Internal Audit: The Continuous Conundrum

A generally accepted definition of "continuous auditing" remains elusive, and expert practitioners remain rare. Here are some tips from the trenches for getting a program going.

September 18, 2009

Internal audit departments looking to start a "continuous auditing" program are entering an area that is either quite crowded or sparsely populated. The root of this seeming contradiction is, like a lot of things related to continuous auditing, a matter of definition.

To be sure, continuous auditing is on the mind of many executives. In an ongoing benchmarking survey, 32% of 305 organizations have told the Institute of Internal Auditors in the past year that they perform continuous auditing. In a 2006 survey by PricewaterhouseCoopers, 81% of 392 companies said they at least aspired to continuous auditing, if they hadn't already begun doing it.

But just what is "it"? For the vast majority of practitioners, "continuous" is a malapropism. The term first got traction in the 1990s, used as a contrast to the traditional practices of internally auditing individual business processes every year or every few years, and auditing financial-reporting systems annually or quarterly. Any audit activities performed more often than every three months came to be known, by some, as continuous. The IIA still defines continuous auditing simply as "any method used to perform audit-related activities on a more continuous or continual basis," without further defining what "more" means.

That leaves a lot of room for interpretation. And definitions have diverged widely, though continuous auditing is generally held to be an automated approach. Increasingly it is assumed to mean examining all data relevant to the audit being performed, rather than the historical norm of examining supposedly representative samples.

A leading continuous auditing expert, Rutgers University professor Miklos Vasarhelyi, calls it "an audit that happens immediately after or closely after a particular event." But he notes that any definition of the term is a moving target, as technology advances and the way organizations use continuous auditing evolves. Although Vasarhelyi published what is regarded as the first significant paper on the topic in 1991, he says now that "it will take a few decades for businesses and the public to understand what it is, and for us to develop exactly what the field is."

Today, says Vasarhelyi, "there are huge differences in what is considered continuous auditing. Some companies call it continuous when a particular process fails an audit and it is repeated several times over the next year." But the actual prevalence of the practice as per his definition is "limited," he says. Only a smattering of companies audit some business processes in something close to real time.

Whether internal auditing is appraised as having attained continuous status can depend on one or more of several factors: the number, timing, and frequency of automated processes; the percentage of the organization's risk profile addressed through a continuous audit approach; and the sophistication of the technology employed.

For virtually all companies engaged in continuous auditing, it is a work in progress. While acknowledging that the term is "subject to interpretation," Richard Chambers, president and CEO of the IIA, says, "We're not familiar with anyone out there that has mastered continuous auditing yet."

Further complicating the definition is coming to grips with how continuous auditing differs from continuous monitoring. Typically, the latter is seen as being done by company management to ensure that policies, procedures, and business processes are operating effectively and address management's responsibility to assess the effectiveness of internal controls. Continuous audits are performed by audit departments to evaluate the adequacy of management's monitoring function and, thus, often cover the same or similar ground.

In fact, "some would tell you that there is no distinction between the two," says Chambers. However, where there is a distinction, it can be blurry. For example, at some organizations the audit department's role is not just to scrutinize management monitoring but also to hand over the data-analytic scripts it created for auditing specific processes to management for use in its monitoring activities.

Following is a look at how three large companies with long-established programs use continuous auditing and the challenges they confronted in rolling it out.

Power Audit
American Electric Power began dabbling in continuous auditing as a way to better allocate internal audit staff resources. The idea was to identify automatable audit processes and free up staff to perform more subjective audits requiring professional judgment.

For example, notes Jay Hoffman, director of internal audit at the electric company, during the past couple of years, data privacy has become a hot-button issue. "I've got eight people on my team," he says. "Do I want to send one of them to go look at the emerging risk related to data privacy and understand that? Or would I rather that person do an accounts-payable audit that was created three or five years ago and isn't likely to yield a ton of new issues?" Thus, somewhat counterintuitively, AEP uses continuous auditing for testing low-risk areas.

But the program, launched five years ago, didn't really achieve much success until two years ago, Hoffman notes. Figuring out how to get started proved to be a big challenge, although he was able to avoid one big misstep early on; that is, Hoffman quickly realized that putting a priority on finding a technology tool would be a mistake. "In my experience, if you don't know what you want to do, you'll never find the right tool to help you do it," he says.



Reader Comments

  • jackie engel

    Oct 21, 2009 4:01 PM ET

    Continuous Audits are a best practice in Telecom Expense Management

    An excellent example of a high ROI from continuous audits is in telecom expense management (TEM). Telecom invoices are …

  • Marcelle Green

    Sep 22, 2009 3:21 PM ET

    Take some time

    Hoffman had it right in my opinion. The Sarbox does eat a lot of time and resources, but as he has done, take the time to …

  • Wael Bibi

    Sep 19, 2009 10:27 AM ET

    Good Article

    Good Article. Hope to hear more from internal auditors who are trying to implement continuous auditing. I just think of …
