Internal audit departments looking to start a "continuous auditing" program are entering an area that is vague in definition and lacking in expert practitioners, says CFO Magazine.
Rutgers University professor Miklos Vasarhelyi, a leading continuous auditing expert, told CFO Magazine that continuous auditing is "an audit that happens immediately after or closely after a particular event." He notes, however, that any definition of the term is a moving target, as technology advances and the way organizations use continuous auditing evolves. The actual prevalence of the practice as per his definition is "limited," he says.
CFO Magazine says that continuous auditing is on the mind of many executives. Citing figures from an ongoing benchmarking survey, the magazine says that 32% of 305 organizations have told the Institute of Internal Auditors in the past year that they perform continuous auditing. Meanwhile, in a 2006 survey by PricewaterhouseCoopers, 81% of 392 companies said they at least aspired to continuous auditing.
For almost all companies engaged in continuous auditing, the activity is a work in progress. Richard Chambers, president and CEO of the IIA, told CFO Magazine that they are not familiar with anyone who has mastered continuous auditing yet.
Further complicating the definition is how continuous auditing differs from continuous monitoring, says CFO Magazine. Typically, the latter is seen as being done by company management to ensure that policies, procedures, and business processes are operating effectively and to address management's responsibility to assess the effectiveness of internal controls. Continuous audits are performed by audit departments to evaluate the adequacy of management's monitoring function and, thus, often cover the same or similar ground.
In its report, CFO Magazine takes a look at how three large companies have implemented continuous auditing and the challenges they confronted in rolling it out.
American Electric Power began experimenting with continuous auditing as a way to better allocate internal audit staff resources. The plan was to identify automatable audit processes and free up staff to perform more subjective audits requiring professional judgment. The continuous auditing program helps AEP decide what to include and exclude from its annual audit plan.
Microsoft, meanwhile, launched its continuous auditing program three years ago. PricewaterhouseCoopers, which was advising the company on the project, warned the internal audit department to expect trouble in three areas: getting its hands on the data, and pushback from both the audit staff and the internal stakeholders whose business processes were to be audited. All of the predictions indeed came true, says CFO Magazine.
Hospital Corporation of America, which owns 163 hospitals and 105 freestanding surgery centers, started its continuous auditing program eight years ago. According to CFO Magazine, in-house developers have built what internal audit director Chase Whitaker calls a "quiltwork" of audit routines — about 50 of them — that run on a variety of applications, including ACL, Paisley Consulting's Focus (for Sarbanes-Oxley compliance), and Microsoft's .Net, among others.