Continuous Auditing and Continuous
Control Monitoring:
Case studies of technology adoption in
leading internal audit organizations and
external audit teams
Miklos A. Vasarhelyi
Siripan Kuenkaikaew
Silvia Romero
CA/CM adoption
External auditors and CA – Assessment of 4
Audit teams use of CA
• Objectives
• This study involve field research studies from 4 external audit
teams
• Examines the status of usage of technology in auditing, its
enablers and difficulties
Rutgers Business School
CA/CM adoption
Methodology
• Interviews with audit team managers, IT managers and
forensic team managers.
• The interviews were conducted face-to-face through site
visits.
Rutgers Business School
CA/CM adoption
Conclusions
• Teams report tools are useful – but usage is sparse
• Integration between teams
– Wide range of outcomes with Approva – suggest leveraging the better
practice as to how IT is integrated on team
– Background / training of specialists makes a difference
• Audit Managers “wish lists”
– Data extraction – all teams prefer be in position to do extracts rather than rely
on client and then test for reliability
– Automated report generation [e.g. IDEA comparison reports]
• Synergies between internal and external audit use of tools
– No teams mentioned activity that leverages work / tools of internal auditors
on the external audit
Rutgers Business School
4
CA/CM adoption
Leading Organizations Usage of CA/CM
Objectives
• This study involve field research studies from 9 leading
internal audit organizations.
• Examines the status of continuous auditing and continuous
control monitoring adoption of the organizations.
Rutgers Business School
CA/CM adoption
Methodology
• Interviews with internal auditors, IT internal auditors and
internal audit management.
• The interviews were conducted face-to-face through site
visits.
• Interviewees were selected from the internal audit
department. At least four employees were interviewed per
organization to ensure validity, information completeness, and
a range of points of view.
Rutgers Business School
CA/CM adoption
The Audit Maturity Model (1)
Stage 1
Stage 2
Stage 3
Stage 4
Traditional Audit
Emerging
Maturing
Continuous Audit
Objectives
•Assurance on the
financial reports
presented by
management
•Effective control
monitoring
•Verification of the
quality of controls
and
operational results
Approach
•Traditional interim and
year-end audit
IT/Data access
•Case by case basis
•Data is captured during
the audit process
•Traditional plus
some
key monitoring
processes
•Repeating key
extractions on cycles
•Usage of alarms as
evidence
•Continuous control
monitoring
•Systematic
monitoring
of processes with
data
capture
•Improvements in
the
quality of data
•Creation of a critical
meta-control
structure
•Audit by exception
Audit Automation
•Manual processes &
separate IT audit
•Audit management
software
•Work paper
preparation software
•Automated
monitoring
module
•Alarm and follow-up
process
Rutgers Business School
•Complete data
access
•Audit data
warehouse,
production, finance,
benchmarking and
error history
•Continuous
monitoring
and immediate
response
• Most of audit
automated
CA/CM adoption
The Audit Maturity Model (2)
Stage 1
Stage 2
Stage 3
Stage 4
Traditional Audit
Emerging
Maturing
Continuous Audit
Audit and
management
sharing
•Independent and
Adversarial
•Independent with
some core monitoring
shared
•Purposeful Parallel
systems and common
infrastructures
Management of
audit functions
•Financial
organization
supervises audit and
matrix to Board of
director
•Some degree of
coordination between
the areas of risk,
auditing and
compliance
IT audit works
independently
Analytic methods
•Financial ratios
•Financial ratios at
sector level/account
level
•Shared systems and
resources where
natural process
synergies allow
•IA and IT audit
coordinate risk
management and
share automatic audit
processes
•Auditing links
financial to
operational processes
•KPI level monitoring
•Structural continuity
equations
•Monitoring at
transaction level
Rutgers Business School
•Centralized and
integrates with risk
management,
compliance and SOX/
layer with external
audit.
•Corporate models of
the main sectors of
the
business
•Early warning
system
CA/CM adoption
The Audit Maturity Model
Traditional Emerging Maturing Continuous
Rutgers Business School
CA/CM adoption
Factors affect the adoption
• Management support
– Management support is critical especially for projects requiring
considered amount of budget and affecting some operational
processes.
– It is also necessary that the auditor has access to the systems
and data of each auditee (Handscombe 2007). Such access
requires management approval.
– The audit-aid technology implementation is initiated and
supported by the head of the internal audit department or higher
level management.
– Internal auditors do not have direct access to the data.
– With the CA/CM tools, data are automatically extracted without
human intervention.
Rutgers Business School
CA/CM adoption
Factors affect the adoption
• Employee knowledge
– Hall and Khan (2003) posited that an adoption of new invention
might be slow if a success of the implementation requires
complex new skills.
– Continuous auditing and continuous control monitoring relies on
advance technology.
– The tools and systems are varied across/within the company, so
that an internal auditor needs some basic knowledge or skills for
those systems, audit-aid technology and tools.
– Standard training, customized training, MBA program
– Prefer experienced auditors
– Staff rotational program
Rutgers Business School
CA/CM adoption
Factors affect the adoption
• Perceived cost
– In this context, cost is not the monetary value but the perception
of the adoption cost.
– Taylor and Murphy (2004) suggested that high set-up and
ongoing costs could be barriers to the implementation of
technology.
– Searcy and Woodroof(2001): Continuous auditing is increasingly
adopted because of a dramatically fallen in a cost of
implementation and an availability of support technology.
– Cost is not the barrier for the adoption of technology. It was not
identified as a top challenge for the implementation.
Rutgers Business School
CA/CM adoption
Factors affect the adoption
• Regulation and compliance
– Many of the executives are thinking of continuous auditing as
one of the solutions that assist them to comply with the
regulation (Handscombe 2007).
– SEC 33-8128 (accelerate the submission of financial report),
SOX 404 (internal control quality and on-time report), bank
regulation
– Although there is no explicit relationship between CA/CM
implementation with regulation and compliance, the interviewees
report that CA/CM supports SOX fulfillment.
– It facilitates the review activities and reduces time allocated to
SOX compliance.
Rutgers Business School
CA/CM adoption
Analysis
1. Most of the companies are at the foundation stage of CA/CM
adoption.
• Contrasts with the findings of the ACL and internal audit surveys
conducted by PwC.
2. Lacking audit aid tools such as working paper management
and data analysis tools.
• i.e. Consumer 1
3. Lack of training for Audit aid tools
• Consumer 1 is not successful with the ACL data analysis adoption.
4. Audit like organization
Rutgers Business School
CA/CM adoption
Analysis
5. IA needs to improve audit competency and technology skill
set.
– Bank 2 hires Big4 as a consultant to help in internal audit areas.
6. Some companies have a certain level of CA/CM technology
adoption such as Hi-tech1, Hi-tech 2 and Bank 1.
– External auditor can rely on internal audit work at some level.
7. With advanced auditing technology, sufficient access to data
is facilitated; for instance, the continuous monitoring system
of Bank 1 and the audit tools of Hi-tech 1.
– Analyze data in various dimensions and at a deeper level
Rutgers Business School
CA/CM adoption
Conclusion
•
Several companies have implemented some advanced audit technologies,
however, none of them really has continuous auditing.
•
Most of them are ranked between stage 1, traditional audit, and stage 2,
emerging.
•
There is opportunity for development in the future.
Rutgers Business School