As recently as December of 2009, I engaged in a conversation with a Director of Internal Audit on what exactly Continuous Auditing and Continuous Monitoring are. I offered what my interpretation of each was and he did the same. They were not exact matches.
Even though some articles I have read trace at least the theory of Continuous Auditing and Continuous Monitoring back to the 1980s (and some to the early 1990s), there still seems to be some debate as to what exactly each encompasses.
The Institute of Internal Auditors (IIA) defines Continuous Auditing simply as “any method used to perform audit-related activities on a more continuous or continual basis.” This article published by CFO.com defines Continuous Monitoring as company Management (distinguishable from Audit) ensuring that policies, procedures, and business processes are operating effectively and addressing Management’s responsibility to assess the effectiveness of internal controls. And yet according to that same article, Richard Chambers, president and CEO of the IIA, states, “some would tell you that there is no distinction between the two.”
This article published by the Pennsylvania CPA Journal (which I tend to agree with) makes the distinction even more defined by offering this table:
| Performed by Internal Audit | Performed by Management |
|---|---|
| Gain audit evidence more effectively and efficiently | Improve governance – aligning business / compliance risk to internal controls and remediation |
| React more timely to business risk | Improve transparency and react more timely to make better day-to-day decisions |
| Leverage technology to perform more efficient internal audits | Strive to reduce cost of controls and cost of testing/monitoring |
| Focus audits more specifically | Leverage technology to create efficiencies and opportunities for performance improvements |
| Help monitor compliance with policies, procedures, and regulations | |
And even within these two examples, which seem clear and specific as to what each represents, there appears to be a gray area related to whether Audit or Management (or both) should be monitoring compliance with policies, procedures and regulations.
While there may be debate about the specific definitions of Continuous Auditing and Continuous Monitoring, most people seem to agree that both (in one way or another) should be implemented to achieve the highest level of coverage in the most efficient and effective manner.
5 Steps to Implementing Continuous Auditing and Continuous Monitoring
- Determine a Champion – Whether you want Audit to work with Management or Management to work with Audit, one individual or department has to be the established leader of change and implementation. Also essential will be buy-in from all levels of Management across all functions of the company. This is the new way of doing business (Audit, Compliance and Monitoring) and everyone in the company needs to be on board.
- Clearly Defined Approach – Whether you agree with the definitions above or have your own spin on the subject, be definitive with respect to your approach. Many factors will need to be considered including industry, regulation requirements, fraud awareness, cost structure, people, resources, company culture, etc.
- Leverage Technology – As I described here, I find it to be imperative for each Audit Department (and Management level individuals) to be up-to-speed on the latest Computer-Assisted Audit Tools. The use of these tools is absolutely essential to the successful implementation of Continuous Auditing and Continuous Monitoring.
- Start Slow – As with most endeavors, you will need to ‘test’ the implementation on a few high-profile, high-risk processes to ensure the proper approach is in place and that you are receiving the sought-after benefits. Areas such as Accounts Receivable, Accounts Payable, General Ledger Journal Entries and Time and Expense Reporting are good places to start and give you an indication of your successes (or failures).
- Measure Progress – As the program gets established, you will need to constantly assess whether it is achieving the intended goals of the implementation. Are costs being recovered? Are you seeing a return on your investment? Are controls stronger? Is Audit coverage greater, more efficient and more cost effective? Is fraud coverage better, smarter? Are you getting quicker indications of anomalies? If not, adjustments may be necessary.