Internal audit departments looking to start a “continuous auditing” program are entering an area that is either quite crowded or sparsely populated. The root of this seeming contradiction is, like a lot of things related to continuous auditing, a matter of definition.
To be sure, continuous auditing is on the mind of many executives. In an ongoing benchmarking survey, 32% of 305 organizations have told the Institute of Internal Auditors in the past year that they perform continuous auditing. In a 2006 survey by PricewaterhouseCoopers, 81% of 392 companies said they at least aspired to continuous auditing, if they hadn’t already begun doing it.
But just what is “it”? For the vast majority of practitioners, “continuous” is a malapropism. The term first got traction in the 1990s, used as a contrast to the traditional practices of internally auditing individual business processes every year or every few years, and auditing financial-reporting systems annually or quarterly. Any audit activities performed more often than every three months came to be known, by some, as continuous. The IIA still defines continuous auditing simply as “any method used to perform audit-related activities on a more continuous or continual basis,” without further defining what “more” means.
That leaves a lot of room for interpretation. And definitions have diverged widely, though continuous auditing is generally held to be an automated approach. Increasingly it is assumed to mean examining all data relevant to the audit being performed, rather than the historical norm of examining supposedly representative samples.
A leading continuous auditing expert, Rutgers University professor Miklos Vasarhelyi, calls it “an audit that happens immediately after or closely after a particular event.” But he notes that any definition of the term is a moving target, as technology advances and the way organizations use continuous auditing evolves. Although Vasarhelyi published what is regarded as the first significant paper on the topic in 1991, he says now that “it will take a few decades for businesses and the public to understand what it is, and for us to develop exactly what the field is.”
Today, says Vasarhelyi, “there are huge differences in what is considered continuous auditing. Some companies call it continuous when a particular process fails an audit and it is repeated several times over the next year.” But the actual prevalence of the practice as per his definition is “limited,” he says. Only a smattering of companies audit some business processes in something close to real time.
Whether internal auditing is appraised as having attained continuous status can depend on one or more of several factors: the number, timing, and frequency of automated processes; the percentage of the organization’s risk profile addressed through a continuous audit approach; and the sophistication of the technology employed.
For virtually all companies engaged in continuous auditing, it is a work in progress. While acknowledging that the term is “subject to interpretation,” Richard Chambers, president and CEO of the IIA, says, “We’re not familiar with anyone out there that has mastered continuous auditing yet.”