A framework for continuous auditing: Why companies don’t need to spend big money

Organizations seeking to implement or improve continuous auditing often already have the data and tools necessary.
By Josh Shilts, CPA/CFF, CGMA


Big Data is powerful. It can also be daunting. The current data analytic landscape focuses on the use of "scripts" that can identify duplicates and quantitative outliers. Yet, there is little guidance for script implementation or use of existing resources.

Organizations are investing time and money in continuous auditing. However, success is limited to a few larger organizations with the resources needed to accomplish their implementation. For example, some companies have implemented continuous auditing processes for accounting functions, such as accounts payable (AP), which have added to their internal control structure and aided in Sarbanes-Oxley (SOX) readiness. These organizations have applied data analysis that alerts them to repeating check or invoice numbers, recurring and repetitive amounts, and the number of monthly transactions.

All of this is considered basic fraud prevention. The problem is that this ignores other risks and rarely provides value. Sometimes, a company spends thousands of dollars to implement these processes but does not get value from them. This article discusses the appropriate methods organizations should use in implementing continuous auditing procedures.

Companies don't need complex data analytics tools or a large budget to employ an effective continuous auditing program. Organizations in the market for audit software can take advantage of a variety of tools. Those with little or nothing to spend can still achieve effective continuous auditing with simple yet powerful tools, such as Excel, and by thinking differently about data they already have.


Internal auditing's testing of controls is based on risk and often performed months after business activities have occurred. The testing is based on a sampling approach and includes reviews of policies, procedures, approvals, and reconciliations. Today, it is recognized that this approach affords internal auditors a narrow scope of evaluation and is sometimes too late to be of real value to business performance or regulatory compliance. Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis.

Continuous auditing focuses on testing for the prevalence of a risk and the effectiveness of a control. A framework and detailed procedures, along with technology, are key to enabling such an approach. Continuous auditing offers another way to understand risks and controls and moves testing from periodic sampling to ongoing evaluation.

Continuous auditing is not intended to replace traditional auditing but is rather to be used as a tool in implementing certain standard audit procedures to enhance audit methodology and effectiveness. For example, continuous auditing may occur by performing trend analysis on expense accounts to identify variances or drivers and alerting the audit team to a potential issue.


Implementing a continuous auditing model can be difficult at first. It is a process that grows as the maturity of the audit function grows. Initial project objectives are focused on developing a model and implementing processes to discover and analyze patterns, identify anomalies, and extract other useful information in data.

Start small with the development of the continuous auditing model and plan to expand your systems' capability as your understanding of the organization's data and underlying concepts grows.

After development, the next step is to align the continuous auditing model with internal audit's methodology and processes. Continuous auditing employs skill sets and resources that are different from traditional approaches; however, the methodology used to carry out the function is not significantly different. Continuous auditing is a function, like operational or IT audits, that helps internal audit management accomplish its objectives. The seven steps for establishing and maintaining continuous auditing are presented below (see the graphic, "7 Steps for Continuous Auditing").

7 steps for continuous auditing

1. Establish priority areas

Before starting a continuous auditing project, the following needs to occur:

  • Identify critical business processes that should be subject to continuous auditing. These processes should be cross-referenced with an organization's top risks, as identified by leadership and enterprise risk management programs.
  • Understand the availability and structure of data. A list of all business systems and the data available from those systems should be created. What systems have what reports available? For instance, if your company has a system for the storage and collection of HR data, it's likely that system has reporting capability beyond a list of employees and their contact information. The same is true of customer relationship management systems or IT systems. Internal audit will be far more valuable when it knows the value of these systems.
  • Perform assessments based on risks using data, trending, ratios, etc. For example, for a manufacturing company with factories in four states, inventory turnover might be a key metric. By using data analytics to examine variances in inventory turnover, the reasons that a factory is underperforming could likely be pinpointed.
  • Evaluate and assess the projected benefits of including the business cycle/area in the continuous auditing process.

Most, if not all, internal audit departments have at their disposal a repository of risk and control information that details the processes and resources used (i.e., technology and people) by the organization to accomplish its objectives and goals. The information is revisited periodically, and internal audit adjusts its audit plan based on new information. Continuous auditing will be used to initiate audit plan activities, increase internal audit coverage, and increase management's risk-based knowledge of the organization as data are collected, analyzed, and reported.

Enterprise risk assessment. Most internal audit departments use a risk-based audit plan wherein the audit strategy is aligned with the organization's strategic objectives and goals using information from internal and external sources. Information is aggregated, and risks and controls are measured based on impact and likelihood. In some instances, this process is repeated at the operational level before the initiation of an audit activity.

Audit activity plan. The objective of internal audit is to provide management with timely assurance on critical or high-risk areas. Internal audit develops its plan to accomplish this; however, certain variables affect the plan:

  • Resource allocation. Internal audit allocates resources (i.e., people and technologies) based on the outcome of the enterprise risk assessment. Higher-risk items have more resources devoted to them.
  • Plan changes. Periodically, information is received or objectives change that cause internal audit to adjust the audit plan.

Like an enterprise risk assessment, the audit plan is constantly evolving and changing. Year 1 of implementation requires the creation of a perpetual inventory of current and future business information systems and the identification of external resources (e.g., management reports, financial analysis, etc.). Doing so may make implementation take longer, but it will allow for the process to mature much faster.

2. Identify audit rules

Once a business process is selected, the auditor needs to determine audit rules (e.g., indicators, analytics, or routines) that will guide the continuous auditing activity.

The auditor will gain sufficient information to understand and document a high-level process overview, business objectives, and the correlation to organizational objectives and goals, significant risks, and key controls. This will be accomplished by:

  • Other activity integration. Using information obtained from SOX audits, traditional audit processes, and the first and second lines of defense within the organization (management and risk oversight functions such as risk management and compliance); and
  • Process and system review. Reviews of business processes and review of industry-established common priority areas (e.g., duplicate AP payments).

Using the two processes above accomplishes the goal of efficient audit coverage. The output of the initial process review is identification of audit rules to test for the prevalence of the risks and controls related to the business or process objectives using analytics or computer-assisted audit techniques (CAATs).

3. Determine process frequency

Consideration should be given to the cost, risk, benefit, and cadence of the proposed frequency of the process being audited. The nature of some continuous audit objectives, such as deterrence or prevention, may also determine frequency and variation.

After year 1, this step will become more refined as internal audit becomes more familiar with its continuous auditing abilities and the information produced from the function. Many baseline analytics or CAATs employed will come with a suggested frequency.

4. Configure parameters and execute

Technological support is needed to improve operational performance and business excellence. Testing scripts are developed and written using the audit rules and process information created in the second and third steps. Simultaneously, rules need to be configured before the continuous auditing procedure is implemented.

Internal audit will employ different types of analytic tests to conduct continuous auditing:

  • Data analysis. Using tools such as Excel, internal audit can develop spreadsheets to assist in analyzing and manipulating data.
  • Ratios or trends. Using management reports such as financial statements, internal audit collects and assesses information to identify variances from established ratios or unusual patterns in management information by reviewing trend information to determine the prevalence of a risk or the effectiveness of controls.
  • First- and second-line monitoring. Collection, aggregation, and monitoring of other internal reports is another essential focus of a continuous auditing program. Internal audit collects and analyzes these data and, where appropriate, includes them as part of its greater analysis.

Because of the abundance of information, it is imperative that internal audit organize and present information and corresponding findings in a succinct manner.

5. Manage results and follow up

Establishing the appropriate threshold levels and correctly configuring and building testing scripts ensure that an excessive number of false positives is not produced and resources are not used ineffectively. A responsible party needs to be assigned to review exceptions, evaluate results, and help make decisions related to future activities (e.g., changes, modifications).
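As an added illustration that is not part of the original article, the AP audit rules mentioned in the introduction (repeating invoice or check numbers, recurring identical amounts, and monthly transaction volume) are implemented below as a small Python script run over a constructed sample ledger. The repeat count and volume tolerance are exposed as parameters so the threshold tuning described in this step can be seen to change the number of exceptions produced.

```python
from collections import Counter
from statistics import mean

# Constructed sample AP ledger: (vendor, invoice_no, check_no, amount, month). Not real data.
AP_LEDGER = [
    ("Acme Supply",   "INV-1001", "CHK-501", 1250.00, "2023-01"),
    ("Acme Supply",   "INV-1002", "CHK-502", 1250.00, "2023-02"),
    ("Acme Supply",   "INV-1003", "CHK-503", 1250.00, "2023-03"),
    ("Beta Parts",    "INV-2001", "CHK-504",  480.25, "2023-01"),
    ("Beta Parts",    "INV-2001", "CHK-505",  480.25, "2023-02"),  # repeated invoice number
    ("Gamma Freight", "INV-3001", "CHK-506",  990.00, "2023-02"),
    ("Gamma Freight", "INV-3002", "CHK-506",  310.00, "2023-03"),  # repeated check number
    ("Delta Office",  "INV-4001", "CHK-507",   75.10, "2023-03"),
    ("Delta Office",  "INV-4002", "CHK-508",   82.40, "2023-03"),
    ("Delta Office",  "INV-4003", "CHK-509",   66.90, "2023-03"),
    ("Delta Office",  "INV-4004", "CHK-510",   71.00, "2023-03"),
]

def duplicate_field(ledger, index, label):
    """Flag any invoice or check number that appears more than once."""
    counts = Counter(row[index] for row in ledger)
    return [f"{label} {k} appears {n} times" for k, n in sorted(counts.items()) if n > 1]

def recurring_amounts(ledger, min_repeats):
    """Flag a vendor paid the identical amount at least min_repeats times."""
    counts = Counter((row[0], row[3]) for row in ledger)
    return [f"{v} paid {a:.2f} {n} times" for (v, a), n in sorted(counts.items()) if n >= min_repeats]

def monthly_volume_spikes(ledger, tolerance):
    """Flag months whose transaction count exceeds the mean of the other months by more than tolerance (a ratio)."""
    per_month = Counter(row[4] for row in ledger)
    flagged = []
    for month, n in sorted(per_month.items()):
        others = [c for m, c in per_month.items() if m != month]
        baseline = mean(others) if others else n
        if baseline and n / baseline > 1 + tolerance:
            flagged.append(f"{month}: {n} transactions vs baseline {baseline:.1f}")
    return flagged

def run_audit_rules(ledger, min_repeats=3, volume_tolerance=0.5):
    """Apply all rules with configurable thresholds; returns exceptions grouped by rule name."""
    return {
        "duplicate_invoice": duplicate_field(ledger, 1, "invoice"),
        "duplicate_check": duplicate_field(ledger, 2, "check"),
        "recurring_amount": recurring_amounts(ledger, min_repeats),
        "volume_spike": monthly_volume_spikes(ledger, volume_tolerance),
    }

if __name__ == "__main__":
    for rule, hits in run_audit_rules(AP_LEDGER).items():
        print(rule, hits)
```

Lowering min_repeats from 3 to 2 adds the Beta Parts payments as a second recurring-amount exception, which is the kind of threshold decision the responsible reviewer owns.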

Managing results and following up requires the greatest use of oversight resources to ensure the message delivered is appropriate and correct. More importantly, continuous auditing outputs are reviewed against internal and external measures to determine the impact of the findings as well as next steps.

In addition to a quantitative review and assessment, another important part of managing results and following up is identifying and using the appropriate tools and management techniques to ensure appropriate storage of scripts and other relevant information and resources.

A variety of tools are available from external resources. However, internal audit departments should focus on tools for storage and data analysis that allow for the ability to analyze various forms and sets of data; ensure effective organization of scripts, system reviews, and findings; and allow for the ability to customize reports and expand as the continuous auditing program matures.

6. Report results

At the conclusion of each continuous auditing activity, results should be presented to management in a timely manner and in a consistent and formal report that includes observations and insight into risks, controls, and consequences associated with the findings. Because some activities are processed ad hoc and not on a defined schedule, reports are produced at various times throughout the year.

7. Assess emerging risk and add to register

Results are incorporated into internal audit's risk identification and assessment process, which can help with resource allocation. The process then repeats or continues through the same steps by adding more complex items.

About the author

Josh Shilts (josh@villelashilts.com) is managing partner at Villela & Shilts LLC, a tax and advisory CPA firm with offices in Jacksonville, Fla.; Miami; and Ocala, Fla.
