Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.
The "continuous" aspect of continuous auditing and reporting refers to the real-time or near real-time capability for financial information to be checked and shared. Not only does it indicate that the integrity of information can be evaluated at any given point of time, it also means that the information is able to be verified constantly for errors, fraud, and inefficiencies. It is the most detailed audit.
Each instance of continuous auditing has its own pulse. The time frame selected for evaluation depends largely on the frequency of updates within the accounting information systems. Analysis of the data may be performed continuously, hourly, daily, weekly, monthly, etc. depending on the nature of the underlying business cycle for a given assertion.
- 1 Background
- 2 History of continuous auditing
- 3 Components of continuous auditing
- 4 Black Box Logging
- 5 Continuous reporting
- 6 Implementation of continuous auditing
- 7 Demand
- 8 Technology
- 9 Challenges
- 10 Comparison to Computer-Aided Auditing
- 11 Application examples
- 12 See also
- 13 External links
- 14 References
The objective of financial reporting is to provide information that is useful to management and stakeholders for resource allocation decisions. For financial information to be useful, it should be timely and free from material errors, omissions, and fraud. In the real time economy, timely and reliable financial information is critical for day-to-day business decisions regarding strategic planning, capital acquisition, credit decisions, supplier partnerships, and so forth. Advances in accounting information systems such as the advent of enterprise resource planning (ERP) systems have enabled the generation of real time information. However, the practice of traditional auditing has not kept pace with the real time economy. Traditional manual audit procedures are labor and time intensive, which limits audit frequency to a periodic basis, such as annually.
These time and effort constraints can be alleviated through the use of technology and automation. Continuous auditing enhances the delivery of auditing services by making the audit process more efficient and effective through the use of technology and automation. The increased efficiency and effectiveness of the audit process enables more frequent or real time audits and hence enhances the reliability of the underlying information.
History of continuous auditing
The first application of continuous auditing was developed at AT&T Bell Laboratories in 1989. Known as a continuous process auditing system (CPAS), the system developed by Vasarhelyi and Halper provided measurement, monitoring, and analysis of the company's billing information. Here key concepts such as metrics, analytics, and alarms pertaining to financial information were also introduced.
Components of continuous auditing
Continuous auditing is made up of three main parts: continuous data assurance (CDA), continuous controls monitoring (CCM), and continuous risk monitoring and assessment (CRMA).
Continuous Data Assurance
Continuous data assurance verifies the integrity of data flowing through the information systems. Continuous data assurance uses software to extract data from IT systems for analysis at the transactional level to provide more detailed assurance. CDA systems provide the ability to design expectation models for analytical procedures at the business-process level, as opposed to the current practice of relying on ratio or trend analysis at higher levels of data aggregation. CDA software can continuously and automatically monitor transactions, comparing their generic characteristics with predetermined benchmarks, thereby identifying anomalous situations. When significant discrepancies occur, alarms are triggered and routed to appropriate stakeholders and auditors.
Continuous Controls Monitoring
Continuous controls monitoring consists of a set of procedures used for monitoring the functionality of internal controls. CCM relies on automatic procedures, presuming that both the controls themselves and the monitoring procedures are formal or able to be formalized. CCM can be used for monitoring access control and authorizations, system configurations, and business process settings. CDA and CCM are complementary processes. Neither process is self-sufficient or comprehensive. Even if no data faults are found it cannot be concluded that controls are fail-safe. Further, even if controls are being implemented, data integrity cannot be assumed. When combined, however, these monitoring approaches present a more complete reliance picture.
Continuous Risk Monitoring and Assessment
Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning. CRMA is a real-time integrated risk assessment approach, aggregating data across different functional tasks in organizations to assess risk exposures and provide reasonable assurance on the firms’ risk assessments.
Black Box Logging
In addition to the aforementioned three components, the black box audit log file is also an important part of continuous auditing. This file can be viewed as an extension of the existing practice of documenting audit activities in manual or automated work papers. A black box log file is a read-only, third-party controlled record of the actions of auditors. The objective of black box logging is to protect a continuous auditing system against auditor and management manipulations.
Continuous reporting is the release of financial and non-financial information on a real-time or near real-time basis. The purpose of continuous reporting is to allow external parties access to information as underlying events take place, rather than waiting for end of period reports. The adoption of XBRL by companies makes the release of continuous reporting information more feasible. Continuous reporting also benefits users under Regulation Fair Disclosure. Continuous reporting is a point of constant debate. Some parties, including analysts and investors, are interested in knowing how a company is doing at a given point in time. They argue that near real-time information would provide them with the ability to take advantage of important business moves as they happen. However, opponents are skeptical of how the raw information can be useful and fear information overload, or that there would be too much irrelevant information out there. Additionally, some companies are fearful that continuously reported financial information would give away important strategic moves and undermine competitive advantage.
Implementation of continuous auditing
Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These steps include:
- Establishing priority areas.
This entails choosing which organizational areas to audit. When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives.
- Identifying monitoring and continuous audit rules.
The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process.
- Determining the process' frequency.
Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing.
- Configuring continuous audit parameters.
Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. When defining a CAP, auditors should consider the costs and benefits of error detection as well as audit and management follow-up activities.
- Following up.
Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both ― usually the alarm is sent to the process manager, the manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed, need to be addressed when establishing the continuous audit process.
- Communicating results.
A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent.
Demand for continuous auditing has come from a variety of sources, primarily user-driven requirements. External disclosure, internal drivers, laws and regulation, and technology all play important roles in pushing up demand.
More frequent disclosure will drive the nature of the audit process. This increase improves the quality of earnings while reducing manager aggressiveness and decreasing stock market volatility.
As companies have become more integrated within their own departments and with other companies, such as suppliers and retailers, a desire for data integrity throughout the electronic data exchange process is also driving demand for continuous auditing.
Laws and regulation
Laws and regulation require activities and ways a company followed in order to achieve a specific goal to be monitored. Under such laws and regulation company commenced for continuous auditing.
XBRL facilitates the development of continuous auditing modules by providing a way for systems to understand the meaning of tagged data. Proper use of XBRL assures that relevant data gathered from multiple sources is easily comparable and analyzable. XBRL is a derivative of the XML file format, which tags data with contextual and hierarchical information. It is expected that many enterprise resource planning systems will provide data in the XBRL-GL format to facilitate machine readability.
Because of the nature of the information passing through continuous auditing systems, security and privacy issues are also being addressed. Data assurance techniques, as well as access control mechanisms and policies are being implemented into CA systems to prevent unauthorized access and manipulation, and CCM can help test these controls.
For many organizations, there are a number of challenges to implementing a continuous auditing approach. The following are some common challenges with associated recommendations.
Accessing complex, diverse system environment
Few organizations have a completely homogenous, seamless system environment. There is typically a mix of ERPs or multiple instances of one ERP, mainframe systems, off-the-shelf applications, and legacy systems - all of which may contain valuable data. Technology is available to access all of this data to gain a complete picture.
Reluctance to expand the use of technology
Technology may be viewed as a threat to those who perceive that automation might replace jobs. A benefit of continuous auditing is that it performs routine, repetitive tasks and provides the opportunity for the more interesting exploratory work that adds far more value to the organization.
When not properly implemented, continuous auditing can result in hundreds - even thousands - of false positives and wasted effort. Many companies that have experienced success with continuous auditing recommend that you start small. Select which area of the company poses the greatest risk and where its transactions and control systems are most important to the company for your initial foray into continuous auditing. Automate a small number of key initial tests, such as comparing your accounts payable vendor master file with the employee address file, to uncover potential policy violations or fraud. Moving forward, increase the tests and gradually expand into other business processes in stages.
Training is essential for optimum results. A number of institutions, including ACL Services Ltd., offer training on computer-aided audit techniques including continuous auditing through automation. Training can be conducted either on-site or remotely, depending on the need of companies.
Comparison to Computer-Aided Auditing
Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.
Itau Unibanco, a major full service bank in Brazil, has had a very active continuous assurance initiative since 2000. The continuous assurance program is part of the bank’s Information technology internal auditing and has over 10 people engaged in different roles in it. The CDA system currently monitors over five million customer accounts on a daily basis and sends out about six thousand alerts a month for detailed manual analysis by internal auditors.
AT&T Bell Laboratories - The first model of continuous auditing was developed to evaluate the billing system within the company.
Procter & Gamble - Analytics are used to enable advanced automation and remote auditing.
Siemens - Advanced continuous monitoring of internal controls and access to IT systems.
- Center for Audit Quality (CAQ)
- Rutgers Accounting Web
- 2009 IT Audit Benchmarking Study (The Institute of Internal Auditors)
- United States Patent and Trademark Office Patent 7,676,427 System and Method of Continuous Assurance
- CICA/AICPA. 1999. Continuous Auditing. Research Report, Toronto, Canada: The Canadian Institute of Chartered Accountants
- IIA GTAG#3
- Vasarhelyi, Miklos, and David Y. Chan. "Innovation and Practice of Continuous Auditing" International Journal of Accounting Information Systems. (Special Issue on Research Methods) 12, (2011) 152-160.
- Vasarhelyi, M.A. and Halper, F. B., 1991, The Continuous Audit of Online Systems, Auditing: A Journal of Practice and Theory, 10(1), 110-125.
- Vasarhelyi,Miklos. "The Coming Age of Continuous Assurance." Insights. Melbourne Business and Economics. April 2011. 23-30.
- Alles, Michael, Alexander Kogan, and Miklos Vasarhelyi. “Black Box Logging and Tertiary Monitoring of Continuous Assurance Systems.”Information Systems Control Journal 1. (2003): 37-39.
- Vasarhelyi, Miklos, Carlos Elder Maciel De Aquino, Nilton Sigolo, and Washington Lopes Da Silva. “Six Steps to an Effective Continuous Audit Process.” The Tech Forum, Institute of Internal Auditors. July 2008.
- Hunton, J., A. Wright, and S. Wright. 2002. Assessing the Impact of More Frequent External Financial Statement Reporting and Independent Auditor Assurance on Quality of Earnings and Stock Market Effects. Working paper presented at the Fifth Continuous Auditing Symposium.
- Van Decker, J., 2004, The Need for Continuous Controls Monitoring, Available Online, Delta 2951: METAgroup, http://www.metagroup.com/webhost/ONLINE/739743/d2951.htm.
- Vasarhelyi, M.A., Alles, M. and Kogan, A., 2004, Principles of Analytic Monitoring for Continuous Assurance, Journal of Emerging Technologies in Accounting, 1(1), 1-21.
- ACL: http://www.aclchina.com/solution/Continuous%20Auditing.pdf