Continuous auditing

From HORSE - Holistic Operational Readiness Security Evaluation.

Continuous Auditing or Proactive Auditing is an automatic method used to perform audit activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.

The "continuous" aspect of continuous auditing and reporting refers to the real-time or near real-time capability for financial information to be checked and shared. Not only does it indicate that the integrity of information can be evaluated at any given point of time, it also means that the information is able to be verified constantly for errors, fraud, and inefficiencies. It is the most detailed audit.

Each instance of continuous auditing has its own pulse. The time frame selected for evaluation depends largely on the frequency of updates within the accounting information systems. Analysis of the data may be performed continuously, hourly, daily, weekly, monthly, etc. depending on the nature of the underlying business cycle for a given assertion.


The objective of financial reporting is to provide information that is useful to management and stakeholders for resource allocation decisions. For financial information to be useful, it should be timely and free from material errors, omissions, and fraud. In the real time economy, timely and reliable financial information is critical for day-to-day business decisions regarding strategic planning, capital acquisition, credit decisions, supplier partnerships, and so forth. Advances in accounting information systems such as the advent of enterprise resource planning (ERP) systems have enabled the generation of real time information. However, the practice of traditional auditing has not kept pace with the real time economy. Traditional manual audit procedures are labor and time intensive, which limits audit frequency to a periodic basis, such as annually.

These time and effort constraints can be alleviated through the use of technology and automation. Continuous auditing enhances the delivery of auditing services by making the audit process more efficient and effective through the use of technology and automation. The increased efficiency and effectiveness of the audit process enables more frequent or real time audits and hence enhances the reliability of the underlying information.

History of continuous auditing

The first application of continuous auditing was developed at AT&T Bell Laboratories in 1989. Known as a continuous process auditing system (CPAS), the system developed by Vasarhelyi and Halper provided measurement, monitoring, and analysis of the company's billing information. Here key concepts such as metrics, analytics, and alarms pertaining to financial information were also introduced.

Lazarus Alliance took the premise and integrated the Security Trifecta philosophy of cyber security with Governance, Technology and Vigilance. The process is technically reliant on the IT Audit Machine (ITAM) developed by Lazarus Alliance and while there are alternatives to ITAM, it is widely held that it is the best assessment application available and seamlessly supports the former continuous auditing as well as the present iteration known as Proactive Auditing.

Components of continuous auditing

Continuous auditing is made up of three main parts: continuous data assurance (CDA), continuous controls monitoring (CCM), and continuous risk monitoring and assessment (CRMA).

Continuous Data Assurance

Continuous data assurance verifies the integrity of data flowing through the information systems. Continuous data assurance uses software to extract data from IT systems for analysis at the transactional level to provide more detailed assurance. CDA systems provide the ability to design expectation models for analytical procedures at the business-process level, as opposed to the current practice of relying on ratio or trend analysis at higher levels of data aggregation. CDA software can continuously and automatically monitor transactions, comparing their generic characteristics with predetermined benchmarks, thereby identifying anomalous situations. When significant discrepancies occur, alarms are triggered and routed to appropriate stakeholders and auditors.

Continuous Controls Monitoring

Continuous controls monitoring consists of a set of procedures used for monitoring the functionality of internal controls. CCM relies on automatic procedures, presuming that both the controls themselves and the monitoring procedures are formal or able to be formalized. CCM can be used for monitoring access control and authorizations, system configurations, and business process settings.
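A formalized control of the kind CCM depends on can be written as a check that runs against each snapshot of access assignments and settings. The following is an added example, not part of the original page or of any product; the permission names, roles, users, and baseline values are constructed assumptions.

```python
# Constructed control definitions and system snapshot (hypothetical names).
CONFLICTING_PERMISSIONS = [
    ("vendor.create", "payment.approve"),
    ("journal.post", "journal.approve"),
]
BASELINE_SETTINGS = {"password_min_length": 12, "three_way_match_required": True}

SAMPLE_ROLE_PERMISSIONS = {
    "ap_clerk": ["vendor.create", "invoice.enter"],
    "ap_supervisor": ["payment.approve"],
    "gl_accountant": ["journal.post"],
}
SAMPLE_USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_supervisor"],      # conflict only appears across roles
    "carol": ["gl_accountant", "temp_close"],  # role with no definition
}
SAMPLE_SETTINGS = {"password_min_length": 8, "three_way_match_required": True}


def check_controls(user_roles, role_permissions, settings):
    """Return sorted exception strings; an empty list means every control passed."""
    exceptions = []
    for user, roles in user_roles.items():
        perms = set()
        for role in roles:
            if role not in role_permissions:
                # An assignment the monitor cannot resolve is itself an exception.
                exceptions.append(f"ACCESS {user}: undefined role {role}")
            perms |= set(role_permissions.get(role, ()))
        # Test the user's combined permissions, not each role in isolation.
        for first, second in CONFLICTING_PERMISSIONS:
            if first in perms and second in perms:
                exceptions.append(f"SOD {user}: holds {first} and {second}")
    for name, expected in BASELINE_SETTINGS.items():
        actual = settings.get(name, "<missing>")
        if actual != expected:
            exceptions.append(f"CONFIG {name}: expected {expected!r}, found {actual!r}")
    return sorted(exceptions)


if __name__ == "__main__":
    for line in check_controls(SAMPLE_USER_ROLES, SAMPLE_ROLE_PERMISSIONS, SAMPLE_SETTINGS):
        print(line)
```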

CDA and CCM are complementary processes. Neither process is self-sufficient or comprehensive. Even if no data faults are found it cannot be concluded that controls are fail-safe. Further, even if controls are being implemented, data integrity cannot be assumed. When combined, however, these monitoring approaches present a more complete reliance picture.

Continuous Risk Monitoring and Assessment

Continuous risk monitoring and assessment is used to dynamically measure risk and provide input for audit planning. CRMA is a real-time integrated risk assessment approach, aggregating data across different functional tasks in organizations to assess risk exposures and provide reasonable assurance on the firms’ risk assessments.

Black Box Logging

In addition to the aforementioned three components, the black box audit log file is also an important part of continuous auditing. This file can be viewed as an extension of the existing practice of documenting audit activities in manual or automated work papers. A black box log file is a read-only, third-party controlled record of the actions of auditors. The objective of black box logging is to protect a continuous auditing system against auditor and management manipulations.
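The page does not specify how a black box log is protected. The following added example, not part of the original page, shows one common way to make such a record tamper-evident: each entry carries an HMAC chained to the previous entry, computed with a key held only by the third-party log keeper. The key, actors, and actions are constructed, and storing the head MAC and entry count separately from the log is an assumption.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first entry exists


def _mac(key: bytes, prev_mac: str, record: dict) -> str:
    # Canonical JSON so the same record always produces the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, actor: str, action: str, ts: str) -> dict:
    """Run by the third-party log keeper, the only holder of `key`."""
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action}
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {**record, "mac": _mac(key, prev_mac, record)}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes, expected_len: int, expected_head: str) -> list:
    """Return findings as strings; an empty list means the log is intact."""
    findings, prev_mac = [], GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if record.get("seq") != i:
            findings.append(f"entry {i}: sequence gap or reordering")
        if not hmac.compare_digest(entry.get("mac", ""), _mac(key, prev_mac, record)):
            findings.append(f"entry {i}: MAC mismatch (edited or chain broken)")
        prev_mac = entry.get("mac", "")
    # Length and head MAC are stored apart from the log, so cutting entries
    # off the tail is caught even though every remaining link still verifies.
    if len(log) != expected_len or prev_mac != expected_head:
        findings.append("head mismatch: entries removed or added out of band")
    return findings


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value for the demo only
    log = []
    append_entry(log, key, "auditor.a", "disabled rule AP-07", "2024-03-01T09:00:00Z")
    append_entry(log, key, "manager.c", "closed alarm 112", "2024-03-01T09:05:00Z")
    head = log[-1]["mac"]
    log[0]["action"] = "viewed rule AP-07"  # simulated after-the-fact edit
    print(verify_log(log, key, 2, head))
```

Because auditors and managers never hold the key, they cannot recompute a valid chain after changing an entry.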

Continuous reporting

Continuous reporting is the release of financial and non-financial information on a real-time or near real-time basis. The purpose of continuous reporting is to allow external parties access to information as underlying events take place, rather than waiting for end of period reports. The adoption of XBRL by companies makes the release of continuous reporting information more feasible. Continuous reporting also benefits users under Regulation Fair Disclosure.

Continuous reporting is a point of constant debate. Some parties, including analysts and investors, are interested in knowing how a company is doing at a given point in time. They argue that near real-time information would provide them with the ability to take advantage of important business moves as they happen. However, opponents are skeptical of how the raw information can be useful and fear information overload, or that there would be too much irrelevant information out there. Additionally, some companies are fearful that continuously reported financial information would give away important strategic moves and undermine competitive advantage.

Implementation of continuous auditing

Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed.

These steps include:

  • Establishing priority areas.

This entails choosing which organizational areas to audit. When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives.

  • Identifying monitoring and continuous audit rules.

The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process.

  • Determining the process' frequency.

Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing.

  • Configuring continuous audit parameters.

Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. When defining a CAP, auditors should consider the costs and benefits of error detection as well as audit and management follow-up activities.

  • Following up.

Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both; usually the alarm is sent to the process manager, the manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed need to be addressed when establishing the continuous audit process.

  • Communicating results.

A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent.


Demand for continuous auditing has come from a variety of sources, primarily user-driven requirements. External disclosure, internal drivers, laws and regulation, and technology all play important roles in pushing up demand.

Internal drivers

As companies have become more integrated within their own departments and with other companies, such as suppliers and retailers, a desire for data integrity throughout the electronic data exchange process is also driving demand for continuous auditing.

Laws and regulation

Laws and regulations require that the activities and methods a company uses to achieve a specific goal be monitored. Companies have adopted continuous auditing in response to such laws and regulations.



XBRL facilitates the development of continuous auditing modules by providing a way for systems to understand the meaning of tagged data. Proper use of XBRL assures that relevant data gathered from multiple sources is easily comparable and analyzable. XBRL is a derivative of the XML file format, which tags data with contextual and hierarchical information. It is expected that many enterprise resource planning systems will provide data in the XBRL-GL format to facilitate machine readability.


Because of the nature of the information passing through continuous auditing systems, security and privacy issues are also being addressed. Data assurance techniques, as well as access control mechanisms and policies are being implemented into CA systems to prevent unauthorized access and manipulation, and CCM can help test these controls.


For many organizations, there are a number of challenges to implementing a continuous auditing approach. The following are some common challenges with associated recommendations.

Accessing complex, diverse system environment

Few organizations have a completely homogeneous, seamless system environment. There is typically a mix of ERPs or multiple instances of one ERP, mainframe systems, off-the-shelf applications, and legacy systems, all of which may contain valuable data. Technology is available to access all of this data to gain a complete picture.

Reluctance to expand the use of technology

Technology may be viewed as a threat to those who perceive that automation might replace jobs. A benefit of continuous auditing is that it performs routine, repetitive tasks and provides the opportunity for the more interesting exploratory work that adds far more value to the organization.

Overwhelming results

When not properly implemented, continuous auditing can result in hundreds - even thousands - of false positives and wasted effort. Many companies that have experienced success with continuous auditing recommend that you start small. Select which area of the company poses the greatest risk and where its transactions and control systems are most important to the company for your initial foray into continuous auditing. Automate a small number of key initial tests, such as comparing your accounts payable vendor master file with the employee address file, to uncover potential policy violations or fraud. Moving forward, increase the tests and gradually expand into other business processes in stages.
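The vendor master versus employee address test mentioned above can be sketched as follows. This is an added example, not part of the original page; the field names, abbreviation table, and records are constructed assumptions, and a match is an exception for review, not proof of a violation.

```python
import re

# Common street and unit abbreviations; extend for local address conventions.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
           "boulevard": "blvd", "suite": "ste", "apartment": "apt",
           "north": "n", "south": "s", "east": "e", "west": "w"}

# Constructed sample records.
SAMPLE_VENDORS = [
    {"vendor_id": "V100", "street": "12 North Main Street, Apt. 4", "postal_code": "30301-1234"},
    {"vendor_id": "V200", "street": "500 Commerce Blvd", "postal_code": "30302"},
    {"vendor_id": "V300", "street": "77 Oak Rd.", "postal_code": "30303"},
]
SAMPLE_EMPLOYEES = [
    {"employee_id": "E1", "street": "12 N. Main St Apt 4", "postal_code": "30301"},
    {"employee_id": "E2", "street": "77 Oak Road", "postal_code": "30304"},
]


def normalize_address(street: str, postal_code: str) -> str:
    """Reduce an address to a comparison key that survives formatting noise."""
    text = re.sub(r"[^a-z0-9 ]", " ", street.lower())
    tokens = [_ABBREV.get(t, t) for t in text.split()]
    zip5 = re.sub(r"\D", "", postal_code)[:5]  # ignore any +4 extension
    return " ".join(tokens) + "|" + zip5


def match_vendors_to_employees(vendors, employees):
    """Return (vendor_id, employee_id, key) for every shared normalized address."""
    by_key = {}
    for emp in employees:
        key = normalize_address(emp["street"], emp["postal_code"])
        by_key.setdefault(key, []).append(emp["employee_id"])
    hits = []
    for vendor in vendors:
        key = normalize_address(vendor["street"], vendor["postal_code"])
        # Requiring the postal code to agree keeps same-named streets in
        # different areas from flooding reviewers with false positives.
        for emp_id in by_key.get(key, []):
            hits.append((vendor["vendor_id"], emp_id, key))
    return hits


if __name__ == "__main__":
    for hit in match_vendors_to_employees(SAMPLE_VENDORS, SAMPLE_EMPLOYEES):
        print(hit)
```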


Training is essential for optimum results. A number of institutions, including ACL Services Ltd., offer training on computer-aided audit techniques including continuous auditing through automation. Training can be conducted either on-site or remotely, depending on the need of companies.

Comparison to Computer-Aided Auditing

Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.
