Theory to practice: continuous auditing gains.
The need for more timely and reliable risk and control assurance has encouraged internal auditors to revisit the theory and practice of continuous auditing. The theory is not new. As a concept, continuous auditing has been explored in internal audit circles since the 1970s. Conceptually, the approach revolves around a process focused on the monitoring and/or auditing of key risks and controls on a real-time basis. This process may involve the use of technology. While there have been many attempts to implement the concept of continuous auditing, few organizations have realized its full vision and potential.
To learn more about how internal audit departments are addressing the need for more timely risk and control assurance, PricewaterhouseCoopers conducted its second annual "2006 State of the Internal Audit Profession Study." The study, which included input from over 400 internal audit executives, found that CAEs are actively pursuing strategies designed to shorten audit cycle times and provide more timely risk and control assurance. This quest is prompting renewed interest in the practice of continuous auditing.
As the 2006 study confirms, the term "continuous" is more a concept than a practice today. Practices vary and may involve a combination of both computer-assisted audit programs and manual procedures. This monitoring or auditing is "continuous" in relatively few cases--and, in those rare instances, usually involves repetition of both automated and manual audit procedures. However, there is a clear trend in the majority of departments surveyed towards the implementation of the continuous auditing concept.
Other findings of the PwC study include:
* More than 80 percent of the nearly 400 companies responding to questions about continuous auditing said they either had a continuous auditing or monitoring process in place or were planning on developing one.
* Half of the 2006 survey respondents have some form of continuous auditing or monitoring process within their internal audit functions, a significant jump from 35 percent in 2005.
* Both automated and manual processes figure prominently, with 56 percent of respondents saying their continuous auditing processes include both manual and automated elements; 41 percent indicating that their processes are entirely manual; and a scant 3 percent reporting that they have fully automated processes.
* So-called "continuous auditing" is continuous in name only: the most common continuous auditing "cycle" is quarterly, with 57 percent of respondents falling into this category. Another 34 percent focus on monthly monitoring activities, while only 9 percent focus on daily applications of their continuous auditing processes.
Implications for Internal Auditors
The evolution towards truly continuous auditing will place new demands on internal audit groups, which often serve as their organizations' internal control "experts." The traditional internal audit cycle is linear, with reports only being issued after a properly conducted internal audit. As a result, audit projects would, at best, take weeks from the initiation of the audit to issuance of the report. Furthermore, audits are typically planned on an annual cycle, following an annual risk assessment. The ability to react to changes in mid-cycle depends on the auditor's capability to identify changes in risk or control performance proactively.
The practical development of continuous auditing will demand a mastery of applying technology to the entire internal audit process. Leading practices in this area involve the use of technology to identify and report changes in risk or control indicators in real time. Changes in risk and control indicators may be reportable events themselves, the catalyst for an audit or identify the need for a refinement to the existing risk assessment. In this way, the traditional linear audit cycle of assessing risk, planning, auditing and reporting is replaced by a more complex yet more responsive and real-time set of audit-related activities.
Implications for Financial Executives
In some organizations, the change of the internal audit process--from a linear, annual cycle to a more dynamic process--may meet with resistance. Internal audit's constituents, in particular the finance function, may be accustomed to a relatively methodical and linear audit approach. Internal audit's ability to report control deteriorations more rapidly, even without going through the formalities of an audit, can change the relationship between the auditor and management. Technology-enabled continuous auditing is a more dynamic approach that places internal audit in a much more proactive role.
The CFO can take a leadership role in supporting the migration of internal audit to a more continuous audit approach. It's essential that financial executives across the organization recognize that when implemented with care, continuous auditing is about improving the quality and timeliness of communication between auditor and management, providing management more timely input on the state of controls and risks and keeping the auditor better informed.
--Contributed by Anthony O'Reilly (email@example.com), a Partner in PricewaterhouseCooper's Internal Audit Services practice in Boston.