The Death of Continuous Auditing

David Coderre, www.caats.ca

As the principal author of the Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) on Continuous Auditing (GTAG#3), I hope that you will grant me the prerogative to state that “Continuous Auditing is Dead”.  

Continuous Auditing – a misnomer as it should have been called ‘Continual’ Auditing – was never fully understood or accepted by auditors or by audit clients. The idea behind Continuous Auditing was to improve audit’s ability to easily assess and quickly respond to increased levels of risk. But this was not how it was being applied.

In my view, there were two major factors that hindered the acceptance and adoption of Continuous Auditing. The first was that audit clients (I am talking primarily about ‘internal’ audit) were concerned that audit would be constantly presenting them with thousands of errors that would need to be fixed. The second was that audit itself thought the purpose was to use analytics to find transactions that were in error. This approach totally ignored ‘risk’.

I have heard many auditors talk about performing a continuous audit on accounts payable to identify duplicates. These duplicates would then be sent to management for them to address. No wonder management had concerns with continuous auditing. When I asked how often (frequency) and for how long they would be performing the continuous audit of accounts payable, there was a sort of stunned silence. My next question was: “What was the objective of the A/P audit?” Too often the answer was “To check for duplicates.” When pressed for a recommendation, I would hear: “recover the duplicate payments from the vendors.”  Not really much of value to senior management; particularly when you ran the same analysis and made the same recommendations every quarter. It also resulted in audit becoming a detective control and therefore, part of the control framework.

The audit objective should have been something along the lines of “to assess whether the controls over the processing of invoices are adequate and effective.” The identification of duplicates was not the finding but evidence that the controls were not working. The audit should have then determined which controls had failed and made recommendations to management regarding how to improve the controls. As a follow-up – to see if management action had addressed the control weakness – audit could re-test the controls (Continuous Audit) in six months by looking for duplicates, but only if the risk warranted it. If the number of duplicates had decreased to an acceptable level – there was no real need to audit the process again.

It wasn’t just accounts payable where Continuous Auditing was erroneously employed. It was used in many business processes to find and inform managers of errors and instances of non-compliance. So close! If only the analytics had been used to determine the root cause of these errors and acts of non-compliance instead of just sending thousands of transactions to management to fix – every month or quarter or whatever.

Instead of enhancing the value of internal audit, this type of Continuous Auditing increased the view that audit was either the corporate police or a detective control – neither of which was good. It certainly did not increase the perception that audit was risk-focussed and a valuable source of information to senior management.

So, there you have it. I proclaim that Continuous Auditing is dead - easy to do, if you don’t have to provide a replacement, but I won’t take the easy way out. I propose that we replace Continuous Auditing with the concept of an agile and responsive audit organization. I know I am a little late to the party. Many people have already espoused the idea of the ‘agile’ auditor.  But, the two aspects ‘agile’ and ‘responsive’ must be considered as inseparable and have a risk-centric focus. So let’s call it “Risk-Responsive and Agile Auditing”.

Risk-Responsive means that auditors can identify and assess changes in risk quickly and thoroughly. Agile refers to the ability of audit to identify and assess risk and provide mitigation recommendations in all aspects of company operations – not just finance.

Agile requires a diverse skill set of auditors. They must understand risk and risk-drivers; IT controls; and how they impact all business processes. Risk Responsive requires auditors to be able to identify emerging and changing risk levels; and be able to perform and understand data analytics and machine learning. In essence ‘responsive and agile’ are the same concepts that Continuous Auditing sought to promote in auditors. The ability to monitor and assess risk and to react when it takes an upturn is at the heart of both concepts. But risk-responsive and agile eliminates the negative connotation of ‘continuous’ and places the focus on ‘risk’.

In addition, before I have to write another article on the ‘Death of Risk-Responsive and Agile Auditing’, keep in mind that ‘responsive’ refers to the identification and action taken to address increased levels of risk; and ‘agile’ refers to being able to take on any risk that could impact the organization. Neither of these means inundating management with transactions and errors; or repeating the same audit over and over again. Risk-responsive and agile should be a welcome approach to both auditors and their clients. It means that audit is identifying and addressing risk quickly and, therefore, adding value and supporting management’s strategic initiatives without becoming part of the control framework.

“Down with ‘Continuous Auditing’; long live the ‘Risk-responsive and agile auditor’!”

Kailash Prajapati

Head of Audit at TA'ZIZ- ADNOC & ADQ, Audit Committee, Ex-Petrofac, Adani, Reliance (CA, CS, FRM-USA)

4 years ago

Appreciate your thoughts on the subject. So relatable, especially Accounts Payable example. I believe that the next step to CA should have been, embedding the CA within 2LD responsibility of management and operating it for periodic management assurance. This should have been real value addition to organisation and assurance for board as well. Then, Audit focus on 3LD activities on the management assurance process.

Lazardo Cardozo CPA, CGA, CA (I), CIA, CFE

Internal Audit and Finance Professional

6 years ago

Hello Tom. I agree with you.

Elizabeth Murphy-Walsh

Retired Vice President Audit and Data Services at Public Service Commission of Canada

6 years ago

Great insights Dave


Yes! Love this.
