As the principal author of the Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) on Continuous Auditing (GTAG#3), I hope that you will grant me the prerogative to state that “Continuous Auditing is Dead”.
Continuous Auditing – a misnomer as it should have been called ‘Continual’ Auditing – was never fully understood or accepted by auditors or by audit clients. The idea behind Continuous Auditing was to improve audit’s ability to easily assess and quickly respond to increased levels of risk. But this was not how it was being applied.
In my view there were two major factors that hindered the acceptance and adoption of Continuous Auditing. The first being that audit clients (I am talking primarily about ‘internal’ audit) were concerned that audit would be constantly presenting them with thousands of errors that would need to be fixed. The second was that audit itself thought the purpose was to use analytics to find transactions that were in error. This approach totally ignored ‘risk’.
I have heard many auditors talk about performing a continuous audit on accounts payable to identify duplicates. These duplicates would then be sent to management for them to address. No wonder management had concerns with continuous auditing. When I asked how often (frequency) and for how long they would be performing the continuous audit of accounts payable, there was a sort of stunned silence. My next question was: “What was the objective of the A/P audit?” Too often the answer was “To check for duplicates.” When pressed for a recommendation, I would hear: “recover the duplicate payments from the vendors.” Not really much of value to senior management; particularly when you ran the same analysis and made the same recommendations every quarter. It also resulted in audit becoming a detective control and therefore, part of the control framework.
The audit objective should have been something along the lines of “to assess whether the controls over the processing of invoices are adequate and effective.” The identification of duplicates was not the finding but evidence that the controls were not working. The audit should have then determined which controls had failed and made recommendations to management regarding how to improve the controls. As a follow-up – to see if management action had addressed the control weakness – audit could re-test the controls again (Continuous Audit) in six months by looking for duplicates, but only if the risk warranted it. If the number of duplicates had decreased to an acceptable level – there was no real need to audit the process again.
It wasn’t just accounts payable where Continuous Auditing was erroneously employed. It was used in many business processes to find and inform managers of errors and instances of non-compliance. So close! If only the analytics had been used to determine the root cause of these errors and acts of non-compliance instead of just sending thousands of transactions to management to fix – every month or quarter or whatever.
Instead of enhancing the value of internal audit, this type of Continuous Auditing increased the view that audit was either the corporate police or a detective control – neither of which was good. It certainly did not increase the perception that audit was risk-focussed and a valuable source of information to senior management.
So, there you have it. I proclaim that Continuous Auditing is dead – easy to do, if you don’t have to provide a replacement, but I won’t take the easy way out. I propose that we replace Continuous Auditing with the concept of an agile and responsive audit organization. I know I am a little late to the party. Many people have already espoused the idea of the ‘agile’ auditor. But, the two aspects ‘agile’ and ‘responsive’ must be considered as inseparable and have a risk-centric focus. So let’s call it “Risk-Responsive and Agile Auditing”.
Risk-Responsive means that they can identify and assess changes in risk quickly and thoroughly. Agile refers to the ability of audit to identify and assess risk and provide mitigation recommendations in all aspects of company operations – not just finance.
Agile requires a diverse skill set of auditors. They must understand risk and risk-drivers; IT controls; and how they impact all business processes. Risk Responsive requires auditors to be able to identify emerging and changing risk levels; and be able to perform and understand data analytics and machine learning. In essence ‘responsive and agile’ are the same concepts that Continuous Auditing sought to promote in auditors. The ability to monitor and assess risk and to react when it takes an upturn is at the heart of both concepts. But risk-responsive and agile eliminates the negative connotation of ‘continuous’ and places the focus on ‘risk’.
In addition, before I have to write another article on the ‘Death of Risk-Responsive and Agile Auditing’ keep in mind that ‘responsive’ refers to the identification and action taken to address increased levels of risk; and ‘agile’ refers to being able to take on any risk that could impact the organization. Neither of these means inundating management with transactions and errors; or repeating the same audit over and over again. Risk-responsive and agile should be a welcome approach to both auditors and their clients. It means that audit is identifying and addressing risk quickly and, therefore, adding value and supporting management’s strategic initiatives without becoming part of the control framework.
“Down with ‘Continuous Auditing’; long live the ‘Risk-responsive and agile auditor’!”
This article has 5 Comments
Thanks, @Dave Coderre! Very enjoyable read. I had a great conversation with someone yesterday about continuous auditing and continuous monitoring. We talked about how we need to change the paradigms to a more meaningful risk management focus that utilizes tools available today and implements machine learning and other constructs.
In a separate conversation earlier this week, a long-time friend of mine said when he tried to implement risk-based consultative initiatives in an audit group (to help improve processes, etc.) he was told “we don’t help people!”…the group preferred a role of being compliance police over contributing value on the upfront process setup, preventive controls, etc.
I’m blessed to have a network of great acquaintances, colleagues, family, and friends totaling thousands of years in audit experience. I would say confidently that each of those people has consistently encountered the same things you’ve described. Internal Audit is very focused on detecting things that have happened (even the name of Audit evokes a retrospective focus and activity); whereas, we can see a mountain range of opportunity to take the historical data and analyze it with a future focus. We must deal with correction and remediation in the short-term, just as we deal with damage from natural disasters. However, we also value early warning detection systems in cars, weather systems, etc. and that should absolutely carry forward into the audit profession. Why in the world would we not want to define and refine patterns of fraud so we could use those definitions to identify potential fraud early enough to avert significant damages to an organization’s financials or reputation, as well as helping curb a personal mistake made by someone who could otherwise destroy their life?
Considering the possibility that Risk-Responsive could also cause some to be more reactive than proactive, maybe “Risk-Focused” would be worth a look. My vote would be an acronym of ARF (Agile and Risk-Focused) for the new paradigm…and Lassie could be the mascot who keeps Timmy from falling down the well in the first place, but only after analyzing why Timmy is continuously (or continually?) falling down wells and applying that to a predictive model with agile reporting.
Paul: It has been the same story for many years.
Very good story. Thanks.
Very interesting article. Fully agree about the inability of applying the concept in internal audit, from what I have so far seen in my career. I would argue that continuous audit is already well implemented in the government of Canada through the internal control function, which is governed by the Policy of Financial Management (https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32495). The types of reviews done by internal control groups don’t dwell on governance and thus are perhaps better lending themselves to short, repetitive “key control” audits.
A very good book I read on this topic is “Harnessing the Power of Continuous Auditing” by Mainardi: https://www.amazon.ca/Harnessing-Power-Continuous-Auditing-Implementing/dp/0470637692
When well implemented and focusing on key controls, continuous auditing could be useful.