Are Continuous Auditing and Continuous Assurance Myths?
A well-respected thought leader on internal auditing told me this week:
“Continuous Assurance (CA) is a MYTH. It is an illogical notion, showing a lack of understanding of audit fundamentals.”
I asked why he said that, and his reply was:
“Because people are looking for easy outs. Example: You can automate the notification of changes to a user's rights…been doing that for 25 years. But you cannot continuously assure yourself that every user has exactly the correct rights. That is not a continuous audit…never has been…and never will be.”
My counter-argument was:
“I assume you believe that controls provide a [reasonable level of] assurance that risks are managed within tolerances, and the value of auditing controls – their design and operation. If not, we are already out of sync.
If you can identify the controls you want to rely on for continued [reasonable] assurance that the risks are managed within tolerances, then the trick is to design tests of those controls.
Do you believe that you can test the controls and obtain reasonable assurance at a point in time? If so, you should be able to design tests that are performed on a more continuous basis and provide more continuous assurance.
Now, we don’t define continuous assurance as literally all the time. We define it to provide a reasonable level of assurance that the controls are effective on a continuing basis. Where the risk (resulting from a control failure) is higher, the frequency of testing of that control will probably be higher than when the risk is lower.”
How would you have responded? Do you agree with my reply?