing to reality. Internal audit may serve as the “change agent”
in this process much like the directors and department managers functioned when ERP systems
were initially introduced. The development of continuous auditing will require “champions”
both within the internal audit department and outside the department, with senior management
ENDNOTES
1. KPMG. 2003. KPMG Fraud Survey 2003. New York, NY: KPMG.
3. J. Donald Warren, Jr., and X.L. Parker. 2003. Continuous Auditing: Potential for Internal
Auditors. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation.
4. D. Searcy, J. Woodroof, and B. Behn. 2002. Continuous Audit: The Motivations, Benefits,
Problems, and Challenges Identified by Partners of a Big 4 Accounting Firm. Proceedings of the
36th Hawaii International Conference on System Sciences January 6-9, 2003.
5. M.A. Vasarhelyi, and F. B. Halper. 1991. The Continuous Audit of Online Systems. Auditing:
A Journal of Practice & Theory. (Spring): 110-125.
ADDITIONAL READING
R. J. Daigle and J.C. Lampe. 2003. Responding to the Sarbanes-Oxley Act with continuous
online assurance. Internal Auditing 18 (Mar/Apr): 3-9.
P. Krass. 2002. The Never-Ending Audit: Can software prevent future Enrons? CFO.com.
(Nov) http://www.cfomagazine.com/printarticle/0,53,17,7789,00.html
D. K. McConnell, Jr. and G. Y Banks. 2003. How Sarbanes-Oxley Will Change the Audit
Process. Journal of Accountancy (September) New York. 49-55.
Securities and Exchange Commission. 2003. Management’s Report on Internal Control Over
Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. Release
33-8238 (June 5).
The Institute of Internal Auditors. 2002. The Sarbanes-Oxley Act of 2002: Summary of Key
Provisions of Interest to Internal Auditors.
M.A. Vasarhelyi, A. Kogan and M. Alles. 2002. Would Continuous Auditing Have Prevented the
Enron Mess? The CPA Journal (July).
J. Donald Warren, Jr. 2004. Continuous Auditing Implications of the Current Technological,
Regulatory and Corporate Environment. Dissertation. Texas A&M University.
Exhibit 1
Exhibit 2