Are Continuous Auditing and Continuous Assurance Myths?

 A well-respected thought leader on internal auditing told me this week:

“Continuous Assurance (CA) is a MYTH. It is an illogical notion, showing a lack of understanding of audit fundamentals.”

I asked why he said that, and his reply was:

“Because people are looking for easy outs. Example: You can automate the notification of changes to a user’s rights…been doing that for 25 years. But you cannot continuously assure yourself that every user has exactly the correct rights. That is not a continuous audit….never has been…and never will be.”

 My counter-argument was:

“I assume you believe that controls provide a [reasonable level of] assurance that risks are managed within tolerances, and in the value of auditing controls – their design and operation. If not, we are already out of sync.

If you can identify the controls you want to rely on for continued [reasonable] assurance that the risks are managed within tolerances, then the trick is to design tests of those controls.

Do you believe that you can test the controls and obtain reasonable assurance at a point in time? If so, you should be able to design tests that are performed on a more continuous basis and provide more continuous assurance.

Now, we don’t define continuous assurance as literally all the time. We define it to provide a reasonable level of assurance that the controls are effective on a continuing basis. Where the risk (resulting from a control failure) is higher, the frequency of testing of that control will probably be higher than when the risk is lower.”

How would you have responded? Do you agree with my reply?

  1. April 28, 2010 at 10:29 AM


    I liked your replies. They were to the point and well worded. One thought for discussion. With the initial statement: “…showing a lack of understanding of audit fundamentals,” doesn’t this underpin one of the significant challenges in implementing Continuous Auditing?

    Traditional audit processes involve a carefully thought-out and considered opinion of how well a part of the business is operating. With Continuous Auditing, exceptions are identified on an ongoing basis and communicated to the organization at a point in time. They are not a complete assessment of the overall situation.

    This is a significant shift in the relationship that audit has with the business. Doesn’t this in itself change “audit fundamentals,” as understood by many? ~PBM

  2. Laura
    April 28, 2010 at 3:18 PM

    I view continuous auditing as building into a system the logic that was applied by humans when they were involved in handling and matching documents. Humans were the logic processors; when they were removed, their skills were not added to the system.

  3. Denis
    April 29, 2010 at 5:44 AM

    Norman’s discussion above actually indirectly touches on a problem of attitude towards CA, as people think that once a tested CA has been established it needs no periodic revision, thus forgetting that periodic (if not even continuous) development and improvement is crucial for an effective CA.
    An established CA “algorithm” is very sensitive to environment change, and the degree of reliability of the CA result depends on how much it covers and whether it is deep enough or not.
    From this point of view I would just like to say that if the CA is implemented in a company with a more “static” environment, then the CA could be very effective if it is periodically reviewed, but if it is implemented in a company which applies (for example) a Kaizen strategy, or in two merging companies, then establishing a CA is rather futile.

  4. nmarks
    April 29, 2010 at 5:50 AM

    Denis, I agree that the continuous audit/assurance/monitoring program needs to be maintained. It’s not a “once and done” exercise. Risks emerge and change, even disappear, over time. Business processes and systems change. But that only calls for a flexible program – it does not mean that it is futile.

  5. April 29, 2010 at 7:11 AM

    I agree, Norman. For a CA implementation to be successful, it needs to be flexible or agile enough for it to adapt to underlying changes in data sources, business process changes and shifting risk.

    Denis, your point is well taken too. There’s no point in trying to build CA on shifting sands. There has to be a certain degree of procedural stability for one to consider the time investment for CA. Perhaps a more traditional risk-based ad hoc audit approach is more suited for those instances. ~PBM

  6. April 29, 2010 at 1:15 PM

    So one “test” would be to join the approved users with an active employee list from HR. Any differences (in approved user, not in active employee list) would go to the approver level for review. This could be done on a continuous basis thereby providing assurance that approved users are active employees.
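
The reconciliation test described in the comment above, sketched as an added example that is not part of the original discussion. The records are constructed sample data, and the field names and the `normalize` and `access_exceptions` helpers are hypothetical.

```python
from collections import defaultdict

# Constructed sample data; field names (user_id, approver, employee_id, status)
# are assumptions, not taken from any real HR or access-management export.
APPROVED_USERS = [
    {"user_id": "jsmith", "system": "GL", "approver": "mgr.finance"},
    {"user_id": "ALee ", "system": "GL", "approver": "mgr.finance"},
    {"user_id": "bkhan", "system": "AP", "approver": "mgr.payables"},
    {"user_id": "tnguyen", "system": "AP", "approver": "mgr.payables"},
    {"user_id": "svc_batch", "system": "GL", "approver": "mgr.it"},
]
HR_EMPLOYEES = [
    {"employee_id": "JSmith", "status": "active"},
    {"employee_id": "alee", "status": "active"},
    {"employee_id": "bkhan", "status": "terminated"},
]


def normalize(identifier):
    """Compare IDs case- and whitespace-insensitively so formatting
    differences between the two exports do not create false exceptions."""
    return identifier.strip().lower()


def access_exceptions(approved_users, hr_employees):
    """Return approved users who are not active employees,
    grouped by the approver who has to review them."""
    status_by_id = {normalize(e["employee_id"]): e["status"] for e in hr_employees}
    by_approver = defaultdict(list)
    for grant in approved_users:
        uid = normalize(grant["user_id"])
        status = status_by_id.get(uid)
        if status == "active":
            continue  # approved user matches an active employee: no exception
        reason = "not in HR list" if status is None else f"HR status: {status}"
        by_approver[grant["approver"]].append(
            {"user_id": uid, "system": grant["system"], "reason": reason})
    return dict(by_approver)


if __name__ == "__main__":
    exceptions = access_exceptions(APPROVED_USERS, HR_EMPLOYEES)
    for approver, items in sorted(exceptions.items()):
        for item in items:
            print(f"{approver}: review {item['user_id']} on {item['system']} ({item['reason']})")
```

Accounts with no HR record at all, such as the constructed `svc_batch` service account, surface as exceptions too, so the approver review has to decide whether each one is legitimate.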

  7. April 29, 2010 at 3:23 PM

    Good test idea, Don. How about some of the great analytics that can be done on postings to the GL? As two merging companies begin the process of binding themselves together, assurance around the integrity of financial reporting would be key. With the right data analysis technology, validating GL postings could be done, automated and scheduled with relative ease. True, this might be a stop-gap measure as the new organization standardizes on a new, centralized ERP system, but until that happens and automated controls are put in place, it sure could be a high risk area to scrutinize on a continual basis. As Norman says, “risks emerge and change, even disappear over time.” CA analytics needn’t (shouldn’t) be permanent fixtures.

  8. Girma Bersisa
    April 30, 2010 at 12:00 AM

    Yes, I do agree with your counter-argument.

  9. Girma Bersisa
    April 30, 2010 at 12:01 AM

    Yes, I do agree with your counter-argument.

  10. April 30, 2010 at 3:39 AM

    I see your point Peter and yes we like a great IDEA coupled with our smart analyzer pre-built automated scripts for auditing the GL.

    You must be thinking of something like Continental and United merging into UAL.

    But my internal audit experience in building continuous audit automated processes leads me back to the five steps of problem solving: Ignore --> Deny --> Blame Others --> Accept Responsibility --> Solve the Problem.

    If you prefer, you can also use a maturity index: Not Defined --> Defined but not distributed --> Distributed but not implemented --> Embraced --> Continuously improved from Future Events.

    CAEs with a seat at the leadership table can readily identify management stuck in the first 3 steps (of problem solving and/or maturity) and my experience helped me realize these issues lend themselves to CA. Management that accepts the problem and devotes resources to actually solve the problem are prime continuous monitoring opportunities.

    In fact, every CA routine I have built eventually was transferred to management as a CM routine. I realize this does not fit tightly with your GTAG 3 but my CA skills were built from “in the seat” versus “in the classroom”.

    So internal audit fears of building something that will consume significant resources forever are really “the myth”. So it is not really understanding audit fundamentals but “reading people skills” and properly applying the right tool for the right job. The problems did not just go away (disappear); management solved the problem or re-engineered the process, fully mitigating the risk.
