Continuous audit is emerging as an effective strategy for managing and minimising organisational risk. A few years ago, the Journal of Accountancy noted that organisations “are investing time and money in continuous auditing,” but what does this approach mean in practice?
How does it work? How does a continuous monitoring audit help you mitigate risk, and how can audit management software support you?
What is continuous audit?
The internal audit process is crucial to an organisation’s risk management strategy. Internal auditors are often known as the “third line of defence” against corporate risk because they provide independent assurance of risk management controls.
Internal audit usually follows a set timetable, a cyclical process to a specific schedule. An auditor or audit team collates data on risks and controls and publishes findings.
Continuous audit, conversely, is an “always on” audit process.
How does continuous auditing work?
Rather than a person manually completing audit tasks, a continuous monitoring audit is supported by technology, automatically assessing and delivering findings at very regular intervals. This enables constant risk awareness, auguring the traditional internal audit process and supporting internal audit teams in their work.
When is continuous auditing used?
Often, continuous audits are focused on new processes or procedures. The continuous audit process provides a quick and early indication of the procedures’ success, unlike traditional internal audits, which can occur months after a business process or activity.
Continuous auditing and monitoring can bolster internal audits in priority areas identified by the business, acting as a second layer of control and assessment for critical processes or functions.
What are the benefits of continuous audit?
It’s worth exploring the advantages and disadvantages of continuous audit. What are the benefits, and are there any downsides to implementing continuous audit techniques?
Benefits of a continuous audit include:
- Immediate detection occurs for errors, fraud, or non-compliant activity. The continuous audit process swiftly identifies any errors, omissions, or fraud, unlike a time-bound audit.
- As a result, we minimise the potential for harm, making mitigation and remediation easier.
- The chances of noncompliance are also reduced, minimising the potential for reputational damage or financial penalties.
- Proactively plan audit work and manage auditors’ time. Continuous audit offers a key advantage by avoiding peaks and troughs of demand, thus making the audit process more efficient.
- Up-to-date data is always available. Whether to comply with external reporting requirements or for your internal audit reporting, continuous audit gives you instant access to accurate and current data. Accounts can be prepared faster, and you are assured that their content is watertight.
- It positions the auditor as a valued business advisor. Continuous audit brings auditors close to business processes and enables the audit team to suggest improvements, tweaks, and remedial actions in a way that timetabled audit does not.
Embracing a continuous audit process brings significant benefits. By proactively managing risks and ensuring ongoing compliance, your organisation gains a competitive edge in today’s dynamic business landscape. Are there any disadvantages? Setting up costs can be an obstacle. And as with any technology-led approach, a human overlay will ensure the continuous audit process isn’t over-reliant on technology at the expense of common sense.
7 steps to an effective continuous audit
Rutgers University recognizes six steps in an effective continuous audit process, as outlined in this paper. In our analysis, we’ve added a seventh that will help make your continuous monitoring audit more rigorous, robust and easier.
- Establish priority areas. Look at new procedures and any other processes critical to your business strategy, maybe carrying out a materiality assessment to determine key priorities.
- Determine the rules for your continuous audit process; the parameters that guide your monitoring. These rules must consider factors like legal or external reporting requirements alongside internal compliance controls.
- Decide how regular your monitoring will be. “Continuous” is slightly misleading; monitoring is rarely genuinely continuous. The cadence of your monitoring is something you will need to decide. A cost-benefit analysis, and an assessment of how frequently new data is available, will help to determine your monitoring frequency.
- Monitor and tweak your parameters. Determine your frequency and rules before starting, but also revisit them after continuously auditing for a set period. Consider if you’ve set your triggers at the proper levels. Are you overreacting to risks with few costs?
- Determine your follow-up process. What happens when an error is identified or an alarm is triggered during the continuous audit process? Who does the alarm flag to? What do they need to do in response? How does the communication process work? Are there steps that should be taken, for instance, to cross-check and verify data — before a trigger is acted on? What is the escalation process?
- Share the results of the process. How will you communicate the ongoing findings? At what intervals and via what means?
- Identify the tools and technologies that can support you. Artificial intelligence, machine learning and robotic processes transform data collection and analysis. Explore their potential to supercharge your data analytics and continuous audit process.
Harness continuous audit to future-proof your audit process
As organisations’ risk profiles evolve, internal audit teams must transition from time-bound, reactive audits to leveraging continuous audits’ benefits—providing at-your-fingertips data and insights for proactive risk management in a complex environment
Doing this, and making the best use of the technologies that can support you, enables internal auditors to play a valued role in corporate governance, acting as a partner to the C-suite and board and proactively tackling emerging risks.