Primary navigation:

QFINANCE Quick Links
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > Continuous Auditing: Putting Theory into Practice

Auditing Best Practice

Continuous Auditing: Putting Theory into Practice

by Norman Marks

Executive Summary

  • Continuous auditing is a topic that is frequently identified as a method for internal auditors to “raise their game” and improve the value they provide to their stakeholders. For example, in their 2010 “State of the internal audit profession study,” PricewaterhouseCoopers identifies the ability to leverage technology (including the use of continuous auditing techniques) as one of the eight attributes of a maximized internal audit function.

  • In a 2010 study, “What is driving continuous auditing and continuous monitoring today?,” KPMG reports, “In a volatile economic environment, a number of key drivers are prompting companies to employ continuous auditing and continuous monitoring techniques to do more than manage risk, including help reduce cost, improve performance, and create value.”

  • This article defines continuous auditing, discusses the ways in which continuous auditing techniques can be used to provide value, and shares guidance on how to design an effective program. It advises that only after the objectives of a continuous auditing initiative have been determined, and the program designed, should auditors evaluate and acquire software.


The Institute of Internal Auditors (IIA) has issued an excellent global technology audit guide (GTAG) on the topic of continuous auditing. The guide, which we will refer to as GTAG-3, covers a lot of ground, including this definition of continuous auditing:1

“Continuous Auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis. It is the continuum of activities ranging from continuous control assessment to continuous risk assessment—all activities on the control-risk continuum. Technology plays a key role in automating the identification of exceptions and/or anomalies, analysis of patterns within the digits of key numeric fields, analysis of trends, detailed transaction analysis against cut-offs and thresholds, testing of controls, and the comparison of the process or system over time and/or against other similar entities.”

Continuous auditing enables an internal audit function to:

  • provide the board and management with assurance on a more frequent, if not continuous, basis;

  • monitor risks and adjust the audit program to ensure that it addresses what matters to the organization today;

  • improve the level of activity, in terms of both volume and period of time, that is audited.

It is important to consider the use and value of continuous auditing within the context of how the IIA defines an internal auditing function:

“A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.”

Taking these two definitions together enables the following points to be made. Each of these will be discussed in this article.

  1. Continuous auditing is a method used by internal auditors in support of their assurance and consulting services.

  2. Continuous auditing includes activities related to one or more of the following:

    1. Continuous risk assessment (also known as risk monitoring), including the use of analytical techniques to identify trends, etc., to develop and maintain the periodic audit plan;

    2. Continuous testing of controls to provide assurance that they operate as intended. GTAG-3 refers to this as “continuous controls assessment”;

    3. Continuous testing of transactions2 to identify anomalies, exceptions, and potential problems.

  3. Although continuous auditing typically leverages technology, continuous auditing activities may include manual testing, reviews of reports, etc.

  4. Despite its name, continuous auditing is not necessarily performed continuously. The frequency will depend on a number of factors, including:

    1. The frequency with which transactions occur (for example, journal entries are predominantly a month and quarter-end activity);

    2. The frequency with which controls are performed;

    3. The level of business risk being addressed;

    4. The risk that the control may not be performed as intended.

However, few internal audit departments have made major moves into continuous auditing. One of the reasons is that the value is not clear to every chief audit executive (CAE).3 We will discuss that first.

Back to Table of contents

Further reading


  • Association of Certified Fraud Examiners (ACFE). “Report to the nations on occupational fraud and abuse: 2010 global fraud study.” 2010. Online at:
  • Coderre, David. “Global technology audit guide (GTAG) 3: Continuous auditing: Implications for assurance, monitoring, and risk assessment.” Institute of Internal Auditors, 2005. Online at:
  • Ernst & Young. “Escalating the role of internal audit: Ernst & Young’s 2008 global internal audit survey.” 2008.
  • Institute of Internal Auditors (IIA). “International standards for the professional practice of internal auditing (Standards).” Revised October 2010. Online at:
  • KPMG. “Continuous auditing/continuous monitoring: Using technology to drive value by managing risk and improving performance.” June 2009. Online at: [PDF].

Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share