Primary navigation:

QFINANCE Quick Links
QFINANCE Topics
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > Continuous Auditing: Putting Theory into Practice

Auditing Best Practice

Continuous Auditing: Putting Theory into Practice

by Norman Marks

Executive Summary

  • Continuous auditing is a topic that is frequently identified as a method for internal auditors to “raise their game” and improve the value they provide to their stakeholders. For example, in their 2010 “State of the internal audit profession study,” PricewaterhouseCoopers identifies the ability to leverage technology (including the use of continuous auditing techniques) as one of the eight attributes of a maximized internal audit function.

  • In a 2010 study, “What is driving continuous auditing and continuous monitoring today?,” KPMG reports, “In a volatile economic environment, a number of key drivers are prompting companies to employ continuous auditing and continuous monitoring techniques to do more than manage risk, including help reduce cost, improve performance, and create value.”

  • This article defines continuous auditing, discusses the ways in which continuous auditing techniques can be used to provide value, and shares guidance on how to design an effective program. It advises that only after the objectives of a continuous auditing initiative have been determined, and the program designed, should auditors evaluate and acquire software.

Back to top

Introduction

The Institute of Internal Auditors (IIA) has issued an excellent global technology audit guide (GTAG) on the topic of continuous auditing. The guide, which we will refer to as GTAG-3, covers a lot of ground, including this definition of continuous auditing:1

“Continuous Auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis. It is the continuum of activities ranging from continuous control assessment to continuous risk assessment—all activities on the control-risk continuum. Technology plays a key role in automating the identification of exceptions and/or anomalies, analysis of patterns within the digits of key numeric fields, analysis of trends, detailed transaction analysis against cut-offs and thresholds, testing of controls, and the comparison of the process or system over time and/or against other similar entities.”

Continuous auditing enables an internal audit function to:

  • provide the board and management with assurance on a more frequent, if not continuous, basis;

  • monitor risks and adjust the audit program to ensure that it addresses what matters to the organization today;

  • improve the level of activity, in terms of both volume and period of time, that is audited.

It is important to consider the use and value of continuous auditing within the context of how the IIA defines an internal auditing function:

“A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.”

Taking these two definitions together enables the following points to be made. Each of these will be discussed in this article.

  1. Continuous auditing is a method used by internal auditors in support of their assurance and consulting services.

  2. Continuous auditing includes activities related to one or more of the following:

    1. Continuous risk assessment (also known as risk monitoring), including the use of analytical techniques to identify trends, etc., to develop and maintain the periodic audit plan;

    2. Continuous testing of controls to provide assurance that they operate as intended. GTAG-3 refers to this as “continuous controls assessment”;

    3. Continuous testing of transactions2 to identify anomalies, exceptions, and potential problems.

  3. Although continuous auditing typically leverages technology, continuous auditing activities may include manual testing, reviews of reports, etc.

  4. Despite its name, continuous auditing is not necessarily performed continuously. The frequency will depend on a number of factors, including:

    1. The frequency with which transactions occur (for example, journal entries are predominantly a month and quarter-end activity);

    2. The frequency with which controls are performed;

    3. The level of business risk being addressed;

    4. The risk that the control may not be performed as intended.

However, few internal audit departments have made major moves into continuous auditing. One of the reasons is that the value is not clear to every chief audit executive (CAE).3 We will discuss that first.

Back to top

The Value of Continuous Auditing

Imagine that you are the CAE of a global company and you are called in to see the CEO. He asks for your assessment of the quality of controls over the hedging of currency risk—which you identified as a high-risk area in your last report to the audit committee.

Is it acceptable to reply to the CEO that you will be able to tell him when you have completed the next audit, scheduled in three months? Is it acceptable to report, instead, on the audit your team completed a year ago?

The answer is clearly “no.” When it comes to the more significant risk areas (such as the hedging of currency risk mentioned above), the CAE should try to provide assurance when it is needed by the primary stakeholders.

Value Proposition 1: Audit at the Speed of Business

This is the first value proposition for continuous auditing: the ability to provide assurance when it is needed. This can be referred to as “audit at the speed of business.” The GTAG-3 refers to it as “continuous controls assessment.”

What does internal audit provide assurance on? The Institute of Internal Auditors’s “International standards for the professional practice of internal auditing” (IIA, 2010) guides us to provide assurance on the “governance, risk management, and control processes for the organization.”4

Extending that, continuous auditing enables an internal auditing function to provide assurance, when it is needed, on the more significant areas of the organization’s governance, risk management, and related controls processes. We can refer to this as “continuous risk and control assurance.”

The value to the board and executive management of continuous risk and control assurance is generally very high. Although this dimension of continuous auditing can require the most resources to develop and maintain, the value will frequently far exceed the cost.

The next section will discuss how an internal audit department can use continuous auditing techniques for each of the value propositions. The second value relates to fraud.

Value Proposition 2: Fraud Detection and Control

Internal audit departments have a keen interest in fraud: in the adequacy of controls that prevent or detect fraud, and in investigating potential fraudulent activities. The second value proposition is that continuous auditing enables the monitoring of risks for indicators of fraud, and of transactions for potential fraudulent activity.

Continuous testing of transactions to detect potential errors and possible fraudulent activity is generally considered a management activity. However, many internal audit departments have included in their charter the detection of fraudulent activity. Automated techniques can improve the effectiveness and efficiency of a fraud detection program.

Building a business case for continuous fraud detection will depend on the level of risk that fraud represents to the organization, and the quality of existing controls to either prevent or detect significant fraud. The greater the quality of existing controls that can be leveraged, the lower the total cost of a fraud detection program will be.

Value Proposition 3: Continuous Risk Assessment/Monitoring

The third, but possibly the most important dimension of continuous auditing, is continuous risk assessment or monitoring. The key to an effective internal audit department is to be focused on the risks that are important to the organization now. If risk assessment is only performed annually, or even semi-annually, audit engagements may be scoped to address risks that are no longer critical—and the more critical risks may not receive audit attention.

Internal audit departments are moving to more continuous risk assessment, often updating their audit plan on a quarterly basis. Technology can enable many risks to be monitored as frequently as the auditor desires. For example, consider the risk to a global company of sales to customers in Poland. One of the “drivers” of that risk will be the level of sales (or even the pipeline of sales orders) to customers in Poland. As that level rises, so does the risk. Technology can be used to monitor the level of sales or sales orders and send an alert to the audit department if it exceeds a predefined level.

This value proposition can be described as: continuous auditing can be used to ensure that the internal audit plan remains focused on the more significant risks to the organization as the business changes. It enables auditing at the speed of business.

Continuous risk monitoring is an essential element in continuous risk and control assurance. Without it, the scope continuous auditing of controls will not be updated as risks change.

Summary

Three value propositions have been identified, each of which will be discussed in more detail below.

  • Continuous risk and control assurance: Continuous auditing enables an internal auditing function to provide assurance, when it is needed, on the more significant areas of the organization’s governance, risk management, and related control processes.

  • Continuous fraud detection: Continuous auditing enables the monitoring of risks for indicators of fraud, and of transactions for potential fraudulent activity.

  • Continuous risk assessment or monitoring: Continuous auditing can be used to ensure that the internal audit plan remains focused on the more significant risks to the organization as the business changes.

Back to top

Continuous Risk Assessment or Monitoring

Although this is the third value proposition, it is a critical element of both continuous risk and control assurance and continuous fraud detection, so it will be covered first. Why is it so critical? Because without continuously updating internal audit’s understanding of risks, auditing (whether continuous or not) is likely to remain focused on what used to be important instead of what is important. The same applies to fraud detection, which should also be driven by the types of fraud and fraud schemes that represent a higher level of risk to the organization.

Ideally, internal audit will be able to leverage an effective risk management program (or ERM, for enterprise risk management) that identifies and assesses risks to the strategies and objectives of the organization. The internal auditor should evaluate whether:

  • the ERM program can be relied on to identify the more significant risks to the organization;

  • the identification of risks is timely, enabling the internal audit department to adjust the audit plan as needed;

  • the assessment of risk levels is reliable.

When these conditions exist, the audit department should work with the risk function to ensure that it receives the information it needs, when it needs it, to maintain the risk-based audit plan.

However, many organizations do not have an ERM program that can be relied upon. Presumably , internal audit has raised this as an issue of critical importance with the board and executive management. But internal audit should not use this as an excuse not to try to maintain an audit plan focused on today’s risks.

Back to top

Making It Happen

A Continuous Risk Monitoring Program

One way to build a continuous risk assessment/monitoring program is as follows.

  1. Start with the risks you want to monitor. Use the latest risk assessment as a basis.

  2. Identify the causes or drivers of the risk. What would cause the risk level (probability or potential impact) to change? For example, if there is a revenue recognition risk related to sales to Thailand, the risk level is likely to rise if the level of sales to Thailand increases.

  3. Determine your strategy for monitoring the risk drivers. For example, you can monitor corporate information on orders in the sales pipeline and be alerted when the level (volume or value) is outside a defined range. Why a range? Because if the pipeline is low, the risk level decreases. It is not only increases that should be monitored. The strategy should also include a decision on how often to monitor the risk. If the risk is considered critical and the level is volatile, then monitor more often than if the risk is lower and considered less likely to change.

  4. Identify the mechanism(s) that will be used for risk monitoring. Will you rely on existing reports and systems, or will you need to build new capabilities?

  5. Define the process for receiving the risk information and responding, generally with updates to the audit plan. How often will you update the plan? Also, a change in a risk level may indicate a need to inquire of management what the causes of the change are—to confirm the risk level and understand whether related controls and/or activity need prompt audit attention. Some changes in risk levels may indicate an increased level of fraud risk, meriting special attention by internal audit or a fraud department.

  6. Step back and decide whether the design to date will be sufficient to monitor the risks. Update the plan, or accept the limitations as appropriate.

  7. Build and implement the continuous risk assessment program.

  8. Consider how to work with management to identify new or emerging risks, and when to add them to the program.

  9. Consider metrics with which to monitor whether the continuous risk assessment program is working effectively.

  10. Seek to continuously improve. Perform formal reviews on a formal basis to validate performance, including determining whether the program failed to identify risk changes of significance during the period

Back to top

Continuous Risk and Control Assurance

The idea behind a continuous risk and control assurance (CRCA) program is that internal audit should provide its stakeholders with assurance that the more critical risks to the enterprise are effectively managed—when that assurance is needed.

Building a CRCA program takes time. A typical organization has multiple risks that internal audit will want to address, each of which relies on multiple controls.

Although the decision could be made to provide continuous assurance on only a very few risks and their controls, a larger program that addresses more risks and controls will generally provide a higher return on the investment.

Before considering tools, the CRCA program must be designed. Some internal audit departments are sold tools before they have designed a program, before they have decided how to use the tools—or even whether they are in fact the tools they need. As a result, most of these departments have had limited success.

Design

A CRCA program will include most if not all of the following components, as shown in Figure 1:

  • continuous risk monitoring, including the monitoring of key performance indicators (KPI);

  • continuous control monitoring;

  • continuous transaction or activity monitoring;

  • investigation of potential inappropriate activities that have been detected;

  • continuous reporting to stakeholders.

The first step, as discussed above, is to decide which business risks will be included in the CRCA program. These will be subject to continuous risk monitoring (see previous section), which has two aspects:

  • Monitoring of key performance indicators. A failure to achieve strategies, goals, or performance targets is a strong indicator that risks were not managed effectively, and that there is a continuing level of risk to achieving goals and objectives.

  • Monitoring of risk levels, typically achieved by monitoring the drivers of the risk as discussed earlier. Risk levels are reflected in key risk indicators, or KRI.

Risks are managed through controls. ISO Publication 73 defines a control as a “measure that is modifying risk” and IIA Standard (2010) defines control as “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.”

A higher level of risk is a strong indicator that controls are either not designed or are not working effectively to manage risk within organizational tolerances. The CRCA program should include processes to respond to higher levels of risk, such as reviewing with management the root causes of the higher risk level and whether the system of internal controls remains adequate.

Once the business risks to be addressed are defined, the next step is to identify the controls that are relied on to manage those risks. These are the controls, the key controls, that will be tested in the CRCA program. By key controls, we mean those controls that have to be in place and operating properly if risks are to be managed. They are not all the controls, just those that if they failed or were not adequately designed would mean that the risks are highly unlikely to be well managed.

Key controls may operate at any level of the organization (corporate, division, location, department, process, etc.) and may be manual or automated. Typically, several controls are required to manage any single risk. If assurance is to be obtained that the risks are well managed, all the key controls have to be addressed in the CRCA program.

If the key controls have not already been identified, consideration should be given to performing an audit. In fact, every time a traditional audit is performed, a deliverable could be the identification of key controls and a strategy for testing them (as described in the rest of this section). This way, the CRCA program is built with confidence that the key controls are properly identified, and a relationship can be developed with operating management that will serve as a foundation for the program going forward.

Testing

After identifying the key controls, the next step is to define how they will be tested. Rather than jump straight to detailed testing techniques, it is better to define the strategy for the testing first. In a CRCA program, many controls will be tested and the overall design of testing will be more efficient—especially when considering how to leverage technology and other techniques (such as management reviews or manual testing)—when all the controls are considered together rather than one at a time. Examples of testing strategies include:

  • Rely on management’s continuous monitoring program—for payroll controls, and for the review of financial trends and significant variances from forecast. Obtain reports monthly to review the results and follow up on any issues.

  • Use software to test controls—to confirm that all journal entries are approved by a manager, and to verify that all changes to the manufacturing computer system were approved by the IT manager.

  • Use manual testing—to review actions taken with respect to outstanding items on the bank reconciliation, and to confirm that appropriate cutoff procedures are in place for the annual inventory count.

  • Rely on management self-assessments—to confirm that the code of conduct has been reviewed with all personnel, and that backup generators are in place and tested periodically.

  • Rely on supervision—by the IT director of controls over the work of the database administrators, and by the manager of the warehouse of the quality inspection of goods received.

  • Use software to test data—to validate that all payments to suppliers were consistent with purchase orders and records of goods received, and to identify potential duplicate payments.

One important design consideration is the frequency with which assurance should be provided. Just because it is called continuous doesn’t mean that the testing and the assurance have to be continuous. They key is that the assurance is provided when it is needed, and that the testing is sufficient to support the assurance.

The best assurance for management that risks are being managed effectively is when assurance can be provided on the condition and quality of the controls in place. Although testing transactions provides assurance that risks have been managed in the past, the level of forward-looking assurance is limited.

The value of assurance is that it provides comfort to the board and stakeholders with respect to current and future activity. While the past provides an indication of what will happen in the future, controls assurance is more powerful and valuable. Testing of controls provides direct evidence that they are performing. Testing of transactions provides, at best, limited indirect evidence.

Testing transactions, even when 100% of transactions are examined, only provides assurance relative to those transactions. It does not provide assurance that the controls are adequate and will ensure the integrity of current and future transactions. Consider a hypothetical analysis of home burglaries which shows that while there were several in neighborhood A, there were none in B. Does that prove that everybody in neighborhood B locked their doors and had effective alarm systems? Clearly not. The fact that transactions were accurate does not prove that there were adequate controls to ensure that they were accurate.

Therefore, a risk and controls assurance program aims to provide as much assurance that the controls are adequate as possible. However, there are limitations, especially to the use of technology to enable the continuous auditing of controls:

  • Some controls involve the exercise of judgment, such as the review of journal entries. While technology can test that the journal entries were approved by a manager, they cannot test whether the review was perfunctory or whether appropriate judgment was exercised.

  • A number of controls involve physical activities, such as the counting of inventory. Technology can test that a count was taken and adjustments approved by a manager, but it cannot test to ensure that all locations were properly examined.

In many cases these limitations can be addressed by including manual testing as part of the CRCA program. For example:

  • a manual review of a sample of journal entries can be performed throughout the year;

  • auditors can attend the occasional inventory counting procedure.

Where the limitations involved in testing controls cannot be overcome, the auditor may decide that the indirect assurance from testing transactions is sufficient. This may be the case when the risk if the control fails is considered to be low.

In some companies, management has implemented a continuous monitoring program. This involves direct monitoring by management that assures them that the controls are functioning as intended. When such a program is in place, internal audit should seek to place as much reliance as possible on it. Duplication of effort should be avoided. The auditor should: ·

  • Review the scope of management’s continuous monitoring program and confirm that it includes the key controls to be covered by the CRCA program.

  • Verify that the monitoring by management meets quality and objectivity standards necessary for internal audit reliance. For example, does it simply rely on a manager confirming that he or she has performed the control?

  • Determine whether the program produces evidence that can be used by the internal auditor. For example, the program may rely on supervision by a manager that is not documented when it is performed.

For some controls, the auditor may decide to rely on a self-assessment program. This can be valuable, especially where the risk is relatively low, or where direct testing is difficult—such as testing employee awareness of the code of ethics.

The CRCA program design must include consideration of how testing exceptions, or indications that controls may be failing, will be addressed. Most of the time the exceptions will have to be reviewed with management, so that explanations can be obtained and a determination made as to whether the controls have in fact failed—and what actions will be taken in response.

In a few cases, especially where the risk of fraud is considered high, the CRCA program might include “alerts,” typically but not necessarily automated, informing internal audit of the control or data exception.

The CRCA program design should include how the results of the testing and monitoring will be summarized for use by internal audit management. What will the summary look like, how often will it be produced (or will it be continuously updated and always available), and how will exceptions be highlighted?

Reporting

Finally, the design has to address how stakeholders will be informed of the quality of risk management and the related controls.

  • How often do executive management and the board require reports?

  • Do they prefer to receive reports (such as dashboards) or to be notified when there are exceptions?

  • What information will be provided to operating management? How often will it be provided, and in what form?

Once the design is complete, the tests can be developed. With respect to the use of technology, the design will determine what the technology needs to achieve and will define the requirements for the selection of the appropriate set of tools. Since the program needs to address all forms of controls, it is unlikely that a single software tool will meet all needs and a combination of tools will be required. For example, one tool may be used as a repository of risk and control information to capture and report the results of testing. Another may be used for risk monitoring and data analytics. Yet another may be used to monitor IT activity when testing IT general controls.

Figure 1 summarizes all the elements of a fully-featured CRCA program.

  • The first two rows address the monitoring of key performance indicators (for business objectives) and risk indicators (for risks to those business objectives).

  • Controls auditing is the preferred testing approach, but where that is not possible the testing of data (either in the enterprise systems or in a data warehouse or similar) may be included. This is especially true when the risk of fraud is considered (see below).

  • The results of the CRCA program have to be collected for reporting within internal audit and to stakeholders. This is shown on the right side of the diagram.

Back to top

Continuous Fraud Detection

Many internal audit functions have taken on the responsibility for detecting fraud. Even where strong controls are in place, it is prudent to monitor transactions and look for the signs of potential fraud.

A CRCA program will typically include fraud risks, monitoring their level, testing the controls, and examining activity for potential issues of concern.

A continuous fraud detection program will follow some of the same principles and steps as a CRCA program, even if the continuous auditing activity is limited to fraud detection rather than a full CRCA program:

  • Design the program and define your needs before selecting software or developing detailed testing techniques.

  • Focus on frauds that represent the higher level of risk to the business. According to the Association of Certified Fraud Examiners’s latest global fraud study (ACFE, 2010), the average company experiences fraud amounting to 5% of annual revenue. While this is high, care should be taken not to allocate more resources to fraud detection than the risk merits or the detection costs. This can be done by focusing on those fraud risks and schemes that are more likely to be significant to the business.

Back to top

Making It Happen

An Effective Fraud Detection Program

The following steps have proven useful in implementing effective fraud detection programs.

  1. Identify the fraud risks specific to your organization. Every company is different, and the risks from fraud will vary.

  2. Assess each fraud risk for likelihood and potential scale.

  3. Select the fraud risks that the program will address.

  4. For each risk, identify how the fraud would work: what are the fraud schemes?

  5. Determine how an inspection of transactions or other activity (such as trend analysis, comparison of same product margins in different locations, or the detection of transactions approved by the same person who originated the transactions) might detect potential fraud.

  6. Design the process for investigating exceptions. Take care to discuss the process with any management personnel who might be involved in reviewing and providing explanations for exceptions.

  7. Develop and implement the program.

  8. Monitor and adjust the testing procedures as necessary (for example, changing tolerances on any automated tests that are producing false positives).

  9. Continue to monitor fraud risks and change the program as needed.

  10. Review and continually improve the fraud detection program.

Back to top

Summary

There are several ways in which continuous auditing techniques can be used to improve the effectiveness of an internal audit program. They include:

  • continuous risk and control assurance;

  • continuous fraud detection;

  • continuous risk assessment.

Before embarking on the continuous auditing journey, the internal audit department should decide what it wants to use continuous auditing for. Will it be for one or more, or for some variant, of the above purposes?

Some departments review the software marketed for continuous auditing or continuous control monitoring and purchase what appears to be the “best.” However, they may do this before deciding on the purpose and objectives of their program, which would enable them to define their needs for technology.

Other audit functions understand continuous auditing to be purely an application of technology and do not therefore consider the use of manual testing. Typically, their program becomes one of testing transactions, primarily for potential fraud. It does not provide assurance on the quality of controls, and does not help them to realize their mission of providing assurance and consulting services relating to the effectiveness of governance, risk management, and related control processes.

Finally, some audit departments have left the field entirely. They believe that management should be performing continuous monitoring of controls and that continuous auditing is not necessary. This overlooks the potential for internal audit to review and test management’s monitoring program and then rely on it (perhaps supplementing it with its own tests as necessary) to provide their stakeholders with assurance when it is needed by the board and management.

Continuous auditing has great potential. It can move an internal audit from providing assurance based on traditional point-in-time audits to providing assurance when it is needed. But to realize that potential, an internal audit department has to be disciplined.

Back to top

Notes

1. Unfortunately, there is no universally accepted definition of continuous auditing. Many (including KPMG in its 2009 publication, “Continuous auditing/continuous monitoring”) have limited continuous auditing to the use of technology to collect and analyze transactions. The present essay uses the IIA definition.

2. Any activity may be tested, including not only transactions but changes to application code, router or automated control configurations, master data, etc. The term “transaction” is used generically to include any activity subject to testing.

3. In its 2008 global internal audit survey (the latest), “Escalating the role of internal audit,” Ernst & Young reported that 42% of respondents to its survey had implemented some level of continuous auditing, mainly to “identify deficiencies, monitor risks and identify potential fraud activities.” Reasons for not having already implemented continuous auditing included a “lack of skill sets within internal audit, budget constraints and no perceived value in the program.”

4. From the definition of “assurance services” in the Glossary to IIA Standards (2010), p. 18.

Back to top

Back to Table of contents

Further reading

Reports:

  • Association of Certified Fraud Examiners (ACFE). “Report to the nations on occupational fraud and abuse: 2010 global fraud study.” 2010. Online at: www.acfe.com/rttn.aspx
  • Coderre, David. “Global technology audit guide (GTAG) 3: Continuous auditing: Implications for assurance, monitoring, and risk assessment.” Institute of Internal Auditors, 2005. Online at: www.theiia.org/guidance/technology/gtag3
  • Ernst & Young. “Escalating the role of internal audit: Ernst & Young’s 2008 global internal audit survey.” 2008.
  • Institute of Internal Auditors (IIA). “International standards for the professional practice of internal auditing (Standards).” Revised October 2010. Online at: tinyurl.com/7we53bq
  • KPMG. “Continuous auditing/continuous monitoring: Using technology to drive value by managing risk and improving performance.” June 2009. Online at: tinyurl.com/5w3huxt [PDF].

Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share