Charting a Company-Specific Path Toward Continuous Auditing and Monitoring

by Joe Oringel

This Chapter Covers:

  • This chapter defines continuous auditing and monitoring and the techniques that can be used to provide this more frequent assurance.

  • Central is the use of a multidimensional maturity model that considers people, process, and technology implications and can be used to chart the journey from traditional to continuous auditing activities.

  • A journey toward continuous auditing is not all about technology, especially at first.

  • Internal auditing is about asking and answering the questions necessary to provide assurance to management that its objectives will be achieved. Providing this assurance on a more frequent basis, and with greater confidence through data analysis, increases the value of an internal audit function.


Continuous auditing has seemingly been the “next great thing” in internal audit for nearly 20 years. From its roots in embedded audit routines that would send notifications from IT systems to an auditor’s email box, to more modern software for continuous control monitoring or continuous transaction monitoring, continuous auditing has been as much about hype as reality. PricewaterhouseCoopers’ annual state of the internal audit profession surveys regularly report that a majority of internal audit functions are planning to do continuous auditing in the “coming year,” but the number of organizations that have continuous audit programs in place remains much less than 50%. Tomorrow never seems to arrive.

The Audit of the Future: Can the Future Be Now?

Imagine an internal audit department that captures monthly financial and operational data directly from a variety of enterprise systems into a secure, independent data warehouse. An updated “heat map” that summarizes risk and control effectiveness by business process and business segment is calculated and scored based on output from a combination of continuous auditing and traditional auditing activities.

Copies of transactions and master files are also compared to similar files from previous periods, and any exceptions or other unusual transactions are identified and researched by a combination of internal audit and management, depending on agreed-upon responsibilities between audit and management. For some exceptions, management is responsible for reviewing and researching the exceptions, and audit verifies management’s work as part of its validation of the updated heat map. For other, higher-risk queries, including many relating to fraud detection and prevention, the exceptions are reviewed by audit prior to review or investigation by management.

As futuristic as this may sound, it is actually a description of a North American insurance company that first implemented its continuous audit program in 2005. Initiatives for continuous improvement help to ensure the relevance and freshness of its data analysis routines. These provide ever-increasing coverage of key risks to senior management and the board of directors—all while its staff numbers have shrunk by more than 50% since the inception of continuous audit. Although only one or two auditors in the department of 10 are data specialists, all team members are comfortable making basic edits to continuous audit queries on an as-needed basis. How have they accomplished this? What can others learn from them? Read on…

Professional Guidance

The Institute of Internal Auditors’ (IIA) Global Technology Audit Guide no. 3, often referred to as GTAG 3 and titled “Continuous auditing, implications for assurance, monitoring, and risk assessment,” was published in 2005 and is still the definitive guidance for establishing a continuous auditing (henceforth CA) or continuous monitoring (henceforth CM) program. Its strengths are outlining the key steps for accomplishing CA and CM, from defining business objectives to acquiring data to evaluating and reporting results.

There is an inverse relationship between CA and CM, as illustrated in Figure 1. CM programs often evolve from effective CA programs, as the more interesting and important CA queries tend to be requested by management as tests that they should be running themselves. This migration of CA queries from internal audit is central to the progression described in the maturity model later in this chapter.

The Business Case for CA and CM

The IIA published a new GTAG (no. 16) titled “Data analysis technologies” in August 2011 that provides updated guidance on the tools that can be used to accomplish CA and CM (Lambrechts et al., 2011). Benefits of CA and CM, as cited in this publication and supported in practice, include:

  • productivity and cost savings;

  • efficiency in data access;

  • improved risk and control assurance;

  • improved audit coverage;

  • reduced audit risk;

  • shortened audit cycles.

Internal audit professionals are strongly encouraged to use data analysis in the conduct of their work, as indicated by several of the IIA’s professional standards.

  • Standard 1220.A: Due professional care. In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

  • Standard 2300: Performing the engagement. Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.

  • Standard 2310: Identifying information. Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

  • Standard 2320: Analysis and evaluation. Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

However, the relationship between data analysis and CA is not always clear. Some data analysis is not CA, and some CA is not data analysis, as illustrated in Figure 2. Examples of data analysis routines that are not CA include ad hoc analyses that are executed once to satisfy a particular audit objective but are not repeated over time. CA includes continuous risk assessment activities such as updating a rolling audit plan on a periodic basis, which is often accomplished through interviews or surveys but not data analysis.


Further reading

  • Humphrey, Watts S. Managing the Software Process. Reading, MA: Addison-Wesley, 1989.
  • Institute of Internal Auditors (IIA). International Professional Practices Framework (IPPF). 2011 ed. Altamonte Springs, FL: IIA Research Foundation, 2011.

  • Oringel, Joe, and George R. Aldhizer III. “Continuous auditing and monitoring: Enhancing the efficiency and effectiveness of auditing and ERM.” Internal Auditing 24:5 (September/October 2009): 17–26.

  • Coderre, David. “Continuous auditing: Implications for assurance, monitoring, and risk assessment.” Global Technology Audit Guide 3 (GTAG 3). Institute of Internal Auditors (IIA), 2005.
  • Lambrechts, Altus, Jacques Lourens, Peter Millar, and Donald Sparks. “Data analysis technologies.” Global Technology Audit Guide 16 (GTAG 16). Institute of Internal Auditors (IIA), 2011.
  • Ramamoorti, Sridhar, Michael P. Cangemi, and William M. Sinnett. “The benefits of continuous monitoring.” Financial Executives Research Foundation (FERF), 2011.

  • ACL Ltd, for ACL auditing software
  • CaseWare, for IDEA auditing software
  • “Continuous auditing—making it real” blog
  • Rutgers Accounting Web, host of 23 different world continuous auditing symposia
  • Visual Risk IQ, for QuickStart
