Background
The objective of
History
The first application of continuous auditing was developed at AT&T Bell Laboratories in 1989. Known as a continuous process auditing system (CPAS), the system developed by Miklos Vasarhelyi and Halper provided measurement, monitoring, and analysis of the company's billing information. Here key concepts such as metrics, analytics, and alarms pertaining to financial information were also introduced.
Components
Continuous auditing is made up of three main parts: continuous data assurance (CDA), continuous controls monitoring (CCM), and continuous risk monitoring and assessment (CRMA).
Continuous data assurance
Continuous data assurance verifies the integrity of data flowing through the information systems. Continuous data assurance uses software to extract data from IT systems for analysis at the transactional level to provide more detailed assurance. CDA systems provide the ability to design expectation models for analytical procedures at the business-process level, as opposed to the current practice of relying on ratio or trend analysis at higher levels of data aggregation. CDA software can continuously and automatically monitor transactions, comparing their generic characteristics with predetermined benchmarks, thereby identifying anomalous situations. When significant discrepancies occur, alarms are triggered and routed to appropriate stakeholders and auditors.
Continuous controls monitoring
Continuous controls monitoring consists of a set of procedures used for monitoring the functionality of internal controls. CCM relies on automatic procedures, presuming that both the controls themselves and the monitoring procedures are formal or able to be formalized. CCM can be used for monitoring access control and authorizations, system configurations, and business process settings. CDA and CCM are complementary processes. Neither process is self-sufficient or comprehensive. Even if no data faults are found, it cannot be concluded that controls are fail-safe. Further, even if controls are being implemented, data integrity cannot be assumed. When combined, however, these monitoring approaches present a more complete reliance picture.
Continuous risk monitoring and assessment
Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning. CRMA is a real-time integrated risk assessment approach, aggregating data across different functional tasks in organizations to assess risk exposures and provide reasonable assurance on the firms' risk assessments.
Black box logging
In addition to the aforementioned three components, the black box audit log file is also an important part of continuous auditing. This file can be viewed as an extension of the existing practice of documenting audit activities in manual or automated work papers. A black box log file is a read-only, third-party controlled record of the actions of auditors. The objective of black box logging is to protect a continuous auditing system against auditor and management manipulations.
Continuous reporting
Continuous reporting is the release of financial and non-financial information on a real-time or near real-time basis. The purpose of continuous reporting is to allow external parties access to information as underlying events take place, rather than waiting for end-of-period reports. The adoption of
Implementation
Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These steps include:
* Establishing priority areas. This entails choosing which organizational areas to audit. When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives.
* Identifying monitoring and continuous audit rules. The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process.
* Determining the process' frequency. Continuous auditing need not be literally continuous. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing.
* Configuring continuous audit parameters. Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. When defining a CAP, auditors should consider the costs and benefits of error detection as well as audit and management follow-up activities.
* Following up. Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both; usually the alarm is sent to the process manager, the manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed need to be addressed when establishing the continuous audit process.
* Communicating results. A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent.
Demand
Demand for continuous auditing has come from a variety of sources, primarily user-driven requirements. External disclosure, internal drivers, laws and regulation, and technology all play important roles in pushing up demand.
External disclosure
More frequent disclosure will drive the nature of the audit process. This increase improves the quality of earnings while reducing manager aggressiveness and decreasing stock market volatility.
Internal drivers
As companies have become more integrated within their own departments and with other companies, such as suppliers and retailers, a desire for data integrity throughout the electronic data exchange process is also driving demand for continuous auditing.
Laws and regulation
Laws and regulations require that the activities and methods a company follows to achieve a specific goal be monitored. Under such laws and regulations, companies have taken up continuous auditing.
Technology
XBRL
Security
Because of the nature of the information passing through continuous auditing systems, security and privacy issues are also being addressed. Data assurance techniques, as well as access control mechanisms and policies, are being implemented into CA systems to prevent unauthorized access and manipulation, and CCM can help test these controls.
Challenges
For many organizations, there are a number of challenges to implementing a continuous auditing approach. The following are some common challenges with associated recommendations. Source: ACL, archived copy (archive date 2010-05-25): https://web.archive.org/web/20100525033720/http://www.aclchina.com/solution/Continuous%20Auditing.pdf
Accessing complex, diverse system environment
Few organizations have a completely homogeneous, seamless system environment. There is typically a mix of ERPs or multiple instances of one ERP, mainframe systems, off-the-shelf applications, and legacy systems, all of which may contain valuable data. Technology is available to access all of this data to gain a complete picture.
Reluctance to expand the use of technology
Technology may be viewed as a threat to those who perceive that automation might replace jobs. A benefit of continuous auditing is that it performs routine, repetitive tasks and provides the opportunity for the more interesting exploratory work that adds far more value to the organization.
Overwhelming results
When not properly implemented, continuous auditing can result in hundreds, even thousands, of false positives and wasted effort. Many companies that have experienced success with continuous auditing recommend that you start small. Select which area of the company poses the greatest risk and where its transactions and control systems are most important to the company for your initial foray into continuous auditing. Automate a small number of key initial tests, such as comparing your accounts payable vendor master file with the employee address file, to uncover potential policy violations or fraud. Moving forward, increase the tests and gradually expand into other business processes in stages.
Training
Training is essential for optimum results. A number of institutions, including ACL Services Ltd., offer training on computer-aided audit techniques including continuous auditing through automation. Training can be conducted either on-site or remotely, depending on the need of companies.
Comparison to computer-aided auditing
Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.
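As an added example (not from the original article or any audit product), the following sketch implements the initial test named under Overwhelming results: comparing the accounts payable vendor master file with the employee address file. The record layout, the abbreviation table and the `reviewed` suppression set (pairs already cleared during follow-up) are assumptions made for illustration, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a real schema.
VENDORS = [
    {"vendor_id": "V100", "address": "12 Main Street, Apt. 4", "city": "Springfield"},
    {"vendor_id": "V101", "address": "500 Harbor Road", "city": "Portsmouth"},
    {"vendor_id": "V102", "address": "77 OAK AVE", "city": "Riverton"},
    {"vendor_id": "V103", "address": "", "city": ""},
]
EMPLOYEES = [
    {"emp_id": "E7", "address": "77 Oak Avenue", "city": "riverton"},
    {"emp_id": "E8", "address": "12 Main St Apt 4", "city": "Springfield"},
    {"emp_id": "E9", "address": "", "city": ""},
]

# Map common spellings to one form so formatting differences do not hide a match.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def normalize(address, city):
    """Return a comparison key, or None when the record has no address."""
    text = re.sub(r"[^a-z0-9 ]", " ", f"{address} {city}".lower())
    tokens = [ABBREV.get(t, t) for t in text.split()]
    return " ".join(tokens) or None


def vendor_employee_matches(vendors, employees, reviewed=frozenset()):
    """Return one alarm per vendor whose address equals an employee's address.

    `reviewed` holds (vendor_id, emp_id) pairs already cleared in follow-up,
    so repeated runs do not raise the same false positive again.
    """
    by_key = defaultdict(list)
    for emp in employees:
        key = normalize(emp["address"], emp["city"])
        if key is not None:  # blank addresses must not match each other
            by_key[key].append(emp["emp_id"])
    alarms = []
    for vendor in vendors:
        key = normalize(vendor["address"], vendor["city"])
        if key is None:
            continue
        for emp_id in by_key.get(key, []):
            if (vendor["vendor_id"], emp_id) not in reviewed:
                alarms.append({"vendor_id": vendor["vendor_id"],
                               "emp_id": emp_id, "matched_on": key})
    return alarms


if __name__ == "__main__":
    for alarm in vendor_employee_matches(VENDORS, EMPLOYEES):
        print(alarm)
```

Exact matching on a normalized key keeps the alarm volume low for a first deployment; fuzzier matching would catch more variants at the cost of more follow-up work.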