Internal Audit: The Continuous Conundrum

A generally accepted definition of "continuous auditing" remains elusive, and expert practitioners remain rare. Here are some tips from the trenches for getting a program going.

Further complicating the definition is coming to grips with how continuous auditing differs from continuous monitoring. Typically, the latter is seen as being done by company management to ensure that policies, procedures, and business processes are operating effectively and to address management’s responsibility to assess the effectiveness of internal controls. Continuous audits are performed by audit departments to evaluate the adequacy of management’s monitoring function and, thus, often cover the same or similar ground.

In fact, “some would tell you that there is no distinction between the two,” says Chambers. However, where there is a distinction, it can be blurry. For example, at some organizations the audit department’s role is not just to scrutinize management monitoring but also to hand over the data-analytic scripts it created for auditing specific processes to management for use in its monitoring activities.

Following is a look at how three large companies with long-established programs use continuous auditing and the challenges they confronted in rolling it out.

Power Audit

American Electric Power began dabbling in continuous auditing as a way to better allocate internal audit staff resources. The idea was to identify automatable audit processes and free up staff to perform more subjective audits requiring professional judgment.

For example, notes Jay Hoffman, director of internal audit at the electric company, during the past couple of years, data privacy has become a hot-button issue. “I’ve got eight people on my team,” he says. “Do I want to send one of them to go look at the emerging risk related to data privacy and understand that? Or would I rather that person do an accounts-payable audit that was created three or five years ago and isn’t likely to yield a ton of new issues?” Thus, somewhat counterintuitively, AEP uses continuous auditing for testing low-risk areas.

But the program, launched five years ago, didn’t really achieve much success until two years ago, Hoffman notes. Figuring out how to get started proved to be a big challenge, although he was able to avoid one big misstep early on; that is, Hoffman quickly realized that putting a priority on finding a technology tool would be a mistake. “In my experience, if you don’t know what you want to do, you’ll never find the right tool to help you do it,” he says.

Still, the audit leaders felt overwhelmed by the potential opportunities. “Data exists in so many places, we didn’t know what to analyze first, and we didn’t know what type of analysis to perform,” says Hoffman.

He started by asking his team which audits ate up staff resources because they involved cranking out the same reports every cycle. But he found a resistance to change, as well as a problem with getting the auditors to articulate what specifically should be looked for in tests that would be performed through an automated approach.

Eventually, Hoffman came to believe he needed a “big win” to drive auditor buy-in. He found a perfect candidate: Sarbanes-Oxley compliance audits. The audit leaders were unhappy about Sarbox eating up so much of their budgets, and the auditors didn’t like the work. “We said, if we want to get acceptance on a grand scale, let’s make Sarbanes-Oxley testing easier,” says Hoffman.


