Global Technology Audit Guide
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Author
David Coderre, Royal Canadian Mounted Police (RCMP)
Subject Matter Experts
John G. Verver, ACL Services Ltd.
J. Donald Warren Jr., Center for Continuous Auditing, Rutgers University
Copyright © 2005 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.
Table of Contents
1. Executive Summary for the Chief Audit Executive ..... 1
   Continuous Auditing ..... 1
   The Need for Continuous Auditing/Continuous Monitoring: An Integrated Approach ..... 1
   The Roles of Internal Audit Activity and Management ..... 2
   The Power of Continuous Auditing ..... 2
   Implementation Issues ..... 2
2. Introduction ..... 3
   Continuous Auditing: A Brief History ..... 3
   Today’s Audit Environment ..... 3
   COSO Enterprise Risk Management (ERM) Framework ..... 4
   The Roles of the Internal Audit Activity and Management ..... 5
   Benefits of Continuous Auditing and Monitoring ..... 5
3. Key Concepts and Terms: The Need for Clarity ..... 7
   Continuum of Continuous Auditing ..... 8
4. Relationship of Continuous Auditing to Continuous Assurance and Continuous Monitoring ..... 9
   Continuous Assurance ..... 9
   Continuous Monitoring ..... 9
   Continuous Auditing ..... 9
5. Areas for the Application of Continuous Auditing ..... 11
   Applications for Continuous Control Assessment ..... 11
   Applications for Continuous Risk Assessment ..... 13
   Development of Audit Plan ..... 14
   Support to Individual Auditing ..... 15
   Follow-up on Audit Recommendations ..... 15
   Conclusion ..... 16
6. Implementing Continuous Auditing ..... 17
   Continuous Auditing Objectives ..... 17
   Continuous Control and Risk Assessment – Relationship ..... 21
   Manage and Report Results ..... 23
   Challenges and Other Considerations ..... 24
7. Conclusion ..... 26
8. Appendix A – Example of Continuous Auditing Applied to Accounts Payable ..... 27
9. Appendix B – Related Standards ..... 29
10. Appendix C – Continuous Auditing Self Assessment ..... 30
11. About the Author ..... 32
12. References ..... 33
Executive Summary for the Chief Audit Executive

The need for timely and ongoing assurance over the effectiveness of risk management and control systems is critical. Organizations are continually exposed to significant errors, frauds, or inefficiencies that can lead to financial loss and increased levels of risk. An evolving regulatory environment, increased globalization of businesses, market pressure to improve operations, and rapidly changing business conditions are creating the need for more timely and ongoing assurance that controls are working effectively and risk is being mitigated.

These demands have put increased pressure on chief audit executives (CAEs) and their staff. Internal audit departments have been extensively involved in a wide range of compliance efforts, particularly due to legislation such as Section 404 of the U.S. Sarbanes-Oxley Act of 2002, raising concerns not only about mounting expectations, but also about internal auditors’ ability to maintain independence and objectivity when evaluating the effectiveness of controls, risk management, and governance processes.

Today, internal auditors face challenges in a range of areas:[1]
• Regulatory Compliance and Controls: Evaluation and identification of issues and processes, sustainability, resources, defining materiality, priorities, and financial reporting risks.
• Internal Audit Value and Independence: The high expectations of internal auditing, growing internal controls issues, confusion around the role of internal auditing liability and responsibility, and compromised objectivity and independence.
• Fraud: Detection and control, identity theft, fraud management responsibility, and increased incidence and cost of fraud.
• Availability of Skilled Resources: Lack of competency and appropriate skill sets, shortage of auditors, retention, and lack of understanding of risks and controls.
• Technology: Appropriate solutions to support compliance, technology business model, information security, competing information technology (IT) priorities, and outsourcing.

It is evident that a new approach, one that provides a sustainable, productive, and cost-effective means to address these issues, is essential.
Continuous Auditing

Traditionally, internal auditing’s testing of controls has been performed on a retrospective and cyclical basis, often many months after business activities have occurred. The testing procedures have often been based on a sampling approach and included activities such as reviews of policies, procedures, approvals, and reconciliations. Today, however, it is recognized that this approach affords internal auditors only a narrow scope of evaluation, and is often too late to be of real value to business performance or regulatory compliance.

Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis. Technology is key to enabling such an approach. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions. It becomes an integral part of modern auditing at many levels. It also should be closely tied to management activities such as performance monitoring, balanced scorecard, and enterprise risk management (ERM).

A continuous audit approach allows internal auditors to fully understand critical control points, rules, and exceptions. With automated, frequent analyses of data, they are able to perform control and risk assessments in real time or near real time. They can analyze key business systems both for anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging risk. Finally, with continuous auditing, the analysis results are integrated into all aspects of the audit process, from the development and maintenance of the enterprise audit plan to the conduct and follow-up of specific audits.
The Need for Continuous Auditing/Continuous Monitoring: An Integrated Approach

In light of CAEs’ concerns regarding the burden of compliance efforts, the scarcity of resources, and the need to maintain audit independence, a combined strategy of continuous auditing and continuous monitoring is ideal.

Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. It addresses management’s responsibility to assess the adequacy and effectiveness of controls. This involves identifying the control objectives and assurance assertions and establishing automated tests to highlight activities and transactions that fail to comply. Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by internal auditors.

Management’s use of continuous monitoring procedures, in conjunction with continuous auditing performed by internal auditors, will satisfy the demands for assurance that control procedures are effective and that the information produced for decision-making is both relevant and reliable.

An important additional benefit to the organization is that instances of error and fraud are typically significantly reduced, operational efficiency is increased, and bottom-line results are improved through a combination of cost savings and a reduction in overpayments and revenue leakage. Organizations that introduce a continuous auditing and controls monitoring approach often find that they achieve a rapid return on investment.

The business and regulatory environment and emerging audit standards are driving auditors and management to make more effective use of information and data analysis technologies as a fundamental enabler of continuous auditing and continuous monitoring.
[1] Report from The IIA’s 2005 International Conference CAE Roundtable Discussion, July 2005.
The Roles of Internal Auditing and Management

Management has the primary responsibility for assessing risk and for the design, implementation, and ongoing maintenance of controls within an organization. The internal audit activity is responsible for identifying and evaluating the effectiveness of the organization’s risk management system and controls as implemented by management. Auditors conduct the evaluation to provide assurance to the audit committee and senior management as to the state of risk and control systems and, in the case of legislation such as the Sarbanes-Oxley Act, the reliability of management’s representation concerning the state of controls. Ideally, internal auditing is not part of the controls monitoring process and does not design or maintain the controls, thereby retaining its independence.

Although the monitoring of internal controls is a management responsibility, the internal audit activity can use and leverage continuous auditing to strengthen the overall monitoring and review environment in an organization. The level of proactive monitoring performed by management will directly affect how auditors approach continuous auditing. In cases where the continuous monitoring of controls is being performed by management, the same level of detailed transaction testing may not be required under continuous auditing. Instead, auditors can focus on procedures to determine the effectiveness of management’s monitoring process and, depending on the outcome of such tests, adjust the scope, number, and frequency of audit testing.
The Power of Continuous Auditing

The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks, which results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation. By changing their overall approach in this way, auditors will develop a better understanding of the business environment and the risks to the company to support compliance and drive business performance.
Implementation Issues

The CAE must be cognizant of the fact that continuous auditing will change the audit paradigm, including the nature of evidence, timing, procedures, and level of effort required by internal auditors. This will place demands on the audit department. In particular, it will have to:
• Obtain and nurture audit committee and senior management support for the concept and implementation of continuous auditing.
• Develop and maintain the technical competencies and enabling technology necessary to access, manipulate, and analyze the data contained in disparate information systems.
• Use (or implement) data analysis techniques to support audit projects, including the use of appropriate analytic software tools and development and maintenance of data analysis techniques and expertise within the audit team.
• Sponsor, promote, and encourage the adoption and support of continuous monitoring by management.
• Ensure that continuous auditing is adopted as part of an integrated, consistent approach to risk-oriented audit planning.
• Manage and respond to the results of continuous auditing, determining appropriate use, follow-up, and reporting mechanisms. The CAE will have to ensure that appropriate action is taken on the audit findings reported to management and that the results of continuous auditing are considered by management when assessing activities such as the monitoring of controls, performance measurement, and enterprise risk management.

This IIA Global Technology Audit Guide (GTAG) identifies what must be done to make effective use of technology in support of continuous auditing and highlights areas that require further attention. By reading and following the steps described, internal auditors should be in a much better position to use technology and maximize their return on investment as well as to demonstrate to management the need to make appropriate technology investments — while contributing to compliance with the regulatory requirements impacting their organization and to its overall health and competitiveness.
Introduction

This GTAG will focus on the technology-enabled aspects of continuous auditing and will address:
• A history and background of similar concepts used during the last 30 years.
• A definition of related terms and techniques: continuous auditing, continuous risk assessment, continuous control assessment, continuous monitoring, and assurance.
• The role of continuous auditing in relation to continuous monitoring.
• Areas where continuous auditing can be applied by the internal audit activity.
• Challenges and opportunities related to continuous auditing.
• The implications for internal auditing and the CAE and for management.
• A continuous auditing self-assessment tool (Appendix C, page 30).

Since 1980, many terms have been associated with the notion of providing ongoing audit procedures in real time or near real time, including continuous monitoring, continuous control assessment, and continuous auditing. This GTAG categorizes previous approaches under the unifying concept of “continuous auditing.” It discusses continuous control assessment and continuous risk assessment as the main components of continuous auditing. This guide also deems monitoring activities to be management’s responsibility, but discusses the interrelationship between auditing and monitoring and how internal auditors provide additional assurance to support management in their role.

One of the current and most visible drivers for continuous auditing is the high cost of regulatory compliance. In the United States, a Financial Executives International survey (March 2005)[2] pegged the cost of Sarbanes-Oxley compliance at an average of more than $4 million per organization. Since most of these costs were related to manual, people-intensive processes — based on use of internal resources and external consultants — it is no surprise that an AMR Research study (January 2005)[3] found that key technologies can be used to reduce compliance costs by upwards of 25 percent.

The burden of compliance is pressuring organizations to improve their methods of performing ongoing evaluation of internal controls. In this context, the U.S. Securities and Exchange Commission stated, “both management and auditors must bring reasoned judgment, and a top-down, risk-based approach to the [Sarbanes-Oxley Section 404] compliance processes.” This has led to an increased focus on both continuous monitoring (by management) and continuous auditing. Supporting a comprehensive set of audit activities, continuous auditing not only helps support the audit activity’s assurance of controls, but also risk assessment; the identification of fraud, waste, and abuse; audit planning; and the tracking of audit recommendations.
Continuous Auditing: A Brief History

Automated control testing originated in the 1960s with the installation and implementation of embedded audit modules (EAMs). However, these modules were difficult to build and maintain, and were used in relatively few organizations. By the late 1970s, auditors had begun moving away from this approach. In the 1980s, early adopters within the audit profession began using computer-assisted audit tools and techniques (CAATTs) for ad hoc investigation and analyses. Coincident with this, the notion of continuous monitoring was first introduced to auditors in a largely academic context. The basic premise was that use of ongoing automated data analysis would help auditors identify the areas of greatest risk, as a precursor to determining their audit plans. For the most part, however, auditors were not ready for this type of approach. They lacked easy access to appropriate software tools, the technical resources and expertise to overcome data access challenges, and, most importantly, the organizational will to embrace this new commitment to a significantly different audit approach and methodology.

During the 1990s, within the global audit profession, there was increasingly widespread adoption of data analytics solutions, which were viewed as a critical tool to support the testing of the effectiveness of internal controls. This technology was used to examine transactions for indications of events that occurred because a control did not exist or failed to perform properly. It also identified transactions that did not meet control standards. In addition, data analysis supported the testing of controls not directly evidenced by transactional data. For example, enterprise resource planning (ERP) access and authorization tables could be analyzed to identify failures to maintain appropriate segregation of duties. However, even with this technology underpinning, traditional audit processes often relied on representative samples, rather than assessing the entire population, with analyses continuing to take place some time after the completion of the business activity (transaction). As a result, risk and control problems had a greater opportunity to escalate and impact business performance negatively.
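As an added example (not part of the GTAG or of any vendor's product), the two kinds of automated test described above, written in Python over constructed ERP extracts: a segregation-of-duties check over an authorization table, which is the data-driven indicator of a control deficiency, and a test over 100 percent of a payment extract for self-approved or unapproved payments, which is the transaction-level anomaly. The SoD rule pairs, role names, record layouts and the approval threshold are assumptions.

```python
"""Added example (not from the GTAG): two continuous-auditing tests over
constructed ERP extracts. Rule pairs, role names, record layouts and the
approval threshold are assumptions; every record below is constructed."""
from collections import defaultdict

# Assumed SoD rules: two duties a single user should never hold together.
SOD_RULES = {
    ("VENDOR_MAINTAIN", "PAYMENT_APPROVE"),
    ("PO_CREATE", "GOODS_RECEIPT"),
}

# Constructed authorization-table extract: (user, role granted).
AUTHORIZATIONS = [
    ("jsmith", "VENDOR_MAINTAIN"),
    ("jsmith", "PAYMENT_APPROVE"),  # conflicts with the first rule
    ("mlee", "PO_CREATE"),
    ("mlee", "PAYMENT_APPROVE"),    # no rule pairs these two duties
    ("akhan", "PO_CREATE"),
    ("akhan", "GOODS_RECEIPT"),     # conflicts with the second rule
]

# Constructed payment extract: the whole population, not a sample.
PAYMENTS = [
    {"id": "P1001", "created_by": "mlee", "approved_by": "jsmith", "amount": 4200.00},
    {"id": "P1002", "created_by": "jsmith", "approved_by": "jsmith", "amount": 980.00},
    {"id": "P1003", "created_by": "akhan", "approved_by": None, "amount": 15000.00},
]


def sod_conflicts(auths):
    """Return {user: [rule, ...]} for each user holding both duties of a rule."""
    roles = defaultdict(set)
    for user, role in auths:
        roles[user].add(role)
    conflicts = {}
    for user, held in roles.items():
        hits = sorted(rule for rule in SOD_RULES if set(rule) <= held)
        if hits:
            conflicts[user] = hits
    return conflicts


def payment_exceptions(payments, approval_threshold=1000.00):
    """Flag self-approved payments and above-threshold payments with no approver.

    The threshold is an assumed control parameter, not a value from the guide."""
    exceptions = []
    for p in payments:
        if p["approved_by"] is None and p["amount"] >= approval_threshold:
            exceptions.append((p["id"], "missing approval"))
        elif p["approved_by"] == p["created_by"]:
            exceptions.append((p["id"], "self-approval"))
    return exceptions


if __name__ == "__main__":
    for user, rules in sod_conflicts(AUTHORIZATIONS).items():
        print(f"SoD conflict: {user} holds {rules}")
    for pid, reason in payment_exceptions(PAYMENTS):
        print(f"Payment exception {pid}: {reason}")
```

In practice both tests would be scheduled against fresh extracts so that a newly granted conflicting role or a self-approved payment is reported shortly after it occurs rather than at the next cyclical review.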
Today’s Audit Environment

Today, the proliferation of information systems in the business environment gives auditors easier access to more relevant information — but also involves the management and review of vastly increased volumes of data and transactions.

Further, the rapid pace of business requires prompt identification of, and response to, control issues. Regulations such as Section 404 of Sarbanes-Oxley in the United States require the timely disclosure of control deficiencies and management assertions around the adequacy of the control framework. This statutory compliance imperative, as well as ongoing changes in auditing standards and the evolution of audit software, are encouraging and enabling auditors to adopt new approaches to assessing information and controls.

The CAE must be able to provide senior management with ongoing assessments — rather than simply periodic reviews — of the health of

[2] Survey on SOX Section 404 Implementation, Financial Executives International, March 2005.
[3] SOX Decisions for 2005: Step Up Technology Investments, John Hagerty, AMR Research, January 2005.