Miklos A. Vasarhelyi, Ph.D., Silvia Romero, Ph.D., Siripan Kuenkaikaew, CISA, and Jim Littley
Continuous auditing/continuous monitoring (CA/CM) has long been studied in academia and is widely discussed in practice.1 CA can be defined as the assurance that independent auditors provide simultaneously with, or shortly after, the occurrence of events underlying the subject matter.2 CM is a process implemented by management to ensure that business is operating effectively.3 The Institute of Internal Auditors (IIA) clarifies the differences between the concepts: “Continuous monitoring is management driven and continuous audit is audit driven. CM is a process used as part of the control structure part of the COSO monitoring role. CA is part of the assurance process an aspect of audit.”4
This article examines how internal audit has progressed with the implementation of CA/CM. It uses the results of a study conducted by CARLAB6 to discuss how far the expectations regarding CA/CM adoption, highlighted in a survey of chief audit executives (CAEs) conducted by PricewaterhouseCoopers (PwC) in 2007,5 were realized. The CARLAB study includes the results of in-depth interviews conducted with nine companies that have implemented some form of CA/CM. The analysis of the results of both studies provides evidence on the stage of CA/CM adoption by internal audit organizations.
Reports on implementation of CA/CM systems are found as early as 1991, with a system implemented at AT&T to monitor billing data in real time.7 The key characteristic of these data was their completely electronic nature, allowing AT&T to use data captured automatically by telephone switches. The system identified failures and data errors through analytic tools by comparing input data with benchmarks, notifying the auditor of deviations. The resulting low-latency error detection provided higher audit quality. It also allowed the audit to be conducted more efficiently and effectively since the auditor had greater flexibility in the search for evidence. In 1999, the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) published a joint report on CA.8 At the same time, systems with different levels of CM were starting to be developed in the industry (e.g., ACL, IDEA CaseWare) for continuous control monitoring.
Academic and professional interest in CA/CM is evidenced by the large number of articles published.9,10 Demand factors for CA/CM adoption include increasing data complexity and volume, prevalence of electronic transactions, web-based reporting, and user demand for more frequent information. The US Sarbanes-Oxley Act of 2002 (section 404) also includes provisions regarding management’s assessment of internal control and reduced disclosure time, requiring effective rapid error detection.
PwC conducted a survey11 in 2007 among CAEs of Fortune 250 companies and thought leaders within the auditing community. The purpose was to determine both the factors that would reshape internal auditing in the future and how CAEs envisioned audit in 2012. The results show the following main factors:
Internal audit was expected to go beyond a static and cyclical approach, to a state of continuously optimizing the use of technology on an as-needed basis. The report also explained that, at that time, CA/CM was rarely continuous or in real time, and that it mainly encompassed manual operations done more frequently than traditional audits. According to respondents, internal auditors would be able to integrate technology in the future to assist with data extraction and analysis. They also expected auditors to be better able to react to warnings and conduct more targeted audits.
The survey found that the main challenge was the lack of staff capabilities because traditional accounting and auditing skills were not sufficient to perform a quality audit within CA. Auditors must be able to conduct data analysis and assess complex IT environments, given that auditor demand was and is increasing in the areas of technology and regulation. Among the important skill sets needed for auditors, data mining and analysis, risk assessment, and information technology were highlighted by the respondents.
The CARLAB study reports the results of interviews with auditors in large companies in different industries. The team visited nine leading internal audit organizations to conduct face-to-face interviews with 22 internal audit managers and 16 internal audit staff members. The team chose semistructured interviews, rather than a structured survey, to capture the participants’ perceptions of CA/CM adoption. The results of this study indicated that:
The CARLAB study found four key factors affecting adoption. Each affects the perceived usefulness and ease of use of the technology:
To evaluate levels of CA/CM adoption, the CARLAB study classifies the interviewed companies into four categories based on adoption maturity. The first stage corresponds to traditional auditing with periodic reviews. The second stage (emerging) includes early adopters who automate existing audit practices that are easily and simply automatable. Once users appreciate the benefits of those processes, CA is extended to other areas of the audit, characterizing the third stage (maturing). This extension is more time- and resource-intensive because it may require some process reengineering. In the final stage, all audit processes are automated (CA), with auditors engaged in analyzing results and exceptions.13, 14
Companies’ adoption levels are measured along the following seven dimensions:
Figure 1 shows the results of the evaluation of the participating companies according to their performance in the defined seven dimensions. It can be observed that most of the companies are in the early stages, ranging from a traditional audit model to a stage in which CA/CM is emerging. This means that, although the interviewed companies have certain levels of CA/CM, they are just in the initiation phases. Consequently, there are opportunities for development in the future.
The PwC CAE survey presented expectations of the evolution of internal audit in the five years immediately following its conclusion. There was some progress toward these expectations according to the CARLAB study. Although the first study reports high levels of adoption of CA/CM at the time of the survey, manual systems were included in the analysis and testing was not done in real time, but was done more frequently than in traditional audits. The survey predicted an increase in the levels of audit automation through technology adoption.
Another issue encompassed in the predictions and found in the CARLAB study is the need to increase training of employees and managers. It is important that managers react quickly to alerts, and that employees are prepared to use the available tool set. Interviewees in the CARLAB study expressed the importance of training, describing systems in place that include rotation of auditors (as anticipated by the PwC study).
Another expectation for the future is that internal audit responsibilities related to Sarbanes-Oxley would remain level or decline over time. Accordingly, the CARLAB study reports that Sarbanes-Oxley adoption has substantially affected the internal audit departments of the companies, and that CA/CM helps with Sarbanes-Oxley compliance by facilitating review and reducing time of performance.
CA/CM has been discussed in the auditing profession for many years, since the initial work at AT&T in the early 1990s.15 The survey conducted among CAEs in 2007 examined the levels of application of CA in business. Although it found a high rate of CA adoption, a large number of participants in the survey reported that they performed audits manually. Furthermore, they defined monthly and quarterly audits as frequencies of continuous audit. This survey predicted an increase in CA/CM in the ensuing five years, evolving responsibilities of auditors and a globalization effect relative to the auditing role.
With a different approach, the CARLAB study classified the manual audit process and periodic audit as a traditional audit, producing a different evaluation of CA/CM adoption. Most of the companies in the CARLAB study were classified in the emerging stage of CA adoption. The reason for not including them as full continuous audit adopters was that they had only partial audit automation and some key monitoring on a regular basis.
Both surveys found interesting factors that affected the implementation of CA in companies. One of the major factors was a lack of staff capabilities, especially in IT and data analytics—areas that are the core of CA. Participants in both surveys also mentioned that cost was not the major challenge for CA implementation, and that CA efficiently supported Sarbanes-Oxley compliance. Other important factors mentioned were management support, level of access to data, regulatory compliance and audit technology.
All in all, there are different definitions of CA, and the understanding of CA varies accordingly. Currently, there is demand for faster and better assurance. There are opportunities for the development of CA, given current access to substantially automated audit technology; however, CA/CM remains in the initial stages of adoption.
1 Vasarhelyi, M. A.; M. G. Alles; K. T. Williams; “Continuous Assurance for the New Economy,” A Thought-leadership Paper for the Institute of Chartered Accountants in Australia, May 2010
2 Canadian Institute of Chartered Accountants (CICA) and American Institute of Certified Public Accountants (AICPA), “Continuous Auditing Research Report,” Canada, 1999
3 Coderre, D.; Global Technology Audit Guide: Continuous Auditing Implications for Assurance, Monitoring and Risk Assessment, Institute of Internal Auditors, 2005
4 Warren Jr., J. D.; Parker, X.; Continuous Auditing: Potential for Internal Auditors, Institute of Internal Auditors Research Foundation, 2003
5 PricewaterhouseCoopers, “Internal Audit 2012—A Study Examining the Future of Internal Auditing and the Potential Decline of a Controls-centric Approach,” 2007
6 Vasarhelyi, M. A.; M. G. Alles; S. Kuenkaikaew; J. Littley; “The Acceptance and Adoption of Continuous Auditing by Internal Auditors: A Micro Analysis,” International Journal of Accounting Information Systems, forthcoming 2012
7 Vasarhelyi, M. A.; F. Halper; “The Continuous Audit of Online Systems,” Auditing, A Journal of Practice and Theory, 1991
8 Op cit, CICA and AICPA
9 Brown, C.; J. Wong; A. Baldwin; “A Review and Analysis of the Existing Research Streams in Continuous Auditing,” Journal of Emerging Technologies in Accounting, volume 4, number 1, 2007
10 Chiu V.; Q. Liu; M. A. Vasarhelyi; “On the Development and Influence of Continuous Auditing Research,” Rutgers Business School, CARLAB Working Paper, 7 January 2012
11 Op cit, PricewaterhouseCoopers
12 The benefits and application of data analytics in CA are mentioned extensively in Vasarhelyi M. A.; J. Dai; “The Survey of Audit Analytics,” Working Paper, CARLAB, 2012.
13 Alles, M.; G. Brennan; A. Kogan; M. A. Vasarhelyi; “Continuous Monitoring of Business Processes Controls: A Pilot Implementation of a Continuous Auditing System at Siemens,” International Journal of Accounting Information Systems, vol. 7, no. 2, 2006
14 Teeter, R.; G. Brennan; “Location Independent Audit,” Working Paper, CARLAB, 2010
15 Op cit, Vasarhelyi and Halper
Miklos A. Vasarhelyi, PH.D., is the KPMG professor of accounting information systems and director of the Continuous Auditing and Reporting Laboratory (CARLAB) at Rutgers University, New Jersey, USA.
Silvia Romero, PH.D., is an assistant professor in the Department of Accounting, Law and Taxation at Montclair State University, New Jersey, USA.
Siripan Kuenkaikaew, CISA, a doctoral student in accounting information systems, was a financial auditor at KPMG, Thailand, and an IT auditor with PricewaterhouseCoopers.
Jim Littley is a principal at KPMG LLP’s advisory services practice. He is KPMG’s global and Americas leader for continuous auditing and continuous monitoring services.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.