Continuous auditing

Continuous auditing is the independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. Continuous auditing uses a set of tools to assure the internal control system is functioning to prevent fraud, errors and waste. The “continuous” aspect of continuous auditing and reporting refers to the near real-time capability for financial information to be checked and shared. Not only does it indicate that the integrity of information can be evaluated at any given point of time, it also means that the information is verified constantly for errors, fraud and inefficiencies.

Each instance of continuous auditing has its own pulse. The internal management chooses for evaluation depends on the frequency of updates within the accounting information systems. Analysis of the data may be performed hourly, daily, weekly, monthly, etc. depending on the application.

Non-financial aspects of continuous auditing might encompass an ongoing assessment program to determine the state of security control effectiveness as a result of changes in an organization's information systems or its environment of operation. Large changes to an organization's security and network infrastructure profile should trigger near real-time monitored events.^[1]

History of continuous auditing

The first application of continuous auditing was developed at AT&T Bell Laboratories in 1989^[2]. Known as a continuous process auditing system (CPAS), the system developed by Vasarhelyi and Halper provided measurement, monitoring, and analysis of the company's billing information. Here key concepts such as metrics, analytics, and alarms pertaining to financial information were also introduced.

Components of continuous auditing

Continuous auditing is made up of two main parts: continuous data assurance (CDA) and continuous controls monitoring (CCM).

Continuous Data Assurance

A concern with continuous auditing is that the financial information is correct.

Continuous Controls Monitoring

Monitoring is measuring, or comparing settings in an enterprise resource planning (ERP) system with a model.

Level 1: Analytical Review Level 2: Some accounts monitored daily Level 3: Detailed monitoring of accounts/exceptions

Black Box Logging

A black box log file is a read-only, third-party controlled record of the actions of auditors. The objective of black box logging is to protect a continuous auditing system against auditor and management benchmarks.

Continuous Reporting

Continuous reporting is the release of financial and non-financial information also on a near real-time basis. The purpose of continuous reporting is to allow external parties access to information as event take place, rather than waiting for the end of period reports. The adoption of XBRL by companies makes the release of this information more feasible. Continuous reporting also benefits users under Regulation Fair Disclosure.

Continuous reporting is a point of constant debate. Some parties, including analysts and investors, are interested in knowing how a company is doing at a given point in time. They argue that near real-time information would provide them with the ability to take advantage of important business moves as they happen. However, opponents are skeptical of how the raw information can be useful and fear information overload, or that there would be too much irrelevant information out there. Additionally, some companies are fearful that continuously reported financial information would give away important strategic moves and undermine competitive advantage.

Demand

Demand for continuous auditing has come from a variety of sources, primarily user-driven requirements. External disclosure, internal drivers, laws and regulation, and technology all play important roles in pushing up demand.

External disclosure

More frequent disclosure will drive the nature of the audit process. This increase improves the quality of earnings while reducing manager aggressiveness and decreasing stock market volatility^[3].

Internal drivers

As companies have become more integrated within their own departments and with other companies, such as suppliers and retailers, a desire for data integrity throughout the electronic data exchange process is also driving demand for continuous auditing^[4][5]

Laws and regulation

In Laws and regulation all those activities and ways by which a company followed in order to achieve a specific goal. By these laws and regulation company comenced for continuous auditing.

Technology

XBRL

XBRL facilitates the development of continuous auditing modules by providing a way for systems to understand the meaning of tagged data. Proper use of XBRL assures that relevant data gathered from multiple sources is easily comparable and analyzable. XBRL is a derivative of the XML file format, which tags data with contextual and hierarchical information. It is expected that many enterprise resource planning systems will provide data in the XBRL-GL format to facilitate machine readability.

Security

Because of the nature of the information passing through continuous auditing systems, security and privacy issues are also being addressed. Data assurance techniques, as well as access control mechanisms and policies are being implemented into CA systems to prevent unauthorized access and manipulation, and CCM can help test these controls.

Comparison to Computer-Aided Auditing

Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.

Continuous Auditing in Action

AT&T Bell Laboratories - The first model of continuous auditing was developed to evaluate the billing system within the company.

Itau Unibanco - Continuous auditing allows management to assess the performance and compliance of individual branches.

NEMEA - Advanced continuous auditing software intuitively compiles responses across all departments, tracks high-risk areas, then documents and provides standardized regulatory compliance reports to internal and external auditors.

Hospital Corporation of America -

Hewlett-Packard -

Procter & Gamble - Analytics are used to enable advanced automation and remote auditing.

Siemens - Advanced continuous monitoring of internal controls and access to IT systems.

See also

• Center for Audit Quality (CAQ)

External links

• Rutgers Accounting Web
• The Future of Audit
• 2009 IT Audit Benchmarking Study (The Institute of Internal Auditors)
• United States Patent and Trademark Office Patent 7,676,427 System and Method of Continuous Assurance

References

1. ^ NIST Special Publication 800-53
2. ^ Vasarhelyi, M.A. and Halper, F. B., 1991, The Continuous Audit of Online Systems, Auditing: A Journal of Practice and Theory, 10(1), 110-125.
3. ^ Hunton, J., A. Wright, and S. Wright. 2002. Assessing the Impact of More Frequent External Financial Statement Reporting and Independent Auditor Assurance on Quality of Earnings and Stock Market Effects. Working paper presented at the Fifth Continuous Auditing Symposium.
4. ^ Van Decker, J., 2004, The Need for Continuous Controls Monitoring, Available Online, Delta 2951: METAgroup, http://www.metagroup.com/webhost/ONLINE/739743/d2951.htm.
5. ^ Vasarhelyi, M.A., Alles, M. and Kogan, A., 2004, Principles of Analytic Monitoring for Continuous Assurance, Journal of Emerging Technologies in Accounting, 1(1), 1-21.

5. Wei Chen, Jin-cheng Zhang, Yu-quan Jiang. One continuous auditing practice in China: data-oriented online auditing (DOOA) [A]. The 7th IFIP International Conference on e-Business, e-Services, and e-Society (I3E2007) [C]. Boston: Springer, 2007: 521 – 528